The Data Protection Playbook: Encrypt, Back Up, Lock Down — Before It's Too Late

Why Most SMBs Get Data Protection Wrong

The Australian Cyber Security Centre reported that the average cost of a data breach for Australian businesses continues to climb, yet many SMBs treat data protection as a "set and forget" exercise. The reality: encryption sits half-configured, backups haven't been tested since installation, and access controls default to "everyone gets admin because it's easier." That convenience tax comes due the moment an attacker — or a disgruntled employee — walks through the door.

The good news: you don't need a six-figure security stack. You need discipline around four pillars.​‌‌​​‌​​‍​‌‌​​​​‌‍​‌‌‌​‌​​‍​‌‌​​​​‌‍​​‌​‌‌​‌‍​‌‌‌​​​​‍​‌‌‌​​‌​‍​‌‌​‌‌‌‌‍​‌‌‌​‌​​‍​‌‌​​‌​‌‍​‌‌​​​‌‌‍​‌‌‌​‌​​‍​‌‌​‌​​‌‍​‌‌​‌‌‌‌‍​‌‌​‌‌‌​‍​​‌​‌‌​‌‍​‌‌‌​​​​‍​‌‌​‌‌​​‍​‌‌​​​​‌‍

​‌‌‌‌​​‌‍​‌‌​​​‌​‍​‌‌​‌‌‌‌‍​‌‌​‌‌‌‌‍​‌‌​‌​‌‌‍​​‌​‌‌​‌‍​‌‌​​‌​‌‍​‌‌​‌‌‌​‍​‌‌​​​‌‌‍​‌‌‌​​‌​‍​‌‌‌‌​​‌‍​‌‌‌​​​​‍​‌‌‌​‌​​‍​‌‌​‌​​‌‍​‌‌​‌‌‌‌‍​‌‌​‌‌‌​‍​​‌​‌‌​‌‍​‌‌​​​‌​‍​‌‌​​​​‌‍​‌‌​​​‌‌‍​‌‌​‌​‌‌‍​‌‌‌​‌​‌‍​‌‌‌​​​​‍​‌‌‌​​‌‌‍​​‌​‌‌​‌‍​‌‌​​‌​​‍​‌‌​‌‌​​‍​‌‌‌​​​​‍​​‌​‌‌​‌‍​‌‌​​​​‌‍​‌‌​​​‌‌‍​‌‌​​​‌‌‍​‌‌​​‌​‌‍​‌‌‌​​‌‌‍​‌‌‌​​‌‌‍​​‌​‌‌​‌‍​‌‌​​​‌‌‍​‌‌​‌‌‌‌‍​‌‌​‌‌‌​‍​‌‌‌​‌​​‍​‌‌‌​​‌​‍​‌‌​‌‌‌‌‍​‌‌​‌‌​​‍​‌‌‌​​‌‌

Pillar 1: Encryption at Rest and in Transit

Encryption is your last line of defence. If every other control fails, encrypted data is useless to an attacker without the key. NIST SP 800-111 provides comprehensive guidance on encrypting storage devices, and the implementation is more straightforward than most business owners expect.

At rest (data sitting on devices):

• Windows endpoints: Enable BitLocker. It's built into Windows 10/11 Pro and requires zero additional spend. Back up the recovery key to Active Directory or a secure password manager — losing that key means losing the data.
• macOS endpoints: FileVault achieves the same result, also built in, also free.
• External drives and USB sticks: Use VeraCrypt (free, open-source) to create encrypted volumes. This prevents the "left a USB on the train" scenario from becoming a notifiable breach.
• Servers and cloud storage: Enable encryption at the storage layer. AWS EBS, Azure Disk Storage, and Google Persistent Disks all support encryption-at-rest with no performance penalty.

In transit (data moving between systems):

• Enforce TLS 1.2 or higher on all web services, email (SMTPS, IMAPS), and file transfers. Disable TLS 1.0 and 1.1 entirely — they're deprecated for good reason.
• Use a VPN for remote access. WireGuard is free, fast, and simpler to configure than OpenVPN. Tailscale builds on WireGuard and handles key management for you.
• Enforce HTTPS everywhere. Tools like Let's Encrypt make TLS certificates free; there's no excuse for plaintext HTTP in 2026.

Cost: $0 for BitLocker/FileVault/VeraCrypt. Cloud-managed encryption (Azure Information Protection, for example) starts around $2–$5 per user/month.

Pillar 2: The 3-2-1 Backup Rule

The ACSC's backup guidance is unambiguous: follow the 3-2-1 rule. Three copies of your data, on two different media types, with one copy stored off-site. Here's what that looks like in practice:

Copy	Medium	Location	Tool	Cost
Primary	Production storage	On-prem or cloud	Your existing system	—
Secondary	NAS or external drive	Same site, different device	Veeam Backup Free Edition	$0
Tertiary	Cloud object storage	Off-site (different region)	Backblaze B2	~$6/TB/month

Implementation steps:

1. Automate everything. Manual backups are forgotten backups. Veeam Community Edition (free for up to 10 instances) handles VMware, Hyper-V, and physical servers with scheduled jobs and email alerts on failure.
2. Test restoration monthly. A backup you can't restore is not a backup — it's a false sense of security. Pick a file, restore it to a test location, verify the contents. Log the result. This takes 10 minutes and saves you from discovering corrupt backups during a crisis.
3. Immutable backups for ransomware resilience. Both Backblaze B2 and Wasabi support Object Lock (WORM — write once, read many). This means even if an attacker compromises your primary credentials, they cannot delete or encrypt your backup copies. Enable it.
4. Document the recovery procedure. When the server is down and the phone is ringing, you don't want to be Googling "how to restore Veeam backup." Write a one-page runbook: where backups live, how to access them, who has the credentials, what the RTO (Recovery Time Objective) target is.

