TL;DR

Most data breaches exploit gaps that basic controls — full-disk encryption, verified backups, and least-privilege access — would have neutralised. This playbook covers four pillars you can deploy in under a week: encryption at rest and in transit, the 3-2-1 backup rule, Data Loss Prevention policies, and access control frameworks, with tool recommendations and cost estimates for SMB budgets.


Why Most Data Breaches Are Preventable

The Australian Cyber Security Centre reports that the majority of incidents affecting small and medium businesses stem from inadequate foundational controls — unencrypted devices, absent or untested backups, and excessive user permissions. You don't need a seven-figure security budget. You need the basics done properly, starting now.

The four pillars below map directly to CIS Controls v8 (Controls 3, 6, 11, and 13) and align with NIST SP 800-111 guidance for storage security. Each section includes specific tools, cost estimates, and a same-week deployment path.


Pillar 1: Encryption — At Rest and In Transit

Encryption is the single control that turns a stolen laptop from a breach notification into a non-event. If the disk is encrypted, the data is gibberish without the key.

At rest (endpoints and servers):

  • Windows: BitLocker is built into Pro and Enterprise editions. Turn it on via Settings → Privacy & Security → Device Encryption. Zero additional cost.
  • macOS: FileVault is built-in. System Settings → Privacy & Security → FileVault. Zero cost.
  • Linux servers and workstations: VeraCrypt (free, open-source) creates encrypted volumes. LUKS is the native Linux full-disk option.
  • Cloud storage: Enable server-side encryption (SSE-S3 or SSE-KMS on AWS, Azure Storage Service Encryption). Most providers enable this by default now — verify it hasn't been disabled.

In transit (network and API traffic):

  • Enforce TLS 1.2 minimum across all web services, APIs, and email (SMTP with STARTTLS).
  • Use a VPN (WireGuard or Tailscale — free for small teams) for remote access instead of exposing services directly.
  • Force HTTPS everywhere with HSTS headers.

Cost: $0 for built-in OS encryption. Cloud KMS keys run $1-3/month per key. A Tailscale plan for up to 100 devices is free.

This week: Run a quick audit. Open BitLocker/FileVault settings on every company device. If any show "Off," that's your first fix. For servers, verify LUKS or cloud encryption is active — don't assume.


Pillar 2: The 3-2-1 Backup Rule

The 3-2-1 rule is dead simple and survives almost any disaster: 3 copies of your data, on 2 different media types, with 1 copy off-site. The ACSC explicitly recommends this pattern in its backup guidance for organisations.

What this looks like in practice:

Copy Media Location
Primary Production disk/server On-prem or cloud
Secondary External drive or NAS Same site, different device
Tertiary Cloud backup or tape Off-site / different region

Tool picks by budget:

  • $0–$10/month: Backblaze Personal Backup ($9/month per computer) for workstations. Duplicati (free) backing up to AWS S3 Glacier Deep Archive (~$1/TB/month).
  • $50–$100/month: Veeam Backup & Replication Free Edition for up to 10 VMs. Pair with Backblaze B2 ($6/TB/month) for off-site.
  • $150–$200/month: Veeam Community Edition + a Synology NAS (one-time ~$500) + cloud replication. Covers most 20-50 person businesses.

Critical step most businesses skip: Verify backup integrity. A backup that has never been restored is not a backup — it's a wish. Schedule a monthly restore test. Pull a random file and confirm it opens. Quarterly, do a full VM restore to a test environment.

This week: Count your backup copies. If you're at one (or zero), sign up for Backblaze or install Veeam today. Then run your first restore test — even if it's just one file.


Pillar 3: Data Loss Prevention (DLP)

DLP stops sensitive data from walking out the door — whether through accidental email attachment, cloud upload, or USB copy. For SMBs, full enterprise DLP is overkill. Start with classification and policy-based controls.

Microsoft Purview DLP (included in Microsoft 365 Business Premium, ~$30/user/month) covers:

  • Email and Teams message scanning for credit card numbers, tax file numbers, and custom sensitive data patterns.
  • Policy tips that warn users before they send sensitive content externally.
  • Endpoint DLP that blocks or audits file actions (copy to USB, upload to personal cloud).

For environments not on Microsoft 365:

  • Varonis (starts ~$1,500/year for small deployments) maps where sensitive data lives and flags overexposed permissions. Think of it as a data classifier that tells you exactly where your risk is.
  • Google Workspace: Native DLP is available in Enterprise editions. For Business Starter/Standard, use third-party add-ons like Cyberhaven or Nightfall.
  • Linux/open-source: OpenDLP (free) for scanning file systems for PCI/PII data patterns.

