0day · oday.com.au

SMB Cyber Incident Response Playbook

For: Australian SMBs · Version: 2025 · Contact: hello@oday.com.au · 0420 277 414
🚨 Active incident? Go straight to Phase 1 (Contain). Every minute counts. Do NOT attempt to clean up or remove malware before preserving evidence.

Your Emergency Contacts (Fill In Before An Incident)

IT Support / MSP: ________________________
Cybersecurity Incident Response: ________________________
Executive / Decision Maker: ________________________
Legal / Privacy Counsel: ________________________
Cyber Insurance Provider: ________________________
ACSC ReportCyber: reportcyber.gov.au · 1300 CYBER1 (1300 292 371)

Phase 1: CONTAIN (stop the bleeding)
First 30 minutes
Disconnect affected systems from the network immediately. Pull the ethernet cable or disable Wi-Fi. Do NOT turn the machine off yet: forensic evidence such as running processes, open network connections and attacker tooling lives in RAM and is lost on power-off. If the affected system is a virtual machine, take a snapshot that includes its memory state instead.
Alert your IT support or incident response contact right now. Do not attempt remediation alone. Call Oday on 0420 277 414 if you don't have an IR contact.
Identify the scope: how many systems are affected? Check other workstations, servers, and cloud services for signs of compromise, and isolate those too.
Preserve evidence: do NOT delete, clean, or reformat yet. Take photos of error messages and ransom notes. Note exact times, including the timezone. Do not open suspicious attachments again.
Change passwords for all admin and cloud service accounts from a CLEAN device. Use a personal phone or a known-clean machine, not the affected system. A password change alone does not end sessions the attacker already holds: also revoke the account's active sessions and tokens in your identity provider (Microsoft 365 / Entra ID, Google Workspace).
Enable MFA on all critical accounts if not already in place.
Notify your cyber insurance provider. Do this early: many policies have a notification window (often 24 to 72 hours) and missing it may void the claim. Your insurer may also require you to use their panel incident response firm, so ask before engaging anyone else.

Phase 2: ASSESS (understand what happened)
First 4 hours
Determine the type of incident. Ransomware? Data breach? Phishing? Account takeover? Business email compromise? The response differs for each.
Identify what data may have been accessed or exfiltrated. Customer PII? Payment data? Employee records? Health information? This determines your notification obligations.
Check your backups: are they intact, unreachable from the compromised network (offline or in a separate account), and from before the incident? Ransomware routinely encrypts or deletes any backup it can reach.
Review access logs for the affected period: email logs, VPN and firewall logs, cloud service audit trails (AWS CloudTrail, Microsoft 365 Unified Audit Log, Google Workspace audit logs). Establish the earliest sign of attacker activity; that timestamp decides which backups are safe and how far back your data-access review must go.
Document everything with timestamps. Who discovered it, when, what was observed, actions taken. This is critical for insurance and legal.
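The log review above, as an added example that is not part of this playbook or Oday's tooling: a small Python script that triages an exported Microsoft 365 Unified Audit Log (the JSON AuditData objects you get from a Purview audit export or Search-UnifiedAuditLog) for the most common business email compromise signs: successful sign-ins from outside your known office/VPN ranges, inbox or mailbox changes that forward or delete mail, and new MFA registrations or app consents. The sample records, the 203.0.113.0/24 "office" range and the incident window are constructed; the operation names follow what Unified Audit Log exports commonly show, but treat the watchlist as a starting point to adjust for your tenant.

```python
"""Triage Microsoft 365 Unified Audit Log records for BEC indicators.
Added example for the playbook, not Oday's tooling. Input is the parsed
AuditData JSON objects from an export; the records below are constructed."""
import ipaddress
from datetime import datetime

# Assumption: your office / VPN egress ranges (a documentation range here).
KNOWN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
# Window established in Phase 2. UAL timestamps are UTC with no suffix.
WINDOW_START = datetime(2025, 3, 3)
WINDOW_END = datetime(2025, 3, 5)
# Operations worth a second look after a suspected account compromise.
SUSPICIOUS_OPERATIONS = {
    "New-InboxRule": "inbox rule created",
    "Set-InboxRule": "inbox rule modified",
    "UpdateInboxRules": "inbox rules changed from a mail client",
    "Set-Mailbox": "mailbox settings changed",
    "Add-MailboxPermission": "mailbox delegation added",
    "Consent to application.": "OAuth app consent granted",
    "User registered security info.": "MFA / sign-in method registered",
}
# Rule and mailbox parameters that forward, redirect or hide mail.
EXFIL_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                "ForwardingSmtpAddress", "ForwardingAddress",
                "DeleteMessage", "MoveToFolder"}
# Constructed sample export, trimmed to the fields used below.
SAMPLE_AUDIT_LOG = [
    {"CreationTime": "2025-03-03T22:14:08", "Operation": "UserLoggedIn",
     "UserId": "alice@example.com.au", "ClientIP": "203.0.113.45", "ResultStatus": "Success"},
    {"CreationTime": "2025-03-04T01:02:55", "Operation": "UserLoggedIn",
     "UserId": "alice@example.com.au", "ClientIP": "198.51.100.7:51432", "ResultStatus": "Success"},
    {"CreationTime": "2025-03-04T01:05:10", "Operation": "New-InboxRule",
     "UserId": "alice@example.com.au", "ClientIP": "198.51.100.7",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "billing@example.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2025-03-04T01:09:41", "Operation": "UserLoggedIn",
     "UserId": "bob@example.com.au", "ClientIP": "198.51.100.7", "ResultStatus": "Failed"},
    {"CreationTime": "2025-03-04T02:30:00", "Operation": "User registered security info.",
     "UserId": "carol@example.com.au", "ClientIP": "[2001:db8::1]:443"},
    {"CreationTime": "2025-02-20T09:00:00", "Operation": "Set-Mailbox",   # before the window
     "UserId": "alice@example.com.au", "ClientIP": "203.0.113.45",
     "Parameters": [{"Name": "Identity", "Value": "alice"}]},
]


def parse_ip(value):
    """ClientIP may carry a port: '1.2.3.4:443' or '[2001:db8::1]:443'."""
    if value is None:
        return None
    value = value.strip()
    if value.startswith("["):              # bracketed IPv6 with port
        value = value[1:value.index("]")]
    elif value.count(":") == 1:            # IPv4 with port
        value = value.split(":")[0]
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def parameters(record):
    """Flatten the Exchange 'Parameters' list into a name -> value dict."""
    return {p.get("Name"): p.get("Value") for p in record.get("Parameters", [])}


def triage(records, known_networks, window_start, window_end):
    """Return (time, user, severity, detail) findings inside the window, oldest first."""
    findings = []
    for r in sorted(records, key=lambda x: x["CreationTime"]):
        t = datetime.fromisoformat(r["CreationTime"])
        if not window_start <= t <= window_end:
            continue
        user, op = r.get("UserId", "?"), r.get("Operation", "")
        ip = parse_ip(r.get("ClientIP"))
        if op == "UserLoggedIn" and r.get("ResultStatus") == "Success":
            if ip is not None and not any(ip in net for net in known_networks):
                findings.append((t, user, "medium", f"sign-in from unknown IP {ip}"))
        if op in SUSPICIOUS_OPERATIONS:
            params = parameters(r)
            hits = sorted(EXFIL_PARAMS & set(params))
            detail = SUSPICIOUS_OPERATIONS[op]
            if hits:
                detail += ": " + ", ".join(f"{k}={params[k]}" for k in hits)
            findings.append((t, user, "high" if hits else "medium", detail))
    return findings


def accounts_needing_reset(findings):
    """Every account with a finding gets a password reset plus session revocation."""
    return sorted({user for _, user, _, _ in findings})


if __name__ == "__main__":
    results = triage(SAMPLE_AUDIT_LOG, KNOWN_NETWORKS, WINDOW_START, WINDOW_END)
    for t, user, sev, detail in results:
        print(f"{t:%Y-%m-%d %H:%M:%S}Z  {sev:6}  {user}: {detail}")
    print("reset + revoke sessions:", ", ".join(accounts_needing_reset(results)))
```

The failed sign-in for bob is deliberately ignored: a single failure is noise, while a success from an unknown network followed minutes later by a forward-and-delete inbox rule is the textbook BEC sequence and is what the "high" finding flags. Feed the real export in place of SAMPLE_AUDIT_LOG and widen the window back to the earliest suspicious event you found.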

Phase 3: NOTIFY (who do you need to tell?)
Within 24 to 72 hours
🇦🇺 Australian Privacy Act obligation: if your business is covered by the Privacy Act (annual turnover over $3 million, or a smaller business in a covered category such as a health service provider) and a data breach is likely to result in serious harm to any individual, you MUST notify the Office of the Australian Information Commissioner (OAIC) and affected individuals under the Notifiable Data Breaches (NDB) scheme. Confirm coverage with your privacy counsel rather than assuming you are exempt.
OAIC (Notifiable Data Breaches scheme): report at oaic.gov.au if personal information was involved and there's a risk of serious harm. If you only suspect an eligible breach, you have at most 30 days to complete your assessment; once you conclude it is eligible, notify the OAIC and affected individuals as soon as practicable.
ACSC ReportCyber: reportcyber.gov.au. Report all significant cyber incidents to the ACSC.
Australian Federal Police (AFP): if criminal activity is involved (ransomware, fraud, extortion), report to the AFP.
Affected customers / individuals: if their personal data was exposed. Draft the notification with legal counsel. Be clear about what happened, what data was involved, and what they should do.
Your bank / payment processor: if payment card data or financial transactions were involved, or if attackers changed payment details on invoices.
Business partners / suppliers: if compromised credentials could affect connected systems, or if the attacker may have used your email accounts to target them.

Phase 4: ERADICATE & RECOVER
Days 1 to 7
Reimage affected systems from known-good installation media or golden images. Don't just remove the malware: attackers commonly leave persistence (scheduled tasks, new accounts, remote-access tools) that cleaning tools miss, so rebuild the whole system.
Restore data from clean, pre-incident backups. Verify backup integrity before restoring (checksums, a test restore, a malware scan of the restored data) and keep restored systems on an isolated network until they have been tested.
Patch the vulnerability or close the entry point that was exploited (unpatched software, exposed RDP or VPN, a phished password without MFA). If you don't fix the root cause, you will be attacked again.
Reset ALL passwords, not just affected accounts, including service accounts and shared passwords. Assume credential reuse. Force MFA re-enrolment for all users and remove any MFA methods, devices or recovery options you don't recognise; attackers register their own to keep access.
Revoke and re-issue all API keys, certificates, and tokens. Also remove unrecognised OAuth app consents, mailbox forwarding and inbox rules, and delegated mailbox permissions: these survive a password reset.
Monitor for 30 days post-recovery. Attackers often leave backdoors or come back with credentials they already stole. Keep enhanced logging (sign-ins, admin actions, new accounts, outbound connections) for at least 30 days and review it daily at first.
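The backup checks in the Assess step (intact, and from before the incident?) and the "verify backup integrity before restoring" step above, as one added example that is not part of this playbook or Oday's tooling: a Python script that compares a backup set against a SHA-256 manifest recorded when the backup was taken, and refuses the restore if the manifest post-dates the first attacker activity, any file hash differs, any file is missing, or files appear that were never backed up. The directory contents, the manifest date and the incident start time are constructed for the demo. A manifest stored on the same share as the backup can be rewritten by the same attacker, so keep an offline copy.

```python
"""Check a backup set before restoring: intact, complete, and pre-incident?
Added example for the playbook, not Oday's tooling. All data is constructed."""
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Assumed value: earliest attacker activity you established in Phase 2.
INCIDENT_START = datetime(2025, 3, 4, 1, 0, tzinfo=timezone.utc)


def sha256_file(path):
    """Stream a file through SHA-256 so large backups don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir, created):
    """Record every file's hash at backup time. Store this copy somewhere the
    backup media cannot reach (offline, or a separate account)."""
    files = {p.relative_to(backup_dir).as_posix(): sha256_file(p)
             for p in sorted(backup_dir.rglob("*")) if p.is_file()}
    return {"created": created.isoformat(), "files": files}


def verify_backup(backup_dir, manifest, incident_start):
    """Return a report; 'safe_to_restore' is True only if every check passes."""
    created = datetime.fromisoformat(manifest["created"])
    report = {"created": manifest["created"],
              # A backup taken after the intrusion began may already contain
              # encrypted or attacker-modified files with perfectly valid hashes.
              "predates_incident": created < incident_start,
              "ok": [], "corrupt": [], "missing": [], "unexpected": []}
    present = {p.relative_to(backup_dir).as_posix(): p
               for p in backup_dir.rglob("*") if p.is_file()}
    for rel, digest in sorted(manifest["files"].items()):
        if rel not in present:
            report["missing"].append(rel)
        elif sha256_file(present[rel]) != digest:
            report["corrupt"].append(rel)
        else:
            report["ok"].append(rel)
    # Files the manifest never saw: ransom notes, tooling, planted backdoors.
    report["unexpected"] = sorted(set(present) - set(manifest["files"]))
    report["safe_to_restore"] = (report["predates_incident"] and not report["corrupt"]
                                 and not report["missing"] and not report["unexpected"])
    return report


def run_demo():
    """Constructed scenario: a backup taken 1 March, then reached by ransomware."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        for rel, body in {"docs/policy.txt": b"Acceptable use policy v3\n",
                          "finance/ledger.csv": b"date,amount\n2025-02-28,1200.00\n",
                          "hr/contracts.pdf": b"%PDF-1.4 constructed sample\n"}.items():
            (backup / rel).parent.mkdir(parents=True, exist_ok=True)
            (backup / rel).write_bytes(body)
        manifest = build_manifest(backup, datetime(2025, 3, 1, 2, 0, tzinfo=timezone.utc))
        # What a reachable backup share looks like after the attacker got to it.
        (backup / "finance/ledger.csv").write_bytes(b"\x8f\x1a\xe3 not the ledger any more")
        (backup / "hr/contracts.pdf").unlink()
        (backup / "README_RESTORE_FILES.txt").write_bytes(b"your files are encrypted\n")
        return verify_backup(backup, manifest, INCIDENT_START)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:18} {value}")
```

A clean result here only says the files are the ones you backed up; it says nothing about whether those files were already infected, so restore into an isolated network and scan before reconnecting, as the recovery steps above require.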

Phase 5: POST-INCIDENT REVIEW
Within 2 weeks of recovery
Conduct a lessons-learned meeting with all stakeholders.
Document the full incident timeline and root cause.
Update your security controls and policies to prevent recurrence.
Commission a follow-up penetration test. Verify the fix works and no other vulnerabilities were missed. Contact Oday: hello@oday.com.au
Review and update your cyber insurance policy.
Train staff on phishing and social engineering awareness.
✅ Tip: The best incident response is a practised one. Run a tabletop exercise with your team annually using this playbook, before you need it.