Business Email Compromise Prevention for Sydney SMBs: Stop the BEC That Turns Into a Notifiable Data Breach
Your bookkeeper’s mailbox gets compromised on a Tuesday. By Thursday the attacker has read three months of client correspondence, pulled identity documents from email attachments, set a quiet forwarding rule, and sent two invoice-redirect emails to your customers from inside your real mailbox. You catch it on the following Monday. Now you have two problems: the money your customers may have lost, and the personal information that just left your control. Business Email Compromise Prevention from Cyber by Exegesis is the engagement designed to close that door before a Sydney SMB has to make the OAIC notification call.
The problem
Most Sydney SMBs think of business email compromise as a payments problem. It is also — and increasingly — a data breach problem. When an attacker gets inside a mailbox, they get the attachments too: driver licences, Medicare numbers, signed contracts, payroll records, client files. If your organisation is covered by the Privacy Act 1988 (turnover above $3M, or in a sector that captures you regardless), unauthorised access to that information can be an eligible data breach under the OAIC’s Notifiable Data Breaches scheme. You have 30 days to assess and, if confirmed, notify the OAIC and every affected individual.
The ACSC Small Business Cyber Security Guide is direct about the controls that prevent this scenario: enforce multi-factor authentication, lock down email authentication (DMARC, SPF, DKIM), audit mailbox and forwarding rules, and tighten the human process around payment changes. ACCC Scamwatch tracks BEC as one of the highest-loss scam categories reported by Australian businesses. The two regulators are looking at the same incident from different angles — and a single weak mailbox can put you in front of both.
What Business Email Compromise Prevention does
Cyber by Exegesis runs a fixed-scope engagement that treats BEC as both a payments and a data-breach risk:
- DMARC, SPF, and DKIM record audit and remediation across your sending domains, with the DMARC policy moved in measured stages from no record, to p=none (monitor only), to p=quarantine, and finally to p=reject.
- A mailbox-rules audit across every staff account, with particular focus on auto-forwarding and transport rules — the persistence mechanism attackers use to exfiltrate attachments quietly for weeks.
- A multi-factor authentication coverage check across your Microsoft 365 or Google Workspace tenant, flagging any accounts (including service and shared mailboxes) that are still password-only.
- A payment-authorisation process redesign so a single email is never enough to change a supplier’s bank details.
- A 45-minute staff training session on invoice-redirect attacks using anonymised Australian SMB examples.
- A short written report mapping what was changed against ACSC Small Business Guide controls, with notes on what would trigger an OAIC NDB assessment if a future incident occurred.
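The DMARC staging and the SPF audit in the list above can be checked from the published TXT records alone. The script below is an added example, not Cyber by Exegesis code: it parses a DMARC record into tags, names the stage the domain is at (no record, monitor, quarantine, reject), and flags the weak settings that commonly undermine each stage (no rua= reporting address, pct below 100, sp=none, a +all or ?all SPF terminator, more than ten SPF lookup mechanisms). The domain names and record strings are constructed samples; the helper and finding names are this example's own.

```python
"""Grade a domain's DMARC and SPF records for a BEC hardening baseline.

Added example (not Cyber by Exegesis code). The record strings at the
bottom are constructed samples; real ones come from
`dig +short txt _dmarc.<domain>` and `dig +short txt <domain>`.
"""
import re

# DMARC p= value -> the stage the engagement moves through.
DMARC_STAGES = {"none": "monitor", "quarantine": "quarantine", "reject": "reject"}
# SPF mechanisms that cost a DNS lookup (RFC 7208 caps these at ten).
SPF_LOOKUP_MECHS = re.compile(r"^(include|a|mx|ptr|exists)(?::|/|$)")


def parse_dmarc(txt):
    """Split 'v=DMARC1; p=none; rua=mailto:x' into a lower-cased tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(txt):
    """Return (stage, findings); stage is 'no record', 'monitor', 'quarantine' or 'reject'."""
    if not txt:
        return "no record", ["no DMARC record: receivers neither report nor filter mail forged from this domain"]
    tags = parse_dmarc(txt)
    findings = []
    if tags.get("v", "").upper() != "DMARC1":
        findings.append("record does not begin with v=DMARC1; receivers ignore it")
    stage = DMARC_STAGES.get(tags.get("p", "").lower(), "no record")
    if stage == "no record":
        findings.append("missing or invalid p= tag; the record is unusable")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports showing who sends as you are lost")
    pct = tags.get("pct", "100")
    if stage in ("quarantine", "reject") and pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: the policy applies to only {pct}% of failing mail")
    if stage in ("quarantine", "reject") and tags.get("sp", "").lower() == "none":
        findings.append("sp=none leaves subdomains unenforced while the apex domain is enforced")
    return stage, findings


def spf_findings(txt):
    """Flag a weak 'all' qualifier and breaches of the ten-lookup limit."""
    if not txt:
        return ["no SPF record: receivers cannot tell which hosts may send as this domain"]
    terms = txt.split()
    findings = []
    if terms[0].lower() != "v=spf1":
        findings.append("record does not begin with v=spf1; receivers ignore it")
    lookups = sum(
        1 for t in terms[1:]
        if SPF_LOOKUP_MECHS.match(t.lstrip("+-~?").lower()) or t.lower().startswith("redirect=")
    )
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup mechanisms exceed the limit of 10, so SPF returns permerror")
    last = terms[-1].lower()
    if last in ("all", "+all"):
        findings.append("'+all' authorises every host on the internet; SPF adds no protection")
    elif last == "?all":
        findings.append("'?all' is neutral: forged mail neither passes nor fails")
    elif last not in ("-all", "~all") and not last.startswith("redirect="):
        findings.append("no -all/~all terminator; unauthorised senders receive a neutral result")
    return findings


def domain_posture(domain, dmarc_txt, spf_txt):
    """One row of the baseline report for a sending domain."""
    stage, dmarc = dmarc_findings(dmarc_txt)
    return {"domain": domain, "dmarc_stage": stage, "dmarc": dmarc, "spf": spf_findings(spf_txt)}


if __name__ == "__main__":
    # Constructed sample records, not a real domain's DNS.
    rows = [
        domain_posture("example.com.au",
                       "v=DMARC1; p=none; rua=mailto:dmarc@example.com.au",
                       "v=spf1 include:spf.protection.outlook.com -all"),
        domain_posture("shop.example.com.au", "", "v=spf1 mx +all"),
    ]
    for row in rows:
        print(row["domain"], "DMARC stage:", row["dmarc_stage"])
        for item in row["dmarc"] + row["spf"]:
            print("  -", item)
```

Run it over every domain that appears in your outbound mail, not just the primary one: a forgotten subdomain with no record is exactly the sender an invoice-redirect email is forged from, and the p=none stage is only useful if the rua= reports are actually being read.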
Cyber by Exegesis is the cyber consultancy line of Exegesis — the same company behind the DRMO live product. Our scope is preventive hardening. We set the controls and step back; we are not your ongoing IT provider or your incident responder.
How it works
- We confirm scope on a short call, identify sending domains, and request read-only access to your DNS provider and email tenant.
- We pull the current DMARC, SPF, DKIM, mailbox-rules, and MFA-coverage state into a baseline report.
- We propose record and policy changes in two stages and apply them across a one-to-two-week window with no operational disruption.
- We sit with your accounts person for 30 minutes to redesign the supplier-bank-detail change process and document it.
- We run the 45-minute staff training and leave you with the written report and a 90-day review window.
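The mailbox-rules part of the baseline report (step two above, and the rules audit listed under what the engagement does) comes down to reading every rule in every mailbox and asking whether it quietly moves, forwards, or deletes mail. The script below is an added example, not Cyber by Exegesis code. Its input mirrors the fields the Exchange Online Get-InboxRule cmdlet exposes (Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MoveToFolder, SubjectContainsWords), but the rules, mailboxes, and the INTERNAL_DOMAINS set are constructed sample data and assumptions of this example.

```python
"""Flag inbox rules that behave like BEC persistence in an exported rule list.

Added example (not Cyber by Exegesis code). Field names follow the
Exchange Online Get-InboxRule output; the data below is constructed.
"""
import re

INTERNAL_DOMAINS = {"example.com.au"}  # assumption: the tenant's own mail domains
# Subject words attackers filter on to hide payment conversations from the owner.
PAYMENT_WORDS = ("invoice", "payment", "bank", "remittance", "account", "transfer")
# Folders users rarely open, a favourite destination for hidden mail.
HIDDEN_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "junk email", "deleted items"}


def address_domain(addr):
    """Return the domain part of 'Display Name <user@dom>' or 'user@dom'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", addr)
    return m.group(1).lower() if m else ""


def audit_rule(rule):
    """Return finding strings for one rule; an empty list means nothing suspicious."""
    findings = []
    if not rule.get("Enabled", True):
        return findings  # disabled rules do nothing; note them separately if you wish
    targets = (rule.get("ForwardTo") or []) + (rule.get("ForwardAsAttachmentTo") or []) \
        + (rule.get("RedirectTo") or [])
    external = [t for t in targets if address_domain(t) not in INTERNAL_DOMAINS]
    if external:
        findings.append(f"forwards/redirects to external address(es): {', '.join(external)}")
    if rule.get("DeleteMessage") and targets:
        findings.append("forwards and then deletes the message, so the owner never sees the thread")
    folder = (rule.get("MoveToFolder") or "").lower()
    if folder and folder.split("\\")[-1] in HIDDEN_FOLDERS:
        findings.append(f"moves mail to rarely-viewed folder '{rule['MoveToFolder']}'")
    words = [w.lower() for w in rule.get("SubjectContainsWords") or []]
    if any(p in w for w in words for p in PAYMENT_WORDS) and (external or rule.get("DeleteMessage") or folder):
        findings.append("filters on payment keywords and hides or exfiltrates the matches")
    if len(rule.get("Name", "").strip()) <= 1:
        findings.append(f"near-empty rule name {rule.get('Name', '')!r}, a common way to hide a rule in the client")
    return findings


def audit_mailboxes(export):
    """Run audit_rule over {mailbox: [rule, ...]} and keep only rules with findings."""
    report = []
    for mailbox, rules in export.items():
        for rule in rules:
            findings = audit_rule(rule)
            if findings:
                report.append({"mailbox": mailbox, "rule": rule.get("Name", ""), "findings": findings})
    return report


SAMPLE_EXPORT = {  # constructed sample data, not a real tenant
    "bookkeeper@example.com.au": [
        {"Name": ".", "Enabled": True, "SubjectContainsWords": ["invoice", "remittance"],
         "ForwardAsAttachmentTo": ["Archive <archive.mail@example-mailbox.net>"], "DeleteMessage": True},
        {"Name": "Newsletters", "Enabled": True, "SubjectContainsWords": ["newsletter"],
         "MoveToFolder": "\\Newsletters"},
    ],
    "reception@example.com.au": [
        {"Name": "Send to shared inbox", "Enabled": True, "RedirectTo": ["bookings@example.com.au"]},
        {"Name": "Hide payments", "Enabled": False, "SubjectContainsWords": ["payment"],
         "MoveToFolder": "\\RSS Feeds"},
    ],
}

if __name__ == "__main__":
    for entry in audit_mailboxes(SAMPLE_EXPORT):
        print(entry["mailbox"], "rule", repr(entry["rule"]))
        for finding in entry["findings"]:
            print("  -", finding)
```

In Microsoft 365 the per-mailbox rules come from Get-InboxRule run against each mailbox and tenant-wide forwarding from Get-TransportRule; the same checks apply to Google Workspace forwarding and filter settings once exported. The external-address test depends on INTERNAL_DOMAINS being complete, so list every domain the tenant accepts mail for before trusting an empty report.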
Why this matters in Sydney
Sydney concentrates Australia’s professional services SMBs — law firms, migration agents, accountants, brokerages, allied health practices, consultancies — that hold large volumes of client personal information inside email. That is the exact data set the OAIC NDB scheme is designed to protect, and the exact data set a compromised mailbox exposes. A Sydney SMB that hardens DMARC, audits mailbox rules, enforces MFA, and tightens its payment-change process closes the door that both BEC attackers and the OAIC notification timeline depend on.
Sources
- ACSC Small Business Cyber Security Guide: https://www.cyber.gov.au/protect-yourself/resources-protect-yourself/personal-cyber-security-guides
- OAIC Notifiable Data Breaches scheme: https://www.oaic.gov.au/privacy/notifiable-data-breaches
- ACCC Scamwatch (National Anti-Scam Centre): https://www.scamwatch.gov.au/
- Cyber by Exegesis — Business Email Compromise Prevention (waitlist)
Join the waitlist
Join the waitlist — first access when Cyber by Exegesis opens BEC Prevention for Sydney SMBs
We are sequencing engagements by sector and by tenant type (Microsoft 365 first, Google Workspace second). Join the waitlist with your sector and current email tenant — we will tell you when we are ready to take a brief from your business.