Backup and Ransomware Preparedness for Adelaide SMBs: Know You Can Restore Before You Have to Tell the OAIC

Your bookkeeper calls on a Monday morning to say the shared drive is full of files with strange extensions and a README.txt demanding payment. Your file server is encrypted. Your accounting system is locked. Somewhere in the back of your head you remember that the backup runs nightly to a NAS sitting two metres from the server — and the attacker had domain admin for at least a weekend. Now you have two problems: a restore you are not sure will work, and a data breach you may have to notify to the OAIC. Backup and Ransomware Preparedness from Cyber by Exegesis is the engagement that sorts both before the Monday morning call.

The problem

The ACSC Small Business Cyber Security Guide is blunt: backups are the single control that decides whether a ransomware incident is a bad week or an extinction event. Most Adelaide SMBs have a backup. Very few have a backup chain that is frequent enough, immutable, separated off-site, and — the part almost nobody tests — actually restore-tested end-to-end. The NAS in the server cupboard does not count if the attacker had time to encrypt it. The cloud sync does not count if it propagated the encrypted files. The tape rotation does not count if no one has tried to read a tape in eighteen months.

The second problem is the one most SMBs underestimate. A ransomware incident where personal information was accessed or exfiltrated is very likely an eligible data breach under the OAIC Notifiable Data Breaches scheme. That triggers a 30-day assessment clock, notification obligations to the OAIC, and notification to affected individuals. You cannot run that process competently from a standing start at 8am on a Monday. It has to be sketched out before the incident.

What Backup and Ransomware Preparedness does

Cyber by Exegesis runs a fixed-scope engagement that reviews your backup chain and your ransomware response plan together, because in practice they are the same problem.

Cyber by Exegesis is the cyber consultancy line of Exegesis — the same company behind the DRMO live product. This engagement is preventive and preparatory. We are not your MSP and we are not your incident responder on the day; we make sure that when the day comes, your MSP and your team know what to do.

How it works

  1. We confirm the engagement scope on a short call, identify the in-scope systems (file shares, line-of-business applications, email tenant, accounting platform), and request read-only access to your backup console.
  2. We pull the current backup configuration and retention state into a baseline report and identify the single highest-risk gap.
  3. We run a documented restore test on one critical system together with your IT provider, measuring actual recovery time rather than the vendor’s marketing number.
  4. We draft the ransomware response plan, including the OAIC NDB assessment decision tree for the data-breach fork.
  5. We run the 90-minute tabletop exercise with your leadership team and leave you with the written report and the 90-day review window.

Why this matters in Adelaide

Adelaide’s SMB base skews toward professional services, healthcare, manufacturing, and defence-adjacent suppliers — sectors where the data on the file server is often health information, client records, or contractually sensitive material. That changes the OAIC NDB calculus: a ransomware event that touches a health-services SMB in Adelaide is almost always an eligible data breach, regardless of turnover thresholds, because health information is in scope under the Privacy Act. An Adelaide SMB that has restore-tested its backups and pre-drafted its NDB assessment process turns a potential public notification incident into a private operational one. That is the difference this engagement is designed to make.

Join the waitlist

We are sequencing engagements by sector and by backup platform. Join the waitlist with your sector, current backup product, and approximate seat count — we will tell you when we are ready to take a brief from your business.