
What Actually Happens After a Cyber Attack

19 May 2026 | By CIO Tech

Ransomware does not just encrypt your files. It encrypts your week.

Most small business owners think a cyber attack means a pop-up on a screen and a phone call to their IT person. The reality is messier. It is days of uncertainty, hard decisions made under pressure, and costs that go well beyond the ransom demand. The average cost of a cyber incident for a small business in Australia is over $46,000, and that does not include the time you lose or the clients who quietly move on.

This is what the first 72 hours actually look like, not as a hypothetical, but as the reality businesses face when basic security controls are missing. If you want a structured first-hour response template before you ever need it, our Incident Response 60-Minute Playbook is free.

Hour 0 to 4: Discovery and Chaos

It usually starts with a staff member who cannot open their files. Or a screen that displays a ransom note demanding payment in cryptocurrency. Or an email from a client asking why they received a strange invoice from your account.

The first few hours are confusion. You do not know what has been affected, how it got in, or whether it is still spreading. If you have an IT provider, you call them. If you do not, you are searching the internet for answers while your business is offline.

Every device that connects to your network is now suspect. If the attacker got in through one machine, they may have moved laterally, that is, jumped from one computer to another across your network. Until someone can confirm otherwise, nothing is safe to use.

Your staff are standing around. Phones might still work, but email, files, and any software that runs on your network are unavailable.

Hour 4 to 24: Assessment and Hard Decisions

An incident response specialist, if you can get one at short notice, starts by isolating affected systems. That means pulling devices off the network to stop the spread. It also means your business is still down.

The next step is working out what happened. How did the attacker get in? A phishing email, an unpatched system, a reused password, a remote access tool left open. In most small business incidents, the entry point is something basic that should have been locked down. When the ACSC publishes an alert about an active campaign, our ACSC Alert Response Playbook shows the triage steps to take in the first 24 hours.

The first 48 hours after an attack decide the damage.

Then comes the data question. Has client data been accessed or stolen? If so, you may have obligations under the Notifiable Data Breaches scheme. That means reporting the breach to the Office of the Australian Information Commissioner (OAIC) and notifying every person whose data was affected. This is not optional. It is law.

And then there is the ransom itself. Pay or do not pay. If your backups are gone or were never tested, you may have no other way to recover your data. Law enforcement advises against paying. But when your entire client database is locked and you have no backup, the decision is not academic.

Hour 24 to 72: Recovery and Fallout

Even after the immediate threat is contained, recovery takes days. Systems need to be rebuilt. Data needs to be restored, if it can be. Every application needs to be checked and reinstalled.

During this time, you are also managing the human side. Clients are asking why you are not responding. Staff are anxious. If client data was exposed, you are having uncomfortable phone calls. If you are in a regulated industry such as medical, legal, or financial, there may be additional reporting obligations.

The costs stack up. Incident response fees. Lost revenue. Staff downtime. Potential fines. Reputational damage that is hard to measure but real.

A business with 20 staff that loses three days of productivity has lost 480 working hours. Add the direct costs of investigation, recovery, and notification, and you are well past the $46,000 average.

What Makes the Difference

The businesses that recover quickly have a few things in common. They have backups that are tested and stored offsite. They have endpoint detection and response (EDR), software that watches for suspicious behaviour on devices and can isolate a compromised machine before the damage spreads. They have multi-factor authentication (MFA) on every account, so a stolen password alone is not enough to get in.

None of these are expensive or complicated. They are basic controls. The Australian Cyber Security Centre publishes a framework called the Essential Eight, eight specific security controls that address the most common attack methods. Most small businesses have implemented one or two of them. The ones that get through incidents without catastrophic damage have implemented most of them.

The difference between a contained incident and a business-threatening crisis is almost always preparation, not luck.

What You Can Do Right Now

You do not need to become a security expert. You need to know where your gaps are and close the obvious ones first.

Start with the basics. Are your backups running, and has anyone tested a restore recently? Is MFA turned on for every account that supports it? Are your systems being patched regularly, meaning security updates are applied, not just ignored? Does anyone monitor your network for unusual activity?

If you are not sure about the answers, that is the problem. A 10-minute IT Maturity Assessment will show you where you stand and where the gaps are. It is free, and it gives you a clear picture, no commitment required.