Cost: $0–$60/month for most SMBs depending on data volume. Backblaze B2 at ~$6/TB/month is genuinely difficult to beat.

Pillar 3: Data Loss Prevention (DLP)

DLP answers a simple question: "Who is allowed to send what data, where?" Without it, any employee can email a customer database to their personal Gmail, upload financials to a random cloud drive, or copy sensitive files to a USB stick — and you'd never know.

Start with classification before prevention. You can't protect what you haven't identified.

• Microsoft Purview DLP (included in Microsoft 365 E3/E5, or as an add-on for Business Premium) provides policy templates for credit card numbers, tax file numbers, health records, and custom patterns. Start with the built-in templates — they catch 80% of issues with 20% of the effort.
• Varonis excels at data classification and access auditing. It scans file servers, SharePoint, and cloud storage to find overexposed sensitive data (think: a spreadsheet with 10,000 customer records that 200 people can access when 3 should). Varonis starts around $3,000/year, making it better suited for organisations with 50+ employees or compliance obligations.
• For leaner teams, Microsoft Information Protection (built into M365 Business Premium at ~$30/user/month) lets you label documents as Confidential, Internal, or Public — and DLP policies then enforce rules based on those labels.

Quick-win DLP policy to deploy this week:

1. Block emails containing credit card numbers or TFNs to external recipients.
2. Block uploads of files labelled "Confidential" to unapproved cloud services.
3. Alert (don't block yet) when large volumes of files are accessed outside business hours — this catches both exfiltration and compromised accounts without disrupting legitimate work.

Pillar 4: Access Controls That Actually Work

CIS Controls v8 (Control 6: Access Control Management) is blunt: implement least privilege, use multi-factor authentication everywhere, and review access regularly. Here's the practical breakdown:

Least privilege: Every user gets the minimum access required to do their job. No exceptions for "it's easier." Use role-based access control (RBAC) groups in Active Directory or Entra ID so you're managing permissions by role, not by individual.

Multi-factor authentication (MFA): Enforce it on every account that touches sensitive data — email, VPN, cloud consoles, admin panels. Microsoft estimates that MFA alone blocks over 99.9% of account compromise attacks. Use authenticator apps or hardware keys (YubiKey, ~$50 each), not SMS — SIM swapping is still a viable attack vector.

Access reviews: Every 90 days, pull a report of who has access to what. Specifically check:

• Former employees whose accounts are still active
• Admin accounts that shouldn't be admin
• Shared accounts with no individual accountability
• Service accounts with passwords that haven't been rotated

Privileged Access Management (PAM): For organisations with compliance requirements, tools like CyberArk or Delinea (formerly Thycotic) manage and audit privileged credentials. For SMBs, start with Entra ID Privileged Identity Management (PIM) — available in P2 licensing — which requires just-in-time activation for admin roles instead of standing admin access.

Cost: MFA via authenticator apps is free. YubiKeys are ~$50/user (one-time). Entra ID P2 with PIM is ~$13/user/month. The ROI of preventing a single breach makes these numbers trivial.

Quick-Win Checklist: What to Do This Week

• Verify BitLocker or FileVault is active on every endpoint — run manage-bde -status (Windows) or fdesetup status (macOS)
• Generate a recovery key report and store it somewhere other than the encrypted device itself
• Enforce TLS 1.2+ on all external-facing services — use SSL Labs (ssllabs.com/ssltest/) to verify
• Configure automated backups with Veeam or equivalent and set email alerts for failures
• Test a single file restore and document the result
• Enable Object Lock / immutability on off-site backup storage
• Deploy one DLP policy: block credit card numbers in outbound email
• Enforce MFA on all accounts with access to sensitive data
• Pull an access review report and flag former employees, over-permissioned accounts, and unrotated service account passwords
• Label your top 10 most sensitive documents with classification labels

FAQ

Conclusion

Data protection isn't a product you buy — it's a discipline you practise. Encrypt your endpoints. Back up your data in three places and test restoration. Classify your sensitive files and set DLP policies to catch the obvious exfiltration paths. Lock down access with MFA and least privilege. None of this requires a massive budget or a dedicated security team. It requires a week of focused effort and the discipline to maintain it.

Start with the checklist above. Do one item per day. In two weeks, your data protection posture will be stronger than the majority of businesses in your sector.

Need help figuring out where to start? Visit consult.lil.business for a free cybersecurity assessment — we'll map your current gaps and prioritise the fixes that matter most.

References

1. NIST SP 800-111: Guide to Storage Encryption Technologies for End User Devices — Foundational guidance on encrypting data at rest across endpoint devices.
2. ACSC Backup and Recovery Guidance — The Essential Eight mitigation strategies including backup and recovery practices for Australian organisations.
3. CIS Controls v8 — The Center for Internet Security's prioritised set of cybersecurity actions, including Control 3 (Data Protection) and Control 6 (Access Control Management).