Cyber Incident Response: What to Do in the First 60 Minutes of a Breach
A cyberattack is not an “if” scenario for Australian businesses anymore – it is a “when.” The ACSC receives a cybercrime report every six minutes in Australia. What separates businesses that recover quickly from those that suffer months of disruption, reputational damage, and financial loss is not whether they were attacked. It is whether they had a cyber incident response plan in place before the attack happened. Those first 60 minutes are decisive. Here is what you need to know – and what your business needs to have ready before the worst happens.

What Is a Cyber Incident Response Plan?

A cyber incident response plan is a documented, pre-approved set of procedures that defines exactly what your team does when a security incident occurs. It removes the paralysis and confusion of trying to make critical decisions under pressure in real time. A complete plan covers:

Without this, businesses waste critical time figuring out who to call, what to disconnect, and what to tell customers — while the attackers continue doing damage.

Learn how our Business Continuity service ensures rapid recovery after an incident

The First 60 Minutes: A Practical Incident Response Timeline

When a cyber incident is detected, time is your most critical resource. Here is what the first hour should look like:

Minutes 0–10: Detect and Report
Minutes 10–20: Contain
Minutes 20–40: Assess
Minutes 40–60: Communicate and Document

See how Netlogyx Managed IT Support provides rapid incident response support

Australian Legal and Regulatory Obligations During an Incident

Cyber incident response in Australia carries specific legal obligations that businesses must understand before an incident occurs – not after.

Notifiable Data Breaches (NDB) Scheme: If your business is covered by the Privacy Act 1988 (generally businesses with turnover over $3M, or those in certain sectors) and a breach is likely to cause serious harm to individuals, you must notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as practicable.

Ransomware Payment Reporting: From 30 May 2025, certain businesses that pay a ransom are required to report it to the Australian Signals Directorate within 72 hours.

ASX-listed companies: Must disclose material cyber incidents to the ASX under continuous disclosure obligations.

Not knowing these obligations is not a defence. Your incident response plan must include a legal review checklist so decisions are made correctly under pressure.

Building Your Cyber Incident Response Capability

Most SMBs do not need a dedicated internal security team to have a strong cyber incident response capability. What they need is:

Netlogyx works with clients to develop incident response plans, test them through tabletop exercises, and stand ready as the first call when something goes wrong.

Explore our SIEM service for real-time incident detection and alerting

Do You Know What to Do If Your Business Is Breached Tonight?

Most businesses do not. Netlogyx helps Australian SMBs build and maintain cyber incident response plans that work under real pressure – not just on paper.

Frequently Asked Questions

Q: How often should we test our incident response plan?
A: At minimum, annually – and after any significant change to your IT environment, staff structure, or business operations. Tabletop exercises, where the team walks through a simulated incident scenario, are the most practical and cost-effective testing method.

Q: Should we pay a ransom if we are hit with ransomware?
A: This is a complex decision that depends on your backup status, the data involved, the attacker group, and legal obligations. It is critical to have your IT provider, legal counsel, and potentially law enforcement involved before making this decision. Paying does not guarantee data recovery and may fund further attacks.

Q: What is the biggest mistake businesses make during a cyber incident?
A: Trying to handle it without expert help. The second biggest mistake is turning off affected machines before forensic data is captured. Both mistakes compromise your ability to understand what happened and recover fully.

The Businesses That Recover Fastest Are the Ones That Planned

A cyber incident response plan will not prevent every attack. But it determines how quickly you recover, how much damage is contained, and whether your business survives intact. Netlogyx gives Australian SMBs the planning, tools, and expert support to respond with confidence when it matters most.

(We are not looking to replace your current provider, just offering an alternative perspective)

Written by Neil Frick
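The point raised in the FAQ above (do not switch off affected machines before forensic data is captured), as an added example that is not part of the original article: a PowerShell triage script that snapshots a Windows host's volatile state to a case folder and hashes it, so the "Contain" step can isolate the host without destroying evidence. The case identifier, output path and file names are this example's own assumptions.

```powershell
# Added example (not from the original article): snapshot volatile state on a
# Windows host BEFORE it is isolated or powered down, so containment does not
# destroy the evidence the investigation needs. Run from an elevated prompt.
# The output location and file names are this example's own choices.

$Case   = 'CASE-ID-PLACEHOLDER'   # replace with your incident or ticket reference
$OutDir = Join-Path $env:SystemDrive "IR-Triage\$Case\$env:COMPUTERNAME"
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$Log    = Join-Path $OutDir 'README.txt'
"Triage started $(Get-Date -Format o) on $env:COMPUTERNAME by $env:USERNAME" | Out-File $Log

# Ordered so the most volatile data (processes, connections, sessions) is captured
# first; all of it disappears the moment the machine is shut down.
$Collectors = [ordered]@{
    'processes.csv' = { Get-CimInstance Win32_Process |
                        Select-Object ProcessId, ParentProcessId, Name, CommandLine, CreationDate }
    'netconns.csv'  = { Get-NetTCPConnection |
                        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess }
    'sessions.csv'  = { Get-CimInstance Win32_LogonSession | Select-Object LogonId, LogonType, StartTime }
    'dns_cache.csv' = { Get-DnsClientCache | Select-Object Entry, Data, TimeToLive }
    'services.csv'  = { Get-CimInstance Win32_Service | Select-Object Name, State, StartMode, PathName }
    'tasks.csv'     = { Get-ScheduledTask | Select-Object TaskName, TaskPath, State }
    'run_keys.csv'  = {
        # Persistence locations are less volatile but cheap to grab while we are here.
        foreach ($k in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                       'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
            $item = Get-Item $k -ErrorAction SilentlyContinue
            foreach ($p in $item.Property) {
                [pscustomobject]@{ Key = $k; Name = $p; Value = $item.GetValue($p) }
            }
        }
    }
}

foreach ($name in $Collectors.Keys) {
    try {
        & $Collectors[$name] | Export-Csv -Path (Join-Path $OutDir $name) -NoTypeInformation -Encoding UTF8
    } catch {
        # Record the failure instead of aborting: partial evidence beats none.
        "FAILED $name : $($_.Exception.Message)" | Add-Content $Log
    }
}

# Hash every artefact so it can later be shown to be unaltered (chain of custody).
Get-ChildItem $OutDir -File | Where-Object Name -ne 'manifest.sha256.csv' |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, @{ n = 'File'; e = { $_.Path } } |
    Export-Csv (Join-Path $OutDir 'manifest.sha256.csv') -NoTypeInformation
Write-Host "Volatile triage saved to $OutDir. Isolate the host from the network now; do not power it off."
```

Copy the case folder to removable or central evidence storage before any remediation begins, and keep the manifest with the incident notes so the legal review checklist has a verifiable record.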
Essential Eight Maturity Level 2: The SMB Guide for Australian Businesses

Reaching Essential Eight Maturity Level 2 is the single most impactful cybersecurity investment an Australian SMB can make. The ASD’s Essential Eight framework was built directly from the experience of responding to real cyberattacks on Australian organisations — the same vulnerabilities exploited again and again, turned into a structured set of controls that, when properly implemented, stops the majority of them.

Yet the Commonwealth’s own 2025 Cyber Security Posture Report reveals that only 22% of Australian government entities reached Essential Eight Maturity Level 2 across all eight controls. If government entities with dedicated IT teams are struggling, the picture for SMBs without those resources is even more challenging — and the urgency is even greater.

What the Essential Eight Maturity Level 2 Framework Actually Covers

The framework consists of eight mitigation strategies, each targeting a specific attack vector:

1. Application Control
Only approved applications can execute on your systems. This prevents ransomware payloads, unauthorised software, and malicious scripts from running entirely. The ASD rates this as its highest-impact single control.

2. Patch Applications
Known vulnerabilities in applications are exploited rapidly — sometimes within hours of a proof-of-concept being published. This control requires internet-facing services to be patched within 48 hours of a critical patch release at Maturity Level 2.

3. Configure Microsoft Office Macros
Malicious macros remain a primary delivery mechanism for ransomware. Macros should be disabled by default and allowed only for explicitly trusted, digitally signed documents.

4. User Application Hardening
Remove unnecessary functionality and default features from applications that attackers can exploit — including browser plugins and legacy browser extensions.

5. Restrict Administrative Privileges
The principle of least privilege: users should have only the access they need for their role. Administrative accounts should be used only when administrative tasks are being performed.

6. Patch Operating Systems
Operating system vulnerabilities are as critical as application vulnerabilities. Systems running unsupported operating systems — still common among Australian SMBs — have unpatched vulnerabilities that can never be fixed.

7. Multi-Factor Authentication (MFA)
The ASD’s updated Essential Eight requires phishing-resistant MFA — a higher standard than SMS codes or basic authenticator apps. Passkeys and hardware security keys provide the highest level of protection.

8. Regular Backups
Backups should be current, tested, encrypted, and include offline or immutable copies that cannot be deleted by ransomware.

Where Australian SMBs Are Failing on Essential Eight Maturity Level 2

Analysing the 2025 government posture report and industry data, the three most common gaps in Essential Eight implementation for SMBs are:

MFA adoption and quality: Many businesses have implemented basic MFA using SMS codes, which can be bypassed through SIM-swapping attacks and phishing-in-the-middle techniques. The ASD now requires phishing-resistant MFA at Level 2. According to the CyberCX 2026 Threat Report, attackers are bypassing most MFA solutions through adversary-in-the-middle session hijacking using low-cost phishing kits.

Patching speed: The ASD requires critical patches on internet-facing services within 48 hours. Many SMBs patch on a weekly or monthly schedule at best. The ACSC observed more than 120 incidents associated with attacks on edge devices in FY2024-25, of which 96% were successful.

Application control implementation: This is the most technically complex of the eight controls and the one most commonly absent from SMB environments. Without it, ransomware payloads can execute freely once they reach an endpoint.

The Business Case for Achieving Essential Eight Maturity Level 2

The financial case for Essential Eight implementation is straightforward:

Average small business cybercrime cost: $56,600 per incident (up 14% in FY2024-25)
Average medium business cybercrime cost: $97,200 per incident (up 55%)
Businesses at Essential Eight Maturity Level 2 experience dramatically fewer incidents
Cyber insurance now requires demonstrable Essential Eight maturity before honouring claims

Beyond insurance, ASIC has taken enforcement action against financial services firms that failed to implement adequate cybersecurity measures under their licence obligations. Reasonable cybersecurity is now a legal expectation, not just a best practice recommendation.

How to Reach Essential Eight Maturity Level 2: A Practical Path for SMBs

Month 1-2: Foundation
Enable phishing-resistant MFA on email, VPN, admin accounts, and cloud platforms
Audit and inventory all systems for legacy or unsupported software
Implement automated patching for all internet-facing systems
Review and document current backup procedures

Month 3-4: Technical Controls
Deploy endpoint detection and response (EDR) across all devices
Implement application allowlisting on servers and critical endpoints
Configure Microsoft Office macro controls
Set up centralised logging

Month 5-6: Validation
Conduct a formal Essential Eight assessment against ASD maturity criteria
Test backup restoration procedures
Run staff phishing simulations
Document your maturity baseline for insurance and compliance purposes

The ACSC Essential Eight Explained: A Plain-English Guide for Australian Business Owners
Vulnerability Management Services – Find Weaknesses Before Attackers Do
AI-Powered Endpoint Protection with SentinelOne – Netlogyx

Essential Eight Implementation Is Not Optional for Australian Businesses That Want to Survive a Cyber Incident.

Netlogyx guides SMBs through Essential Eight assessment and implementation with a practical, phased approach that fits your budget and operational reality.

Receive an honest Essential Eight maturity assessment
Get a prioritised, costed remediation roadmap
Implement at a pace that fits your business

Frequently Asked Questions

Q: Is the Essential Eight mandatory for SMBs?
A: The Essential Eight is mandatory for non-corporate Commonwealth entities at Maturity Level 2. For private sector businesses, it is currently voluntary, but the regulatory environment is tightening rapidly. ASIC has taken enforcement action against businesses that lack adequate cybersecurity under financial licence obligations, and the standard courts are applying is increasingly aligned with Essential Eight Level 2.

Q: How long does it take to reach Essential Eight Maturity Level 2?
A: For most SMBs starting from a baseline of limited controls, reaching Level 2 across all eight strategies takes between three and nine months, depending on existing infrastructure, budget, and staff readiness. The phased approach above is designed to deliver meaningful risk reduction at every stage, not just at completion.

Q: My business is small. Do I really need all eight controls?
A: The eight controls are interdependent — each addresses a different attack vector, and gaps in any one create exposure even if the others are well-implemented. The practical starting point is always MFA, patching, and