Lost or Stolen Device Response for Brisbane SMBs: Contain the Data Breach Before It Becomes a Notifiable One
Your sales manager rings from a cafe in Fortitude Valley. Their work laptop was in a bag next to their chair; now it isn’t. They were logged into email, the CRM, and the shared drive. You don’t know if the disk was encrypted. You don’t know if the session tokens are still valid. You don’t know whether what was on that device is enough to trigger an OAIC notification — and you have about an hour before that question gets harder, not easier. Lost or Stolen Device Response from Cyber by Exegesis is the engagement that walks a Brisbane SMB through the next four hours, methodically.
The problem
A lost or stolen device is not, by itself, a data breach. It becomes one — and potentially an eligible data breach under the OAIC Notifiable Data Breaches scheme — depending on what was on it, what credentials it held, and how quickly you can revoke access. Most Brisbane SMBs discover at the worst possible moment that:
- They don’t know whether the device had full-disk encryption enabled.
- They don’t know which accounts were signed in, or whether mobile device management can wipe them remotely.
- Nobody has rotated the user’s passwords or revoked their active sessions, so the attacker (if there is one) still has the keys.
- The 30-day OAIC assessment clock has quietly started, and nobody on the team has read Part IIIC of the Privacy Act 1988.
The ACSC Small Business Cyber Security Guide treats device loss as an operational event with a clear sequence of steps. The trouble is that the sequence has to be executed under pressure, by someone who has done it before.
What Lost or Stolen Device Response does
Cyber by Exegesis runs a fixed-scope triage engagement when a phone, laptop, or tablet has been lost or stolen:
- A remote wipe attempt across whatever MDM, Microsoft Intune, Google Workspace, or Apple Business Manager tooling you have — and an honest assessment of what we can and can’t reach.
- Account-recovery sequencing for the affected user: session revocation across Microsoft 365 or Google Workspace, OAuth token review, MFA re-enrolment, and a password rotation across the priority accounts in the right order.
- A data-exposure assessment — what was likely on the device, whether disk encryption was active, and whether the exposure is likely to meet the OAIC threshold for an eligible data breach.
- Report-to-police and insurance support — we draft the incident summary your insurer and the Queensland Police Service will want, in the format they want it.
- A written record of what we did, what we couldn’t do, and what you need to monitor over the next 30 days.
Cyber by Exegesis is the cyber consultancy line of Exegesis — the same company behind the DRMO live product. This engagement is incident triage, not legal advice; if the exposure looks notifiable, we will tell you, and we will point you at the OAIC’s process for the assessment your privacy officer or external counsel needs to run.
How it works
- You call or message the engagement line. We confirm scope on the spot — what device, what tenant, what data classes were likely on it — and start the clock.
- We connect to your Microsoft 365 or Google Workspace tenant under read-write admin scope and trigger the remote wipe, session revocations, and MFA resets in sequence.
- We rotate the affected user’s passwords across the priority accounts (email, identity provider, finance, CRM) and audit for any forwarding rules or OAuth grants the attacker may have already established.
- We sit with you for 30 minutes to walk through the OAIC NDB threshold question and draft the police and insurance reports.
- We hand over the written record with a 30-day monitoring checklist and the conditions under which you should re-engage us or escalate to formal incident response.
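To make the Microsoft 365 leg of the sequence above concrete, here is an added PowerShell example. It is not Cyber by Exegesis' tooling and not from this page; it assumes the Microsoft Graph PowerShell SDK and the ExchangeOnlineManagement module are installed, and that the signed-in administrator holds a role permitted to wipe Intune devices, reset passwords and manage authentication methods. The UPN and device name are placeholders. It rotates the password before revoking sessions, so a still-valid password cannot be used to sign in again and obtain fresh tokens after the revocation. Google Workspace is not covered.

```powershell
function Invoke-DeviceLossContainment {
    param(
        [Parameter(Mandatory)][string]$Upn,   # affected user, e.g. 'sales.manager@example.com.au' (placeholder)
        [string]$LostDeviceName               # Intune device name; omit to wipe every device enrolled to the user
    )

    # Scopes cover wipe, password reset, session revocation, MFA methods and OAuth grant review.
    Connect-MgGraph -Scopes 'User.ReadWrite.All',
                            'Directory.AccessAsUser.All',
                            'DeviceManagementManagedDevices.PrivilegedOperations.All',
                            'DeviceManagementManagedDevices.Read.All',
                            'UserAuthenticationMethod.ReadWrite.All',
                            'DelegatedPermissionGrant.ReadWrite.All',
                            'Application.Read.All' -NoWelcome
    Connect-ExchangeOnline -ShowBanner:$false

    $user = Get-MgUser -UserId $Upn
    $log  = [System.Collections.Generic.List[string]]::new()   # becomes the written record

    # 1. Remote wipe through Intune. Only a device that checks in will act on it, so the
    #    last sync time is recorded: a device that never syncs again was probably not
    #    reached, and that feeds the data-exposure assessment.
    $devices = Get-MgDeviceManagementManagedDevice -Filter "userPrincipalName eq '$Upn'" -All
    if ($LostDeviceName) { $devices = $devices | Where-Object DeviceName -eq $LostDeviceName }
    foreach ($d in $devices) {
        Invoke-MgWipeDeviceManagementManagedDevice -ManagedDeviceId $d.Id
        $log.Add("WIPE issued: $($d.DeviceName) ($($d.OperatingSystem)), last sync $($d.LastSyncDateTime)")
    }

    # 2. Rotate the password first. A one-time value from a CSPRNG, forced to change at next sign-in.
    $bytes = [byte[]]::new(24)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $tempPassword = [Convert]::ToBase64String($bytes)
    Update-MgUser -UserId $user.Id -PasswordProfile @{ Password = $tempPassword; ForceChangePasswordNextSignIn = $true }
    $log.Add('PASSWORD rotated (temporary credential given to the user out of band)')

    # 3. Invalidate every refresh token and session issued to the user.
    $null = Revoke-MgUserSignInSession -UserId $user.Id
    $log.Add('SESSIONS revoked')

    # 4. MFA re-enrolment: remove authenticator and phone methods that may live on the lost
    #    device. Any other method type is listed for manual review.
    foreach ($m in Get-MgUserAuthenticationMethod -UserId $user.Id) {
        switch ($m.AdditionalProperties['@odata.type']) {
            '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod' {
                Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $user.Id -MicrosoftAuthenticatorAuthenticationMethodId $m.Id
                $log.Add("MFA removed: Authenticator $($m.Id)") }
            '#microsoft.graph.phoneAuthenticationMethod' {
                Remove-MgUserAuthenticationPhoneMethod -UserId $user.Id -PhoneAuthenticationMethodId $m.Id
                $log.Add("MFA removed: phone $($m.Id)") }
            '#microsoft.graph.passwordAuthenticationMethod' { }   # cannot be removed
            default { $log.Add("MFA review manually: $($m.AdditionalProperties['@odata.type']) $($m.Id)") }
        }
    }

    # 5. Mail persistence audit: inbox rules that forward, redirect or delete, plus mailbox-level
    #    forwarding. Rules are disabled rather than deleted so the evidence survives.
    foreach ($r in Get-InboxRule -Mailbox $Upn) {
        if ($r.ForwardTo -or $r.ForwardAsAttachmentTo -or $r.RedirectTo -or $r.DeleteMessage) {
            Disable-InboxRule -Identity $r.Identity -Mailbox $Upn -Confirm:$false
            $log.Add("INBOX RULE disabled: '$($r.Name)' fwd=$($r.ForwardTo) redirect=$($r.RedirectTo) delete=$($r.DeleteMessage)")
        }
    }
    $mbx = Get-Mailbox -Identity $Upn
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        Set-Mailbox -Identity $Upn -ForwardingSmtpAddress $null -ForwardingAddress $null -DeliverToMailboxAndForward $false
        $log.Add("MAILBOX forwarding cleared: smtp=$($mbx.ForwardingSmtpAddress) addr=$($mbx.ForwardingAddress)")
    }

    # 6. OAuth grant review: every delegated consent the user has given. Listed rather than removed,
    #    because legitimate apps sit beside any rogue one; a suspect grant is removed with
    #    Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId <grantId>.
    foreach ($g in Get-MgUserOauth2PermissionGrant -UserId $user.Id -All) {
        $sp = Get-MgServicePrincipal -ServicePrincipalId $g.ClientId
        $log.Add("OAUTH grant review: '$($sp.DisplayName)' scope=[$($g.Scope)] grantId=$($g.Id)")
    }

    $log
}

# Usage (placeholder values):
# Invoke-DeviceLossContainment -Upn 'sales.manager@example.com.au' -LostDeviceName 'LAPTOP-SALES01'
```

The function returns its action log as a list of strings rather than printing it, so the same output can be pasted straight into the written record handed over at the end of the engagement, including the wipe commands that were issued but never acknowledged.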
Why this matters in Brisbane
Brisbane SMBs run on mobile workforces — site visits, client offices, co-working spaces across South Bank, Newstead, and the Valley — and the device loss rate reflects it. The OAIC NDB scheme does not care that the laptop was stolen from a cafe rather than breached by a foreign actor; if personal information was on it and the loss is likely to result in serious harm, the obligation is the same. A Brisbane SMB that can execute a clean device-loss response inside the first few hours is the one that, in most cases, avoids a notifiable breach entirely.
Sources
- ACSC Small Business Cyber Security Guide: https://www.cyber.gov.au/protect-yourself/resources-protect-yourself/personal-cyber-security-guides
- OAIC Notifiable Data Breaches scheme: https://www.oaic.gov.au/privacy/notifiable-data-breaches
- ACSC Essential Eight Maturity Model (for the underlying device-hardening controls): https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model
- Cyber by Exegesis — Lost or Stolen Device Response (waitlist)
Join the waitlist
We are sequencing engagements by tenant type (Microsoft 365 first, Google Workspace second) and by MDM posture. Join the waitlist with your tenant and current device-management tooling — we will tell you when we are ready to take a brief from your business and put you on the call-line for live incidents.