Lost or Stolen Device Response for Adelaide SMBs: When a Laptop Walks Out the Door, the Clock Starts on Your NDB Obligations
Your sales manager leaves a laptop in the back of a rideshare on the way home from a client dinner in the CBD. By morning it has not turned up. The laptop has their Microsoft 365 session, a cached copy of a client spreadsheet with names, phone numbers, and a few thousand email addresses, and probably a password manager extension that is still signed in. Someone in your business is now asking the questions that should have been asked six months ago: is the disk encrypted, can we wipe it remotely, do we have to tell the OAIC, and do we tell the affected clients? Lost or Stolen Device Response from Cyber by Exegesis is the engagement designed to answer those questions in hours, not days.
The problem
A lost or stolen device is the most common way an Australian SMB stumbles into the OAIC’s Notifiable Data Breaches scheme. The Privacy Act test is whether the unauthorised access or disclosure is likely to result in serious harm — and a laptop with a cached client list, a phone with SMS-based MFA codes, or a tablet with email and OneDrive sync is a textbook trigger. Most Adelaide SMBs do not have a written response sequence for this. They have a vague intention to “call IT”, a half-configured Microsoft 365 tenant where remote wipe has never been tested, and no one who has read up on the statutory clock under the OAIC NDB scheme.
The ACSC Small Business Cyber Security Guide makes the same point in plainer language: prepare before the incident. Know which devices hold what, know how to wipe them, know who you call. The post-incident scramble is where SMBs make the decisions they later regret — including failing to notify when they should have, or notifying badly when they did.
What Lost or Stolen Device Response does
Cyber by Exegesis runs a fixed-scope triage engagement for the first 24-72 hours after a device goes missing:
- Immediate remote wipe sequencing across your Microsoft 365 or Google Workspace tenant, including Intune or Endpoint Manager actions where available, and a check that the wipe actually fired.
- Account-recovery sequencing — we work through the signed-in services on the missing device in priority order (email, password manager, banking, CRM, file sync) and reset, revoke sessions, and rotate as we go.
- Password rotation for the user, with new MFA enrolment on a known-good device, and revocation of any app passwords or persistent tokens.
- Report-to-police support — we help you lodge the report with SA Police and capture the report number for your insurer and for the OAIC assessment.
- An OAIC NDB eligible-data-breach assessment — a short written record of what was on the device, whether the access is likely to result in serious harm, and whether notification to the OAIC and to affected individuals is required.
Cyber by Exegesis is the cyber consultancy line of Exegesis — the same company behind the DRMO live product. The scope here is response, not prevention; if you want the controls hardened before the next device walks, we will scope that separately.
How it works
- You call or message the engagement line. We confirm the device, the user, and the tenant within the first 30 minutes.
- We trigger the remote wipe and verify it, then begin account-recovery sequencing in priority order.
- We work alongside the user to rotate passwords and re-enrol MFA on a replacement device.
- We help you lodge the police report and capture the documentation your insurer will ask for.
- We deliver a written NDB assessment within 72 hours — what was on the device, our serious-harm reasoning, and a recommendation on OAIC and individual notification.
Why this matters in Adelaide
Adelaide’s SMB base skews toward defence-adjacent contractors, health and allied-health practices, and professional services firms working into Canberra and the eastern states. Those sectors hold exactly the kind of personal information — health records, security-cleared personnel data, client financials — where the OAIC’s serious-harm threshold is met quickly when a device goes missing. An Adelaide SMB with a tested response sequence answers the OAIC question correctly the first time; one without often discovers, weeks later, that they should have notified and did not.
Sources
- OAIC Notifiable Data Breaches scheme: https://www.oaic.gov.au/privacy/notifiable-data-breaches
- ACSC Small Business Cyber Security Guide: https://www.cyber.gov.au/protect-yourself/resources-protect-yourself/personal-cyber-security-guides
- ACSC Essential Eight Maturity Model (for the prevention work that follows): https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model
- Cyber by Exegesis — Lost or Stolen Device Response (waitlist)
Join the waitlist
We are sequencing engagements by tenant type (Microsoft 365 first, Google Workspace second) and by sector. Join the waitlist with your tenant, your sector, and roughly how many devices you issue — we will tell you when we are ready to take a brief from your business.