The Data Protection Playbook: Encryption, Backups, DLP, and Access Controls You Can Deploy This Week

Why Data Protection Is a Posture, Not a Product

Data breaches cost Australian businesses an average of $4.26 million per incident, and the most common root cause isn't advanced malware — it's unencrypted laptops, untested backups, and over-privileged user accounts. Data protection posture means layered controls that work together: encrypt data so stolen devices are useless, back up data so ransomware can't hold you hostage, prevent exfiltration with DLP, and restrict access so a single compromised account doesn't expose everything. The good news? Every control in this playbook has a free or low-cost implementation path suitable for small and medium businesses.

1. Encryption: Lock Down Data at Rest and in Transit

Encryption is your last line of defence. When a laptop is stolen from a car or a server is physically accessed, encryption ensures the data on that device is unreadable without the key. NIST SP 800-111 provides guidance on storage encryption for endpoint and media protection, and it should be the baseline reference for any encryption deployment.

Full-disk encryption for endpoints (free):

• Windows: BitLocker is built into Windows 10/11 Pro and Enterprise. Enable it via Settings > Privacy & Security > Device Encryption, or via Group Policy for fleet-wide deployment. No additional licensing required beyond Windows Pro.
• macOS: FileVault is built into every Mac. Enable via System Settings > Privacy & Security > FileVault. Recovery keys should be escrowed centrally — Apple's MDM or Microsoft Intune both support this.
• Linux: LUKS (Linux Unified Key Setup) is the standard. Most distributions offer it during installation. For existing systems, cryptsetup can encrypt additional volumes.

File and container encryption for sensitive data:

• VeraCrypt (free, open-source): Creates encrypted containers that mount as virtual drives. Ideal for protecting specific sensitive files — client data, financial records, credentials — on shared workstations or portable drives. Cross-platform (Windows, macOS, Linux).

Encryption in transit:

• Enforce HTTPS/TLS everywhere. Use TLS 1.2 minimum (TLS 1.3 preferred) on all web services, email (SMTPS/IMAPS), and VPN connections.
• Enable opportunistic TLS on your mail server (Maddy, Postfix, and Exchange all support it) so email in transit between servers is encrypted.
• Use SFTP or HTTPS for file transfers — never plain FTP.

Cost: $0. BitLocker, FileVault, VeraCrypt, and TLS are all free. The only investment is administrative time for deployment and key management.

2. The 3-2-1 Backup Rule: Your Ransomware Insurance

The ACSC's backup guidance is unambiguous: every business needs a backup strategy that survives ransomware, hardware failure, theft, and natural disaster. The 3-2-1 rule is the standard framework:

• 3 copies of your data (production + 2 backups)
• 2 different media types (e.g., local NAS + cloud)
• 1 copy stored off-site (cloud or physically off-site)

Local backup solutions:

• Veeam Agent for Microsoft Windows Free and Veeam Agent for Linux Free: Bare-metal image backups to local storage or NAS. The free tier supports a single machine but is fully functional for file-level and image-level recovery.
• Windows File History / macOS Time Machine: Built-in, free, and adequate for individual workstation file recovery.

Cloud/off-site backup:

• Backblaze Business Backup: $99/year per computer for unlimited backup. Includes centralised management and reporting. For a 20-person team, that's $165/month.
• Backblaze B2 + restic/rclone: For server and NAS data, Backblaze B2 object storage at $6/TB/month combined with open-source backup tools (restic, rclone, duplicity) gives you enterprise-grade off-site backup at a fraction of Veeam Cloud Connect pricing.
• Veeam Community Edition: Free for up to 10 instances (VMs, physical servers, cloud workloads). Includes backup, replication, and fast recovery.

The critical step most businesses skip — verify your backups:

An untested backup is a hope, not a strategy. Every week, pick one backup at random and perform a test restore. Verify file integrity, confirm the restore completes successfully, and time how long it takes. If you can't restore within your recovery time objective, your backup strategy needs revision. Document the test results.

Cost: $0 (built-in tools + free Veeam) to $165/month (Backblaze for 20 machines).

3. Data Loss Prevention (DLP): Stop Sensitive Data Walking Out the Door

DLP policies monitor and control how sensitive data moves — preventing credit card numbers from being emailed to personal accounts, client lists from being uploaded to Dropbox, or source code from being pasted into ChatGPT. CIS Controls v8 (Control 3 — Data Protection) recommends identifying sensitive data, documenting where it lives, and deploying automated controls to prevent unauthorised transfer.

For Microsoft 365 environments:

• Microsoft Purview DLP: Included in Microsoft 365 E3 ($36/user/month) and E5 ($57/user/month) licenses. Provides policy-based DLP across Exchange Online, SharePoint, OneDrive, Teams, and endpoints. Start with pre-built policy templates for Australian privacy data (PII, TFN, Medicare numbers, driver's licence numbers).
• If you're on Microsoft 365 Business Premium ($30/user/month), you get a subset of Purview DLP capabilities for endpoints — sufficient for most SMBs.

