Data Loss Prevention: Why Access Controls Are Your First Line of Defence

Cameron Weymouth · March 5, 2026 · InterIntra

When most business owners think about data loss, they picture a hacker in a darkened room breaking through a firewall. But in our experience, the most common causes of significant data loss are far more mundane: an employee leaving without handing over files, a misconfigured cloud storage setting that makes documents publicly accessible, or a well-meaning staff member accidentally deleting a critical folder.

Data Loss Prevention (DLP) is the set of strategies, tools, and policies that prevent sensitive information from leaving your control, whether accidentally or maliciously. And the foundation of any DLP program is access control.

What Are Access Controls?

Access controls are the rules that determine who can see, edit, share, and delete specific information. They answer the question: "Does this person actually need access to this data to do their job?" Most businesses have far more permissive access than they realise, which means that when something goes wrong, the blast radius is larger than it needs to be.

The Principle of Least Privilege

The gold standard in access control is least privilege: every user, system, and application should have access to only the data and resources they need to perform their specific function, and nothing more. It sounds obvious, but implementing it properly requires deliberate design and ongoing maintenance as your team and systems evolve.

Where Australian Businesses Are Getting This Wrong

The most common problems we find during security assessments:

Microsoft 365 DLP Tools You Should Be Using

If you're on Microsoft 365 Business Premium or above, you have access to built-in DLP policy tools that can automatically detect when sensitive information (credit card numbers, tax file numbers, medical data) is being shared externally and block or alert on that action. They work well. Most businesses haven't turned them on.

The Practical Starting Point

You don't need a complex DLP program to make meaningful progress. Start with three things: audit who has access to what, implement MFA everywhere, and configure automatic offboarding processes so that when an employee leaves, their access is revoked immediately and completely. These three steps alone would prevent the majority of data loss incidents we respond to.
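As an added illustration (not InterIntra's own tooling), the sketch below runs the first pass of those three checks over two exports: an account list and a sharing report. The CSV column names, the `NEEDS` policy map, and the sample rows are all constructed assumptions; substitute whatever your identity and file-sharing platforms actually export.

```python
import csv
import io
from datetime import date

# Constructed sample exports; column names are assumptions, not a real product's format.
ACCOUNTS_CSV = """user,enabled,mfa,departed_on
alice,true,true,
bob,true,false,
carol,true,true,2026-02-20
dave,false,true,2026-01-10
"""
GRANTS_CSV = """resource,principal,permission
Finance/Payroll,alice,edit
Finance/Payroll,carol,edit
Finance/Payroll,anyone-with-link,view
Marketing/Brand,bob,edit
Finance/Payroll,bob,view
"""
# Assumed policy: who needs each resource to do their job.
NEEDS = {"Finance/Payroll": {"alice"}, "Marketing/Brand": {"bob"}}


def audit(accounts_csv, grants_csv, needs, today):
    """Return (kind, subject, detail) findings for the three starting-point checks."""
    accounts = {r["user"]: r for r in csv.DictReader(io.StringIO(accounts_csv))}

    def has_left(row):
        return bool(row["departed_on"]) and date.fromisoformat(row["departed_on"]) <= today

    findings = []
    for user, row in sorted(accounts.items()):
        if row["enabled"] != "true":
            continue  # disabled accounts cannot sign in
        if has_left(row):
            findings.append(("offboarding", user, "departed but account still enabled"))
        elif row["mfa"] != "true":
            findings.append(("mfa", user, "enabled account without MFA"))
    for g in csv.DictReader(io.StringIO(grants_csv)):
        who, res = g["principal"], g["resource"]
        if who not in accounts:  # anonymous link or external identity
            findings.append(("external", res, f"{g['permission']} granted to {who}"))
        elif has_left(accounts[who]):
            findings.append(("stale-grant", res, f"{who} has left but keeps {g['permission']}"))
        elif who not in needs.get(res, set()):
            findings.append(("least-privilege", res, f"{who} has {g['permission']} without a job need"))
    return findings


if __name__ == "__main__":
    for finding in audit(ACCOUNTS_CSV, GRANTS_CSV, NEEDS, date(2026, 3, 5)):
        print(*finding, sep=" | ")
```

Note that a disabled account can still hold grants, so the sharing report is checked separately from the account list: access that was never removed comes back the moment an account is re-enabled.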
