Data Breach Response Plan for Sydney Small Businesses

By Adrian Weir | Published 28 May 2026

DATA BREACH RESPONSE

A practical data breach response plan for Sydney small businesses

A data breach can happen to any business, regardless of size. For Sydney small businesses, the difference between a manageable incident and a catastrophic one comes down to preparation.

Under Australia's Notifiable Data Breach (NDB) scheme, businesses must notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when a breach is likely to result in serious harm. This applies to any business with an annual turnover of more than $3 million, as well as smaller businesses that handle health information, tax file numbers, credit reporting data, or employee records. For many Sydney businesses operating in professional services, healthcare, or finance, that threshold is easily met.

The OAIC received over 1,000 data breach notifications in the 2024-2025 financial year, and the trend continues upward. Malicious or criminal attacks remain the leading cause, accounting for roughly two-thirds of all breaches. The remainder come from human error: emails sent to the wrong recipient, misplaced hard drives, or improperly configured cloud storage permissions that expose client files to the public internet.

For a 20-person Sydney business, the realistic cost of a data breach sits between $120,000 and $250,000 once you account for downtime, forensic investigation, legal fees, client notification, and the long tail of reputation repair. The businesses that recover fastest are the ones that had a response plan in place before the breach occurred. Working with an experienced IT security provider to build that plan is one of the most practical steps a business owner can take.

FIRST 72 HOURS

What to do in the first 72 hours after a data breach

Speed matters. These are the steps your business should take immediately after discovering a breach, in the order they should happen.

1. Contain the breach immediately

Isolate affected systems and disconnect compromised devices from the network. Change passwords for any accounts that may have been exposed, starting with email, cloud storage, and any administrator accounts. Do not shut down servers or delete files, as this destroys forensic evidence your IT team will need to determine the attack vector. Your IT support provider should be the first call you make.

2. Assess the scope and impact

Determine what data was accessed or exfiltrated, how many individuals are affected, and whether the breach is still ongoing. Check server logs, email forwarding rules, cloud storage access records, and active user sessions. Document everything with timestamps. This assessment forms the basis of your NDB notification and informs legal strategy.

3. Engage legal counsel

Contact your lawyer before making any external communications. Legal privilege protects your internal investigation. Your lawyer will help determine whether the breach meets the "serious harm" threshold for mandatory notification under the NDB scheme and will guide you through the OAIC reporting process within the required 30-day assessment period.

4. Notify affected individuals and the OAIC

If the breach meets the notification threshold, inform affected individuals about what happened, what data was involved, and what steps they should take to protect themselves. Be direct and avoid technical jargon. Include contact details for further questions and a clear summary of the remediation steps your business is taking to prevent recurrence.
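Step 2 asks you to check email forwarding rules and document findings with timestamps. The script below is an added example, not part of the original article or any Milnsbridge tooling: it triages Microsoft 365 audit records for inbox rules or mailbox settings that forward mail outside the business, the persistence trick described later under common breach scenarios. It assumes records shaped like the AuditData JSON objects returned by the Exchange Online Search-UnifiedAuditLog cmdlet (simplified here), and the internal domain list and sample records are constructed placeholders.

```python
# Flag M365 audit records that forward mail to external addresses (added example, constructed data).

# Domains that belong to the business (assumption: replace with your tenant's domains)
INTERNAL_DOMAINS = {"example.com.au"}

# Rule / mailbox parameters that send a copy of mail somewhere else
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"}

def external_addresses(value: str) -> list[str]:
    """Pull e-mail addresses out of a parameter value and keep only external ones.
    Handles plain addresses, 'smtp:addr' and '"Name" [SMTP:addr]' forms."""
    found = []
    for token in value.replace("[", " ").replace("]", " ").replace(";", " ").split():
        token = token.strip('"').removeprefix("SMTP:").removeprefix("smtp:")
        if "@" in token and token.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS:
            found.append(token.lower())
    return found

def triage_forwarding(records: list[dict]) -> list[dict]:
    """Return one timestamped finding per record that forwards mail externally, oldest first."""
    findings = []
    for rec in records:
        if rec.get("Operation") not in {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}:
            continue
        for param in rec.get("Parameters", []):
            if param.get("Name") in FORWARD_PARAMS:
                targets = external_addresses(str(param.get("Value", "")))
                if targets:
                    findings.append({"time": rec["CreationTime"], "mailbox": rec.get("UserId"),
                                     "operation": rec["Operation"], "client_ip": rec.get("ClientIP"),
                                     "external_targets": targets})
    findings.sort(key=lambda f: f["time"])   # a sorted timeline is what the NDB assessment needs
    return findings

SAMPLE_AUDIT = [  # constructed sample records, not real tenant data
    {"CreationTime": "2026-05-20T02:14:07", "Operation": "New-InboxRule",
     "UserId": "j.smith@example.com.au", "ClientIP": "203.0.113.45",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": '"Archive" [SMTP:archive.x@mail.example]'},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2026-05-20T09:30:00", "Operation": "New-InboxRule",
     "UserId": "a.lee@example.com.au", "ClientIP": "198.51.100.7",
     "Parameters": [{"Name": "Name", "Value": "Invoices"}, {"Name": "MoveToFolder", "Value": "Invoices"}]},
    {"CreationTime": "2026-05-19T23:58:41", "Operation": "Set-Mailbox",
     "UserId": "admin@example.com.au", "ClientIP": "203.0.113.45",
     "Parameters": [{"Name": "Identity", "Value": "j.smith"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:archive.x@mail.example"}]},
]

if __name__ == "__main__":
    for f in triage_forwarding(SAMPLE_AUDIT):
        print(f"{f['time']}  {f['mailbox']}  {f['operation']}  from {f['client_ip']}  -> {f['external_targets']}")
```

Both findings in the sample share one client IP, which is exactly the kind of pivot that lets your IT provider scope how many accounts an attacker touched.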

WHO TO CALL

When to call your IT provider and when to call your lawyer

Both play critical roles after a breach, but their responsibilities are different. Knowing who handles what saves valuable time when it matters most.

As a general rule: call your IT support provider first to contain the breach and protect your systems, then call your lawyer to manage the legal and regulatory response.

Your IT support provider handles

  • Containing the breach and isolating affected systems
  • Identifying how the attacker gained access
  • Patching vulnerabilities to prevent further damage
  • Recovering data from backups where possible
  • Collecting and preserving forensic evidence
  • Strengthening security controls after the incident
  • Monitoring for signs of persistent or secondary attacks

Your lawyer handles

  • Advising on NDB reporting obligations and timelines
  • Assessing legal liability and exposure to claims
  • Drafting notification letters to affected individuals
  • Managing communication with the OAIC and regulators
  • Reviewing cyber insurance claims and coverage
  • Handling any litigation or complaints that follow
  • Establishing legal privilege over the investigation

REALISTIC COSTS

What a data breach actually costs a small Sydney business

These figures are based on typical incidents across Australian small businesses in 2025 and 2026. Costs vary depending on the type of data involved, the speed of response, and whether a recovery plan was already in place.

  • $40-80K: Downtime and lost productivity (2-4 weeks average)
  • $20-50K: Forensic investigation and remediation
  • $15-40K: Legal fees and regulatory compliance
  • $30-60K: Reputation damage and lost clients
Source: Estimates based on OAIC breach reports, IBM Cost of a Data Breach (ANZ), and incident response case data from Australian MSPs. Individual costs depend on sector, data type, and response speed.

REDUCING BREACH IMPACT

How Essential Eight and SMB1001 compliance reduce breach damage

Businesses that invest in compliance frameworks before a breach occurs consistently recover faster and spend significantly less on remediation.

The Essential Eight, developed by the Australian Cyber Security Centre, provides a prioritised set of mitigation strategies. Businesses that implement even the first three maturity levels, covering application control, patch management, and multi-factor authentication, significantly reduce both the likelihood of a successful attack and the blast radius when one does occur. For Sydney businesses that need a starting point, these three controls alone address the majority of common attack vectors seen in small business breaches across Australia.

SMB1001 certification goes further by establishing a measurable security baseline specifically designed for small and medium businesses. Where the Essential Eight provides a framework, SMB1001 provides a certification pathway that demonstrates to clients, insurers, and regulators that your security controls have been independently verified. For Sydney businesses handling client data, particularly in legal, financial, and healthcare sectors, certification directly improves your position during cyber insurance assessments and can reduce premiums by 15-25% in some cases.

Both frameworks share a common principle: prevention is cheaper than recovery. A business that has already implemented access controls, logging and monitoring, and documented incident response procedures will contain a breach faster, lose less data, and face fewer regulatory consequences than one scrambling to respond from scratch. The breach response plan outlined in this guide is far easier to execute when the underlying security controls are already in place and tested.

BUILDING YOUR PLAN

What a data breach response plan should include

Every Sydney business that handles personal or sensitive data should have a documented response plan. It does not need to be complex, but it does need to exist before you need it.

A practical response plan covers four core areas. Each one reduces the time between discovery and resolution, which directly limits the financial and operational impact on your business.

Contact list

Phone numbers for your IT support provider, legal counsel, cyber insurer, and the OAIC. This list should be accessible offline, not just stored on the systems that may be compromised. Include after-hours and emergency contact numbers.

Roles and responsibilities

Who coordinates the response, who communicates with stakeholders, who handles technical containment, and who makes decisions about shutting down systems. Assign these roles now, not during a crisis when people are stressed and information is incomplete.

Communication templates

Pre-drafted notification emails for affected individuals, internal staff communications, and a holding statement for media inquiries. Having templates ready removes the pressure of writing under stress and ensures you include all legally required information.

Backup and recovery procedures

Know where your backups are, how to restore them, and how long full recovery takes. Test your backups regularly. A backup that has never been tested is not a backup; it is a hope. Your IT support provider should be running restore tests at least quarterly.

COMMON BREACH SCENARIOS

How breaches typically happen to Sydney small businesses

Understanding the most common attack vectors helps you prioritise where to invest your prevention budget. These three scenarios account for the majority of breaches affecting Australian small businesses.

Phishing and credential theft remains the number one attack vector. An employee clicks a link in a convincing email, enters their Microsoft 365 credentials on a fake login page, and the attacker gains access to the entire tenant. From there, they can read emails, access SharePoint files, set up forwarding rules to intercept future correspondence, and launch further phishing attacks from inside the organisation. Multi-factor authentication blocks the vast majority of these attacks, yet many small businesses still have not enabled it across all accounts.

Ransomware has shifted tactics. Rather than just encrypting files and demanding payment, many ransomware operators now exfiltrate data first and threaten to publish it if the ransom is not paid. This means the business faces both a recovery problem and a data breach notification obligation simultaneously. Having offline backups and a tested recovery plan is the difference between a one-week outage and a six-week one.

Misconfigured cloud storage is an increasingly common cause, particularly for businesses that have recently migrated to cloud platforms without adequate IT support. An accidentally public S3 bucket or a SharePoint folder with the wrong sharing permissions can expose thousands of client records without any malicious activity at all. These breaches are entirely preventable with proper cloud configuration and regular access audits.
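The "regular access audit" that catches an accidentally public S3 bucket comes down to two checks: does the bucket policy grant access to everyone, and does the ACL grant anything to the AllUsers or AuthenticatedUsers groups. The code below is an added example, not from the original article: it assumes the policy and grants are the structures boto3 returns from get_bucket_policy (after json.loads on its "Policy" string) and get_bucket_acl()["Grants"], and the sample policy, ARNs and account id are constructed placeholders.

```python
# Decide whether an S3 bucket policy or ACL exposes data to everyone (added example, constructed data).
from typing import Any

PUBLIC_ACL_GROUPS = (
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
)

def _principal_is_anyone(principal: Any) -> bool:
    """A Principal of "*" or {"AWS": "*"} (or a list containing "*") means anyone on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False

def public_policy_statements(policy: dict) -> list[str]:
    """Sids of Allow statements open to anyone with no Condition narrowing them.
    Statements with a Condition (e.g. a VPC endpoint) are skipped here but still deserve review."""
    return [stmt.get("Sid", "<no Sid>") for stmt in policy.get("Statement", [])
            if stmt.get("Effect") == "Allow"
            and _principal_is_anyone(stmt.get("Principal")) and not stmt.get("Condition")]

def public_acl_grants(grants: list[dict]) -> list[str]:
    """'Group:Permission' for every ACL grant to AllUsers or AuthenticatedUsers."""
    found = []
    for g in grants:
        grantee = g.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            found.append(f"{grantee['URI'].rsplit('/', 1)[1]}:{g.get('Permission')}")
    return found

SAMPLE_POLICY = {  # constructed policy for a hypothetical bucket, not a real one
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::client-files/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::client-files/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-PLACEHOLDER"}}},
        {"Sid": "Staff", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/staff"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::client-files/*"},
    ],
}
SAMPLE_GRANTS = [  # constructed ACL grants
    {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": PUBLIC_ACL_GROUPS[0]}, "Permission": "READ"},
]

if __name__ == "__main__":
    print("public policy statements:", public_policy_statements(SAMPLE_POLICY))
    print("public ACL grants:", public_acl_grants(SAMPLE_GRANTS))
```

Run these checks over every bucket on a schedule and treat any non-empty result as a finding; turning on the account-level S3 Block Public Access setting stops the misconfiguration from taking effect in the first place.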

GET PREPARED

Build your breach response plan before you need it

Milnsbridge helps Sydney businesses build incident response plans, implement Essential Eight controls, and achieve SMB1001 certification. Based in Sydney CBD and Penrith, we support businesses across the metropolitan area with a 20-second average answer time and 98% first-call resolution. A 20-minute conversation could save your business from months of disruption.


About the Author

Adrian Weir

Adrian Weir is the Managing Director and founder of Milnsbridge Managed IT Services, with over 30 years of global IT experience spanning Telstra, Citibank, Unilever, and hundreds of Sydney SMBs. A Microsoft Partner since 2002, Adrian leads a team of IT specialists delivering responsive, business-focused managed IT support across Greater Sydney.
