When IT security consultants talk about data leakage protection, they usually mean tools: endpoint DLP agents, cloud access security brokers (CASBs), email gateways with content inspection, network monitoring appliances. The total cost easily reaches six figures — before you hire the team to manage it all.
Most small and medium businesses look at that price tag and conclude that data leakage protection isn't for them.
They're wrong — but not in the way the security vendors want them to be.
The 80/20 of data leakage
The most common causes of data leakage in SMBs aren't sophisticated cyberattacks. They're mundane operational failures:
- An employee leaves, and their access is never revoked. They can still log in to the CRM, download customer lists, and access company email — weeks or months after departure.
- A cloud service is set to "anyone with the link" sharing. A Google Drive folder, a Notion workspace, a SharePoint site — one misconfigured sharing setting and your data is accessible to anyone who stumbles on the URL.
- Backups are unencrypted. The NAS in the server room has a complete copy of everything, and the disk encryption is "unknown" or "not configured."
- BYOD without policies. Employees access company email and files from personal phones without encryption, screen locks, or remote wipe capability. If a phone is lost, all that data goes with it.
- No data processing agreements. A third-party service processes your customer data, but there's no DPA in place. If they mishandle the data, you're liable — and you don't even know what data they have.
None of these require a DLP tool to fix. They require visibility.
What visibility means in practice
Visibility is knowing the answers to five questions:
- What services does my organisation use? Not just the ones IT manages, all of them. The project management tool the marketing team signed up for. The file-sharing service the warehouse uses. The messaging app everyone switched to during COVID.
- What data does each service hold? Customer names and addresses? Financial records? Employee health data? Classified business intelligence? The sensitivity of the data determines the severity of a leak.
- Who can access each service? Which roles, which people? Are there shared accounts? Are there accounts that haven't been used in months?
- What devices are used to access data? Company laptops with disk encryption and MDM? Personal phones with no security controls? Shared workstations in the warehouse?
- Where does data flow? Which services send data to other services? Are there cross-border transfers? Are backups properly configured?
Turning visibility into protection
Once you can answer these five questions, you can take targeted action — no enterprise budget required:
Encrypt what matters
If you know which devices access sensitive data, you can ensure those devices are encrypted. Full-disk encryption ships with every modern operating system (BitLocker on Windows, FileVault on macOS, LUKS on Linux), although BitLocker requires a Pro, Enterprise or Education edition of Windows; Home editions only get the more limited "Device encryption" on supported hardware. Two practical caveats: encryption only protects a device that is powered off or locked, so screen locks and short auto-lock timeouts matter as much as the encryption itself, and recovery keys must be escrowed somewhere you control (your MDM or identity directory), otherwise a forgotten password turns the protection into data loss. The hard part isn't enabling encryption; it's knowing which devices to prioritise.
Revoke what's unnecessary
If you know who accesses what, you can run periodic access reviews. Remove access for departed employees. Reduce access for people who changed roles. Eliminate shared accounts.
Access reviews don't cost money. They cost attention — and that attention is only possible when you have a clear picture of who has access to what.
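The access review described above is, at its core, a reconciliation: join the application's account export against the HR roster and flag whatever doesn't line up. The script below is an added example written for this page, not Readmodel's code or any vendor's. It works on two constructed CSV exports (a roster and a CRM account list for a fictional company) and the shared-account naming pattern and the 90-day staleness threshold are assumptions to adjust to your own conventions.

```python
import csv
import io
import re
from dataclasses import dataclass
from datetime import date, datetime, timedelta

# Constructed sample data for a fictional company; neither file is a real export.
HR_ROSTER_CSV = """email,status,left_on
alice@example.com,active,
bob@example.com,active,
carol@example.com,left,2024-01-15
dave@example.com,active,
"""

# Constructed in the shape most SaaS admin consoles export: one row per account.
CRM_ACCOUNTS_CSV = """email,enabled,last_login
alice@example.com,true,2024-05-02
carol@example.com,true,2024-03-30
dave@example.com,true,2023-09-10
warehouse-shared@example.com,true,2024-05-03
erin@example.com,true,2024-04-28
frank@example.com,false,2022-01-01
"""

AS_OF = date(2024, 5, 10)          # review date, fixed so the sample is reproducible
STALE_AFTER = timedelta(days=90)   # assumption: no login in 90 days counts as stale
# Local-part prefixes that usually mean a shared or generic login
# (assumption: adjust to your own naming conventions).
SHARED_PATTERN = re.compile(r"^(shared|admin|team|office|warehouse|info|sales)[-_.@]", re.I)


@dataclass(frozen=True)
class Finding:
    email: str
    issue: str      # "departed", "orphaned", "shared" or "stale"
    detail: str


def _parse_date(text):
    return datetime.strptime(text, "%Y-%m-%d").date() if text else None


def review_access(hr_csv, accounts_csv, today=AS_OF, stale_after=STALE_AFTER):
    """Reconcile an application's account export against the HR roster."""
    roster = {row["email"].lower(): row for row in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        email = acct["email"].strip().lower()
        if acct["enabled"].strip().lower() != "true":
            continue                                  # disabled accounts cannot be used
        if SHARED_PATTERN.match(email):
            findings.append(Finding(email, "shared", "generic login; no individual accountability"))
            continue                                  # shared logins have no roster entry by design
        person = roster.get(email)
        if person is None:
            findings.append(Finding(email, "orphaned", "enabled, but nobody in the HR roster owns it"))
        elif person["status"] == "left":
            findings.append(Finding(email, "departed", f"left on {person['left_on']}, still enabled"))
        last = _parse_date(acct["last_login"])
        if last is None or today - last > stale_after:
            findings.append(Finding(email, "stale", f"last login {acct['last_login'] or 'never'}"))
    return findings


def summarise(findings):
    """Count findings per issue type, e.g. {'departed': 1, 'stale': 1, ...}."""
    counts = {}
    for f in findings:
        counts[f.issue] = counts.get(f.issue, 0) + 1
    return counts


if __name__ == "__main__":
    for f in review_access(HR_ROSTER_CSV, CRM_ACCOUNTS_CSV):
        print(f"{f.issue:9} {f.email:32} {f.detail}")
```

Run against the sample, it reports carol (left in January, still enabled), dave (no login for eight months), the warehouse shared login, and erin (an enabled account nobody in HR owns); the disabled frank account is ignored because it is not an exposure. The same loop works for every service in your inventory once you have an export per service, which is exactly why the inventory comes first.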
Secure your backups
If you've documented your backup flows — where backups go, how often, whether they're encrypted, whether they're offsite — you can verify compliance with a proper backup strategy.
A 3-2-1 backup strategy (3 copies of the data, on 2 different media, with 1 copy offsite) is the industry baseline. But it only works if you've actually documented and verified it, and verified means a restore has been tested, not that the backup job reported success. For a data leakage programme specifically, backup copies need the same encryption and access control as the live data: an unencrypted offsite copy is just one more place the data can leak from.
Address vendor risks
If you've mapped your third-party services, you can check: is there a DPA in place? When does it expire? What's the vendor's lock-in level? Can you export your data?
A vendor without a DPA is a data leakage risk by definition — you don't have contractual control over what they do with your data.
Score and prioritise
Not all risks are equal. A service processing special category health data accessed from unencrypted BYOD devices is a higher risk than an internal project management tool used by three people.
Risk scoring lets you focus on what matters most. Classify each service by data sensitivity, access patterns, device security, and backup compliance. Address the high-risk items first.
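To make the scoring above concrete, here is an added example (written for this page, not Readmodel's scoring model) that covers both the 3-2-1 backup check from the previous section and the risk prioritisation described here. Each service is recorded with the sensitivity of the data it holds, its access pattern, the share of access coming from managed devices, its backup copies and whether a DPA exists; the score is the sensitivity of the most sensitive data multiplied by an exposure factor built from the gaps. The weights and the three sample services are assumptions, chosen to illustrate the mechanics rather than to prescribe a model.

```python
from dataclasses import dataclass

# Illustrative sensitivity levels (assumption: tune weights to your own risk appetite).
SENSITIVITY = {"public": 0, "internal": 1, "personal": 2, "financial": 3, "special_category": 4}


@dataclass(frozen=True)
class BackupCopy:
    medium: str        # "nas", "cloud", "tape", ...
    offsite: bool
    encrypted: bool


@dataclass(frozen=True)
class Service:
    name: str
    data: tuple                  # labels from SENSITIVITY held by this service
    primary_medium: str          # where the live copy lives
    backups: tuple               # BackupCopy entries, excluding the live copy
    users: int
    shared_accounts: int
    managed_device_share: float  # fraction of access from encrypted, managed devices
    dpa_in_place: bool


def three_two_one_gaps(svc):
    """Which of the 3-2-1 rules the documented backup flows fail."""
    gaps = []
    if 1 + len(svc.backups) < 3:                    # live copy counts as one of the three
        gaps.append("fewer than 3 copies")
    media = {svc.primary_medium} | {b.medium for b in svc.backups}
    if len(media) < 2:
        gaps.append("all copies on one medium")
    if not any(b.offsite for b in svc.backups):
        gaps.append("no offsite copy")
    return gaps


def meets_3_2_1(svc):
    return not three_two_one_gaps(svc)


def backup_gaps(svc):
    """3-2-1 gaps plus any copy that is itself a leakage point because it is unencrypted."""
    return three_two_one_gaps(svc) + [f"unencrypted copy on {b.medium}" for b in svc.backups if not b.encrypted]


def risk_score(svc):
    """Sensitivity of the most sensitive data held, scaled by how exposed it is."""
    sensitivity = max(SENSITIVITY[d] for d in svc.data)
    exposure = 1.0
    if svc.users > 20:
        exposure += 0.5                              # broad access
    if svc.shared_accounts:
        exposure += 1.0                              # no individual accountability
    exposure += 1.0 - svc.managed_device_share       # unmanaged / unencrypted endpoints
    exposure += 0.5 * len(backup_gaps(svc))
    if not svc.dpa_in_place:
        exposure += 1.0                              # no contractual control over the vendor
    return round(sensitivity * exposure, 1)


def build_register(services):
    """Risk register rows (name, score, reasons), highest score first."""
    rows = []
    for svc in services:
        reasons = backup_gaps(svc)
        if svc.shared_accounts:
            reasons.append(f"{svc.shared_accounts} shared account(s)")
        if svc.managed_device_share < 1.0:
            reasons.append(f"{round(100 * (1 - svc.managed_device_share))}% of access from unmanaged devices")
        if not svc.dpa_in_place:
            reasons.append("no DPA")
        rows.append((svc.name, risk_score(svc), reasons))
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample inventory for a fictional company (not real services).
SAMPLE_SERVICES = (
    Service("HealthPortal", ("personal", "special_category"), "cloud",
            (BackupCopy("nas", offsite=False, encrypted=False),), 5, 0, 0.2, False),
    Service("CRM", ("personal", "financial"), "cloud",
            (BackupCopy("cloud", offsite=True, encrypted=True),), 30, 1, 0.6, True),
    Service("ProjectTool", ("internal",), "cloud",
            (BackupCopy("cloud", offsite=True, encrypted=True),
             BackupCopy("nas", offsite=False, encrypted=True)), 3, 0, 1.0, True),
)

if __name__ == "__main__":
    for name, score, reasons in build_register(SAMPLE_SERVICES):
        print(f"{score:5}  {name:12}  {'; '.join(reasons) or 'no gaps'}")
```

On the sample inventory the health portal lands on top: only five people use it, but it holds special category data, most access comes from unmanaged devices, its single backup is an unencrypted NAS copy, and there is no DPA. The three-person project tool, with clean backups and managed devices, scores lowest. A multiplicative model like this is deliberate: a control gap on a service with no sensitive data should not outrank a smaller gap on one that holds health records.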
What a real data leakage protection programme looks like for an SMB
- Week 1: Document all services, using templates for common ones (Microsoft 365, Google Workspace, Salesforce, etc.).
- Week 2: Map users to services. Document which roles access which systems.
- Week 3: Assess devices. Document encryption, MDM, update policies.
- Week 4: Document data items with classifications, legal bases, and retention periods.
- Month 2: Map data transfers and backup flows. Assess backup strategy compliance.
- Month 3: Run your first access review. Fix the obvious gaps.
- Ongoing: Review quarterly. Update when services, people, or data change.
Total cost: your time plus a documentation tool. No DLP agents, no CASBs, no six-figure contracts.
The tool that makes this manageable
Readmodel® is built specifically for this approach. It provides 200+ service templates so you don't start from scratch, maps data flows with an interactive graph, automatically scores risks based on data sensitivity and security controls, checks backup strategy compliance against standards like 3-2-1, assesses device security posture, and generates AI-powered analysis reports.
The risk register shows you exactly where your data leakage risks are, sorted by severity, with actionable items. The ROPA export (the GDPR Article 30 record of processing activities) falls out of the same inventory as a byproduct.
You don't need an enterprise budget for effective data leakage protection. You need to know what you have. Everything else follows from that.