Lightweight DLP checklist:

  1. Inventory where sensitive data lives (customer records, financials, credentials).
  2. Classify data into tiers: Public, Internal, Confidential, Restricted.
  3. Apply labels (Microsoft Information Protection labels, or manual folder structures with access controls).
  4. Set policies: block Confidential+ from external email, restrict USB writes on endpoints, alert on bulk downloads.

Cost: Microsoft 365 Business Premium includes DLP at ~$30/user/month. OpenDLP is free. Varonis is a bigger investment but automates classification at scale.

This week: Run OpenDLP or Microsoft's built-in content explorer against your file servers. The results — where credit card numbers and tax IDs are stored in plain text — will sharpen your priorities fast.


Pillar 4: Access Controls — Least Privilege, Zero Trust

Overprivileged accounts are the #1 reason lateral movement works. An attacker phishes one user and inherits their permissions — which, in most SMBs, include local admin and access to every shared drive.

Implement these controls, in this order:

  1. Remove local admin rights. 80% of malware requires admin to install. Use standard user accounts for daily work. IT staff get admin only on dedicated admin workstations. (CIS Control 6.1)
  2. Enforce MFA everywhere. Phishing-resistant MFA (FIDO2 keys, ~$30-$70 each from Yubico) for admin and privileged accounts. Microsoft Authenticator push for standard users. No SMS-based MFA — it's phishable.
  3. Implement role-based access control (RBAC). Define roles (Finance, Operations, Sales, IT) and assign permissions to roles, not individuals. When someone changes roles, their access changes with them.
  4. Review access quarterly. Disable accounts within 24 hours of offboarding. Audit group memberships for accumulation ("privilege creep").
  5. Zero Trust network segmentation. Tailscale or ZeroTier (both free for small teams) creates identity-based network access. Users see only the services they're authorised for — not the entire network.

Cost: Yubico keys $30-70/user. Tailscale free for up to 100 devices. RBAC requires time, not money — define roles in Active Directory, Entra ID, or Google Workspace admin console.

This week: Audit who has local admin. On Windows, open Computer Management → Local Users and Groups → Administrators. Remove everyone who doesn't absolutely need it. Count on pushback — push through it.


FAQ

Is built-in encryption (BitLocker/FileVault) sufficient for compliance? Yes, for most frameworks including the Australian Privacy Act's "reasonable steps" requirement and GDPR's encryption recommendation. Both meet NIST SP 800-111 guidelines for storage encryption. Ensure recovery keys are backed up to Active Directory or your organisation's key management system — losing the key means losing the data.

How often should I test backup restores? Monthly for file-level restores. Quarterly for full system or VM restores. Document each test with the date, what was restored, and whether it succeeded. This documentation is evidence for auditors and insurers that your backup strategy is operational, not theoretical.

What's the minimum DLP for a 10-person business? Microsoft 365 Business Premium's built-in DLP policies are the best starting point — no additional cost if you're already on that plan. Enable the default policies for financial data and personal information. For non-Microsoft environments, start with OpenDLP scanning for PII, then block USB mass storage on endpoints via Group Policy.

Do I need Zero Trust if I'm a small business? The principles, yes — the enterprise product stack, no. Zero Trust means "never trust, always verify." For SMBs, that translates to MFA on everything, no local admin, identity-based network access (Tailscale), and limited lateral movement. You don't need a $50K Zscaler deployment to get 80% of the benefit.


Conclusion

Data protection isn't a project with a finish line — it's a set of habits. Encrypt every disk. Back up to three locations and test restores regularly. Classify your data and set policies that prevent it from leaking. Lock down access to the minimum each role requires. These four pillars, done consistently, stop the vast majority of breaches that hit SMBs.

Start with the quick-win checklist: encrypt endpoints today, count your backup copies tomorrow, scan for exposed sensitive data this week, and strip local admin from every account that doesn't need it. Each step takes hours, not months.

Need help prioritising? Visit lil.business/book for a free cybersecurity assessment tailored to your business size and industry.


References

  1. NIST SP 800-111 — Guide to Storage Encryption Technologies for End User Devices
  2. ACSC — Backup and Recovery Guidance for Organisations
  3. CIS Controls v8 — Data Protection Benchmarks
  4. ACSC — Essential Eight Maturity Model

Need to prove security trust?

Start with qualified triage. We verify authority, minimise access, define scope, and focus on evidence that helps with insurers, customers, tenders, boards, auditors, and AI governance reviewers.

Start Qualified Triage