Backup and Ransomware Preparedness for Melbourne SMBs: Know You Can Restore — and Know What You Have to Notify
Your office manager comes in on Monday morning and the file server is showing a ransom note. The shared drive is encrypted. The accounting system is encrypted. The “backup” you have been paying for monthly is mounted to the same network and is also encrypted. Somewhere in the next 48 hours you will need to answer two questions: can we restore, and do we have to notify the OAIC because customer personal information was accessed? Backup and Ransomware Preparedness from Cyber by Exegesis is the engagement designed to answer both questions before the Monday morning happens.
The problem
Most Melbourne SMBs believe they have backups. Far fewer have backups that survive a ransomware event. The ACSC Small Business Cyber Security Guide is direct on this: backups must be regular, kept separate from the network they are protecting, and — most importantly — tested by actually restoring from them. The recurring pattern in Australian ransomware incidents is the SMB that discovers its backup chain was broken only when it tries to restore from it, because the backup job reported success for months while the restore path was never exercised.
The second problem is the one most SMBs do not think about until the lawyer’s phone call. A ransomware event that involves unauthorised access to personal information is an eligible data breach under the OAIC Notifiable Data Breaches scheme when that access is likely to result in serious harm to the individuals concerned (the scheme binds organisations covered by the Privacy Act, which includes health service providers regardless of turnover). The clock starts when you become aware of reasonable grounds to suspect a breach, not when you finish investigating: the scheme allows at most 30 days for the assessment, and once you have reasonable grounds to believe the breach is eligible you must notify the OAIC and the affected individuals as soon as practicable. An SMB without a written response plan spends the first 72 hours in panic; an SMB with one spends them executing.
What Backup and Ransomware Preparedness does
Cyber by Exegesis runs a fixed-scope engagement designed for an SMB that has backups in name but has never stress-tested them:
- A review of your current backup chain — frequency, retention, immutability, off-site or off-network separation, and credential separation from your production environment.
- A documented restore test: we pick a representative workload (typically a file share and your accounting system) and actually restore it into an isolated environment to confirm the backup is usable.
- A written ransomware response plan tailored to your business — who calls whom, in what order, with phone numbers, including the OAIC NDB scheme decision path for when personal information is involved.
- A 90-minute tabletop exercise walking your leadership team through a simulated ransomware Monday morning, ending with a notification decision.
- A short written report with what was tested, what passed, what failed, and a prioritised remediation list.
Cyber by Exegesis is the cyber consultancy line of Exegesis — the same company behind the DRMO live product. This engagement is preparation, not incident response. We set the controls and the plan; if a real incident hits afterwards, you execute the plan you already have.
How it works
- We confirm the engagement scope on a short call, identify the systems in scope, and request read-only access to your backup tooling and an inventory of where personal information lives in your environment.
- We document the current backup chain and identify immutability, separation, and restore-testing gaps against the ACSC Small Business Cyber Security Guide baseline.
- We run a live restore test of one representative workload into an isolated environment and record the result.
- We draft the ransomware response plan, including the OAIC NDB scheme decision path, and walk your leadership team through it in a 90-minute tabletop exercise.
- We leave you with the written report, the response plan, and a 90-day review window to confirm the remediation items have landed.
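As an added illustration of what the documented restore test above actually checks, the script below is constructed example code written for this page; it is not Cyber by Exegesis tooling and uses no backup product's API. It backs up a small constructed workload with a SHA-256 manifest, simulates a ransomware run over the live copy, restores the archive into an isolated directory and verifies every restored file against the manifest. Run a second time with the backup stored on the live share (`backup_on_live_share=True`), it reproduces the failure mode from the opening paragraph: the archive is "encrypted" along with the data and the restore cannot even begin. File names, contents and the byte-overwrite standing in for encryption are all assumptions for the demonstration.

```python
"""Restore-test harness (constructed example): back up, wreck the live copy,
restore into isolation, verify byte-for-byte against a manifest."""
import hashlib
import json
import os
import tarfile
import tempfile
import time
from pathlib import Path

# Constructed sample workload: a file share and an "accounting database".
SAMPLE_WORKLOAD = {
    "shared/clients/acme.docx": b"ACME Pty Ltd engagement letter (sample)",
    "shared/clients/notes.txt": b"constructed sample content",
    "accounting/ledger.db": bytes(range(256)) * 4,
}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> sha256 for every regular file under root."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def take_backup(source: Path, backup_dir: Path) -> Path:
    """Write a tar.gz plus a sidecar manifest; return the archive path."""
    archive = backup_dir / f"backup-{int(time.time())}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    manifest = backup_dir / (archive.name + ".manifest.json")
    manifest.write_text(json.dumps(build_manifest(source)))
    return archive


def simulate_ransomware(live: Path) -> int:
    """Overwrite every file reachable from the live tree (a stand-in for
    encryption) and drop a ransom note. Returns the number of files hit."""
    hit = 0
    for p in live.rglob("*"):
        if p.is_file():
            p.write_bytes(b"\xaa" * (p.stat().st_size + 16))
            hit += 1
    (live / "README_RESTORE_FILES.txt").write_text("your files are encrypted")
    return hit


def restore(archive: Path, target: Path) -> None:
    """Extract into an isolated directory, refusing links and path escapes."""
    target.mkdir(parents=True, exist_ok=True)
    base = target.resolve()
    with tarfile.open(archive, "r:gz") as tar:
        for m in tar.getmembers():
            if not (m.isfile() or m.isdir()):
                raise ValueError(f"refusing non-file entry: {m.name}")
            dest = (target / m.name).resolve()
            if os.path.commonpath([base, dest]) != str(base):
                raise ValueError(f"path escapes restore target: {m.name}")
        tar.extractall(target)


def verify_restore(restored: Path, manifest_path: Path) -> dict:
    """Compare the restored tree to the manifest; result feeds the report."""
    expected = json.loads(manifest_path.read_text())
    actual = build_manifest(restored)
    missing = sorted(set(expected) - set(actual))
    corrupt = sorted(k for k in expected if k in actual and actual[k] != expected[k])
    return {"files_expected": len(expected),
            "files_ok": len(expected) - len(missing) - len(corrupt),
            "missing": missing, "corrupt": corrupt,
            "passed": not (missing or corrupt)}


def run_restore_test(workload: dict, backup_on_live_share: bool = False) -> dict:
    """End-to-end: seed workload, back up, wreck live copy, restore, verify.
    With backup_on_live_share=True the backup store sits inside the share the
    ransomware reaches, which is the broken setup the engagement looks for."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        live, isolated = root / "live", root / "isolated"
        backups = (live / "backup") if backup_on_live_share else (root / "backups")
        for rel, data in workload.items():
            p = live / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        backups.mkdir(parents=True, exist_ok=True)
        archive = take_backup(live, backups)
        manifest = backups / (archive.name + ".manifest.json")
        hit = simulate_ransomware(live)
        try:
            restore(archive, isolated)
            result = verify_restore(isolated, manifest)
        except (tarfile.TarError, OSError, ValueError) as e:
            result = {"passed": False, "error": f"{type(e).__name__}: {e}"}
        result["files_hit_by_ransomware"] = hit
        return result


if __name__ == "__main__":
    print("separated backup :", run_restore_test(SAMPLE_WORKLOAD))
    print("backup on share  :", run_restore_test(SAMPLE_WORKLOAD, backup_on_live_share=True))
```

In a real engagement the archive comes from the client's backup product and the manifest from a known-good point in time; what carries over is the shape of the checks: the backup store must be unreachable from the share the attacker can write to, extraction must refuse entries that escape the isolated target, and "restored" means every file hashes to its known-good value, not that the backup job logged success.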
Why this matters in Melbourne
Melbourne carries a heavy share of Australia’s mid-market professional services, healthcare practices, allied health groups, and not-for-profits — exactly the SMB profiles that hold significant volumes of customer or client personal information without a dedicated security team. For these organisations a ransomware event is rarely just an availability problem; it is almost always an OAIC NDB scheme problem as well. A Melbourne SMB that has tested its restore path and rehearsed its notification decision is in a fundamentally different position on the morning of an incident than one that has not.
Sources
- ACSC Small Business Cyber Security Guide: https://www.cyber.gov.au/protect-yourself/resources-protect-yourself/personal-cyber-security-guides
- ACSC Essential Eight Maturity Model (regular backups is one of the eight strategies): https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model
- OAIC Notifiable Data Breaches scheme: https://www.oaic.gov.au/privacy/notifiable-data-breaches
- Cyber by Exegesis — Backup and Ransomware Preparedness (waitlist)
Join the waitlist
We are sequencing engagements by sector and by backup tooling in place. Join the waitlist with your sector and a one-line description of your current backup setup — we will tell you when we are ready to take a brief from your business.