Backup and Ransomware Preparedness for Australian SMBs: Know You Can Restore Before You Have To
It’s a Tuesday morning. Your office manager rings to say nobody can open any files: every document has a strange new extension, and there’s a text file on the desktop with a Bitcoin wallet address and a deadline. Your IT person says the backups are “running” but has never actually restored from them. You don’t know whether your customer database is recoverable, whether the attacker also exfiltrated data (which could make this a notifiable data breach you must report to the OAIC), or how long your business can operate without its files. Backup and Ransomware Preparedness from Cyber by Exegesis is the engagement designed to answer those questions before the ransom note arrives.
The problem
Ransomware is consistently among the highest-impact cyber threats facing Australian SMBs. The ACSC Small Business Cyber Security Guide is direct about the control that matters most once an attacker is already inside: regular, tested backups that cannot be deleted or encrypted from a compromised admin account. The problem is that most SMBs have a backup product but not a backup chain — they have never confirmed that the backups are immutable, separated off-site, and actually restorable inside a useful timeframe. A backup that the same admin credentials can delete is, to a ransomware operator, just one more target to hit before encryption starts.
The second problem is the response plan. When ransomware hits, decisions need to be made in hours, not days: do you isolate the network, when do you call your insurer, who decides whether to engage a negotiator, and at what point does the OAIC need to be notified under the Notifiable Data Breaches scheme because personal information was likely accessed or disclosed and serious harm to the people it concerns is likely? The scheme also expects a suspected breach to be assessed within 30 days, so “we’ll look at it after recovery” is not an option. Most Australian SMBs have never written these decisions down, let alone walked through them as a team.
What Backup and Ransomware Preparedness does
Cyber by Exegesis runs a fixed-scope engagement targeting ransomware survivability:
- A review of your backup chain against four criteria from the ACSC Small Business Cyber Security Guide: frequency (how often), immutability (can an attacker with admin credentials delete or encrypt the backup), off-site separation (is at least one copy physically and logically isolated), and restore-tested (have you actually restored a representative system end-to-end recently).
- A test restore of one critical system, timed and documented, so you have a real recovery-time number instead of a vendor brochure number.
- A written ransomware response plan covering isolation, internal communications, insurer notification, OAIC assessment under the Notifiable Data Breaches scheme, and the decision-making chain for engaging external help.
- A 90-minute tabletop exercise walking your leadership team through a realistic ransomware scenario, with the response plan in hand, so the first time you use it is not during a live incident.
- A short written report with what was tested, what was found, and a 90-day review window.
Cyber by Exegesis is the cyber consultancy line of Exegesis — the same company behind the DRMO live product. Our scope here is preparedness, not incident response. We set the controls and rehearse the plan; if the worst happens later, you walk into it with a tested chain and a team that has already had the hard conversations.
How it works
- We confirm scope on a short call, identify your critical systems (typically file storage, finance, email, and one line-of-business application), and request read-only access to your backup tooling.
- We pull the current backup configuration into a baseline report against the four ACSC criteria and flag the gaps.
- We run a timed test restore of one critical system into an isolated environment and document the actual recovery time.
- We draft the ransomware response plan with you, including the OAIC notification decision tree, and confirm escalation contacts (insurer, IT provider, legal).
- We run the 90-minute tabletop with your leadership team and leave you with the written report, the response plan, and the 90-day review window.
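The timed test restore in the steps above is the one step that produces a hard number, and it is only worth the number if every restored file is verified against hashes recorded when the backup was taken. The script below is an added example written for this page, not Cyber by Exegesis tooling. It assumes a backup job that writes a tar.gz archive plus a SHA-256 manifest beside it; the “finance share” it drills on is constructed inline. The tamper mode rewrites the archive after the manifest was recorded, standing in for an attacker who reached the backup store with admin credentials, and shows why the manifest belongs on the immutable copy rather than next to the archive.

```python
"""Timed restore drill with integrity verification.

Added example for this page, not Cyber by Exegesis tooling. It assumes a
backup job that writes a tar.gz archive plus a SHA-256 manifest captured at
backup time, and builds a small constructed "finance share" to drill on.
"""
import hashlib
import json
import os
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative POSIX path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def write_archive(source: Path, archive: Path) -> None:
    """Pack every file under source into archive (file members only)."""
    with tarfile.open(str(archive), "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                tar.add(str(p), arcname=p.relative_to(source).as_posix())


def manifest_path(archive: Path) -> Path:
    return archive.with_name(archive.name + ".manifest.json")


def take_backup(source: Path, archive: Path) -> dict:
    """Backup job: archive plus a manifest recorded at backup time. In
    production the manifest belongs on the immutable/off-site copy so an
    attacker who can rewrite the archive cannot also rewrite the hashes."""
    manifest = build_manifest(source)
    archive.parent.mkdir(parents=True, exist_ok=True)
    write_archive(source, archive)
    manifest_path(archive).write_text(json.dumps(manifest, indent=1))
    return manifest


def restore_drill(archive: Path, isolated_dir: Path) -> dict:
    """Restore into an isolated directory, verify every file against the
    manifest and time the whole thing. The returned dict is what the
    engagement report wants: measured recovery time plus pass/fail."""
    manifest = json.loads(manifest_path(archive).read_text())
    isolated_dir.mkdir(parents=True, exist_ok=True)
    # The 'data' extraction filter (Python 3.12, backported to 3.8.17+)
    # refuses absolute paths and '..' members, so a poisoned archive cannot
    # write outside the restore directory during the drill.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    start = time.monotonic()
    with tarfile.open(str(archive), "r:gz") as tar:
        tar.extractall(str(isolated_dir), **extract_opts)
    restored = build_manifest(isolated_dir)
    elapsed = time.monotonic() - start

    missing = sorted(set(manifest) - set(restored))
    corrupted = sorted(p for p in manifest
                       if p in restored and restored[p] != manifest[p])
    unexpected = sorted(set(restored) - set(manifest))
    return {
        "files_expected": len(manifest),
        "files_verified": len(manifest) - len(missing) - len(corrupted),
        "missing": missing,
        "corrupted": corrupted,
        "unexpected": unexpected,
        "recovery_seconds": round(elapsed, 3),
        "restore_tested": not missing and not corrupted,
    }


def run_sample_drill(tamper_backup: bool = False) -> dict:
    """Constructed scenario: back up a small finance share and restore it.
    With tamper_backup=True the archive is rewritten after the manifest was
    recorded, standing in for an attacker who reached the backup store with
    admin credentials and encrypted a file in it; the drill must flag it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        share = root / "finance_share"
        (share / "ledger").mkdir(parents=True)
        (share / "ledger" / "2024-Q1.csv").write_text("invoice,amount\n1001,4200.00\n")
        (share / "ledger" / "2024-Q2.csv").write_text("invoice,amount\n1002,1870.50\n")
        (share / "payroll.xlsx").write_bytes(os.urandom(4096))  # constructed blob
        archive = root / "backups" / "finance_share.tar.gz"
        take_backup(share, archive)
        if tamper_backup:
            (share / "ledger" / "2024-Q1.csv").write_text("ENCRYPTED BY RANSOMWARE\n")
            write_archive(share, archive)  # archive overwritten, manifest untouched
        return restore_drill(archive, root / "isolated_restore")


if __name__ == "__main__":
    print(json.dumps(run_sample_drill(), indent=1))
    print(json.dumps(run_sample_drill(tamper_backup=True), indent=1))
```

Point it at a real backup by calling `restore_drill()` with your archive and an empty directory on an isolated host; `recovery_seconds` is the number to put in the report, and `restore_tested` is only true when every file came back with the hash it had when the backup was taken. Wall-clock time for a real system will be dominated by pulling the archive from off-site storage, so run the drill from where you would actually restore, not from the backup server itself.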
Why this matters in Australia
Australian SMBs sit inside a specific regulatory and threat environment. The Notifiable Data Breaches scheme, Part IIIC of the Privacy Act 1988, requires entities covered by the Act to notify the OAIC and affected individuals of eligible data breaches, and modern ransomware incidents routinely involve exfiltration of personal information, which can make the incident an eligible breach. At the same time, the ACSC continues to identify ransomware as a top-impact threat for Australian businesses. An SMB anywhere in Australia, from a Brisbane manufacturer to a regional accounting practice in Tasmania, needs the same two things: a backup chain it has actually restored from, and a response plan it has actually walked through. Neither requires expensive tooling. Both require the discipline to test before the incident, not during it.
Sources
- ACSC Small Business Cyber Security Guide: https://www.cyber.gov.au/protect-yourself/resources-protect-yourself/personal-cyber-security-guides
- ACSC Essential Eight Maturity Model (regular backups are one of the eight mitigation strategies): https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model
- OAIC Notifiable Data Breaches scheme: https://www.oaic.gov.au/privacy/notifiable-data-breaches
- Cyber by Exegesis — Backup and Ransomware Preparedness (waitlist)
Join the waitlist
We are sequencing engagements by sector and by backup platform. Join the waitlist with your sector, approximate headcount, and current backup tooling — we will tell you when we are ready to take a brief from your business.