Securing a Melbourne Service Business Against Ransomware
Industry: Trade Services
Company size: 15 employees
Location: Melbourne, VIC
Services used: Cybersecurity, Backup & Disaster Recovery, Security Awareness Training
Key result: No security incidents in 18 months since implementation
The Challenge
The attack came through a phishing email opened by one of the company's field technicians. Within hours, the ransomware had encrypted the firm's job management system, customer database, and shared network drives. Three days of operations were lost while the owner attempted to manage the situation, eventually paying a significant recovery fee to regain access to some, but not all, of their data. The financial cost of the attack was substantial. The reputational cost, with clients aware their records had been compromised, was harder to quantify.
The root causes were straightforward in hindsight. There had been no endpoint protection beyond a basic consumer antivirus product on some machines. Email had no filtering or anti-phishing controls. No staff had ever received security awareness training. The backup system consisted of a scheduled copy to a network drive, which the ransomware also encrypted. The firm had no offsite backup and no tested recovery procedure.
The owner's first instinct after the attack was to spend heavily on the most visible security products available. Before committing to any particular solution, they engaged SuperStack IT for an independent assessment. The assessment provided a prioritised view of the actual risks and a proposed remediation approach that would meaningfully reduce attack surface without unnecessary complexity or expense.
The business was also concerned about cyber insurance. Their existing policy had paid out less than expected during the incident, and the insurer had identified multiple control failures as partial grounds for the reduced payout. Renewing at similar coverage levels would require documented evidence of improved controls.
The Solution
SuperStack IT implemented a layered security architecture aligned with the Essential Eight framework, the Australian Cyber Security Centre's baseline controls for small and medium businesses. The implementation was prioritised in three phases, addressing the highest-risk areas first and building toward full Maturity Level 2 compliance over six months.
Phase one addressed the immediate gaps: Defender for Business was deployed across all endpoints within the first week, replacing the ineffective consumer antivirus products. Multi-factor authentication was enabled across all accounts. A new backup solution was implemented with automated daily backups to Azure Blob Storage with immutable backup policies, meaning ransomware or accidental deletion cannot affect the backup copies. The first offsite recovery test was completed in the same week.
Phase two addressed the remaining Essential Eight controls: application control policies were implemented on all workstations, email filtering and advanced anti-phishing were configured, and a patch management schedule was established with critical security patches applied within 48 hours of release.
Phase three focused on the human element. All 15 staff completed a tailored security awareness training programme that used examples relevant to their specific business context, not generic corporate scenarios. A quarterly simulated phishing programme was established, with results reviewed and used to target further training. The phishing simulation click rate, which began at 35% in the first test, dropped to under 5% by the fourth quarter.
The Results
Zero: Security incidents in 18 months since implementation
Quarterly: Backup recovery tested successfully every quarter
30%: Cyber insurance premium reduction
5%: Staff phishing click rate (down from 35%)
The transformation in the firm's security posture was significant, but the owner noted that the most unexpected benefit was the change in staff behaviour and awareness. People who had never thought about phishing emails before now approached suspicious messages with appropriate scepticism, reported them, and asked questions. The security culture that had been entirely absent before the attack had been deliberately built and was now self-sustaining.
Client Testimonial
“I wouldn't wish a ransomware attack on anyone. But going through it and rebuilding properly means we now have more confidence in our IT security than most businesses our size. We know our backups work because we test them. We know our staff are aware because we measure it.”