
When Your Backup Failed — And Other Lessons in Restoring

By The Most Secure Man Alive | WISECLICK Ambassador

"Most owners I know think about cybersecurity as a wall. I think about it as a procedure.

The wall is part of it. So is what you do at 3am when the wall has been breached."


One of our members rang me on a Monday morning, six weeks ago.

It's the kind of call I'm always glad happens early.

She runs a small practice — herself and one part-time staff member. She'd come in early to send invoices, opened her laptop, and found a screen she hadn't seen before. White text on a black background. Pay in Bitcoin within 72 hours or lose everything.

She hadn't known anyone whose business this had happened to. She'd read about it. Nothing in the reading had prepared her for the specific feeling of seeing it on her own screen.

She did one thing right immediately. She rang someone.

That was the move that made the rest of it survivable.

This is a post about that — and about three other businesses I've watched recover from cyber incidents in the last eighteen months. None of them lost their businesses. Two of them came out stronger than before. The pattern that separated the quick recoveries from the long ones wasn't luck. It was preparation.

Most of which can be done in an afternoon.


How small businesses in Australia actually recover from a cyber attack

There is a story the cybersecurity industry likes to tell. It goes: you get hit, you panic, you lose everything, you close down. The numbers in the industry's reports back this story up — "60% of small businesses close within six months of a cyber attack."

The number is true, more or less. The story it tells isn't.

What actually closes those businesses isn't the attack. It's what wasn't in place before the attack.

The member I mentioned didn't lose her practice. She lost three days of operating revenue, paid for a few days of consultant time, and had a very bad Monday and Tuesday. By Thursday afternoon she was sending invoices again. By Friday her clients had been told what had happened, in plain English, and most of them thanked her for the heads-up. The story she now tells about it is, frankly, a better story than the one she'd been telling about her business before.

The pattern repeated across the other three businesses I watched: a freight broker in Western Sydney, a two-person legal practice in Adelaide, and a consulting firm with five staff in Melbourne. All hit. All recovered. None catastrophically.

What did they have in common?

Three things. None of them complicated.


The three things to do now to make recovery survivable

This is not generic advice. These are the three things — drawn from Australian Signals Directorate guidance and from watching real recoveries — that separate businesses that bounce back from businesses that don't.

One. Test your backups. Once a year, minimum.

You almost certainly have a backup of something. Most businesses do. The question that catches owners out is whether the backup actually works.

The ASD's Essential 8 framing on this is direct: backups must be tested at least annually, and ideally after every significant system change.

The test is simple. Pick a folder you backed up last week. Pretend the original has been destroyed. Try to restore the folder to where it should be. Time how long it takes. Note whether anything fails.

The first time most owners do this, something fails. That is the entire point of testing — finding the gap before you actually need it.
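A scripted version of that restore test, added here as an example (it is not from the article or from WISECLICK). It assumes the backup is a plain tar archive; `extract_backup` is a placeholder to swap for your own backup tool's restore command. It restores into a scratch directory, times the restore, and compares every file's hash against the live folder, so a stale or partial backup shows up as a mismatch rather than a quiet success.

```shell
# Restore test for a folder backup. Added example, not from the article.
# Assumes the backup is a plain tar archive; swap extract_backup() for your
# backup tool's own restore command if it is something else.

# Restore ARCHIVE into DEST (hypothetical wrapper; here plain tar).
extract_backup() {
    tar -xf "$1" -C "$2"
}

# One "hash  ./relative/path" line per file under DIR, sorted for line-by-line comparison.
tree_manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while read -r f; do
        sha256sum "$f"
    done )
}

# restore_test ORIGINAL ARCHIVE: restore into scratch space, time it, and compare hashes.
# Returns 0 only when the restored tree is byte-for-byte identical to the live folder.
restore_test() {
    original="$1"; archive="$2"
    scratch=$(mktemp -d); mkdir "$scratch/restored"
    start=$(date +%s)
    if ! extract_backup "$archive" "$scratch/restored"; then
        echo "RESTORE FAILED: could not extract $archive"
        rm -rf "$scratch"; return 1
    fi
    elapsed=$(( $(date +%s) - start ))
    tree_manifest "$original" > "$scratch/expected.txt"
    tree_manifest "$scratch/restored" > "$scratch/actual.txt"
    if diff "$scratch/expected.txt" "$scratch/actual.txt" > "$scratch/diff.txt"; then
        echo "RESTORE OK: $(wc -l < "$scratch/expected.txt") files verified in ${elapsed}s"
        rc=0
    else
        echo "RESTORE MISMATCH after ${elapsed}s (< live only, > restored only):"
        grep '^[<>]' "$scratch/diff.txt"
        rc=1
    fi
    rm -rf "$scratch"
    return $rc
}

# Constructed sample folder, backed up with tar and then restore-tested.
demo() {
    work=$(mktemp -d); mkdir -p "$work/invoices/2024"
    printf 'INV-001 due in 30 days\n' > "$work/invoices/2024/inv-001.txt"
    printf 'client list\n' > "$work/invoices/clients.txt"
    tar -cf "$work/invoices.tar" -C "$work/invoices" .
    restore_test "$work/invoices" "$work/invoices.tar"; rc=$?
    rm -rf "$work"; return $rc
}
```

Run `demo` to see a passing check; point `restore_test` at a real folder and last week's archive to run the annual test the article describes.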

The freight broker discovered, three days into a ransomware incident, that his backups had stopped running six months earlier. Nobody had noticed because nobody had ever tried to restore from them. He recovered, but the recovery cost him an extra two days and a fair bill from his IT provider. If he'd run a restore test in January, he'd have caught the silent failure when it happened.

Two. Keep one copy offline. Or immutable.

A backup that lives on the same system as the original is not a backup. It is a copy.

The Essential 8 ML1 standard is clear: backups must not be modifiable or deletable by ransomware.

In practical terms, this means one of two things: a physical drive you disconnect after each backup, or a cloud backup with immutability turned on. Either works. Neither requires you to know what immutability means, only that you've asked your IT person to confirm it's on.

The legal practice in Adelaide had cloud backups on the same Microsoft 365 tenant that got compromised. The backups were encrypted along with the rest of the data. They had to negotiate with the attackers. It took them out for eleven days.

The consulting firm in Melbourne had cloud backups on a separate provider with immutability enabled. Their full restore took six hours.

The difference between eleven days and six hours was one decision, made years earlier, about where the backup actually lived.

Three. Write down who calls whom in the first hour.

This is the simplest of the three. It is also the most ignored.

When an incident happens, the owner has about ninety seconds of clear thinking before the adrenaline arrives. Anything that requires looking up phone numbers, finding insurance documents, or making decisions while panicked will not happen.

The fix is a single page, kept somewhere not on the affected systems.

What goes on the page:

  • The first person to call (your IT provider, MSP, or — if you're a WISECLICK member — WISE ASSIST)
  • The second person to call (your insurer's incident hotline, if you have cyber insurance)
  • The reference number for your cyber insurance policy
  • The person at your bank to call about freezing accounts if money has moved
  • One trusted client or supplier to notify early (because the rest will hear regardless, and hearing from you first is the better version)

That's it. The page exists to make the first hour survivable. Everything after the first hour can wait three minutes while you think.

The member I mentioned had this page. She'd written it eight months earlier on a quiet Tuesday afternoon. It's the reason her Monday was a bad Monday and not a closed business.


The first 24 hours — calmly given

If you've just been hit — and the reason you're reading this is because you have, or you're worried you might be — the next 24 hours matter more than the 24 hours before.

Here is what works. Numbered, plain English. Not because numbers calm people down, but because numbered lists are easier to follow when your hands are shaking.

  1. Disconnect the affected machine from the network. Not turn it off — disconnect it. Pull the ethernet cable. Turn off Wi-Fi. This stops the spread to other systems. It does not undo the damage. It limits it.
  2. Do not pay anything. Not yet. The instinct will be there. Resist it for the first hour. The cost of paying is rarely the ransom — it is what paying tells the attackers about you.
  3. Call the first person on your page. If you don't have a page yet, this is exactly why it's worth writing one when things are quiet. For now, the first call is to whoever knows your systems. Their job in the next hour is to assess what's actually been hit and what hasn't.
  4. Document everything you see. Phone photos are fine. The ransom note. The behaviour of the system. The time it started. You will not remember any of it accurately in two days. The documentation is for your insurer, your IT provider, and — if it goes that way — the police.
  5. Notify your insurer if you have cyber insurance. Many policies have a tight notification window — often 24 hours. Missing it can affect or void coverage. Check yours before you need it. The insurer's hotline knows what they're doing — they've handled hundreds of these.
  6. Report it to ReportCyber. This is the ASD's national reporting service at cyber.gov.au. It costs you nothing. It helps the next business that gets hit, and in some cases it can recover funds.
  7. Talk to your clients only when you have something to say. The instinct is to apologise immediately. The better move is to wait until you can tell them what happened and what you're doing about it. Two clear sentences beat a panicked apology email by a wide margin.
  8. Sleep, if you can. The second day is harder than the first. You will be more useful in it if you slept.

Where this fits in the bigger picture

The Essential 8 — Australia's national cybersecurity baseline for small businesses — includes regular backups as one of its eight strategies. Most small businesses I speak to have something resembling backups. Very few have tested them.

The gap between "we have backups" and "we have tested, immutable, off-system backups with a written first-hour procedure" is where most of the catastrophic recoveries happen.

The Essential 8 Gap Assessment shows you exactly where your business stands on this — and the other seven strategies — in plain English.

In about half an hour, you get a plain-English report showing which gaps would actually hurt, which ones are theoretical for a business your size, and what to do about each. The assessment is $149.

The assessment shows you the gaps. The membership closes them. Recovery — when needed — is what the whole system is built to make survivable.

You don't have to wait for an incident to take the assessment. The whole point is that you don't.

Take the Essential 8 Gap Assessment — 30 minutes, $149 →


The member rang again, three weeks later, to tell me she'd tested her backups, written her first-hour page, and slept properly for the first time in months.

I told her that was the whole job.

Stay protected, my friends.
— The Most Secure Man Alive




Frequently Asked Questions


How long does a typical cyber attack recovery take for a small business?

For a prepared business with tested backups and an immutable copy: often a matter of hours to a few days. For an unprepared business: weeks, sometimes with permanent data loss. The difference is preparation, not luck.

Should I pay the ransom if I'm hit?

The ASD's official position is to not pay. Paying funds further attacks, provides no guarantee of recovery, and marks your business as one that pays. If your backups are tested and accessible, you almost certainly don't need to.

How often should I test my backups?

ASD's Essential 8 guidance: at least annually, and after any significant system change. In practice: pick a Tuesday afternoon every year, block out 90 minutes, run a restore on a sample folder.

What is an "immutable" backup?

A backup that cannot be modified or deleted, even by someone with full access to your system. Most cloud backup providers offer this as a toggle. The Essential 8 ML1 standard requires it for the regular backups strategy to be properly covered.

Do I need cyber insurance?

Increasingly yes, but the policy fine print matters more than the headline cost. Most policies now require Essential 8 maturity statements at renewal. The Essential 8 Gap Assessment gives you the answer your insurer will eventually ask for.

What should I tell my clients if I get hit?

Two clear sentences when you have facts. The Privacy Act may require notification depending on the data involved. The OAIC and your insurer can advise. Resist the urge to apologise before you have information — silence is better than a panicked email.

What's the first thing to do if I think I might have been hit but I'm not sure?

Disconnect the suspicious machine from the network, then call your IT provider or MSP. Most "I think we might have been hit" reports turn out to be false alarms. The cost of a 30-minute false alarm call is far less than the cost of an undetected attack.
