Backup and Ransomware Preparedness for Sydney SMBs: Restore Cleanly, Notify Correctly, Keep Trading
Your server room phone rings on a Tuesday morning and the message is the one every Sydney SMB owner dreads: files are encrypted, a ransom note is on every desktop, and your operations manager is asking whether the backups are any good. You think they are. Nobody has actually restored from them in eighteen months. And underneath the operational question sits a legal one — if customer data was accessed or exfiltrated, you may have an eligible data breach to notify under the OAIC’s NDB scheme within 30 days. Backup and Ransomware Preparedness from Cyber by Exegesis is the engagement that answers both questions before the Tuesday call.
The problem
Ransomware in Australia has shifted from pure encryption to double extortion — attackers exfiltrate data first, then encrypt. That means a ransomware event is now almost always a data breach event as well, and for any SMB with turnover above $3M (or in a covered sector) the OAIC’s Notifiable Data Breaches scheme applies. The control gap most Sydney SMBs carry is not whether backups exist — they almost always do — it is whether those backups are immutable, separated from the production network, and tested by restore.
The ACSC Small Business Cyber Security Guide is direct about this: backups that share credentials with production, sit on the same network, or have never been restore-tested are not really backups. They are hope. And the OAIC’s published guidance on the NDB scheme makes clear that the 30-day assessment clock starts when you become aware of the suspected breach — not when you finish arguing about it. An SMB that has not pre-decided who assesses, who notifies, and how restore works will burn that clock on chaos.
What Backup and Ransomware Preparedness does
Cyber by Exegesis runs a fixed-scope engagement targeting the backup chain and the response plan together:
- A review of your backup chain across frequency, immutability (or at minimum offline/air-gapped separation), off-site separation, and credential isolation from production.
- A documented restore test — we pick a representative system and actually restore it to a sandbox, timing the recovery and noting what breaks. Most SMBs have never seen this number.
- A ransomware response plan written specifically for your business: who calls whom, who is authorised to disconnect, who briefs staff, who engages legal counsel, and who triggers the OAIC NDB assessment.
- A 90-minute tabletop exercise walking your leadership team through a realistic Sydney SMB ransomware scenario, including the data-breach notification decision tree.
- A short written report covering backup-chain gaps, restore-test timings, response-plan gaps, and a prioritised remediation list.
Cyber by Exegesis is the cyber consultancy line of Exegesis — the same company behind the DRMO live product. Our scope here is preparedness. We set the controls, run the rehearsal, and document the plan; we are not your IT provider and we are not your incident-response retainer.
How it works
- We confirm engagement scope on a short call, identify your in-scope systems and data classes (especially personal information), and request read-only access to your backup tooling and a current asset inventory.
- We review the backup chain against the ACSC Small Business Cyber Security Guide’s backup expectations and document the gaps.
- We run a restore test against a representative system to a sandbox environment and record actual recovery time and integrity.
- We draft the ransomware response plan with your operations lead — including the OAIC NDB assessment trigger and the 30-day clock — and walk it through the leadership team in a 90-minute tabletop exercise.
- We deliver the written report with prioritised remediation and a 90-day review window.
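The restore test in the steps above is the part most SMBs have never run, so here is an added, constructed illustration of what such a test records (this is example code written for this page, not Cyber by Exegesis’s own tooling): a small “production” tree is backed up with a hash manifest, restored into an isolated sandbox, timed, and then every restored file is checked against the manifest, because a file that exists but differs from what was backed up is still a failed restore. The file names and contents are constructed sample data.

```python
import hashlib, tarfile, tempfile, time
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def take_backup(source: Path, archive: Path) -> dict:
    """Archive `source` and capture a manifest {relative path: sha256} at backup time."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(p, arcname=rel)
    return manifest

def restore_to_sandbox(archive: Path, sandbox: Path) -> float:
    """Extract into an isolated directory and return wall-clock recovery time in seconds."""
    sandbox.mkdir(parents=True, exist_ok=True)
    start = time.perf_counter()
    with tarfile.open(archive, "r:gz") as tar:
        # The 'data' extraction filter (Python 3.12+, backported to recent 3.8-3.11) refuses path traversal.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(sandbox, **kwargs)
    return time.perf_counter() - start

def verify_restore(sandbox: Path, manifest: dict) -> dict:
    """Compare every restored file with the backup-time manifest; presence alone is not integrity."""
    missing = [rel for rel in manifest if not (sandbox / rel).is_file()]
    corrupt = [rel for rel in manifest if rel not in missing and sha256_file(sandbox / rel) != manifest[rel]]
    return {"expected": len(manifest), "missing": missing, "corrupt": corrupt, "clean": not (missing or corrupt)}

def run_drill(corrupt_one: bool = False) -> dict:
    """Constructed drill: sample tree -> backup -> timed sandbox restore -> integrity verdict."""
    with tempfile.TemporaryDirectory() as tmp:
        prod, sandbox, archive = Path(tmp, "prod"), Path(tmp, "sandbox"), Path(tmp, "backup.tgz")
        for name, body in {"db/clients.csv": b"id,name\n1,Acme\n", "docs/policy.txt": b"retain 7y\n", "app/config.ini": b"[db]\nhost=prod\n"}.items():
            (prod / name).parent.mkdir(parents=True, exist_ok=True)
            (prod / name).write_bytes(body)  # constructed sample data
        manifest = take_backup(prod, archive)
        seconds = restore_to_sandbox(archive, sandbox)
        if corrupt_one:  # constructed silent corruption: file present, bytes changed, to show the check fires
            (sandbox / "db/clients.csv").write_bytes(b"id,name\n1,ACME\n")
        return dict(verify_restore(sandbox, manifest), recovery_seconds=round(seconds, 3))
```

The recovery time and the missing/corrupt lists are the two numbers the written report records for each representative system.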
Why this matters in Sydney
Sydney concentrates Australia’s data-rich SMBs — medical practices, allied health, professional services, education providers, member organisations — that hold large volumes of personal information and fall squarely within the OAIC NDB scheme. A ransomware event in any of these businesses is also, almost certainly, an eligible data breach. Sydney SMBs that have pre-decided their restore process and their NDB assessment trigger keep trading and notify correctly. Sydney SMBs that haven’t pre-decided either one burn the first week of the 30-day clock working out who is in charge — and that is the week regulators, customers, and staff judge you on.
Sources
- ACSC Small Business Cyber Security Guide: https://www.cyber.gov.au/protect-yourself/resources-protect-yourself/personal-cyber-security-guides
- ACSC Essential Eight Maturity Model (“regular backups” is one of the eight mitigation strategies): https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model
- OAIC Notifiable Data Breaches scheme: https://www.oaic.gov.au/privacy/notifiable-data-breaches
- ACCC Scamwatch (for related extortion and ransom-payment scam patterns): https://www.scamwatch.gov.au/
- Cyber by Exegesis — Backup and Ransomware Preparedness (waitlist)
Join the waitlist
We are sequencing engagements by sector and by backup tooling in use. Join the waitlist with your sector, employee count, and current backup product — we will tell you when we are ready to take a brief from your business.