TL;DR

Most data breaches exploit gaps that are decades-old problems: unencrypted laptops, untested backups, no data classification, and excessive access. This playbook gives you four concrete actions — endpoint encryption, a 3-2-1 backup strategy, DLP policies, and least-privilege access controls — that a small business can implement this week for under $200/month. No theoretical frameworks; just tools, costs, and a checklist.

1. Encryption: At Rest and In Transit

Encryption is the single highest-ROI control you can deploy. If a laptop is stolen, an S3 bucket is misconfigured, or a backup tape falls off a truck, encryption converts a catastrophic breach into a non-event. Yet surveys consistently show that 30-40% of SMB endpoints remain unencrypted.

Endpoint encryption should be your first move. BitLocker is built into Windows 10/11 Pro and Enterprise editions — no additional cost, no additional software. For Windows Home users or machines needing cross-platform support, VeraCrypt is free, open-source, and audited. It can encrypt entire system partitions or create encrypted container files for sensitive directories. On macOS, FileVault is the native equivalent and should be enabled by default via MDM policy.
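The checklist at the end of this playbook tells you to run manage-bde -status and fdesetup status; the added Python below (not from the original post or from Microsoft/Apple tooling) parses that output so you can feed a fleet of results into a compliance report. It assumes the field layout of manage-bde -status shown in the constructed sample, and it treats a volume that is "Fully Encrypted" but "Protection Off" (BitLocker suspended) as a failure, since the key is stored in the clear in that state.

```python
import re

# Constructed sample of `manage-bde -status` output (not captured from a real
# host); the per-volume "Key: Value" layout matches the real tool.
SAMPLE_MANAGE_BDE = """\
BitLocker Drive Encryption: Configuration Tool version 10.0.19041

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [Windows]
[OS Volume]

    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Protection Status:    Protection Off

Volume D: [Data]
[Data Volume]

    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0.0%
    Protection Status:    Protection Off
"""

def parse_manage_bde(output):
    """Return {drive_letter: {field: value}} parsed from manage-bde -status."""
    volumes, current = {}, None
    for line in output.splitlines():
        m = re.match(r"Volume ([A-Z]):", line)
        if m:
            current = m.group(1)
            volumes[current] = {}
        elif current and line.startswith("    ") and ":" in line:
            key, _, value = line.strip().partition(":")
            volumes[current][key.strip()] = value.strip()
    return volumes

def bitlocker_findings(output):
    """Volumes failing the check. 'Fully Encrypted' + 'Protection Off' means
    BitLocker is suspended (clear key on disk), so it fails too."""
    findings = []
    for vol, f in parse_manage_bde(output).items():
        conv = f.get("Conversion Status", "unknown")
        prot = f.get("Protection Status", "unknown")
        if conv != "Fully Encrypted":
            findings.append((vol, "not fully encrypted: " + conv))
        elif prot != "Protection On":
            findings.append((vol, "encrypted but suspended: " + prot))
    return findings

def filevault_enabled(output):
    """True only when `fdesetup status` reports 'FileVault is On.'"""
    return output.strip().startswith("FileVault is On")
```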

Encryption in transit is equally non-negotiable. Every external-facing service must use TLS 1.2 or higher. Internal services should follow the same rule — the FortiBleed leak exposing credentials for 73,000 Fortinet VPN devices is a stark reminder that even VPN infrastructure can leak if credentials aren't protected at rest and transport layers aren't hardened. Enforce HTTPS everywhere, use HSTS headers, and kill legacy protocols like TLS 1.0/1.1 and SSLv3 immediately.

Cost: BitLocker and VeraCrypt — $0. FileVault — $0. If you need centralized key management across multiple endpoints, Microsoft BitLocker Administration and Monitoring (MBAM) or a commercial MDM like Jamf ($4/device/month for Mac) adds management overhead but keeps recovery keys safe.

2. The 3-2-1 Backup Rule — And Why "Microsoft 365 Backup" Isn't Enough

The 3-2-1 rule is simple: keep 3 copies of your data, on 2 different media types, with 1 copy stored offsite. It has been the gold standard for over a decade, and the ACSC's backup guidance reinforces it specifically for Australian organisations.

Why does this still matter in 2026? Because SaaS platforms create a false sense of security. Microsoft 365 retains deleted items for 30-90 days, but ransomware that encrypts your SharePoint and OneDrive files doesn't care about versioning windows — it corrupts the live data and the backups alike if you have no independent copy. The recent reminder from Acronis that "Microsoft 365 backup isn't enough" is spot-on: shared responsibility means Microsoft keeps the service running, but recovering your business data is your job.

Practical implementation for SMBs:

  • Local backup: Veeam Agent for Microsoft Windows is free for standalone endpoints. Veeam Backup & Replication Community Edition covers up to 10 VMs at no cost. For physical workstations, Backblaze Business Backup at $99/year per machine gives unlimited cloud backup with centralised admin.
  • Offsite/cloud copy: Backblaze B2 at $6/TB/month is the cheapest reliable object storage for backup targets. Pair it with Veeam for immutable, ransomware-resistant backups using the hardened Linux repository feature.
  • Immutable copy: Ensure at least one backup copy is write-once-read-many (WORM). Ransomware actively hunts and deletes backups — if your backup target is on the same domain as your file server, it's not a backup, it's a second victim.

Verify backup integrity weekly. A backup you haven't test-restored is a hope, not a backup. Run a monthly restore drill: pick a random file, restore it to a test location, and confirm it opens.
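The restore drill described above, as an added Python example (not from the original playbook or from Veeam/Backblaze): it picks a random sample of files from the live data, restores are assumed to land at the same relative path under a restore directory, and each copy is compared by SHA-256 rather than by "does it open". The demo builds a constructed tree in which one restored file is silently corrupted and one was never backed up, so the drill reports both.

```python
import hashlib, random, tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def restore_drill(source_dir, restore_dir, sample_size=5, seed=None):
    """Sample files under source_dir and confirm each has a byte-identical copy
    at the same relative path under restore_dir. Returns lists of relative
    paths keyed "ok", "missing" and "mismatch"."""
    source, restore = Path(source_dir), Path(restore_dir)
    files = sorted(p.relative_to(source) for p in source.rglob("*") if p.is_file())
    sample = random.Random(seed).sample(files, min(sample_size, len(files)))
    result = {"ok": [], "missing": [], "mismatch": []}
    for rel in sample:
        restored = restore / rel
        if not restored.is_file():
            result["missing"].append(rel.as_posix())
        elif sha256_file(restored) != sha256_file(source / rel):
            result["mismatch"].append(rel.as_posix())
        else:
            result["ok"].append(rel.as_posix())
    return result

def demo():
    """Constructed demo: a 'source' tree and a 'restore' tree where one file is
    truncated and one is absent, so the drill flags both (hypothetical data)."""
    root = Path(tempfile.mkdtemp())
    src, rst = root / "source", root / "restore"
    for i in range(6):
        p = src / "finance" / f"invoice-{i}.txt"
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"invoice %d payload\n" % i * 100)
    for p in (src / "finance").iterdir():
        q = rst / "finance" / p.name
        q.parent.mkdir(parents=True, exist_ok=True)
        q.write_bytes(p.read_bytes())
    (rst / "finance" / "invoice-2.txt").write_bytes(b"truncated")  # corrupt copy
    (rst / "finance" / "invoice-4.txt").unlink()                   # never backed up
    return restore_drill(src, rst, sample_size=6, seed=1)
```

Record the elapsed time of each drill alongside the result, as the checklist asks, so you learn your real recovery time before an incident does it for you.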

Cost: Veeam Community — $0. Backblaze Business — $99/year/device. B2 storage — $6/TB/month. A 5-person business with 1TB total data: roughly $50-60/month.

3. Data Loss Prevention: Know Where Your Sensitive Data Lives

You cannot protect what you haven't classified. DLP isn't about buying a product — it's about understanding where sensitive data lives, who can access it, and preventing it from leaving your environment through email, USB, cloud uploads, or OAuth-connected third-party apps.

The Klue OAuth breach is a perfect example of why DLP matters: threat actors exploited OAuth token theft to exfiltrate Salesforce CRM data. If those organisations had DLP policies alerting on bulk data exports from Salesforce, or if they'd monitored OAuth app permissions, the breach window would have been hours instead of weeks.

Microsoft Purview DLP is the most accessible starting point for organisations already on Microsoft 365 E3 or E5. It includes pre-built policies for financial data, PII (including Australian privacy identifiers), and health information. You can start in audit mode (monitor only, no blocking) to understand your data flow, then escalate to enforcement mode once you've tuned false positives.

Varonis goes deeper — it scans file shares, SharePoint, and cloud repositories to find overexposed sensitive data and provides automated access remediation. It's more expensive but pays for itself by finding the "everyone has access" folders that compliance audits miss.

For smaller budgets, start with data discovery: use Microsoft Compliance Manager (included in M365) to scan your tenant, or run SPIPS-style open-source tools to identify sensitive data patterns in file shares. Classification labels in Microsoft Purview are free with E3 — apply "Confidential" and "Internal" labels to files, and DLP policies can then target them.
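As an added illustration of the "sensitive data patterns" a discovery scan looks for (this is example code, not Purview's or any open-source tool's own logic), the Python below finds two of the Australian privacy identifiers Purview's built-in policies cover, Tax File Numbers and Medicare card numbers, and validates their check digits so that ordinary 9- and 10-digit reference numbers are not reported. The sample document and its numbers are constructed demonstration values that satisfy (or deliberately fail) the check-digit rules; the output is masked so the audit report does not itself become a leak.

```python
import re

TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)
MEDICARE_WEIGHTS = (1, 3, 7, 9, 1, 3, 7, 9)

def valid_tfn(digits):
    """ATO Tax File Number: weighted sum of the 9 digits is divisible by 11."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    return sum(int(d) * w for d, w in zip(digits, TFN_WEIGHTS)) % 11 == 0

def valid_medicare(digits):
    """Medicare card number: 10 digits, first digit 2-6, weighted sum of the
    first 8 digits mod 10 equals the 9th (check) digit."""
    if len(digits) != 10 or not digits.isdigit() or digits[0] not in "23456":
        return False
    total = sum(int(d) * w for d, w in zip(digits[:8], MEDICARE_WEIGHTS))
    return total % 10 == int(digits[8])

# Loose candidate patterns (allow the usual spacing); the check digit filters them.
PATTERNS = {
    "TFN": (re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b"), valid_tfn),
    "Medicare": (re.compile(r"\b\d{4}[ -]?\d{5}[ -]?\d\b"), valid_medicare),
}

def scan_text(text, source="<text>"):
    """Audit-mode DLP: return (source, kind, masked value) for every candidate
    whose check digit validates. Only the last 3 digits are kept in the report."""
    hits = []
    for kind, (rx, check) in PATTERNS.items():
        for m in rx.finditer(text):
            digits = re.sub(r"\D", "", m.group())
            if check(digits):
                hits.append((source, kind, "*" * (len(digits) - 3) + digits[-3:]))
    return hits

# Constructed sample file. 123 456 782 and 2123 45670 1 pass the check-digit
# rules; 123 456 789 and 1234 56789 0 look similar but fail, so they are not
# reported. None of these are real identifiers.
SAMPLE_DOC = """\
Customer onboarding notes
TFN: 123 456 782 (verified)
Reference no: 123 456 789
Medicare: 2123 45670 1
Order: 1234 56789 0
"""
```

Run the scanner over a file share in this audit mode first, exactly as the Purview rollout above suggests, and only wire it to blocking or alerting once the false-positive rate is known.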

Cost: Microsoft Purview DLP — included in M365 E5 ($57/user/month) or available as an add-on. Varonis Data Security Platform — roughly $15-25/user/month for SMB deployments. For zero-budget teams, Purview sensitivity labels (free with E3) plus manual classification gets you 60% of the value.

4. Access Controls: Least Privilege That Actually Sticks

The principle of least privilege is older than the internet, yet most SMBs still give every employee local admin rights and full access to shared drives. Every additional permission is an additional attack surface — for the employee, and for whoever compromises their account.

Implement these this week:

  1. Remove local admin rights from all endpoints. Use a privileged access management (PAM) solution or even a simple LAPS configuration for when admin access is genuinely needed. Microsoft LAPS is free and built into Windows.
  2. Enforce MFA everywhere. Not just email — every cloud service, every VPN, every admin console. Conditional Access policies in Entra ID (free tier supports security defaults; P1 at $6/user/month adds granular policies) can block logins from untrusted locations and require MFA for all access.
  3. Audit OAuth applications. The Klue breach shows why — any third-party app connected via OAuth can exfiltrate data with whatever permissions it was granted. Review and revoke unused app registrations in Entra ID weekly.
  4. Implement role-based access for file shares and cloud storage. The CIS Controls v8 benchmarks (Control 6 — Access Control Management) provide a concrete checklist. Start by removing "Everyone" and "Domain Users" from sensitive folders and replacing with security groups.

Cost: Microsoft LAPS — $0. Entra ID P1 — $6/user/month. For non-Microsoft environments, Keycloak is free and open-source with full RBAC and SSO support.

Quick-Win Checklist (Do These This Week)

  • Encrypt every endpoint: Verify BitLocker/FileVault is active on all laptops. Run manage-bde -status on Windows or fdesetup status on macOS to confirm.
  • Test a backup restore: Pick one critical file, restore it from backup, verify it opens. Document the time it took.
  • Run Purview Data Classification: Enable sensitivity labels in Microsoft Purview and run a scan of SharePoint and OneDrive. Review the "sensitive data" report.
  • Remove local admin rights: Convert all user accounts to standard (non-admin) accounts. Document which machines need exceptions.
  • Audit OAuth apps: In Entra ID, review Enterprise Applications and revoke anything unused or unrecognised.
  • Enable MFA security defaults: If you haven't already, turn on Entra ID Security Defaults. It's free and takes 5 minutes.

FAQ

Can't I just rely on cloud providers for backup? No. Shared responsibility means the provider protects the infrastructure, not your data. Microsoft 365, Google Workspace, and AWS all have limited retention windows and don't protect against user-initiated deletion or ransomware corruption. You need an independent backup — ideally immutable — outside the primary platform.

What's the minimum viable DLP for a 5-person business? Start with Microsoft Purview sensitivity labels (free with M365 E3) and manual classification. Define three tiers: Public, Internal, Confidential. Label critical files, then create a simple mail flow rule that warns when emails containing "Confidential" labelled attachments are sent externally. That's 80% of the protection for $0.

Do we need hardware security modules (HSMs) for encryption keys? For most SMBs, no. BitLocker's TPM integration and VeraCrypt's key derivation are sufficient. HSMs are warranted when you're managing encryption keys for regulated data at scale (e.g., PCI DSS Level 1, or large-scale healthcare). A managed MDM with centralised key escrow is the practical middle ground.

How often should we test backup restores? At minimum, monthly. The ACSC recommends quarterly full restore tests, but for critical data (customer databases, financial records), weekly verification of at least one file restore is prudent. The cost of a failed restore discovered during an incident is incalculable.

Conclusion

Data protection isn't a product purchase — it's a set of habits. Encrypt your endpoints today. Test a backup restore this afternoon. Classify your sensitive data this week. Remove local admin rights before lunch. None of these actions requires a six-figure budget or a dedicated security team. The tools are free or cheap, the frameworks are well-documented, and the cost of inaction is measured in the breaches you'll read about tomorrow.

Start with the checklist above. Do one item per day. In a week, your data protection posture will be stronger than 70% of businesses your size.

Visit consult.lil.business for a free cybersecurity assessment — we'll review your current encryption, backup, and access control posture and give you a prioritised action plan.

References

  1. NIST SP 800-111: Guide to Storage Encryption Technologies for End User Devices
  2. ACSC Guidance: Backing Up Your Information
  3. CIS Controls v8 — Data Protection and Access Control Management
  4. Microsoft Purview Data Loss Prevention Documentation
  5. Veeam Best Practices for Ransomware-Resistant Backups

