TL;DR: How you respond in the first hour of a cyber breach determines whether it costs you thousands or hundreds of thousands of dollars. This playbook gives you a clear, sequenced response procedure for the three most common SMB breach scenarios: ransomware, Business Email Compromise, and data theft. Print it and keep a physical copy — you may not be able to access it when you need it most.
The Single Most Important Thing to Know Before a Breach
Incident response plans that exist only as digital documents are useless in a ransomware attack. When your systems are encrypted, you cannot access the SharePoint page where you stored the response plan. You cannot reach the Teams channel where you pinned the IT provider’s number. You cannot log into the password manager where you stored the insurance company’s contact details.
Print this playbook. Store it in a physical folder in your office. Tell at least three people where it is.
This is not optional advice. This is the single most important preparation step you can take.
Understanding the Three Scenarios
Scenario 1: Ransomware
Ransomware is malicious software that encrypts your files and demands payment for the decryption key. Modern ransomware attacks are typically “double extortion” — the attacker encrypts your data AND exfiltrates a copy, threatening to publish sensitive information if you do not pay.
Signs you are experiencing ransomware:
- Files have been renamed with an unusual extension (e.g., .locked, .encrypted, or a random string)
- A ransom note has appeared on the screen or in file folders (typically README.txt or HOW_TO_DECRYPT.txt)
- Systems are running unusually slowly (encryption in progress)
- Your IT monitoring alerts are triggering multiple device alarms simultaneously
- You cannot open files that you could open yesterday
Scenario 2: Business Email Compromise (BEC)
BEC occurs when an attacker gains access to a business email account — either by compromising the account directly or by creating a convincing lookalike account — and uses it to redirect payments, steal data, or manipulate business relationships.
Signs you are experiencing BEC:
- A payment was made to an unusual bank account following an email instruction
- An employee reports receiving an email “from the CEO” asking for unusual action
- You discover email forwarding rules you did not set up
- External parties report receiving emails from your domain that you did not send
- Microsoft 365 security alerts for suspicious sign-in activity
Scenario 3: Data Theft / Unauthorised Access
Data theft involves an attacker gaining access to your systems and copying sensitive data without your knowledge. It may be discovered immediately (by an intrusion detection system) or weeks later (by an employee noticing unusual activity or an external notification).
Signs you may have experienced data theft:
- Unusual large downloads in SharePoint or OneDrive audit logs
- Login activity from unexpected locations or at unusual times
- External notification from a partner, client, or law enforcement
- Data appearing on dark web forums or in external systems
- Unusual outbound network traffic volumes
Scenario 1 Response: Ransomware
First 15 Minutes — Contain
Your only objective in the first 15 minutes is to stop the spread. Do not try to understand what happened. Do not try to negotiate. Contain first.
- Disconnect affected devices from the network immediately — unplug network cables, turn off Wi-Fi. Do not shut down the device (forensic evidence may be lost).
- Alert your IT provider immediately — phone call, not email or Teams (these may be compromised). Have their emergency number written in this document: _______________
- Identify which devices are showing symptoms — walk the floor and check. Separate affected from unaffected.
- Do not disconnect your internet connection unless instructed to — your IT provider may need remote access to assess unaffected systems.
- Do not pay the ransom yet — payment does not guarantee recovery, may not be legal depending on who the attacker is (OFAC sanctions may apply to certain ransomware groups), and should only be considered after professional advice.
Who to call right now:
- IT Provider (Emergency): _______________
- Managing Director / Decision Maker: _______________
- Cyber Insurance Provider (24hr claims line): _______________
First Hour — Assess
- Identify the scope: how many devices are affected? Which servers? Which data?
- Identify patient zero: which device was first infected? When? (Check event logs on unaffected machines for outbound connections)
- Determine backup status: when was the last backup? Is the backup system affected?
- Determine what data is potentially at risk: client data, financial records, intellectual property?
- Contact your cyber insurance provider — most policies require notification within 24–72 hours of discovery. Delay can void coverage.
- Contact your legal counsel — privilege applies to communications during an incident, which may be relevant if litigation follows
First Day — Communicate
Internal communication:
- Advise all staff that systems are down — give them what they need to communicate with clients
- Advise staff NOT to discuss the incident on social media or with external parties
- Confirm what systems remain operational (typically email if on Microsoft 365 cloud, cloud-based applications)
External communication (guided by legal counsel):
- Notify any clients or partners who may be directly affected (data shared with you that may now be compromised)
- Prepare a holding statement for clients who ask — do not overpromise on timeline or scope
Regulatory notification:
- If personal information may have been accessed: assess notifiable data breach obligations under the Privacy Act 1988. Businesses with revenue over $3M (and some smaller businesses) must notify the OAIC and affected individuals if the breach is likely to result in serious harm.
- Contact the ACSC (Australian Cyber Security Centre) — 1300 CYBER1 — they provide free assistance to Australian businesses experiencing cyber incidents.
Recovery
- Do not restore from backup onto a system that has not been fully cleaned — ransomware can persist in the environment and re-encrypt restored data
- Engage forensic investigation to determine root cause before restoration
- Restore from last known clean backup — verify file integrity before bringing systems live
- Reset all passwords for all accounts — assume all credentials are compromised
- Enable MFA on any accounts that did not have it before the incident
- Patch the vulnerability that was exploited (usually identified in forensic investigation)
- Brief all staff on what happened and what changed
Scenario 2 Response: Business Email Compromise
Immediate Steps (Within 1 Hour of Discovery)
If a fraudulent payment was made:
- Call your bank immediately — request a recall of the transaction. Time is critical: international transfers become irrecoverable within hours. Domestic transfers may be recoverable for longer but act immediately.
- Note the reference number for the transaction recall
- Report to Australian Federal Police — BEC fraud is a criminal matter. File a report at ReportCyber (reportcyber.gov.au) and contact your local AFP detachment.
- Notify your cyber insurance provider — BEC fraud losses may be covered under cybercrime policy extension
If the account has been compromised:
- Reset the compromised account password immediately — use a device not connected to the compromised email
- Revoke all active sessions (Microsoft Entra ID admin console: select user > Revoke sessions)
- Enable MFA immediately if not already enabled
- Check email forwarding rules — attackers routinely set up auto-forward to external accounts. Remove any rules you did not create.
- Check email folder rules — look for rules that move or delete emails (attackers use these to hide their activity)
- Check sent items and deleted items for evidence of what the attacker did while in the account
- Check for any email sent impersonating the account holder to clients, suppliers, or staff
Assess scope:
- How long was the account compromised? Check sign-in logs in Entra ID for earliest suspicious activity.
- Which contacts may have received malicious emails from the compromised account? Notify them.
- Was any sensitive information in the mailbox? Client data, financial records, credentials?
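The account lockdown and evidence sweep above, written out as a PowerShell script. This is an added example, not part of the original playbook: it assumes the Exchange Online Management and Microsoft Graph PowerShell modules are installed, that the operator holds the relevant admin roles, and that the password reset in the first step has already been done from a clean device. The account name is a placeholder supplied as a parameter; the evidence file path is an assumption.

```powershell
# Added example (not from the original playbook): first-hour response for one
# compromised Microsoft 365 mailbox. Run from a clean device after the password
# has been reset. Assumes ExchangeOnlineManagement and Microsoft.Graph modules.
param(
    [Parameter(Mandatory)] [string] $User   # e.g. finance@example.com.au (placeholder)
)

Connect-ExchangeOnline
Connect-MgGraph -Scopes 'User.ReadWrite.All','AuditLog.Read.All','Directory.Read.All'

# 1. Cut existing access: revoking refresh tokens forces every signed-in session
#    (web, mobile, Outlook) to re-authenticate with the new password.
$mgUser = Get-MgUser -UserId $User
Revoke-MgUserSignInSession -UserId $mgUser.Id | Out-Null
Write-Host "Sessions revoked for $User"

# 2. Mailbox-level forwarding (set outside inbox rules) is a common persistence trick.
$mbx = Get-Mailbox -Identity $User
if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
    Write-Warning "Mailbox forwarding found: $($mbx.ForwardingSmtpAddress) $($mbx.ForwardingAddress)"
    Set-Mailbox -Identity $User -ForwardingSmtpAddress $null -ForwardingAddress $null -DeliverToMailboxAndForward $false
}

# 3. Inbox rules that forward, redirect, delete or move mail are the usual way an
#    attacker hides replies from the account holder. Record them before removing them.
$suspicious = @(Get-InboxRule -Mailbox $User | Where-Object {
    $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or
    $_.DeleteMessage -or $_.MoveToFolder
})
# Evidence file location is an assumption; adjust to your incident folder.
$evidence = Join-Path $env:USERPROFILE "bec-evidence-$($User -replace '[^a-zA-Z0-9]','_').json"
ConvertTo-Json -Depth 4 -InputObject @($suspicious |
    Select-Object Name, Enabled, ForwardTo, RedirectTo, DeleteMessage, MoveToFolder, Description) |
    Set-Content -Path $evidence
foreach ($rule in $suspicious) {
    Write-Warning "Removing inbox rule '$($rule.Name)': $($rule.Description)"
    Remove-InboxRule -Mailbox $User -Identity $rule.Identity -Confirm:$false
}

# 4. Establish when the compromise started: list this user's sign-ins for the last
#    30 days so the earliest unfamiliar IP, country or client app stands out.
$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$User' and createdDateTime ge $since" -All |
    Sort-Object CreatedDateTime |
    Select-Object CreatedDateTime, IpAddress, @{n='Country';e={$_.Location.CountryOrRegion}},
                  ClientAppUsed, @{n='Status';e={$_.Status.ErrorCode}} |
    Format-Table -AutoSize
```

Save it as a script and run it as `.\Invoke-BecLockdown.ps1 -User finance@example.com.au`. The rules are exported to JSON before they are deleted so the forensic record of what the attacker configured survives the clean-up, and the sign-in listing is left unfiltered on purpose: the goal at this stage is to find the earliest suspicious entry, not to decide in advance what "suspicious" looks like.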
Email Authentication Check
After a BEC incident, verify your email authentication records are in place:
- Check SPF record for your domain — prevents domain spoofing
- Check DKIM signing is enabled in Microsoft 365
- Check DMARC record — set the policy to at minimum p=quarantine so unauthenticated emails are quarantined or rejected
- Check DMARC reporting is enabled so you see ongoing spoofing attempts
See Email Security for Australian Businesses for full configuration guidance.
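A script that performs the four checks in the list above against a domain's public DNS. This is an added example, not from the original post: it uses Resolve-DnsName from the Windows DnsClient module, the domain is a placeholder parameter, and the DKIM selector names default to selector1 and selector2, which is what Microsoft 365 publishes unless you have customised them.

```powershell
# Added example (not from the original post): check SPF, DKIM selectors and DMARC
# for a domain. Domain and selectors are placeholders / assumptions.
param(
    [Parameter(Mandatory)] [string] $Domain,               # e.g. example.com.au (placeholder)
    [string[]] $DkimSelectors = @('selector1','selector2') # Microsoft 365 defaults
)

function Get-TxtRecord {
    param([string] $Name)
    try {
        # A TXT record may be split into several strings; join them back together.
        Resolve-DnsName -Name $Name -Type TXT -ErrorAction Stop |
            Where-Object { $_.Type -eq 'TXT' } |
            ForEach-Object { ($_.Strings -join '') }
    } catch { @() }
}

$findings = @()

# SPF: exactly one v=spf1 record, ending in a hard fail (-all) or soft fail (~all).
$spf = @(Get-TxtRecord $Domain | Where-Object { $_ -like 'v=spf1*' })
if ($spf.Count -eq 0)     { $findings += "SPF: no v=spf1 record on $Domain" }
elseif ($spf.Count -gt 1) { $findings += "SPF: $($spf.Count) records found; receivers treat multiple SPF records as a permanent error" }
elseif ($spf[0] -notmatch '(^|\s)[-~]all\s*$') { $findings += "SPF: record does not end in -all or ~all: $($spf[0])" }

# DKIM: Microsoft 365 signing is published as CNAMEs at <selector>._domainkey.<domain>.
foreach ($sel in $DkimSelectors) {
    $name = "$sel._domainkey.$Domain"
    $dkim = Resolve-DnsName -Name $name -Type CNAME -ErrorAction SilentlyContinue
    if (-not $dkim) { $findings += "DKIM: no CNAME at $name (signing not published for this selector)" }
}

# DMARC: policy must be quarantine or reject; rua= is what delivers aggregate reports.
$dmarc = @(Get-TxtRecord "_dmarc.$Domain" | Where-Object { $_ -like 'v=DMARC1*' })
if ($dmarc.Count -eq 0) {
    $findings += "DMARC: no _dmarc.$Domain record"
} else {
    # Parse "tag=value; tag=value" into a hashtable.
    $tags = @{}
    foreach ($part in ($dmarc[0] -split ';')) {
        if ($part -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $tags[$matches[1]] = $matches[2] }
    }
    if ($tags['p'] -notin @('quarantine','reject')) { $findings += "DMARC: policy is p=$($tags['p']); raise it to quarantine or reject" }
    if (-not $tags['rua'])                           { $findings += "DMARC: no rua= address, so you will not receive aggregate reports" }
    if ($tags['pct'] -and [int]$tags['pct'] -lt 100) { $findings += "DMARC: pct=$($tags['pct']) applies the policy to only part of the mail stream" }
}

if ($findings.Count -eq 0) { Write-Host "All checks passed for $Domain" }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

Run it as `.\Test-EmailAuth.ps1 -Domain example.com.au`. A clean pass means the records exist and are sane; it does not prove that the sources actually sending your mail are all inside the SPF record, which is what the DMARC aggregate reports (the rua= address) tell you over time.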
Scenario 3 Response: Data Theft / Unauthorised Access
Containment
- Identify the compromised account or system and disable/isolate it immediately
- Revoke active sessions for any compromised user accounts
- Change passwords for affected accounts
- If a system was compromised: isolate from network, preserve for forensic analysis
Assessment
- Determine what data was accessed: use Microsoft 365 audit logs, SharePoint audit, Azure AD sign-in logs
- Determine the timeframe: when did access begin? When was it detected?
- Determine the attacker’s method: phishing, credential stuffing, unpatched vulnerability, insider?
- Assess which data categories were affected: personal information, financial data, intellectual property, client data?
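A way to put numbers on the "what was accessed" question for SharePoint and OneDrive, written as a PowerShell script. This is an added example, not from the original playbook: it assumes Exchange Online PowerShell with the Audit Logs role, that unified audit logging is enabled in the tenant, and that the default window of the last 14 days is adjusted to the timeframe established above. The output file name is an assumption.

```powershell
# Added example (not from the original playbook): summarise SharePoint/OneDrive
# file downloads from the unified audit log so an account with an unusually
# large volume, or downloads from an unfamiliar IP, stands out.
param(
    [datetime] $Start = (Get-Date).AddDays(-14),
    [datetime] $End   = (Get-Date),
    [string[]] $UserIds,          # optional: restrict to suspected accounts
    [string]   $OutCsv = "download-summary-$(Get-Date -Format yyyyMMdd).csv"  # assumption
)

Connect-ExchangeOnline

# Page through the results: each call returns at most 5000 records, and a fixed
# SessionId with -SessionCommand ReturnLargeSet keeps the cursor between calls.
$ops = 'FileDownloaded','FileSyncDownloadedFull'
$sessionId = "dl-$(Get-Date -Format yyyyMMddHHmmss)"
$records = @()
do {
    $splat = @{
        StartDate = $Start; EndDate = $End; Operations = $ops
        SessionId = $sessionId; SessionCommand = 'ReturnLargeSet'; ResultSize = 5000
    }
    if ($UserIds) { $splat.UserIds = $UserIds }
    $batch = @(Search-UnifiedAuditLog @splat)
    $records += $batch
} while ($batch.Count -eq 5000)

# AuditData is a JSON document; keep only the fields needed for scoping.
$events = $records | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = [datetime]$d.CreationTime
        User      = $d.UserId
        Operation = $d.Operation
        ClientIP  = $d.ClientIP
        Site      = $d.SiteUrl
        File      = $d.SourceFileName
    }
}

# Per-user summary: how many files, from how many IPs, over what period.
$summary = $events | Group-Object User | ForEach-Object {
    $ips = @($_.Group.ClientIP | Sort-Object -Unique)
    [pscustomobject]@{
        User      = $_.Name
        Downloads = $_.Count
        UniqueIPs = $ips.Count
        IPs       = ($ips -join ' ')
        First     = ($_.Group.Time | Measure-Object -Minimum).Minimum
        Last      = ($_.Group.Time | Measure-Object -Maximum).Maximum
    }
} | Sort-Object Downloads -Descending

$summary | Format-Table -AutoSize
$events | Sort-Object Time | Export-Csv -Path $OutCsv -NoTypeInformation
Write-Host "Per-file detail written to $OutCsv for the forensic timeline"
```

The summary table answers the scoping question quickly (which accounts pulled the most files, and from where), while the CSV keeps every download with its file name and site so legal counsel can work out which data categories were touched. Compare the IPs against the sign-in logs from the same window: a download burst from an IP that never appears in the user's normal sign-ins is the strongest indicator that the activity was the attacker's rather than the employee's.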
Notification
- If personal information of Australian individuals was involved: assess notifiable data breach obligations
- The test is: would this breach be likely to result in serious harm to any individual whose data was accessed?
- If the test is met: notify affected individuals and the OAIC. Legal counsel should guide this notification.
- If you hold health records: additional obligations apply under the My Health Records Act and other legislation — engage legal counsel immediately
Post-Incident: Learning and Strengthening
Every incident — regardless of severity — should result in a documented post-incident review. This is not about blame. It is about understanding what failed and preventing recurrence.
Post-incident review questions:
- How did the attacker get in? (The root cause — phishing, unpatched vulnerability, compromised credentials, etc.)
- How long were they in the environment before detection?
- What would have stopped this attack? (A specific control that was missing or misconfigured)
- What will we change as a result?
- Who needs to be notified of our findings? (Board, insurers, regulators, clients)
Immediate improvements to consider post-incident:
- Multi-factor authentication on all accounts (if not already enabled)
- Endpoint Detection and Response (EDR) — detects attack behaviour that traditional antivirus misses
- Email filtering improvements — Microsoft Defender for Office 365 anti-phishing policies
- Privileged access review — limit who has administrator-level access
- Staff awareness training on phishing and BEC — see Phishing Email Examples Swipe File
Building Incident Response Capability Before You Need It
The businesses that recover fastest from cyber incidents are those that invested in preparedness before an incident occurred. The key elements:
Tested backups: A backup that has never been tested is an assumption. Test restores quarterly, document recovery times, and ensure at least one backup copy is immutable and isolated from the main network.
Documented IT environment: You cannot rebuild your environment from memory. Comprehensive IT documentation — network diagrams, server configurations, software inventory, credentials — is essential for rapid recovery. See Small Business IT Bible for documentation standards.
Cyber insurance: Cyber insurance provides access to incident response professionals, legal counsel, forensic investigators, and (subject to policy terms) loss coverage. Check whether your policy includes first-party coverage for business interruption and data recovery.
Relationships: Your IT provider’s incident response capability matters enormously in the first hours of a breach. Know your provider’s emergency contact number, their incident response process, and their average response time before you need it.
If you want to assess your current incident response readiness or set up proper backups, monitoring, and endpoint protection, book a Right Fit Call with CX IT Services.