Ransomware Protection for Sydney Businesses | Kawco

The average ransomware payment demanded from Australian small and mid-sized businesses now sits above $200,000 AUD — and that figure does not include the cost of downtime, reputational damage, or regulatory exposure under the Privacy Act 1988. For a Sydney business running on tight margins and lean IT resources, a single successful attack can be existential. Ransomware is no longer a problem reserved for large enterprises or overseas companies; the Australian Cyber Security Centre (ACSC) consistently reports that small businesses are among the most targeted victims precisely because attackers know they are less defended. If your business relies on daily operations running without disruption — and whose doesn’t — this post will give you a clear-eyed picture of the threat and a practical framework for defending against it.

Why Australian Businesses Are Being Targeted

Australia consistently ranks among the top ten most-targeted nations for ransomware in global threat reports. Several factors make Australian businesses attractive: relatively high revenue per employee compared to other markets, a large proportion of businesses still running outdated or poorly configured infrastructure, and a regulatory environment that creates financial urgency around data breaches. The ACSC’s Annual Cyber Threat Report has noted a sustained increase in attacks on professional services, healthcare, retail, and construction sectors — industries heavily represented across Sydney’s business community. Attackers are rational actors; they go where the returns are predictable and defences are weak.

Locally, the concentration of businesses in sectors like legal, accounting, logistics, and property in suburbs such as Surry Hills, Pyrmont, and the Sydney CBD means that a single compromised supplier or shared cloud environment can expose dozens of firms simultaneously. Supply chain attacks — where the ransomware enters through a trusted third party such as a software vendor or IT provider — are increasingly common. The interconnected nature of Sydney’s professional services economy amplifies this risk considerably. If your IT environment has not been audited from the outside in, you may be one trusted vendor relationship away from a serious incident.

How Ransomware Actually Gets In

Understanding the mechanics of an attack is essential to building a sensible defence. The overwhelming majority of ransomware infections in Australia enter through one of three vectors: phishing emails that trick staff into clicking a malicious link or opening an infected attachment; exposed Remote Desktop Protocol (RDP) ports left open on servers or workstations; and unpatched vulnerabilities in software that attackers scan for and exploit automatically. Gaps in multi-factor authentication (MFA) are also increasingly exploited — attackers who obtain a valid username and password through credential stuffing or a previous data breach can walk straight in if MFA is absent or poorly configured.

Once inside a network, modern ransomware does not immediately encrypt files. Attackers typically spend days or weeks moving laterally through the environment, escalating their privileges, identifying backup systems, and exfiltrating sensitive data before triggering the encryption payload. This means that by the time you see the ransom note, the attacker has likely already copied your client records, financial data, or intellectual property. Paying the ransom may decrypt your files but will not undo the data theft — and it will not guarantee the decryption key actually works. This is why the strongest form of ransomware protection for a Sydney business is prevention and containment, not recovery alone.

The Regulatory Stakes: What the Privacy Act Means for You

Australian businesses with an annual turnover above $3 million — and certain categories of smaller businesses including health service providers and businesses that trade in personal information — are subject to the Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988. If a ransomware attack results in unauthorised access to personal information that is likely to cause serious harm to affected individuals, you are legally required to notify both the Office of the Australian Information Commissioner (OAIC) and the affected individuals, typically within 30 days of becoming aware of the breach. Failure to notify can result in civil penalties of up to $50 million for serious or repeated breaches under the amended Privacy Act passed in 2022.

Beyond the direct penalties, the reputational cost of a publicly disclosed breach is substantial. Sydney’s professional services market is relationship-driven; clients choose providers based on trust. A notification letter telling clients their data was exposed in a ransomware attack erodes that trust in a way that is very difficult to rebuild. The investment required to prevent that outcome — proper endpoint protection, network segmentation, documented incident response plans, and tested backups — is a fraction of the cost of managing the aftermath. This is not a theoretical risk calculus; it is the lived experience of businesses that have been through it.

A Practical Ransomware Defence Framework

Effective ransomware protection for a Sydney business does not require exotic technology. It requires disciplined execution of a set of proven fundamentals. The first priority is identity security: every user account should have MFA enforced, especially for email, VPN access, and any administrative console. Privileged accounts — those with administrator rights — should be separated from day-to-day user accounts and subject to stricter controls. Conditional access policies within platforms like Microsoft 365 can enforce MFA requirements based on location, device compliance, and risk signals, making it significantly harder for stolen credentials to be used effectively. Kawco’s Microsoft 365 and cloud services configurations include these controls as standard, not as optional extras.

The second priority is patching discipline. Unpatched operating systems and applications are the raw material of ransomware attacks. A structured patch management programme — one that applies critical security patches within 48 to 72 hours of release and routine patches on a defined monthly schedule — eliminates the majority of known vulnerability exposure. The third priority is network segmentation: separating your servers from your workstations, your guest Wi-Fi from your business network, and ensuring that a compromised laptop cannot directly reach your file server or backup systems. The fourth priority is endpoint detection and response (EDR) tooling that goes beyond traditional antivirus and can identify suspicious behavioural patterns — such as mass file encryption activity — before the damage is complete. Together, these controls form the structural backbone of any credible defence.

Backups Are Not a Substitute for Prevention — But They Are Non-Negotiable

There is a dangerous misconception in some businesses that having backups means they are covered for ransomware. Backups matter enormously, but they are not a get-out-of-jail-free card. If your backups are connected to the same network as your production systems, a sophisticated attacker will find and encrypt or delete them before triggering the main payload. Effective backup architecture requires at least one copy of your data to be air-gapped or immutable — meaning it cannot be altered or deleted by anything or anyone connected to your live environment. The widely referenced 3-2-1 rule (three copies of data, on two different media, with one offsite) remains a solid baseline, but immutability is now a critical addition to that framework.

Equally important is testing. A backup that has never been restored is a backup you cannot trust. Restoration tests should be conducted at least quarterly for critical systems, and the results should be documented. You need to know not just that the backup exists, but how long a full restoration takes — because that number directly determines your maximum downtime in a worst-case scenario. For most Sydney businesses, even 24 hours of complete system unavailability represents a significant financial loss. Kawco’s approach to backup and business continuity is built around these principles: tested recovery, immutable storage, and documented recovery time objectives that are reviewed regularly, not just set and forgotten.

Frequently Asked Questions

How much does ransomware protection typically cost for a small Sydney business?

For a small Sydney business with 10 to 30 users, a properly structured ransomware defence — covering endpoint protection, MFA enforcement, managed patching, and a tested backup solution — typically costs between $60 and $120 per user per month as part of a managed IT arrangement. This compares very favourably to the average cost of a ransomware incident, which ACSC data and industry estimates suggest routinely exceeds $50,000 to $200,000 AUD for small businesses once downtime, recovery, and notification obligations are factored in. The upfront cost of prevention is predictable; the cost of a breach is not.

Should I pay the ransom if my business is attacked?

The general guidance from the ACSC and the Australian Federal Police is not to pay the ransom. Payment does not guarantee you will receive a working decryption key, and it does not undo any data that has already been exfiltrated. There is also evidence that businesses that pay are more likely to be targeted again, as they are flagged as willing payers. The better path is to engage a reputable incident response firm immediately, notify your managed IT provider, and work from your tested backups while preserving forensic evidence. This is one reason having a documented incident response plan before an attack occurs is so important — making those decisions under pressure, without a plan, leads to costly mistakes.

Is ransomware covered by cyber insurance in Australia?

Many Australian cyber insurance policies do provide cover for ransomware-related losses, including ransom payments (subject to insurer approval), business interruption costs, and breach notification expenses. However, insurers are increasingly scrutinising the security posture of applicants and policyholders. Businesses without MFA, documented patching processes, or tested backups are finding their claims disputed or their premiums substantially increased. Obtaining cyber insurance is worthwhile, but it should complement a strong security posture, not substitute for one. Speak to a specialist cyber insurance broker and be honest about your current controls.

How does managed IT support differ from just having an internal IT person for ransomware protection?

An internal IT person typically handles a broad range of day-to-day tasks and may not have the specialised security skills, tooling, or time to maintain a proactive ransomware defence. A managed IT provider brings a team with defined responsibilities, vendor relationships for security tooling, and structured processes like 24/7 monitoring and rapid patch deployment that a single internal hire cannot replicate at the same cost. That said, the two are not mutually exclusive — many Sydney businesses benefit from having an internal IT coordinator who works alongside a managed provider. The key question is whether your current arrangement includes regular security reviews, tested backups, and documented incident response — not just helpdesk support. Kawco’s managed IT support is structured around exactly these responsibilities.

What should I do right now if I think my business is at risk?

Start with three immediate actions. First, verify that MFA is enabled on every user account that accesses email, cloud services, or remote systems — this single control stops a large proportion of attacks cold. Second, confirm that your backups are running, tested, and include at least one copy that is offsite or immutable. Third, check when your systems last received security patches; if any critical patches are more than two weeks outstanding, that is a priority item. If you are unsure about any of these three things, that uncertainty itself is a signal that a professional IT security review is overdue. These are not advanced measures — they are the baseline, and many Sydney businesses have not yet reached it.
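The three immediate checks above, together with the backup requirements from the earlier section (three copies on two media with one offsite, an immutable copy, a restore test within the last quarter, and a measured restore time compared against your recovery time objective), can be turned into a repeatable self-review. The script below is an added example written for this page, not Kawco's own tooling; the account, backup and host records are constructed for illustration, and in practice they would be exported from your identity provider, backup console and patch management system.

```python
"""Baseline ransomware-readiness self-check: MFA coverage, backup
architecture and patch age. All inventory data here is constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Account:
    name: str
    mfa_enforced: bool
    access: set  # subset of {"email", "cloud", "remote", "admin"}

@dataclass
class BackupCopy:
    label: str
    media: str        # e.g. "disk", "tape", "cloud-object"
    offsite: bool
    immutable: bool   # cannot be altered or deleted from the live environment

@dataclass
class BackupSet:
    system: str
    copies: list
    last_restore_test: Optional[date]
    measured_restore_hours: Optional[float]
    rto_hours: float  # recovery time objective agreed for this system

@dataclass
class Host:
    name: str
    critical_patch_released: date  # newest critical patch published for it
    last_patched: date

def check_mfa(accounts):
    """Accounts that reach email, cloud, remote or admin surfaces without MFA."""
    exposed = {"email", "cloud", "remote", "admin"}
    return sorted(a.name for a in accounts
                  if a.access & exposed and not a.mfa_enforced)

def check_backups(bset, today, test_interval_days=90):
    """Apply 3-2-1, immutability, quarterly restore-test and RTO checks."""
    findings = []
    copies = bset.copies
    if len(copies) < 3:
        findings.append("fewer than three copies")
    if len({c.media for c in copies}) < 2:
        findings.append("copies not on two different media")
    if not any(c.offsite for c in copies):
        findings.append("no offsite copy")
    if not any(c.immutable for c in copies):
        findings.append("no immutable or air-gapped copy")
    if (bset.last_restore_test is None
            or (today - bset.last_restore_test).days > test_interval_days):
        findings.append("no restore test in the last 90 days")
    if bset.measured_restore_hours is None:
        findings.append("full restore time never measured")
    elif bset.measured_restore_hours > bset.rto_hours:
        findings.append("measured restore time exceeds RTO")
    return findings

def check_patching(hosts, today, max_days_outstanding=14):
    """Hosts whose newest critical patch has been outstanding for >14 days."""
    overdue = []
    for h in hosts:
        if h.last_patched < h.critical_patch_released:
            age = (today - h.critical_patch_released).days
            if age > max_days_outstanding:
                overdue.append((h.name, age))
    return overdue

def run_review(accounts, backup_sets, hosts, today):
    """Combine the three checks into one findings report."""
    return {
        "mfa_missing": check_mfa(accounts),
        "backups": {b.system: check_backups(b, today) for b in backup_sets},
        "patch_overdue": check_patching(hosts, today),
    }

# Constructed sample inventory (not real systems).
TODAY = date(2025, 6, 30)
ACCOUNTS = [
    Account("alice", True, {"email", "cloud"}),
    Account("bob", False, {"email"}),
    Account("svc-printer", False, set()),       # no exposed access, not flagged
    Account("admin-dave", False, {"admin"}),
]
BACKUPS = [
    BackupSet("file-server", [
        BackupCopy("local NAS", "disk", False, False),
        BackupCopy("cloud object lock", "cloud-object", True, True),
        BackupCopy("offsite tape", "tape", True, False),
    ], date(2025, 5, 12), 6.0, 8.0),
    BackupSet("finance-db", [
        BackupCopy("local NAS", "disk", False, False),
        BackupCopy("NAS snapshot", "disk", False, False),
    ], None, None, 4.0),
]
HOSTS = [
    Host("ws-01", date(2025, 6, 20), date(2025, 6, 25)),   # patched
    Host("srv-rdp", date(2025, 6, 1), date(2025, 5, 15)),  # 29 days outstanding
    Host("ws-02", date(2025, 6, 24), date(2025, 6, 10)),   # 6 days, within window
]

if __name__ == "__main__":
    for section, result in run_review(ACCOUNTS, BACKUPS, HOSTS, TODAY).items():
        print(section, result)
```

Run as-is, the report flags the two accounts without MFA, lists six gaps for the finance database (which fails every backup check) and none for the file server, and names the one host whose critical patch has been outstanding for longer than two weeks. Swapping the constructed records for real exports from your own tools turns this into a quarterly review you can keep on file.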

How Kawco Can Help

Kawco is a managed IT provider based in Alexandria, Sydney. Since 2019, we have worked with Sydney businesses that want technology environments built on structure and accountability rather than reactive fixes. Ransomware protection is not a product we sell — it is a discipline embedded across everything we do, from how we configure Microsoft 365 tenants and enforce identity policies, to how we design backup architectures and document recovery procedures. If you want an honest assessment of where your business stands on ransomware readiness, we are straightforward about what we find and practical about what needs to change.

If you would like to talk through your current situation — without a sales pitch — get in touch with the Kawco team. We work with businesses across Sydney and can usually give you a clear picture of your exposure and a realistic path forward within the first conversation.