Backup and Ransomware Preparedness for Australian SMBs: Know You Can Restore — Before You Need To

Your office manager comes in on a Monday and nothing opens. File shares are encrypted, the line-of-business app throws errors, and there is a text file on every desktop with a payment demand and a countdown. You call your IT provider. They say there are backups. Nobody can tell you, with confidence, when those backups were last tested, whether the attacker reached them too, or whether the data inside them includes customer records you are now obligated to think about under the OAIC Notifiable Data Breaches scheme. Backup and Ransomware Preparedness from Cyber by Exegesis is the engagement designed to answer those questions before Monday morning.

The problem

Most Australian SMBs believe they have backups. Far fewer have backups that are frequent enough, immutable enough, separated off-site, and — most importantly — restore-tested against a realistic ransomware scenario. The ACSC Small Business Cyber Security Guide is explicit that backups are only useful if they are kept disconnected from the systems they protect and if a restore has actually been rehearsed.

The second problem is a legal one. A ransomware incident is not only an availability event. If the attacker exfiltrated personal information before encrypting — which is now the default playbook — the SMB is dealing with an eligible data breach under the OAIC NDB scheme, and the clock on assessment and notification to the OAIC and affected individuals has already started. SMBs without a rehearsed response plan tend to discover this obligation late, under pressure, while also trying to restore operations.

What Backup and Ransomware Preparedness does

Cyber by Exegesis runs a fixed-scope engagement that addresses both the technical and the regulatory dimensions.

Cyber by Exegesis is the cyber consultancy line of Exegesis — the same company behind the DRMO live product. Our scope here is preparedness. We set the controls and rehearse the plan; we are not your incident-response retainer.

How it works

  1. We confirm scope on a short call, identify the critical systems and the data classes they hold, and request read-only access to your backup console and a current asset list.
  2. We pull a baseline of the backup chain — frequency, immutability, off-site copy, last successful restore — and map it against ACSC guidance.
  3. We pick one critical system with you and run a documented restore test into an isolated environment, timing each step.
  4. We draft the ransomware response plan and the OAIC NDB scheme readiness notes, sized to your business.
  5. We run the 90-minute tabletop exercise and leave you with the written report and a 90-day review window.
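As an added illustration of what the baseline in step 2 actually checks, here is a small Python script that scores an inventory of critical systems against the four properties named above (backup age versus the agreed interval, immutability, an off-site copy, and a recent documented restore test) and separates the systems you can claim to restore with evidence from the ones you cannot. This is example code written for this page, not Cyber by Exegesis's tooling; the 90-day restore-test window, the field names, and the three-system inventory are all constructed assumptions.

```python
"""Backup-chain baseline check (added example, not Cyber by Exegesis code).

Reads an inventory of critical systems and what the backup console reports
for each, then flags the gaps step 2 of the engagement looks for. All input
below is constructed for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Fixed "now" so the example is reproducible; a real check uses datetime.now(timezone.utc)
NOW = datetime(2024, 6, 3, 9, 0, tzinfo=timezone.utc)
RESTORE_TEST_MAX_DAYS = 90  # assumed policy: a restore must have been rehearsed within 90 days


@dataclass
class BackupState:
    system: str
    data_classes: list[str]                 # "customer_pii" raises severity
    interval_hours: int                     # agreed backup frequency
    last_success: Optional[datetime]        # last successful backup job
    immutable: bool                         # copy cannot be altered or deleted within retention
    offsite_copy: bool                      # copy held outside the production environment
    last_restore_test: Optional[datetime]   # last documented, timed restore


@dataclass
class Finding:
    system: str
    issue: str
    severity: str   # "high" or "medium"


def assess(state: BackupState, now: datetime = NOW) -> list[Finding]:
    """Gaps for one system. Anything holding personal information is 'high'
    on every gap, because an incident there is also a potential eligible
    data breach, not only an availability problem."""
    sev = "high" if "customer_pii" in state.data_classes else "medium"
    out: list[Finding] = []

    if state.last_success is None:
        out.append(Finding(state.system, "no successful backup recorded", "high"))
    else:
        age_h = (now - state.last_success).total_seconds() / 3600
        if age_h > state.interval_hours:
            out.append(Finding(state.system,
                               f"last backup {age_h:.0f}h old, exceeds {state.interval_hours}h interval", sev))
    if not state.immutable:
        out.append(Finding(state.system, "backup copy is not immutable", sev))
    if not state.offsite_copy:
        out.append(Finding(state.system, "no off-site copy", sev))
    if state.last_restore_test is None:
        # An untested backup is unproven regardless of what data it holds.
        out.append(Finding(state.system, "restore never tested", "high"))
    elif (now - state.last_restore_test).days > RESTORE_TEST_MAX_DAYS:
        out.append(Finding(state.system,
                           f"last restore test {(now - state.last_restore_test).days}d ago, "
                           f"exceeds {RESTORE_TEST_MAX_DAYS}d", sev))
    return out


def baseline(states: list[BackupState], now: datetime = NOW) -> dict[str, list[Finding]]:
    """Map every system to its findings; an empty list means the chain passed."""
    return {s.system: assess(s, now) for s in states}


def restorable(states: list[BackupState], now: datetime = NOW) -> list[str]:
    """Systems you can currently claim to restore with evidence."""
    return [name for name, f in baseline(states, now).items() if not f]


def report(states: list[BackupState], now: datetime = NOW) -> list[str]:
    """Findings as lines, high severity first, for the written report."""
    rows = [f for fs in baseline(states, now).values() for f in fs]
    rows.sort(key=lambda f: (f.severity != "high", f.system))
    return [f"[{f.severity.upper()}] {f.system}: {f.issue}" for f in rows]


# Constructed inventory, the kind of thing a backup console and asset list yield.
SAMPLE_INVENTORY = [
    BackupState("fileshare", ["customer_pii"], 24, NOW - timedelta(hours=6),
                immutable=False, offsite_copy=True,
                last_restore_test=NOW - timedelta(days=200)),
    BackupState("lob-app-db", ["customer_pii"], 4, NOW - timedelta(hours=30),
                immutable=True, offsite_copy=True, last_restore_test=None),
    BackupState("intranet-wiki", ["internal"], 24, NOW - timedelta(hours=2),
                immutable=True, offsite_copy=True,
                last_restore_test=NOW - timedelta(days=30)),
]

if __name__ == "__main__":
    for line in report(SAMPLE_INVENTORY):
        print(line)
    print("restorable with evidence:", restorable(SAMPLE_INVENTORY))
```

The point of the `restorable` list is the one the page makes: a system only belongs on it when every property passes, including a restore that was actually rehearsed recently. In the constructed inventory only the low-value wiki qualifies, while both systems holding customer records fail, which is the picture the engagement is designed to surface before an incident rather than during one.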

Why this matters in Australia

Ransomware affecting Australian SMBs is no longer a pure encryption event — exfiltration first, encryption second is the standard pattern, which means almost every ransomware incident at an SMB holding customer PII is also a candidate eligible data breach under the OAIC NDB scheme. Australian SMBs over the $3M turnover threshold, and those in covered sectors regardless of turnover, are directly in scope. Knowing you can restore is half the answer; knowing what you must tell the OAIC and your customers, and when, is the other half. Rehearsing both before an incident is materially cheaper than discovering them during one.

Join the waitlist

Join the waitlist — first access when Cyber by Exegesis opens Backup and Ransomware Preparedness for Australian SMBs

We are sequencing engagements by sector and by backup platform. Join the waitlist with your sector, approximate headcount, and current backup product — we will tell you when we are ready to take a brief from your business.