For data discovery and classification:

• Varonis Data Security Platform: Automatically discovers and classifies sensitive data across file shares, SharePoint, and cloud stores. Identifies overexposed files, stale data, and unusual access patterns. Pricing is enterprise-tier (contact sales), but they offer a free Data Risk Assessment that's worth running — it'll show you exactly where your sensitive data is exposed.
• Microsoft Purview Data Classification: Free with Microsoft 365 E3/E5. Scan and label documents automatically based on sensitivity (Public, Internal, Confidential, Highly Confidential).

Quick DLP wins without enterprise licensing:

1. Audit SharePoint and shared drive permissions monthly — remove "Everyone" and "Authenticated Users" access.
2. Block USB mass storage on workstations via Group Policy if it's not needed for business operations.
3. Restrict personal cloud storage domains (consumer Dropbox, Google Drive, WeTransfer) at the network firewall or DNS filtering layer.

4. Access Controls: Least Privilege and Zero Trust Fundamentals

The majority of data breaches involve compromised credentials — and the damage scales directly with what those credentials can access. Implement these access control fundamentals this week:

Immediate actions:

• Enforce MFA everywhere. All accounts, no exceptions. Microsoft Authenticator, Google Authenticator, or a hardware key (YubiKey, ~$55 each). SMS-based MFA is better than nothing but is increasingly vulnerable to SIM-swapping — prefer app-based or hardware.
• Audit privileged accounts. Count how many users have Domain Admin, local admin, or cloud administrator rights. If it's more than 2-3 people, you're over-privileged. CIS Control 5 recommends maintaining an inventory of all administrative accounts and reviewing it quarterly.
• Implement least-privilege file access. Map your shared drives and cloud folders to who actually needs access. Remove broad permissions groups ("All Staff", "Domain Users") from sensitive directories. Replace with named groups with documented business justification.
• Enable conditional access policies. In Microsoft Entra ID (formerly Azure AD), set policies that block logins from unexpected countries, require MFA for admin roles, and block legacy authentication protocols (IMAP, POP, SMTP basic auth).

Cost: $0 for Microsoft Authenticator and Group Policy changes. $55/user for hardware security keys if you choose YubiKeys.

Quick-Win Checklist: Deploy This Week

Monday — Encrypt endpoints:

• Enable BitLocker on all Windows Pro machines (or verify it's already on with manage-bde -status)
• Enable FileVault on all Macs
• Install VeraCrypt and create encrypted containers for portable sensitive files
• Verify TLS on all customer-facing web services (check with ssllabs.com/ssltest)

Tuesday — Verify backup integrity:

• Confirm you have 3 copies, 2 media types, 1 off-site
• Perform a test restore from yesterday's backup — time it and document
• Check backup logs for failures in the last 30 days
• Ensure backups are immutable or offline (so ransomware can't encrypt them)

Wednesday — Classify sensitive data:

• Identify where your most sensitive data lives (client records, financials, credentials, contracts)
• Run Microsoft Purview's content explorer or a free tool like OpenDLP scanner
• Tag or label sensitive files (Confidential, Internal, Public)
• Audit permissions on folders containing sensitive data — remove unnecessary access

Thursday — Lock down access:

• Enable MFA on every account (email, cloud, financial, social)
• Remove local admin rights from daily-use accounts
• Review and reduce privileged account count
• Block legacy authentication protocols

Friday — Document and test:

• Write a one-page incident response plan (who to call, what to do first)
• Simulate a laptop loss — confirm the device is encrypted and can be remotely wiped
• Schedule monthly backup restore tests
• Brief the team on what changed and why

FAQ

Conclusion

Data protection isn't a single product or a one-time project — it's a posture maintained through layered controls, regular testing, and continuous improvement. The four pillars in this playbook (encryption, backups, DLP, and access controls) can all be deployed this week, most at zero cost, and together they address the most common breach vectors facing Australian businesses today.

Start with the checklist. Enable encryption on Monday. Test your backups on Tuesday. By Friday, you'll have measurably reduced your data breach risk and built a foundation you can iterate on.

Ready to go deeper? Visit consult.lil.business for a free cybersecurity assessment tailored to your business size, industry, and risk profile.

References

1. NIST SP 800-111: Guide to Storage Encryption Technologies for End User Devices
2. ACSC — Backing Up Your Data and Systems Guidance
3. CIS Controls v8 — Control 3: Data Protection
4. Microsoft Purview Data Loss Prevention Documentation
5. VeraCrypt — Free Open-Source Disk Encryption Software

Verifier warning: verifier could not run (PluginLlmTrustError).