Data Protection & Management

Data is the lifeblood of any small business, encompassing customer details, sales records, and proprietary information. Unfortunately, approximately 80% of SMBs do not use active data protection, leaving them exposed to ransomware and theft that can result in business failure within six months of a breach.

1. Identify and Classify: Know What You Have

You cannot protect what you don’t know exists. The first step is to perform a data stocktake.

  • Create an Inventory: List every system, service, and device your business uses, including personal mobile devices (BYOD) and cloud services like Google Drive or iCloud.

  • Classify Your Data: Not all data is equal. Categorize information to prioritize your defense budget:

    • Highly Confidential: Passwords, credit card numbers, and health records whose disclosure could cripple the business.

    • Sensitive: Internal marketing plans or payroll records.

    • Internal Use Only: Standard business communications.

2. The Gold Standard: The 3-2-1 Backup Rule

Backups are your last line of defense. If ransomware encrypts your files, a reliable backup allows you to recover without paying a ransom.

  • Follow 3-2-1: Maintain three (3) copies of your data, on two (2) different types of media (e.g., cloud and local drive), with one (1) copy stored offsite or offline.

  • Automate and Air-Gap: Set backups to occur automatically and daily. Crucially, ensure at least one backup is disconnected (air-gapped) from the network; ransomware encrypts any backup drive or share it can reach, so a copy that is only connected during the backup job, then unplugged, is the one you can rely on.

  • Test Your Backups: Don't assume they work. 58% of backups fail when needed. Periodically attempt to restore a random file to ensure the process is valid.
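A scripted version of the "Test Your Backups" step above, added here as an example rather than taken from the guide. It assumes the backup is a tar archive plus a SHA-256 manifest written at backup time, and that tar, sha256sum, awk and mktemp are available; the spot check restores one randomly chosen file, and the full check restores everything and catches a truncated or corrupted archive that a single spot check might miss.

```shell
# Added example, not from the guide. Assumes: backups are a tar archive plus a
# SHA-256 manifest; tar, sha256sum, awk and mktemp are installed.

# make_backup SRC_DIR ARCHIVE MANIFEST
# Archives SRC_DIR and records "hash  ./path" for every file in it.
make_backup() {
  src=$1; archive=$2; manifest=$3
  (cd "$src" && find . -type f | sort | xargs sha256sum) > "$manifest" || return 1
  tar -cf "$archive" -C "$src" .
}

# pick_random_entry MANIFEST: prints one manifest line chosen uniformly
# (reservoir sampling, so it works for a manifest of any size)
pick_random_entry() {
  awk 'BEGIN { srand() } { if (rand() * NR < 1) pick = $0 } END { print pick }' "$1"
}

# restore_one ARCHIVE "HASH  ./PATH": restores a single file into a scratch
# directory and compares its hash. Returns 0 on match, 1 otherwise.
restore_one() {
  archive=$1; expected=${2%% *}; member=${2#*  }
  scratch=$(mktemp -d) || return 1
  status=1
  if tar -xf "$archive" -C "$scratch" "$member" 2>/dev/null; then
    actual=$(sha256sum "$scratch/$member" | cut -d' ' -f1)
    [ "$actual" = "$expected" ] && status=0
  fi
  rm -rf "$scratch"
  return $status
}

# restore_test ARCHIVE MANIFEST: the periodic spot check the guide asks for
restore_test() {
  restore_one "$1" "$(pick_random_entry "$2")"
}

# full_restore_test ARCHIVE MANIFEST: restore everything and verify every hash
full_restore_test() {
  mf=$(cd "$(dirname "$2")" && pwd)/$(basename "$2")
  scratch=$(mktemp -d) || return 1
  status=1
  if tar -xf "$1" -C "$scratch" 2>/dev/null &&
     (cd "$scratch" && sha256sum -c "$mf" >/dev/null 2>&1); then
    status=0
  fi
  rm -rf "$scratch"
  return $status
}
```

Run restore_test on a schedule against the offline copy and alert on a non-zero exit status, so a backup that has silently stopped working is noticed before it is needed.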

3. Encryption: Protecting Data "On the Move"

Encryption scrambles your data into a format that is unreadable without a key, ensuring that even if a device is stolen, the information remains secure.

  • Full-Disk Encryption: Use built-in tools like Windows BitLocker or Apple FileVault to protect every business laptop and mobile device.

  • Secure Removable Media: Encrypt USB sticks and portable hard drives, as these are high-risk targets for physical loss.

  • Email and Transfer: Use encrypted file-sharing methods or email encryption when sending sensitive documents outside your company.

4. Access Control: The Principle of Least Privilege

Most employees do not need access to all business data. Restricting access minimizes the damage if a single account is compromised.

  • Need-to-Know Basis: Grant employees the bare minimum permissions required to perform their roles.

  • Manage Administrative Rights: Users should work on standard accounts for daily tasks; administrative accounts should only be used for system changes.

  • Offboarding Protocol: When an employee leaves the company or a provider relationship ends, revoke all access and delete their accounts immediately.

5. Secure Disposal: The End of the Lifecycle

Emptying the "recycle bin" does not permanently delete data: the file contents stay on the disk, recoverable with freely available tools, until they are overwritten.

  • Factory Resets: Perform a secure wipe or factory reset on all business devices before selling, trading, or disposing of them to ensure strangers cannot access old files.

  • Physical Destruction: If a drive or media (like a CD or USB) is no longer usable, have it shredded or physically destroyed.

Data Protection Checklist

  • [ ] Asset inventory completed, including mobile devices and cloud apps.

  • [ ] 3-2-1 backup strategy implemented with at least one offline copy.

  • [ ] Backup restoration tested within the last 30 days.

  • [ ] Full-disk encryption enabled on all company laptops and phones.

  • [ ] Employee access restricted using the "least privilege" model.

  • [ ] Secure disposal policy in place for retired hardware.

Next Step: Protecting the data is only half the battle. Your employees must be trained to recognize the threats that try to bypass these controls. See Guide 3: Workforce Awareness and Culture.