IT Asset Management for Growing Businesses

Do You Know What You Own?

Most SMEs cannot answer a simple question: how many devices are connected to your network right now? IT asset management (ITAM) is the practice of tracking every piece of technology your business owns or uses — hardware, software, licences, and subscriptions. Without it, you are flying blind.

Poor asset management leads to wasted money on unused software licences, security vulnerabilities from untracked devices, compliance failures when auditors ask for proof of licensing, unplanned downtime when hardware fails unexpectedly, and difficulty scaling because you do not know what you have or what you need.

What Counts as an IT Asset?

An IT asset is anything with a digital component that your business relies on. This includes hardware such as laptops, desktops, monitors, printers, servers, network switches, routers, firewalls, mobile phones, and tablets. Software includes operating system licences, Microsoft 365 subscriptions, line-of-business applications, security tools, and cloud service subscriptions. Network infrastructure covers access points, cabling, UPS systems, and IoT devices (cameras, sensors, smart locks).

If it connects to your network, stores data, or supports business operations, it belongs in your asset register.

Building Your Asset Register

An asset register does not need to be complex. A well-maintained spreadsheet works for businesses with fewer than 50 devices. For each asset, record the asset tag or serial number, device type and model, purchase date and warranty expiry, assigned user or location, operating system and version, installed software, and current status (active, in storage, decommissioned).

For larger businesses or those wanting automation, dedicated ITAM tools like Snipe-IT (open source), Lansweeper, or the asset management features in your RMM platform provide automated discovery, licence tracking, and reporting.

Hardware Lifecycle Management

Every piece of hardware has a useful life. Laptops typically last three to four years in a business environment. Servers last four to five years. Network equipment lasts five to seven years. Running hardware beyond its useful life increases failure risk, reduces productivity (slow devices frustrate staff), and creates security vulnerabilities when the manufacturer stops providing updates.

Plan replacements proactively. Review your asset register quarterly and identify devices approaching end-of-life. Budget for replacements in advance rather than reacting to failures. A rolling replacement program — replacing 25 per cent of your fleet annually — spreads the cost and prevents a situation where everything needs replacing at once.
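The quarterly review and rolling replacement described above can be run directly against the register. This is an added example, not code from the original article: the CSV column names, the sample rows, the 90-day "approaching" horizon and the use of the upper end of each useful-life range are assumptions.

```python
import csv
import io
import math
from datetime import date, timedelta

# Upper end of the useful-life ranges quoted in the text, in years (assumption).
USEFUL_LIFE_YEARS = {"laptop": 4, "server": 5, "network": 7}

# Constructed sample register (not real data); column names are hypothetical.
SAMPLE_REGISTER = """\
asset_tag,type,purchase_date,warranty_expiry,assigned_to,status
LT-001,laptop,2020-02-10,2023-02-10,alice,active
LT-002,laptop,2021-08-15,2024-08-15,bob,active
LT-003,laptop,2024-03-01,2027-03-01,carol,active
LT-004,laptop,2019-01-10,2022-01-10,,decommissioned
LT-005,laptop,2023-06-01,2026-06-01,dana,active
LT-006,laptop,2022-09-12,2025-09-12,,in storage
SV-001,server,2019-11-20,2024-11-20,comms room,active
SW-001,network,2019-05-05,2024-05-05,comms room,active
FW-001,network,2021-01-15,2026-01-15,comms room,active
"""


def load_register(text):
    """Parse the register and keep everything that is not decommissioned."""
    fleet = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["status"] == "decommissioned":
            continue
        row["purchase_date"] = date.fromisoformat(row["purchase_date"])
        row["warranty_expiry"] = date.fromisoformat(row["warranty_expiry"])
        fleet.append(row)
    return fleet


def end_of_life(asset):
    """Purchase date plus the useful life for the asset's type."""
    years = USEFUL_LIFE_YEARS[asset["type"]]
    bought = asset["purchase_date"]
    try:
        return bought.replace(year=bought.year + years)
    except ValueError:  # bought on 29 February, target year is not a leap year
        return bought.replace(year=bought.year + years, day=28)


def quarterly_review(fleet, today, horizon_days=90):
    """Flag assets past useful life, reaching it within the horizon, or out of warranty."""
    report = {"past_life": [], "approaching": [], "out_of_warranty": []}
    for asset in fleet:
        eol = end_of_life(asset)
        if eol <= today:
            report["past_life"].append(asset["asset_tag"])
        elif eol <= today + timedelta(days=horizon_days):
            report["approaching"].append(asset["asset_tag"])
        if asset["warranty_expiry"] < today:
            report["out_of_warranty"].append(asset["asset_tag"])
    return report


def replacement_plan(fleet, today, fraction=0.25):
    """Pick this year's replacements: the share of the fleet that has used most of its life."""
    def life_used(asset):
        age_days = (today - asset["purchase_date"]).days
        return age_days / (USEFUL_LIFE_YEARS[asset["type"]] * 365.25)

    ranked = sorted(fleet, key=life_used, reverse=True)
    return [a["asset_tag"] for a in ranked[:math.ceil(len(fleet) * fraction)]]


if __name__ == "__main__":
    fleet = load_register(SAMPLE_REGISTER)
    print(quarterly_review(fleet, date(2025, 7, 1)))
    print(replacement_plan(fleet, date(2025, 7, 1)))
```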

Software Licence Management

Software licensing is where asset management saves real money. Common waste includes paying for Microsoft 365 licences assigned to departed staff, maintaining subscriptions to tools nobody uses, running different licence tiers when a cheaper one would suffice, and being out of compliance with software agreements (risking audit penalties).

Conduct a licence audit every six months. Compare active subscriptions against active users and usage data. Remove unused licences, downgrade where appropriate, and ensure every licence is allocated to a current employee.

Microsoft 365 Admin Centre provides usage reports that show which users are actively using their assigned services. If a user has not accessed Teams, SharePoint, or Exchange in 90 days, investigate whether they still need the licence.
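The six-monthly licence audit above reduces to joining three lists: who is employed, who holds a licence, and when each licence holder last used a service. This is an added example, not code from the original article or from Microsoft: the column names and sample rows are constructed and do not reproduce the layout of the real usage report export.

```python
import csv
import io
from datetime import date

INACTIVITY_DAYS = 90  # threshold given in the text
SERVICES = ("teams_last", "sharepoint_last", "exchange_last")  # hypothetical column names

# Constructed sample data (not real accounts).
CURRENT_STAFF = {"alice@example.com", "bob@example.com", "dana@example.com"}

LICENCES = """\
user,licence
alice@example.com,Business Premium
bob@example.com,Business Premium
carol@example.com,Business Premium
dana@example.com,Business Basic
"""

USAGE = """\
user,teams_last,sharepoint_last,exchange_last
alice@example.com,2025-06-28,2025-06-20,2025-06-30
bob@example.com,2025-01-15,,2025-03-01
carol@example.com,2025-02-01,2025-02-01,2025-02-03
dana@example.com,,,
"""


def last_activity(usage_row):
    """Most recent activity date across the tracked services, or None if never seen."""
    dates = [date.fromisoformat(usage_row[s]) for s in SERVICES if usage_row.get(s)]
    return max(dates) if dates else None


def audit_licences(licences_csv, usage_csv, current_staff, today):
    """Return (user, licence, action, reason) for every assigned licence."""
    usage = {r["user"].lower(): r for r in csv.DictReader(io.StringIO(usage_csv))}
    findings = []
    for row in csv.DictReader(io.StringIO(licences_csv)):
        user, licence = row["user"].lower(), row["licence"]
        if user not in current_staff:
            # Licence still assigned to someone who has left: reclaim it.
            findings.append((user, licence, "reclaim", "not a current employee"))
            continue
        seen = last_activity(usage.get(user, {}))
        if seen is None:
            findings.append((user, licence, "investigate", "no recorded activity"))
        elif (today - seen).days >= INACTIVITY_DAYS:
            idle = (today - seen).days
            findings.append((user, licence, "investigate", f"idle {idle} days"))
        else:
            findings.append((user, licence, "keep", "active"))
    return findings


if __name__ == "__main__":
    for finding in audit_licences(LICENCES, USAGE, CURRENT_STAFF, date(2025, 7, 1)):
        print(finding)
```

A licence flagged "reclaim" is also an offboarding gap: the account behind it should already be disabled.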

Disposal and Data Security

When an asset reaches end-of-life, it must be disposed of securely. Hard drives and SSDs contain business data that persists after deletion. Secure disposal methods include certified data destruction (physical shredding of drives), cryptographic erasure (for self-encrypting drives), and NIST 800-88 compliant overwriting. Obtain a certificate of destruction for compliance records. Never dispose of old equipment by simply putting it in the bin or donating it without wiping the data.

ITAM and Security

You cannot secure what you do not know exists. Asset management directly supports security by ensuring every device is accounted for in your endpoint protection and patch management, identifying rogue or unauthorised devices on your network, tracking software versions to confirm all systems are patched and current, and providing the inventory needed for incident response (if a vulnerability is announced, which devices are affected?).

The ASD Essential Eight includes application and OS patching as key controls. Both require a comprehensive asset inventory to implement effectively.
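The checks listed in this section (unaccounted devices, missing endpoint protection, and "which devices are affected?") all come down to reconciling the register against what is actually on the network. This is an added example, not code from the original article: the register fields, the product name ExampleVPN, its version numbers and the sample addresses (documentation ranges) are constructed, and matching on MAC address is an assumption.

```python
# Constructed register entries (not real devices).
REGISTER = [
    {"tag": "LT-001", "mac": "00:00:5E:00:53:01", "status": "active",
     "edr": True, "software": {"ExampleVPN": "4.2.1"}},
    {"tag": "LT-002", "mac": "00-00-5e-00-53-02", "status": "active",
     "edr": False, "software": {"ExampleVPN": "4.10.0"}},
    {"tag": "SV-001", "mac": "00:00:5e:00:53:03", "status": "active",
     "edr": True, "software": {}},
    {"tag": "LT-009", "mac": "00:00:5e:00:53:09", "status": "decommissioned",
     "edr": False, "software": {"ExampleVPN": "3.9.0"}},
]

# Constructed discovery results, e.g. exported from DHCP leases: (MAC, IP).
SEEN_ON_NETWORK = [
    ("00-00-5E-00-53-01", "192.0.2.21"),
    ("0000.5e00.5302", "192.0.2.22"),
    ("00:00:5e:00:53:09", "192.0.2.29"),
    ("00:00:5e:00:53:7f", "192.0.2.99"),
]


def norm_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    return "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")


def reconcile(register, seen):
    """Compare the register with network discovery and report the gaps."""
    by_mac = {norm_mac(a["mac"]): a for a in register}
    seen_macs = {norm_mac(mac): ip for mac, ip in seen}
    report = {"unknown": [], "retired_but_online": [], "not_seen": [], "unprotected": []}

    for mac, ip in seen_macs.items():
        asset = by_mac.get(mac)
        if asset is None:
            report["unknown"].append(ip)            # on the network, not in the register
        elif asset["status"] != "active":
            report["retired_but_online"].append(asset["tag"])

    for asset in register:
        if asset["status"] != "active":
            continue
        if norm_mac(asset["mac"]) not in seen_macs:
            report["not_seen"].append(asset["tag"])  # lost, offline, or register is stale
        if not asset["edr"]:
            report["unprotected"].append(asset["tag"])
    return report


def version_tuple(version):
    """'4.10.0' -> (4, 10, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def affected_assets(register, product, fixed_in):
    """Active assets running a version of `product` older than the fixed release."""
    return [
        a["tag"] for a in register
        if a["status"] == "active"
        and product in a["software"]
        and version_tuple(a["software"][product]) < version_tuple(fixed_in)
    ]


if __name__ == "__main__":
    print(reconcile(REGISTER, SEEN_ON_NETWORK))
    print(affected_assets(REGISTER, "ExampleVPN", "4.3.0"))
```

Phones and some laptops randomise their Wi-Fi MAC address, so an "unknown" result is a prompt to investigate rather than proof of a rogue device.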

ITAM for Growing Businesses

As your business grows, ad hoc asset management breaks down. The jump from 10 to 50 employees is where most businesses lose track. Implement a formal ITAM process early — it is far easier to maintain a register from the start than to reconstruct one after years of untracked growth.

Integrate asset management into your onboarding and offboarding processes. Every new starter triggers an asset allocation. Every departure triggers an asset return and licence review.

Getting Started

Start with a complete audit of what you have right now. Document every device, licence, and subscription. Identify waste, security gaps, and upcoming replacements. Contact TechAssist to set up IT asset management for your business.

Every New Starter and Every Leaver Is a Security Event

When a new employee joins your business, they need access to email, files, applications, and devices. When someone leaves, all that access must be revoked — completely and immediately. Get this wrong, and you expose your business to data breaches, unauthorised access, and compliance failures.

For Australian SMEs, onboarding and offboarding are often informal. A manager sends a request to IT, accounts are created ad hoc, and when someone leaves, their access lingers for days or weeks. This is a significant security risk that grows with every employee transition.

The Cost of Getting It Wrong

Former employees with active accounts are a documented threat vector. Whether through malice or negligence, ex-staff with access to business systems can download client data, delete files, access financial information, or send emails on behalf of the company. Even without malicious intent, an orphaned account is a target for attackers — nobody monitors it, and the credentials may have been compromised without anyone noticing.

On the onboarding side, delays in provisioning mean new staff cannot work effectively on day one. They borrow colleagues’ credentials, use personal email for work communication, and create workarounds that bypass security controls.

IT Onboarding Checklist

A standardised onboarding process ensures every new starter is set up consistently and securely.

Before day one: Create user accounts in Microsoft 365 (or your identity platform). Assign appropriate licences based on role. Set up email with correct signature template. Configure group memberships and access permissions based on role. Enrol in MFA. Prepare and configure device (laptop, phone) with required software and security policies. Add to relevant Teams channels and SharePoint sites.

Day one: Hand over device with login credentials (temporary password requiring immediate change). Walk through MFA setup. Provide access to key systems (job management, accounting, CRM). Deliver security awareness briefing — cover phishing, password policy, and reporting procedures. Document all access granted.

First week: Verify all systems are working correctly. Address any access gaps. Confirm the new starter can work effectively from all required locations (office, home, field).

IT Offboarding Checklist

Offboarding must happen quickly — ideally within hours of the departure being confirmed.

Immediately on departure: Disable the user account (do not delete — you may need it for legal or compliance reasons). Reset the password. Revoke all active sessions and tokens. Disable MFA enrolment. Redirect email to a designated colleague or shared mailbox. Revoke VPN and remote access. Remotely wipe company data from personal devices (if using BYOD with MDM). Collect physical devices, access cards, and keys.

Within 24 hours: Review and reassign any shared resources or permissions the departing employee managed. Transfer ownership of files, Teams channels, and shared mailboxes. Remove from all group memberships and distribution lists. Revoke access to third-party SaaS applications (accounting software, CRM, job management).

Within 30 days: Archive the user’s mailbox and OneDrive for retention purposes. Review access logs for any unusual activity in the period leading up to departure. Document the offboarding for compliance records.
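The three deadlines in the checklist above can be checked against a log of when each step was actually completed. This is an added example, not code from the original article: the step names, the sample timestamps and the four-hour limit standing in for "immediately" are assumptions.

```python
from datetime import datetime, timedelta

IMMEDIATE = timedelta(hours=4)   # assumption: the text says "within hours"
DAY = timedelta(hours=24)
MONTH = timedelta(days=30)

# Checklist steps from the text, each with the time allowed after departure is confirmed.
CHECKLIST = {
    "disable_account": IMMEDIATE,
    "reset_password": IMMEDIATE,
    "revoke_sessions_and_tokens": IMMEDIATE,
    "disable_mfa_enrolment": IMMEDIATE,
    "redirect_email": IMMEDIATE,
    "revoke_vpn_remote_access": IMMEDIATE,
    "wipe_byod_company_data": IMMEDIATE,
    "collect_devices_cards_keys": IMMEDIATE,
    "reassign_shared_resources": DAY,
    "transfer_ownership": DAY,
    "remove_group_memberships": DAY,
    "revoke_saas_access": DAY,
    "archive_mailbox_onedrive": MONTH,
    "review_access_logs": MONTH,
    "document_offboarding": MONTH,
}

# Constructed sample: one leaver, reviewed 48 hours after the departure was confirmed.
CONFIRMED = datetime(2025, 7, 1, 9, 0)
NOW = datetime(2025, 7, 3, 9, 0)
COMPLETED = {
    "disable_account": datetime(2025, 7, 1, 9, 30),
    "reset_password": datetime(2025, 7, 1, 9, 35),
    "revoke_sessions_and_tokens": datetime(2025, 7, 1, 9, 40),
    "disable_mfa_enrolment": datetime(2025, 7, 1, 10, 0),
    "redirect_email": datetime(2025, 7, 1, 11, 0),
    "revoke_vpn_remote_access": datetime(2025, 7, 2, 15, 0),   # done, but a day late
    "wipe_byod_company_data": datetime(2025, 7, 1, 12, 0),
    "collect_devices_cards_keys": datetime(2025, 7, 1, 12, 30),
    "reassign_shared_resources": datetime(2025, 7, 1, 16, 0),
    "transfer_ownership": datetime(2025, 7, 2, 8, 0),
    "remove_group_memberships": datetime(2025, 7, 2, 8, 30),
    # revoke_saas_access and the 30-day steps have not been done yet
}


def audit_offboarding(confirmed, completed, now):
    """Classify every checklist step as on_time, late, overdue or pending."""
    findings = {}
    for step, allowed in CHECKLIST.items():
        due = confirmed + allowed
        done_at = completed.get(step)
        if done_at is None:
            findings[step] = "overdue" if now > due else "pending"
        else:
            findings[step] = "late" if done_at > due else "on_time"
    return findings


def access_window_hours(confirmed, completed, now):
    """Hours the leaver kept some access: until the last 'immediate' step closed."""
    immediate = [s for s, allowed in CHECKLIST.items() if allowed == IMMEDIATE]
    closed = max(completed.get(step, now) for step in immediate)
    return (closed - confirmed).total_seconds() / 3600


if __name__ == "__main__":
    for step, status in audit_offboarding(CONFIRMED, COMPLETED, NOW).items():
        if status != "on_time":
            print(f"{step}: {status}")
    print("access window (hours):", access_window_hours(CONFIRMED, COMPLETED, NOW))
```

The access-window figure is the one to record in the compliance file: it bounds the period in which the access logs need reviewing after departure.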

Role-Based Access Control

The onboarding and offboarding process is simpler and more secure when you use role-based access control (RBAC). Instead of configuring access individually for each person, define standard access profiles for each role in your business.

For example, an “Accounts Payable” role might include access to Xero, the finance SharePoint site, and the AP shared mailbox. When a new AP staff member joins, you assign the role — all access is configured automatically. When they leave, revoking the role removes all access in one action.

Microsoft 365 and Azure AD support dynamic groups and access packages that automate much of this process.

Third-Party Application Access

Do not overlook SaaS applications. Staff often have accounts in tools beyond your core IT systems — project management platforms, design tools, social media accounts, industry-specific software. Maintain a register of all third-party applications and which staff have access. Include these in your onboarding and offboarding checklists.

Automation

For businesses with frequent employee turnover — trades and construction businesses during busy seasons, for example — manual onboarding and offboarding is time-consuming and error-prone. Automation tools can create and disable accounts based on triggers from your HR system, assign access based on department and role, send automated notifications to IT, HR, and the departing employee’s manager, and generate compliance reports showing access changes.

Microsoft 365 lifecycle workflows and tools like JumpCloud provide this automation at an SME-appropriate scale and cost.

Get Your Process Right

A documented, consistent onboarding and offboarding process protects your business and improves the employee experience. Contact TechAssist to set up or review your IT onboarding and offboarding procedures.

The Server vs Cloud Decision

Should your business run its own servers or move everything to the cloud? It is the most common infrastructure question Australian SMEs face, and the answer is rarely all-or-nothing. The right approach depends on your workloads, compliance requirements, budget, and growth plans.

This guide cuts through the marketing hype from cloud vendors and gives you the practical information needed to make the right decision for your business.

Understanding On-Premises Servers

On-premises servers sit in your office or a colocation facility. Your business owns the hardware, manages the software, and controls the environment.

Advantages: Full control over hardware, software, and data. No dependency on internet connectivity for local access. Predictable performance without shared resource contention. Data sovereignty is straightforward — you know exactly where your data is. Some legacy applications only run on-premises.

Disadvantages: High upfront capital expenditure (a small server setup costs $8,000 to $25,000). Ongoing maintenance costs including hardware replacement, power, and cooling. Requires IT expertise to manage and secure. Limited scalability — adding capacity means buying more hardware. Vulnerable to physical risks such as fire, flood, theft, and power outages. End-of-life hardware creates security risks and unplanned replacement costs.

Understanding Cloud Services

Cloud services run on infrastructure owned and managed by providers like Microsoft (Azure), Amazon (AWS), or Google (GCP). You pay a monthly subscription based on usage.

Advantages: No upfront capital expenditure — operational expense model. Scales up or down based on demand. Built-in redundancy and disaster recovery. Accessible from anywhere with an internet connection. Provider handles hardware maintenance, patching, and physical security. Australian data centre regions available from all major providers.

Disadvantages: Ongoing monthly costs that can increase over time. Dependent on internet connectivity. Data sovereignty requires careful configuration to ensure Australian hosting. Less control over the underlying infrastructure. Vendor lock-in can make switching providers difficult. Some legacy applications do not support cloud deployment.

Common Workloads: Where Each Fits Best

Email and Collaboration

Cloud wins decisively. Microsoft 365 and Google Workspace provide email, file storage, and collaboration tools at a per-user cost that is far lower than running your own Exchange server. The reliability, security, and feature set of cloud email are superior to anything an SME can achieve on-premises.

File Storage

Cloud is the better choice for most businesses. SharePoint, OneDrive, and similar platforms provide secure, version-controlled file storage accessible from any device. For businesses with very large datasets (terabytes of CAD files, for example), a hybrid approach with local NAS storage syncing to the cloud may be more cost-effective.

Line-of-Business Applications

This depends on the application. Modern SaaS applications (Xero, Salesforce, ServiceM8) are cloud-native. Legacy applications (older practice management systems, specialised industry software) may require on-premises servers or hosted desktop environments.

Backup and Disaster Recovery

Cloud is essential. Even if your primary systems are on-premises, your backups should be in the cloud. The 3-2-1 backup strategy (three copies, two media types, one offsite) is easiest to implement with cloud backup solutions.

The Hybrid Approach

Most Australian SMEs end up with a hybrid approach — some workloads in the cloud and some on-premises. A typical hybrid setup might include Microsoft 365 for email and collaboration (cloud), SharePoint for file storage (cloud), a local server for legacy applications that cannot move to the cloud (on-premises), cloud backup for all data (cloud), and VPN for remote access to on-premises resources.

This approach lets you take advantage of cloud benefits where they are strongest while maintaining on-premises infrastructure only where genuinely necessary.

Cost Comparison

A direct cost comparison over five years reveals the true picture. For a 30-user business, on-premises infrastructure including servers, networking, licensing, and IT support typically costs $80,000 to $120,000 over five years. An equivalent cloud setup with Microsoft 365 Business Premium and Azure-hosted services costs $60,000 to $90,000 over the same period.

Cloud typically wins on total cost of ownership, but the margin depends on your specific requirements. The key difference is cash flow: on-premises requires large upfront investments, while cloud spreads costs evenly as a monthly expense.

Migration Planning

Moving from on-premises to cloud is a project that requires careful planning. A rushed migration creates downtime, data loss, and frustrated staff. The process should include a thorough inventory of current systems and dependencies, identification of which workloads move to cloud and which remain, a pilot migration with a small group of users, a phased rollout with rollback plans, staff training on new systems, and decommissioning of old infrastructure.

Making the Decision

There is no universal right answer. The best infrastructure strategy is the one that matches your business requirements, budget, and growth trajectory. Do not let a vendor push you into a solution that does not fit. Contact TechAssist for an infrastructure assessment that gives you clear, unbiased recommendations.

Remote Work Is Here to Stay

The shift to remote and hybrid work is permanent. Australian businesses across every sector have adopted flexible work arrangements, and employees expect it. For SMEs, this means your IT infrastructure must support staff working securely and productively from home, on the road, or at client sites — not just from the office.

The challenge is doing this without compromising security or blowing the IT budget.

The Foundation: Cloud-First Infrastructure

Remote work only functions well when your business systems are accessible from anywhere. That means moving away from on-premises servers toward cloud-based alternatives.

Microsoft 365 provides email, file storage (SharePoint and OneDrive), collaboration (Teams), and productivity apps accessible from any device with an internet connection. For most SMEs, M365 Business Premium is the sweet spot — it includes everything plus advanced security features like Intune device management and Defender for Business.

Line-of-business applications: If your accounting, CRM, or job management software is still installed locally, check whether a cloud-hosted version is available. Most major Australian platforms (Xero, MYOB, Salesforce, ServiceM8) are already cloud-native.

Secure Remote Access

When staff work remotely, the connection between their device and your business systems must be secure.

VPN (Virtual Private Network): A VPN creates an encrypted tunnel between the remote device and your office network. This is essential if staff need to access on-premises resources like file servers, printers, or legacy applications. Modern business VPNs from Fortinet, SonicWall, or WatchGuard support always-on connections that activate automatically when the device is outside the office network.

Zero Trust Network Access (ZTNA): An evolution beyond VPN, ZTNA verifies every access request based on user identity, device health, and context — not just network location. Microsoft Entra (formerly Azure AD) Conditional Access is a practical starting point for SMEs, allowing you to enforce policies like requiring MFA, blocking access from unmanaged devices, and restricting access to specific applications based on risk.

Device Management

When staff work from home, their devices are outside your physical control. Mobile Device Management (MDM) tools bridge that gap.

Microsoft Intune (included in M365 Business Premium) allows you to enforce encryption on all devices, require screen locks and PINs, push security updates automatically, remotely wipe company data if a device is lost or stolen (without affecting personal data), and deploy company apps and configurations.

For BYOD environments, Intune’s app protection policies can secure company data within managed apps without requiring full device enrolment — respecting staff privacy while protecting business information.

Home Office IT Requirements

A reliable home office setup requires more than a laptop and Wi-Fi. Provide staff with guidance on minimum requirements:

Internet connection: A stable connection with at least 25 Mbps download and 5 Mbps upload for video conferencing. Staff should use a wired ethernet connection where possible for reliability.

Wi-Fi security: Home Wi-Fi should use WPA2 or WPA3 encryption with a strong passphrase. Default router passwords must be changed.

Workspace setup: A dedicated workspace reduces distractions and ensures confidentiality — particularly important for legal professionals handling sensitive client matters.

Collaboration and Communication

Remote teams need structured communication to avoid the isolation and miscommunication that undermine productivity.

Microsoft Teams serves as the central hub for remote collaboration. Channels organised by project, team, or client keep conversations focused. Scheduled video meetings maintain face-to-face connection. File sharing through integrated SharePoint ensures everyone works on the latest version.

Establish communication norms: Define when to use chat vs email vs phone. Set expectations around response times. Schedule regular check-ins without creating meeting overload.

Security Considerations for Remote Work

Remote work expands your attack surface. Key security measures include MFA on all accounts (non-negotiable for remote access), endpoint protection on every device, DNS filtering to block malicious websites on remote devices, regular security awareness training covering home-specific risks, and encrypted file storage rather than local copies on personal devices.

The biggest risk in remote work is unmanaged personal devices accessing business data without any security controls. Establish a clear policy: either provide company devices or require personal devices to be enrolled in your MDM platform.

Supporting Remote Staff

IT support changes when staff are dispersed. Remote support tools like TeamViewer, ConnectWise, or the built-in Windows Quick Assist allow your IT team or MSP to troubleshoot issues without being on-site. Ensure staff know how to request support, establish clear SLAs for remote support response, and maintain a knowledge base of common issues and self-service solutions.

Getting Started

If your business is still treating remote work as a temporary arrangement with ad-hoc solutions, it is time to formalise your approach. A structured remote work IT strategy improves security, productivity, and staff satisfaction. Contact TechAssist to build a remote work infrastructure that works for your team.

Cybersecurity for Small Business: An Australian Guide

You run a small business. You’re managing tight margins, growing carefully, handling customer data responsibly. The last thing you need is a cyber attack that wipes out your operations, exposes customer information, or leaves you offline for weeks.

Yet cybersecurity often feels overwhelming. You hear about sophisticated hackers, government-backed attackers, and zero-day exploits. How are you supposed to protect your business when security sounds so complex?

Here’s the truth: the threats facing Australian SMEs are real, but they’re largely preventable. You don’t need to be an expert in cryptography or advanced threat detection. You need to understand the actual threats your business faces, implement practical protections, and maintain good security discipline.

The Actual Threat Landscape for Australian SMEs in 2026

Let’s start by separating real threats from fearmongering.

Ransomware is the most serious threat facing Australian SMEs. Attackers encrypt your data and demand payment for the decryption key. The financial impact is severe—losing access to customer data, accounting records, and operational files can halt your business entirely. The Australian government and police have issued warnings about ransomware targeting SMEs specifically.

Phishing and business email compromise. Someone sends a convincing email appearing to be from your bank, your software provider, or a trusted contact. They trick you into clicking a link, entering credentials, or opening a malicious attachment. This is the most common attack vector. It’s not sophisticated—it’s deception. And it works because most people aren’t expecting it.

Credential compromise. Your staff use the same password everywhere. An attacker compromises LinkedIn or another service and gets your password. They try that password on your email, cloud storage, or accounting software. Suddenly they have access to your systems.

Data theft. Attackers don’t always want to encrypt your data. Sometimes they want to steal it—customer information, financial records, intellectual property. They sell it on underground forums or use it for blackmail.

Supply chain attacks. You use accounting software, email hosting, or other services. The service gets compromised, and the attacker uses it to reach you. You thought you were secure, but you trusted a third party that wasn’t.

Social engineering. Someone calls pretending to be IT support. They convince your staff to reset a password or install something. Or they conduct research on LinkedIn and send a perfectly targeted email to your finance person.

These threats aren’t speculative. They’re happening now, targeting Australian businesses daily. The Australian Cyber Security Centre publishes reports regularly documenting the actual attacks occurring against Australian organisations.

Practical Protection Steps Every SME Should Take

Multi-factor authentication (MFA). This is the single most important protection you can implement. MFA means your password alone isn’t enough—you also need a code from an authenticator app, a security key, or a biometric. Even if attackers compromise your password, they can’t access your account without the second factor. Implement MFA for: email, cloud storage, accounting software, CRM, and any other critical systems. Start with admin accounts and work toward all users.

Regular backups and testing. If you’re hit by ransomware, your backup is your lifeline. Backups need to be: automated (so you don’t forget), tested regularly (so you know they work), and ideally offline or geographically separate (so ransomware can’t encrypt the backups too). Most Australian SMEs should follow the 3-2-1 backup rule: three copies of data, on at least two different media types, with one copy offline.

Patch management. Software has vulnerabilities. Attackers exploit them. When vendors release patches, apply them promptly. This includes Windows, Office, browsers, and third-party applications. Many organisations get compromised through vulnerabilities in outdated software. Automatic patching is your friend.

Email security and anti-malware. Your email is a primary attack vector. Implement filtering that catches phishing emails, blocks known malware, and scans attachments. Most cloud email services (like Microsoft 365) include this. Layer it with anti-malware on devices themselves.

User security training. Your staff are both your biggest security asset and your biggest vulnerability. They can spot phishing if trained. They can follow password discipline if educated. Invest in regular (quarterly minimum) security awareness training. Cover recognising phishing, password hygiene, reporting suspicious activity, and incident response. Make it clear this isn’t compliance theatre—it’s protecting the business.

Strong password management. “Password123” doesn’t work anymore. Humans are bad at creating strong, unique passwords. Use a password manager (Bitwarden, 1Password, LastPass) that generates and stores strong passwords. Your staff only needs to remember one strong password. The password manager handles the rest. Combine this with MFA and you have solid credential protection.

Data classification and access control. Not all data has the same sensitivity. Customer payment information is sensitive; your marketing plan less so. Identify what data needs protection, who needs access, and restrict access accordingly. Use cloud storage with appropriate sharing controls. A former employee shouldn’t still have access to critical files.

Incident response plan. Hope you never need it, but have a plan for when (not if) you discover a security incident. Designate someone as incident response lead. Document the steps: isolate affected systems, contact your IT support, notify relevant parties (customers if data is compromised, authorities if required). Having this planned before you’re panicked means faster, better response.

Common Security Mistakes Australian SMEs Make

Thinking “it won’t happen to us.” Ransomware doesn’t target based on business size. It targets based on what attackers can monetise. A 15-person medical practice or construction company is absolutely a target. Attackers know SMEs often lack sophisticated defences but still have valuable data.

Assuming expensive security is good security. You don’t need to spend huge amounts. The fundamentals—MFA, backups, patches, user training—are achievable for any budget. The expensive solutions (threat detection, penetration testing, advanced analytics) become valuable later, but they’re not prerequisites.

Treating security as IT’s job only. If security is only something IT cares about, you’ve failed. Every employee needs to understand why it matters. If they don’t, they’ll reuse passwords, fall for phishing, and keep their laptop unlocked.

Neglecting third-party security. You’re only as secure as your weakest link. Your accounting software provider, your email host, your cloud storage. Choose vendors carefully, verify they maintain reasonable security, and monitor their security communications. If your vendor gets compromised, you’re affected.

Not testing your backups. A backup that hasn’t been tested is just a hope. You need to actually restore files periodically, verify they work, confirm the process. If you’ve never tested and you need to restore after ransomware, that’s the worst possible time to discover your backups don’t work.

The Cost Perspective: Prevention vs. Incident Response

Security investment feels expensive until you’ve suffered a breach.

A typical ransomware incident costs an Australian SME $50,000–$500,000 depending on severity and how quickly it’s contained. This includes: downtime costs, recovery services, potential ransom payments (the Australian government discourages paying, but some organisations do), legal and compliance costs if customer data is involved, and reputational damage.

Contrast that with preventative security investments: MFA implementation costs under $5,000 for most SMEs. Backup solutions are typically $100–$300/month. User training is $1,000–$3,000 annually. Email security filtering is built into most business email services. The total annual investment for solid SME cybersecurity is often $10,000–$30,000.

Even accounting for the relatively low probability of being attacked, the expected value strongly favours prevention. You’re spending $20,000 annually to avoid a $200,000+ incident that might occur once every 10 years.

Leveraging the Australian Signals Directorate (ASD) Guidance

Australia’s peak cybersecurity authority, the Australian Signals Directorate (ASD), publishes detailed guidance specifically for SMEs. Their Essential Eight framework outlines eight strategies that, if implemented, prevent the vast majority of attacks. These aren’t theoretical—they’re based on actual threat intelligence from defending Australian government systems.

You don’t need to be an expert to benefit from ASD guidance. Their guidance is practical and free. Their security alerts inform you about active threats. Their collaboration with the Australian Cyber Security Centre provides country-specific threat information.

Building a Security Culture

The most important layer of security isn’t technical. It’s cultural. Does your team understand that security matters? Will they report suspicious activity rather than ignore it? Will they follow processes even when they seem inconvenient?

Build this through:

Leadership commitment. If your leadership treats security as important, so will your team. If it’s seen as bureaucratic overhead, it won’t work.

Regular communication. Share incidents (both real and examples). Explain why security practices matter. Make security a regular part of conversations.

Psychological safety. If someone falls for a phishing email, can they report it without punishment? Or will they hide it? You want people reporting incidents quickly, not covering them up.

Incremental improvement. You don’t need perfect security on day one. Start with the fundamentals. Implement MFA. Set up backups. Run one training session. Then add to it over time.

Working With Professional Support

Many Australian SMEs benefit from working with a managed IT provider or cybersecurity specialist. They can:

Assess your current security posture and identify vulnerabilities.

Recommend prioritised improvements based on your specific risks and budget.

Implement technical controls—MFA, email filtering, backup solutions, patch management.

Conduct user training and awareness programs.

Maintain and monitor ongoing security, catching problems early.

Respond quickly if an incident does occur.

This is particularly valuable for businesses lacking internal IT expertise.

Taking Action

Don’t let cybersecurity overwhelm you. Start with these priorities:

This week: Enable MFA on your email and critical business systems.

This month: Verify you have automated backups, test one restore, confirm it works.

This quarter: Implement user training on recognising phishing.

Ongoing: Keep systems patched, monitor for incidents, maintain your security practices.

If you need help assessing your security or building a practical roadmap, we work with Australian SMEs to implement pragmatic cybersecurity. Call us on 1300 028 324 or get in touch online. We’ll assess your situation and help you prioritise where to invest.

Why Choosing the Right MSP Matters

Choosing a Managed Service Provider is one of the most consequential technology decisions a business owner or decision-maker can make. Get it right, and you have a partner who keeps your systems running, protects your data, and helps your business grow. Get it wrong, and you are locked into a relationship with a provider who is slow to respond, opaque about what they are doing, and reactive instead of proactive.

The managed services market in Australia is crowded. There are thousands of providers ranging from one-person operations to multinational corporations. They all claim to offer “proactive, enterprise-grade support” and “best-in-class service.” The reality is that the quality varies enormously, and the wrong choice can cost you far more than the monthly fee — in downtime, security incidents, lost productivity, and the eventual cost of switching providers.

This guide is designed to help you cut through the marketing and make a decision based on what actually matters.

Define What You Actually Need

Before you start evaluating providers, get clear on what you need. This sounds obvious, but many businesses start the selection process without a clear picture of their requirements, which means they end up comparing apples with oranges.

Current pain points. What is not working with your current IT setup? Slow response times? Frequent outages? Security concerns? Lack of strategic guidance? No visibility into what you are paying for? Your pain points should drive your selection criteria.

Business size and complexity. A 15-person office with a simple Microsoft 365 setup has very different needs from a 150-person manufacturer with multiple sites, on-premise servers, and industrial equipment. Make sure you are talking to providers who work with businesses like yours — not significantly bigger or smaller.

Industry requirements. If you operate in a regulated industry (financial services, healthcare, legal, government contracting), you need a provider who understands your compliance obligations and can help you meet them.

Growth plans. If you are planning to grow, open new sites, or undergo a digital transformation, you need a provider who can scale with you. A provider that is perfect for your current size but cannot support your next phase is a short-term solution.

Budget reality. Know your budget range. Comprehensive managed IT services for a mid-size business in Australia typically run $80-$200+ per user per month. If you are getting quotes significantly below that range, question what is being left out.

The Questions That Actually Matter

When you are evaluating MSPs, here are the questions that will separate the genuinely good providers from the ones that just look good on paper.

About Their Service Delivery

“What is your average response time for critical issues, and can you prove it?” Any MSP will tell you they respond quickly. Ask for data. A good provider tracks their response and resolution times and can show you real numbers, not just SLA targets.

“How do you handle after-hours emergencies?” If your server goes down at 9pm on a Friday, what happens? Is there a real person monitoring, or does your alert go to an answering service? After-hours support capability is a major differentiator.

“What does your onboarding process look like?” The first 90 days with a new MSP set the tone for the entire relationship. Ask about their documentation process, how they learn your environment, and what the transition timeline looks like. A provider who rushes onboarding will miss things that cause problems later.

“Can I talk to three clients who are similar to my business?” References are the single best way to evaluate an MSP. Talk to clients in your size range and industry. Ask them about response times, communication, and whether the provider does what they say they will do.

About Their Technical Capabilities

“What tools do you use for monitoring and management?” The answer tells you a lot about the maturity of the provider. Enterprise-grade Remote Monitoring and Management (RMM) tools, Professional Services Automation (PSA) systems, and Security Information and Event Management (SIEM) platforms are indicators of a serious operation. If they are managing your environment with consumer-grade tools, that is a red flag.

“How do you handle patching?” Patching is boring but critical. Ask how often they patch, how quickly they deploy critical security patches, and what their process is for testing patches before deployment. The Essential Eight requires critical patches within 48 hours — can they meet that?

“What is your cybersecurity capability?” In 2026, cybersecurity is not optional. Ask about their security stack, whether they offer security awareness training, how they handle incident response, and whether they can help you work toward Essential Eight compliance. An MSP that treats security as an add-on rather than a core capability is behind the times.

“Do you have experience with our specific applications?” If you run industry-specific software — accounting packages, legal practice management, manufacturing ERP, healthcare systems — your MSP needs to understand those applications. Generic IT knowledge is not enough when your line-of-business application has a problem.

About Their Business Model

“What is included in the monthly fee, and what costs extra?” This is where many businesses get caught out. Some MSPs quote a low monthly fee but then charge extra for on-site visits, after-hours calls, new user setups, project work, and more. Others offer an all-inclusive model where the monthly fee covers everything. Neither model is inherently better, but you need to understand exactly what you are paying for to make a fair comparison.

“What are your contract terms?” Month-to-month? Annual? Three-year lock-in? What are the exit terms? A provider who is confident in their service will not need to trap you in a long contract with punitive exit clauses. Be wary of providers who insist on multi-year commitments before you have had a chance to experience their service.

“How do you report on what you are doing?” A good MSP provides regular, transparent reporting on: tickets handled, response times, system health, security status, and strategic recommendations. If the only time you hear from your MSP is when you log a ticket, they are not being proactive.

“Who will be our primary contact?” Will you have a dedicated account manager or point of contact? Or will you be talking to a different person every time you call? Consistency matters — a provider who knows your business, your people, and your environment can resolve issues faster and make better strategic recommendations.

Red Flags to Watch For

In our years in the industry, we have seen the patterns that indicate a problematic MSP relationship. Watch for these warning signs:

They cannot explain their pricing clearly. If the proposal is confusing, the invoices will be worse. A good MSP should be able to explain exactly what you are paying for in plain language.

They do not ask about your business. If the sales conversation is all about their technology and certifications rather than your business needs, priorities, and challenges, they are selling a product, not building a partnership.

They discourage you from talking to existing clients. Every good MSP should be able to provide references without hesitation. If they make excuses or try to redirect the conversation, ask yourself why.

They promise everything and commit to nothing. Vague assurances like “we will handle everything” without specific SLAs, deliverables, and accountability measures are meaningless. Get commitments in writing.

They do not talk about security unprompted. Any MSP worth engaging in 2026 should be leading with security as a core part of their offering. If cybersecurity only comes up when you ask about it, their priorities are in the wrong place.

They badmouth other providers. Professionals compete on the quality of their own service, not by tearing down competitors. A provider who spends the sales meeting criticising your current MSP is showing you how they handle relationships.

They cannot articulate their escalation process. When a problem exceeds the capability of the first technician, what happens? Is there a clear escalation path to more senior engineers? How quickly? A flat organisation with no escalation path means complex problems take too long to resolve.

The Evaluation Process

Here is a practical process for evaluating and selecting an MSP:

Step 1: Shortlist 3-5 providers. Start with referrals from your professional network, industry associations, or online research. Look for providers who work with businesses your size and in your industry.

Step 2: Initial conversations. Have a 30-minute call with each provider. Share your situation, ask about their experience, and get a feel for whether they are a cultural fit. Eliminate any that do not demonstrate genuine interest in understanding your business.

Step 3: On-site assessment. Invite your top 2-3 providers to assess your environment. A serious MSP will want to understand your infrastructure before quoting. Be wary of providers who give you a price without seeing what they are taking on.

Step 4: Detailed proposals. Request proposals that clearly itemise: scope of services, pricing, SLAs, contract terms, onboarding plan, and what is excluded. Compare on a like-for-like basis.

Step 5: Reference checks. Talk to 2-3 clients of each finalist. Ask specific questions: How quickly do they respond? Do they do what they say they will do? Would you recommend them?

Step 6: Decision. Weigh the factors that matter most to your business. The cheapest option is rarely the best. The most expensive is not automatically the best either. Look for the provider who best understands your needs, has the capability to deliver, and feels like a genuine partner rather than a vendor.

Making the Transition

Switching MSPs can feel daunting, but a good provider will manage the transition smoothly. Expect the onboarding process to take 2-4 weeks, during which the new provider will: document your environment, take over management of your systems, introduce themselves to your team, and establish communication and support processes.

The critical step is ensuring complete documentation handover from your outgoing provider. All passwords, configurations, license keys, vendor contacts, and system documentation should be transferred. A professional outgoing provider will facilitate this; an unprofessional one may make it difficult. This is one reason to ensure you always own your own data and documentation.

Why Businesses Choose TechAssist

At TechAssist, we work with mid-size businesses across Melbourne and beyond who value transparent, proactive IT management. We are not the cheapest provider in the market and we are not trying to be. What we offer is: genuine partnership (we learn your business, not just your systems), transparent pricing with no hidden fees, proactive management that prevents problems rather than just fixing them, strong cybersecurity capability built into every engagement, and local technicians who can be on-site when you need them.

We know choosing an MSP is a significant decision. That is why we offer a no-obligation assessment where we review your environment, discuss your needs, and give you an honest recommendation — even if that recommendation is to stay with your current provider.

Looking for an MSP that treats you like a partner, not a ticket number? Get in touch and let us show you how we work.


Why Every Business Needs an Annual IT Audit

An IT audit is not something most business owners look forward to. It sounds bureaucratic, expensive, and time-consuming. But here is the reality: if you are not reviewing your IT environment at least once a year, you are flying blind. You do not know what vulnerabilities exist, what systems are approaching end of life, what compliance gaps you have, or whether the money you are spending on technology is actually delivering value.

An IT audit does not have to be a massive, painful exercise. At its core, it is simply a structured review of your technology environment — what you have, how it is configured, whether it is secure, and whether it is serving the business effectively. Think of it as a health check for your IT systems.

This checklist covers the 15 areas that matter most for mid-size Australian businesses — typically 20 to 200 employees — running a mix of on-premise and cloud infrastructure. Use it as a starting point for your own annual review, or hand it to your IT audit provider and ask them to address every item.

The 15-Point IT Audit Checklist

1. Hardware Inventory and Lifecycle

Do you know exactly what hardware you have, where it is, who is using it, and how old it is? This sounds basic, but a surprising number of businesses cannot answer this question accurately. An IT audit should produce a complete inventory of all desktops, laptops, servers, network equipment, printers, and mobile devices.

For each piece of hardware, you need to know: the make and model, the purchase date, the warranty status, and the expected end-of-life date. Hardware that is past its warranty or approaching five years old should be flagged for replacement planning. Running critical business operations on aging hardware is a risk you are choosing to take — make sure it is a conscious choice, not an accidental one.

2. Software Licensing and Compliance

Are all the software applications in your environment properly licensed? Are you paying for licenses you are not using? Are staff using unauthorised software that could pose security or legal risks?

A software audit should reconcile your licenses against actual usage. Over-licensing wastes money. Under-licensing exposes you to legal liability. Unauthorised software (shadow IT) can introduce security vulnerabilities. This is particularly important for businesses running Microsoft 365, Adobe Creative Cloud, or industry-specific applications where licensing costs are significant.

3. Backup and Disaster Recovery

This is arguably the most critical item on the list. Your IT audit should verify that backups are running, that they are completing successfully, that they cover all critical data, and — most importantly — that they have been tested with an actual restore.

Questions to answer: How often are backups taken? Where are backups stored (on-site, off-site, cloud)? How long would a full restore take? When was the last test restore performed? Is there a documented disaster recovery plan, and has it been tested in the last 12 months?

A backup that has never been tested is not a backup. It is a hope. And hope is not a strategy when ransomware hits at 2am on a Friday.

4. Cybersecurity Controls

Your audit should assess the current state of your cybersecurity controls against a recognised framework — ideally the Essential Eight. At a minimum, review:

Endpoint protection: Is antivirus/anti-malware installed on all devices? Is it up to date? Is it centrally managed?

Email security: Are you filtering for spam, phishing, and malicious attachments? Do you have DMARC, DKIM, and SPF configured for your domain?

Firewall: Is your perimeter firewall properly configured and regularly updated? Are there rules that no one remembers creating?

Multi-factor authentication: Is MFA enabled on all internet-facing services — email, VPN, cloud applications, remote desktop?
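For the email security item, "configured" is not the same as "enforcing". The following is an added example, not part of the original checklist: it grades the SPF, DMARC and DKIM TXT records for a domain. The records, the domain example.com and the DKIM selector "s1" are constructed placeholders; in a real audit you would paste in the TXT answers for your own domain.

```python
# Constructed DNS TXT data for illustration only (placeholder domain,
# placeholder include host, placeholder DKIM selector and key).
SAMPLE_TXT = {
    "example.com": ["v=spf1 include:_spf.example.net ~all",
                    "site-verification=constructed-value"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    "s1._domainkey.example.com": ["v=DKIM1; k=rsa; p=BASE64KEYPLACEHOLDER"],
}


def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DMARC, DKIM) into a dict."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags


def check_spf(txt_records):
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return "missing"
    if len(spf) > 1:
        # Receivers treat more than one SPF record as a permanent error.
        return "invalid: more than one SPF record"
    terms = spf[0].lower().split()[1:]
    for term in terms:
        if term.lstrip("+-~?") == "all":
            # A bare "all" has the default "+" (pass) qualifier.
            qualifier = term[0] if term[0] in "+-~?" else "+"
            return {
                "-": "ok: hard fail (-all)",
                "~": "ok: soft fail (~all)",
                "?": "weak: neutral (?all)",
                "+": "weak: +all permits any sender",
            }[qualifier]
    if any(t.startswith("redirect=") for t in terms):
        return "delegated: policy comes from the redirect target"
    return "weak: no 'all' mechanism, unlisted senders are neutral"


def check_dmarc(txt_records):
    dmarc = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not dmarc:
        return "missing"
    if len(dmarc) > 1:
        return "invalid: more than one DMARC record"
    tags = parse_tags(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy == "none":
        return "monitor only: p=none does not block spoofed mail"
    if policy in ("quarantine", "reject"):
        pct = tags.get("pct", "100")
        scope = "" if pct == "100" else f" on {pct}% of mail"
        return f"enforcing: p={policy}{scope}"
    return "invalid: missing or unknown p= tag"


def check_dkim(txt_records):
    keys = [t for t in map(parse_tags, txt_records) if "p" in t]
    if not keys:
        return "missing"
    # An empty p= tag means the key has been revoked.
    return "ok" if any(k["p"] for k in keys) else "revoked: empty p= tag"


def audit_email_auth(domain, dkim_selector, txt):
    """txt maps a DNS name to the list of TXT strings returned for it."""
    return {
        "spf": check_spf(txt.get(domain, [])),
        "dmarc": check_dmarc(txt.get(f"_dmarc.{domain}", [])),
        "dkim": check_dkim(txt.get(f"{dkim_selector}._domainkey.{domain}", [])),
    }


if __name__ == "__main__":
    for control, verdict in audit_email_auth("example.com", "s1", SAMPLE_TXT).items():
        print(f"{control}: {verdict}")
```

On the constructed records all three controls are present, yet DMARC is only monitoring, which is the finding an auditor would raise.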

5. Patch Management

How quickly are security patches being applied to your operating systems and applications? The Essential Eight requires critical patches within 48 hours. Your audit should check: the current patch status of a sample of devices, the average time between patch release and deployment, whether any devices are running unsupported software (like Windows 10 past its end-of-support date), and whether there is an automated patch management process in place.

Manual patching is unreliable. If your IT environment relies on staff clicking “update later,” patches are not being applied in a timely manner.
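The checks listed above can be run against a patch-management export. This is an added example, not part of the original checklist: the device names, patch identifiers and timestamps are constructed, and the 48-hour window is the figure quoted in this section.

```python
from datetime import date, datetime, timedelta

CRITICAL_WINDOW = timedelta(hours=48)  # the 48-hour figure quoted in this section

# End-of-support dates the audit relies on. Windows 10 support ended on
# 14 October 2025; add an entry for each operating system in your inventory.
END_OF_SUPPORT = {"Windows 10": date(2025, 10, 14)}

# Constructed sample data: device -> operating system.
DEVICES = {
    "LAPTOP-01": "Windows 11",
    "LAPTOP-02": "Windows 10",
    "SERVER-01": "Windows Server 2022",
}

# Constructed sample data: (device, patch, released, installed or None).
PATCH_LOG = [
    ("LAPTOP-01", "PATCH-A", "2026-03-10T18:00", "2026-03-11T09:30"),
    ("LAPTOP-02", "PATCH-A", "2026-03-10T18:00", "2026-03-14T08:00"),
    ("SERVER-01", "PATCH-A", "2026-03-10T18:00", None),
    ("LAPTOP-01", "PATCH-B", "2026-03-17T18:00", "2026-03-19T17:59"),
]


def patch_audit(devices, patch_log, as_of, window=CRITICAL_WINDOW):
    """Return late installs, overdue missing patches, unsupported devices
    and the mean release-to-install time in hours."""
    as_of = datetime.fromisoformat(as_of)
    late, outstanding, hours = [], [], []
    for device, patch, released, installed in patch_log:
        released = datetime.fromisoformat(released)
        if installed is None:
            # Still missing: only a finding once the window has elapsed.
            if as_of - released > window:
                outstanding.append((device, patch))
            continue
        delay = datetime.fromisoformat(installed) - released
        hours.append(delay.total_seconds() / 3600)
        if delay > window:
            late.append((device, patch))
    unsupported = sorted(
        name for name, os_name in devices.items()
        if os_name in END_OF_SUPPORT and END_OF_SUPPORT[os_name] < as_of.date()
    )
    return {
        "late": late,
        "outstanding": outstanding,
        "unsupported": unsupported,
        "mean_hours_to_install": round(sum(hours) / len(hours), 1) if hours else None,
    }


if __name__ == "__main__":
    for key, value in patch_audit(DEVICES, PATCH_LOG, "2026-03-20T00:00").items():
        print(f"{key}: {value}")
```

Note that the mean only covers patches that were eventually installed, so report the outstanding list alongside it rather than relying on the average alone.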

6. User Access and Permissions

Who has access to what? This is a fundamental security and compliance question. Your audit should review: the list of all user accounts (are there accounts for people who left the company months ago?), administrative access (who has admin rights, and do they genuinely need them?), shared accounts (are multiple people sharing login credentials?), and access to sensitive data (who can access financial records, customer data, HR files?).

Orphaned accounts — accounts belonging to former employees that were never disabled — are a common finding in IT audits and a significant security risk. Every former employee account that still has access is a potential breach vector.
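The access review above comes down to reconciling a directory export against the current staff list. This is an added example, not part of the original checklist: the CSV columns, names and accounts are constructed, and the 90-day stale threshold is an assumption of this example rather than a figure from the article.

```python
import csv
import io
from datetime import date, timedelta

STALE_AFTER = timedelta(days=90)  # assumed threshold for this example

# Constructed directory export (hypothetical column names).
ACCOUNTS_CSV = """username,owner,enabled,is_admin,last_login
asmith,Alice Smith,true,false,2026-03-01
bjones,Bob Jones,true,true,2025-09-12
cwu,Chen Wu,false,false,2025-06-30
reception,,true,false,2026-03-02
svc-backup,,true,true,2026-03-02
dlee,Dana Lee,true,true,2026-02-27
"""

# Constructed HR roster and register of documented service accounts.
CURRENT_STAFF = {"Alice Smith", "Dana Lee"}
DOCUMENTED_SERVICE_ACCOUNTS = {"svc-backup"}


def review_accounts(accounts_csv, current_staff, service_accounts, as_of):
    """Flag enabled accounts that an access review should question."""
    findings = {
        "orphaned": [],           # owner is no longer on the staff list
        "shared_or_unowned": [],  # no named owner and not a documented service account
        "admin_to_justify": [],   # every enabled admin account needs a stated reason
        "stale": [],              # enabled but unused for longer than STALE_AFTER
    }
    for row in csv.DictReader(io.StringIO(accounts_csv)):
        if row["enabled"].strip().lower() != "true":
            continue  # disabled accounts cannot be used to log in
        user = row["username"].strip()
        owner = row["owner"].strip()
        if owner and owner not in current_staff:
            findings["orphaned"].append(user)
        if not owner and user not in service_accounts:
            findings["shared_or_unowned"].append(user)
        if row["is_admin"].strip().lower() == "true":
            findings["admin_to_justify"].append(user)
        last_login = row["last_login"].strip()
        # An account that has never logged in is treated as stale too.
        if not last_login or as_of - date.fromisoformat(last_login) > STALE_AFTER:
            findings["stale"].append(user)
    return findings


if __name__ == "__main__":
    result = review_accounts(
        ACCOUNTS_CSV, CURRENT_STAFF, DOCUMENTED_SERVICE_ACCOUNTS, date(2026, 3, 3)
    )
    for finding, users in result.items():
        print(f"{finding}: {', '.join(users) or 'none'}")
```

In the constructed data the former employee's account is the worst case: it is still enabled, holds admin rights and has not been used for months.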

7. Network Infrastructure

Your network is the backbone of everything. The audit should review: network topology (do you have a current, accurate diagram of your network?), Wi-Fi coverage and security (are you using WPA3? Are there dead spots? Is the guest network properly isolated?), switch and router configuration (are default passwords still in use?), and network segmentation (is your network segmented to limit the blast radius of a breach?).

For businesses with multiple sites or remote workers, also review your VPN configuration and inter-site connectivity.

8. Email Configuration and Security

Email is both your primary communication tool and your primary attack surface. Beyond the basic security controls mentioned above, your audit should check: whether email archiving and retention policies are configured correctly (this matters for compliance), whether data loss prevention rules are in place to prevent sensitive information from being emailed externally, whether staff are trained to recognise phishing attempts, and whether there is a process for reporting suspicious emails.

9. Cloud Services and SaaS Applications

Most businesses now use a range of cloud services — Microsoft 365, Google Workspace, accounting software, CRM, project management tools, and more. Your audit should inventory all cloud services in use (including ones IT did not officially approve), review the security configuration of each (especially admin accounts and sharing settings), verify that data in cloud services is being backed up (Microsoft 365 does not comprehensively back up your data by default), and check whether single sign-on (SSO) is configured where possible.

10. Physical Security

IT security is not just digital. Your audit should review: who has physical access to server rooms or network closets (is it locked? Who has keys?), whether visitor access is controlled in areas with IT infrastructure, whether security cameras cover critical infrastructure areas, and whether laptops and mobile devices have physical security measures (cable locks, encrypted drives, remote wipe capability).

11. Business Continuity Planning

Beyond disaster recovery for IT systems specifically, does your business have a broader continuity plan that addresses: how operations continue if your primary office is unavailable, who is responsible for what in an emergency, communication plans for staff, customers, and suppliers during an incident, and insurance coverage (including cyber insurance) — is it current, adequate, and do you meet the conditions?

12. Compliance Requirements

Depending on your industry, you may have specific compliance obligations that your IT environment needs to support. Common ones for Australian businesses include: Privacy Act and Australian Privacy Principles (APP), industry-specific regulations (APRA for financial services, AHPRA for healthcare), PCI DSS if you handle credit card data, and contractual obligations from clients or partners who require specific security standards.

Your audit should map your compliance obligations against your current controls and identify any gaps.

13. IT Documentation

Good IT documentation is the difference between a smooth recovery and a chaotic scramble. Your audit should check whether you have: an up-to-date network diagram, documented procedures for common tasks (user onboarding, offboarding, password resets), a register of all vendor contacts and support agreements, documented configurations for critical systems, and a password management system (not a spreadsheet).

If your current IT provider left tomorrow, could someone else step in and understand your environment? If the answer is no, your documentation needs work.

14. IT Spending and ROI

An IT audit is not just about security and risk — it is also about value. Review: your total IT spend (hardware, software, services, licensing, telecommunications), whether you are paying for services or licenses you are not using, whether your current IT investments are aligned with business priorities, and whether there are opportunities to consolidate, renegotiate, or optimise costs.

Many businesses are surprised to find they are paying for duplicate services, unused licenses, or legacy systems that could be replaced with cheaper and better alternatives.

15. Staff IT Literacy and Training

Your people are both your greatest asset and your greatest vulnerability. The audit should assess: when staff last received cybersecurity awareness training, whether there is a clear acceptable use policy for IT resources, whether staff know how to report security incidents, and whether there are recurring issues that suggest a training gap (for example, repeated phishing clicks or frequent calls to the helpdesk for the same issue).

Technical controls can only do so much. If your staff do not know how to spot a phishing email, all the firewalls in the world will not save you.

How to Use This Checklist

You can approach this in a few ways:

Self-assessment. Walk through the checklist with your internal IT team or person. Document what you find, prioritise the gaps, and create a plan to address them. This is better than nothing, but be aware of blind spots — it is hard to audit yourself objectively.

MSP-led review. If you have a managed service provider, ask them to conduct an annual audit against this checklist (or their own equivalent). A good MSP should be doing this proactively as part of their service.

Independent audit. For the most thorough and objective assessment, engage an independent IT audit provider. They will bring fresh eyes, no conflicts of interest, and often catch things that internal teams and incumbent providers miss.

How TechAssist Can Help

At TechAssist, we provide comprehensive IT audits for mid-size businesses across Australia. Our audit covers every item on this checklist and more, resulting in a detailed report with prioritised recommendations that you can action immediately or incorporate into your IT roadmap.

We also offer ongoing managed IT services where regular auditing and review is built into the service — not an afterthought or an annual event, but a continuous process of monitoring, assessing, and improving.

Ready to get a clear picture of your IT environment? Get in touch and we will scope an audit that fits your business and your budget.

IT Support Response Times: What SLAs Should Australian Businesses Expect?

When you call your MSP’s help desk because your email is down, you want to know when someone’s going to pick up the phone. You don’t want to hear “we’ll get back to you when we can”. You want an SLA — a Service Level Agreement that commits to a specific response time.

But here’s the problem: MSPs use SLAs differently, and the language is inconsistent. When an MSP says “1-hour response time”, do they mean someone will start working on your issue in 1 hour, or that they’ll actually have it fixed in 1 hour? The difference matters.

We’re going to walk through what reasonable SLAs actually look like in Australia right now, what the priority levels mean, why response time and resolution time are not the same thing, and what to look for when an MSP promises you an SLA.

Priority Levels: P1, P2, P3, P4

Most MSPs use a four-tier priority system. Understanding what each means will help you figure out if the SLA you’re looking at is actually useful.

P1: Critical / Down

Your business can’t operate. Email is down. All servers are offline. Core application is unavailable. Multiple users can’t work.

Typical response time: 30 minutes to 1 hour for Australian MSPs. 24/7 support.

Typical resolution time: 4 hours. This is a target, not a guarantee. Some issues take longer.

Who works on it: Senior technician immediately. Escalated within 15 minutes if not resolved.

What you should expect: Phone call or text within 30 minutes. Someone working on the issue actively. Regular updates. If they can’t fix it, they escalate or engage a vendor.

Red flag: If your MSP doesn’t have 24/7 support or if they charge extra for P1 support, that’s a problem. P1 is not negotiable.

P2: High / Severely Degraded

Multiple users are affected, but not everyone. A shared drive is slow. A team’s printer is down. A subset of users can’t access a service.

Typical response time: 1–2 hours during business hours. 2–4 hours outside business hours.

Typical resolution time: 4–8 hours.

Who works on it: Mid-level technician. Escalated within 1 hour if not resolved.

What you should expect: Email confirmation within 30 minutes. Assigned technician within 1 hour. Regular updates every 1–2 hours.

P3: Medium / Minor Impact

A single user is affected, or there’s a workaround. One person can’t print. A non-critical service is running slow. Something’s not working as expected but the business can operate.

Typical response time: 4–8 hours during business hours. 12–24 hours outside business hours.

Typical resolution time: 24–48 hours.

Who works on it: Junior technician or support queue.

P4: Low / Cosmetic / Enhancement Request

Nice-to-have fixes. Software request. User preference issue. Doesn’t affect operations.

Typical response time: No committed SLA. Best effort. Could be handled within a week or month.

Typical resolution time: No committed timeline. Addressed when capacity allows.

Response Time vs Resolution Time

This is critical. Most people don’t understand the difference, and MSPs count on that confusion.

Response time: How long until someone from your MSP acknowledges the issue. Usually this means a phone call, email, or ticket assignment. The technician has your ticket and knows about it.

Resolution time: How long until the issue is actually fixed.

A good SLA commits to both. A bad one commits only to response. Example: “1-hour response, 4-hour resolution” for P1 issues means: someone will contact you within 1 hour, and the issue will be fixed within 4 hours.

Red flag example: “1-hour response for P1” with no resolution time mentioned. Technically they could respond, say “we’re looking into it”, then leave you hanging for 12 hours.

On-Site vs Remote Support

MSPs handle most issues remotely now (remote access tools, VPN, phone support). On-site visits happen for hardware failures, network problems, or when remote troubleshooting fails.

What you should know: Remote support is faster. On-site is not guaranteed same-day in Australia. If you’re in a major city (Sydney, Melbourne, Brisbane), expect same-day or next-day on-site. Regional areas might be 2–3 days. Get this in writing.

On-site calls typically get their own SLA. Example: “P1 on-site response: 4 hours in metro areas, 24 hours in regional areas.”

On-site hours are usually business hours only. Unless you pay extra for after-hours, don’t expect an on-site technician at 10 PM.

What Reasonable SLAs Actually Look Like

Here’s an example of a solid, realistic MSP SLA for Australian small businesses.

| Priority | Response Time | Resolution Target | Support Hours |
|---|---|---|---|
| P1 | 30 min | 4 hours | 24/7 |
| P2 | 1 hour | 8 hours | 24/7 (response), business hours (resolution) |
| P3 | 4 hours | 24 hours | Business hours (9am–5pm AEST) |
| P4 | Best effort | Best effort | Business hours |

This is reasonable. It commits to real response and resolution times for critical issues, realistic times for medium issues, and best-effort for non-urgent work.
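To check a provider's ticket export against targets like these, response and resolution have to be measured separately and on the right clock. This is an added example, not part of the original article: the tickets are constructed, and it assumes business-hours targets are counted only during Monday to Friday, 9am to 5pm local time, with public holidays ignored.

```python
from datetime import datetime, time, timedelta

# Targets from the example SLA table above. "24x7" counts wall-clock time;
# "business" counts only Mon-Fri 9am-5pm (this example's assumption).
SLA = {
    "P1": {"response": (timedelta(minutes=30), "24x7"),
           "resolution": (timedelta(hours=4), "24x7")},
    "P2": {"response": (timedelta(hours=1), "24x7"),
           "resolution": (timedelta(hours=8), "business")},
    "P3": {"response": (timedelta(hours=4), "business"),
           "resolution": (timedelta(hours=24), "business")},
}  # P4 is best effort, so there is nothing to measure

# Constructed tickets: (id, priority, opened, first response, resolved).
TICKETS = [
    ("T1", "P1", "2026-03-06T21:00", "2026-03-06T21:20", "2026-03-07T09:00"),
    ("T2", "P2", "2026-03-06T16:00", "2026-03-06T16:45", "2026-03-09T12:00"),
    ("T3", "P3", "2026-03-02T15:00", "2026-03-03T10:30", "2026-03-03T16:00"),
    ("T4", "P1", "2026-03-02T10:00", "2026-03-02T10:50", "2026-03-02T12:00"),
    ("T5", "P4", "2026-03-02T10:00", "2026-03-04T10:00", "2026-03-12T10:00"),
]


def business_time(start, end):
    """Time between start and end that falls inside Mon-Fri 9am-5pm."""
    total = timedelta()
    day = start.date()
    while day <= end.date():
        if day.weekday() < 5:  # Monday is 0, Friday is 4
            opens = datetime.combine(day, time(9))
            closes = datetime.combine(day, time(17))
            lo, hi = max(start, opens), min(end, closes)
            if hi > lo:
                total += hi - lo
        day += timedelta(days=1)
    return total


def elapsed(start, end, clock):
    return business_time(start, end) if clock == "business" else end - start


def sla_breaches(tickets, sla=SLA):
    """Map ticket id -> list of missed targets ('response', 'resolution')."""
    breaches = {}
    for ticket_id, priority, opened, responded, resolved in tickets:
        if priority not in sla:
            continue  # best-effort priorities have no committed target
        opened = datetime.fromisoformat(opened)
        stamps = {"response": datetime.fromisoformat(responded),
                  "resolution": datetime.fromisoformat(resolved)}
        missed = []
        for stage in ("response", "resolution"):
            target, clock = sla[priority][stage]
            if elapsed(opened, stamps[stage], clock) > target:
                missed.append(stage)
        if missed:
            breaches[ticket_id] = missed
    return breaches


if __name__ == "__main__":
    for ticket_id, missed in sla_breaches(TICKETS).items():
        print(f"{ticket_id}: missed {', '.join(missed)}")
```

Ticket T1 in the constructed data is the pattern to look for: the response target was met within 20 minutes, but the outage itself ran for 12 hours.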

Red Flags in MSP SLAs

Response time only, no resolution target. If they only commit to “we’ll call you”, that’s not good enough. Push for resolution times too.

P1 response time over 2 hours. That’s too slow. By the time they call, you’ve already lost two hours of productivity.

No 24/7 support for P1 issues. If your business operates 9–5 and you never have downtime outside those hours, that’s fine. But if there’s any risk of after-hours issues, you need 24/7 P1 support.

Different SLA tiers depending on contract level. Some MSPs have “Tier 1” customers with 1-hour response and “Tier 2” with 4-hour response. That’s okay, but know which tier you’re on.

No SLA for P2 outside business hours. If you operate outside 9–5, your P2 issues don’t disappear at 5 PM.

SLA has lots of exclusions. Some MSPs say the SLA doesn’t apply if it’s a vendor issue, or your internet is down, or the issue is due to user error. Reasonable exclusions are fine. Overly broad exclusions are a red flag.

How to Choose an SLA That Matches Your Needs

Not every business needs the same SLA. A consultancy where everyone works from home needs different support than a manufacturing plant with machines on the floor.

Small office, 9–5 operation: You don’t need 24/7 support. A reasonable SLA is 2-hour response for P1 during business hours, next-business-day for after-hours P1. P2 can be 4 hours. P3 can be next business day.

Always-on operation (retail, hospitality, customer service): You need 24/7 support and aggressive SLAs. P1 should be 30-minute response, 1–2 hour resolution target. P2 should be 1-hour response, 4-hour resolution target.

Professional services (accounting, legal, consulting): You probably need business-hours plus some after-hours coverage. A good compromise is 24/7 P1 response (they call you after hours but may not resolve until business hours), and 1-hour response for P2 during business hours.

Response times are only meaningful if they’re backed by SLAs with teeth. TechAssist’s IT support services include guaranteed response times with financial penalties if we miss them.


Regional business: Adjust for on-site travel time. A 4-hour response target might mean “4 hours to start remote troubleshooting” and “same-day on-site response in metro, next-business-day in regional.”

Next Steps

Before you sign any MSP contract, get the SLA in writing. Make sure you understand what response and resolution times actually mean. And make sure the SLA matches your actual needs — not the MSP’s standard offering.

Managed IT Pricing in Australia: What SMBs Actually Pay in 2026

If you’ve asked a managed IT services provider for a quote and they’ve come back with “we’ll need to schedule a discovery call”, you already know the problem. There’s no transparency in managed IT pricing, especially in Australia. Every MSP quotes differently, includes different things, and — most importantly — charges different amounts for the same service.

This makes it genuinely difficult to know if you’re overpaying, underpaying, or about to sign a contract that’ll lock you in at a premium rate for three years while your business changes.

We’re going to walk through exactly what Australian SMBs are paying for managed IT in 2026, what pricing models actually mean, and how to spot contracts that are overpriced on their face.

The Three Main Managed IT Pricing Models in Australia

Most MSPs use one of these three approaches. Some use a hybrid.

Per-User Pricing (Per Seat)

This is the most common model in Australia right now. You pay a fixed amount per user per month, typically between AUD $100–$200 depending on service level and what’s included.

What you’re usually getting:

  • Desktop support (help desk, remote access, troubleshooting)
  • Email support during business hours
  • Basic device management and monitoring
  • Antivirus and basic security
  • Monthly patching

The catch: “Per user” often means per device. If you have 20 staff and 5 of them have a laptop and desktop, you might be paying for 25 seats. Some MSPs are clearer about this than others.

When it makes sense: Growing businesses with stable headcount, or firms where most staff use just one device. If your team size and device count fluctuate frequently, per-user pricing can become messy.

Per-Device Pricing (Per Workstation/Server)

Less common these days, but still around. You pay a flat rate per computer or server on your network, regardless of how many users sit in front of it. Expect AUD $80–$150 per device per month.

What’s typically included:

  • Monitoring and alerting
  • Basic patching and updates
  • Remote support
  • Antivirus

When it makes sense: Businesses with shared devices or hot-desking arrangements. Also works if you have high device count but low user count.

All-Inclusive or Tiered Pricing

You pay one monthly fee for everything up to a certain size: all monitoring, all support, all security, patching, backup, the lot. Usually AUD $3,000–$8,000+ per month depending on scope.

What you’re getting:

  • 24/7 or extended hours support
  • Network monitoring and management
  • Server management (if you have servers)
  • Backup and disaster recovery
  • Advanced security (MFA, endpoint detection, etc.)
  • Compliance support
  • Proactive maintenance
  • Often includes cloud services like Microsoft 365 management

When it makes sense: Most Australian SMBs. Once you factor in backups, security, compliance, and proper support hours, all-inclusive pricing is often cheaper and simpler to budget.

What’s Included vs What Costs Extra

This is where MSP contracts get expensive fast. Two MSPs might quote AUD $150/user/month, but what they include is completely different.

Usually included: Help desk support, monitoring, patching, antivirus, email support.

Usually extra: Backup and disaster recovery, advanced security tools, compliance auditing, on-site visits, cloud infrastructure, project work, password management, MFA deployment.

Before you sign anything, ask your MSP what’s included and what costs extra. Get it in writing.

What’s Reasonable to Pay in Australia Right Now

Tier 1 (Basic support, business hours only): AUD $100–$130/user/month.

Tier 2 (Standard support, extended hours, basic security): AUD $150–$180/user/month.

Tier 3 (Premium support, 24/7, advanced security and compliance): AUD $200–$250/user/month.

All-inclusive for small teams (5–15 staff): AUD $3,500–$5,500/month.

All-inclusive for mid-size (15–50 staff): AUD $6,000–$12,000/month.

Red Flags in Managed IT Contracts

Vague inclusions. If the contract says “support includes troubleshooting” but doesn’t define what that means, that’s a problem.

No SLA on response time. Your MSP should commit to response times for different priority levels.

Excessive setup or implementation fees. Some MSPs charge AUD $500–$2,000 to get you on their platform.

No price lock. Always negotiate a fixed price for the contract term.

Auto-renewal without escalation clause. Your contract auto-renews at current rates, then they increase it 10–15% next year.

Bundled services you don’t want. Some MSPs force you to buy backup, security, and phone support as a bundle.

No exit clause or excessive exit fees. You should be able to leave with 60–90 days’ notice.

How to Compare Quotes Properly

When you get quotes from different MSPs, use a detailed scope of work. Ask each MSP to provide a written breakdown of what’s included. Get support hours, response times, and SLAs in writing.

How to Get Better Pricing

Commit to a longer term. Most MSPs will discount if you sign a two- or three-year contract.

Negotiate out unnecessary services. You might save money by not buying 24/7 support if 9–5 is enough.

Go all-in with one provider. Buying multiple services from the same MSP is cheaper than piecemeal.

Get ahead on compliance. If you already have Essential Eight implemented, you might not need their compliance support package.

For a detailed breakdown of what’s included at each price point, see our managed IT services page — we publish our inclusions so you can compare apples to apples.

Be transparent about your infrastructure. Tell your MSP exactly what you have so they price accurately.

A Final Note on Australian Pricing

Australian MSP pricing is generally higher than overseas pricing. We have longer SLAs due to geography, higher wages, and stronger compliance requirements. That’s real. But it also means you should get Australian-based support with local expertise.

If a quote seems cheap, ask where the support is coming from. There’s nothing wrong with offshore support for after-hours, but your local support should be Australian-based.

Next Steps

Know exactly what you need before you start getting quotes. Once you know your baseline, you can compare fairly. If you want help evaluating your current spend or working out what reasonable pricing looks like for your business, we’re happy to talk it through.

The Two Models of IT Support

When it comes to getting IT problems fixed, there are fundamentally two approaches: someone helps you remotely (over the phone, via screen sharing, or through a ticketing system) or someone comes to your office in person. Most businesses end up using some combination of both, but understanding the strengths and limitations of each model is essential for making the right choice.

The remote helpdesk model has transformed dramatically over the past decade. What used to mean “call a 1800 number and hope for the best” now means secure remote access tools that let a technician see your screen, take control with your permission, and fix problems in real time — often faster than if they were sitting next to you.

On-site support, meanwhile, remains irreplaceable for certain types of work. Hardware failures, network infrastructure, cabling, physical security systems, and complex multi-user issues that require being in the room — these are situations where remote just does not cut it.

The right answer for your business depends on your size, your industry, the complexity of your IT environment, and what your staff actually need day to day.

How Remote IT Helpdesk Support Works

A remote IT helpdesk operates through a combination of tools and processes that allow technicians to diagnose and resolve issues without being physically present. Here is what that typically looks like:

Ticket submission. Your staff report an issue — via phone, email, or a web portal. The issue is logged, categorised, and assigned to a technician based on urgency and expertise required.

Remote diagnosis. The technician connects to the affected machine using a secure remote access tool. They can see the screen, access the file system, check event logs, run diagnostics, and troubleshoot as if they were sitting at the desk.

Resolution. Most common issues — software crashes, email problems, printer issues, password resets, connectivity problems, permission changes — can be resolved entirely remotely. The technician fixes the issue, documents the resolution, and closes the ticket.

Monitoring and prevention. A good remote helpdesk does not just react to tickets. It includes proactive monitoring tools that detect problems before your staff even notice them — a server running hot, a disk filling up, a backup that failed overnight.

The speed advantage is significant. A remote technician can often start working on your issue within minutes of it being reported. There is no travel time, no scheduling an on-site visit, no waiting for someone to drive across town. For businesses where downtime directly costs money — and that is most businesses — this speed matters enormously.

When On-Site Support Is Necessary

Despite the capabilities of remote support, there are situations where you genuinely need someone on-site:

Hardware failures. If a workstation, server, printer, or network switch physically fails, someone needs to be there to replace or repair it. You cannot swap a hard drive remotely.

Network infrastructure. Cabling, switch configuration, Wi-Fi access point placement, and network redesigns all require physical presence. If your office Wi-Fi has dead spots or your network is unreliable, a technician needs to walk the site.

New office setup or moves. Setting up a new office, relocating, or reconfiguring your physical workspace requires on-site work. Desks need to be connected, screens need to be mounted, phones need to be plugged in.

Complex, multi-user issues. Sometimes a problem affects multiple staff and the best way to understand and resolve it is to be in the room, observing the workflow and talking to the people affected.

Staff training. While remote training is effective for many topics, hands-on training — especially for less tech-confident staff — is often better done in person where the trainer can read body language, answer questions naturally, and adapt the pace.

Physical security. CCTV, access control systems, alarm integrations — anything that involves physical hardware and wiring needs an on-site visit.

The Cost Comparison

Let us talk money, because that is often the deciding factor.

Remote helpdesk support is inherently cheaper to deliver. There is no travel time, no vehicle costs, no windshield time between jobs. A single remote technician can handle significantly more tickets per day than an on-site technician because they are not spending hours in traffic. These savings get passed on in pricing — remote-focused support plans are typically 20-40% cheaper than equivalent on-site plans.

On-site support costs more per interaction, but the value equation changes depending on your needs. If you have a complex environment with lots of hardware, multiple sites, or staff who struggle with technology, the investment in regular on-site presence can pay for itself through faster resolution of physical issues and better staff relationships.

The hybrid model — which is what most businesses end up with — gives you the best of both worlds. Remote support handles the 80% of issues that do not require physical presence, keeping costs down and response times fast. On-site visits are reserved for the 20% that genuinely need a body in the building.

The key metric to focus on is not the cost per ticket or the cost per visit — it is the total cost of IT support relative to the outcomes you are getting. A cheap remote-only plan that leaves hardware issues unresolved for days is not actually saving you money.

Response Time Expectations

Response times differ significantly between the two models, and your expectations should be calibrated accordingly.

Remote helpdesk: A well-run remote helpdesk should acknowledge your ticket within 15-30 minutes and begin active work on it within 1-2 hours for standard issues, or within 15 minutes for critical issues. Because there is no travel involved, the gap between “we received your ticket” and “someone is working on it” is short.

On-site support: Even with a provider located nearby, on-site response for non-emergency issues is typically same-day or next-business-day. For emergencies, you might get a 2-4 hour response window. If your provider is not local — if they are based interstate or in a distant suburb — add more time.

This is why having a local IT provider matters for the on-site component. A provider with technicians based near your office can respond faster to physical emergencies. A provider on the other side of Melbourne — or the other side of the country — simply cannot match that response time.

What Works Best by Business Size

1-10 employees: Remote-first support is usually sufficient. Your IT environment is likely simple — laptops, Microsoft 365, maybe a shared drive. Most issues can be resolved remotely, and on-site visits can be handled on an as-needed basis.

10-50 employees: A hybrid model works best. Remote helpdesk for day-to-day support, with scheduled on-site visits (monthly or fortnightly) for hardware maintenance, staff check-ins, and proactive work. On-demand on-site for emergencies.

50-200 employees: You likely need a more substantial on-site presence — possibly a dedicated on-site technician for part of the week, supplemented by remote helpdesk for after-hours and overflow. The complexity of your environment and the volume of physical hardware usually justifies regular on-site time.

200+ employees: Dedicated on-site staff (either your own or embedded from your MSP) supported by a remote helpdesk for after-hours, specialist escalations, and multi-site coordination.

Industry Considerations

Your industry matters too. Some environments have characteristics that make one model more suitable than the other.

Office-based businesses (accounting firms, law firms, professional services) generally do well with a remote-first approach. Most of the work is on laptops and cloud applications, and most issues are software-related.

Manufacturing and warehousing businesses often have more on-site needs — industrial equipment with IT components, rugged devices, warehouse Wi-Fi, and a workforce that may not be comfortable submitting tickets via a web portal. Regular on-site presence is usually important.

Healthcare and aged care facilities have compliance requirements and specialised equipment that often necessitate on-site support. Patient data systems, medical devices with network connectivity, and strict uptime requirements mean you cannot wait for a scheduled visit if something goes wrong.

Retail and hospitality businesses need on-site support for POS systems, payment terminals, and customer-facing technology. When the EFTPOS machine goes down during the lunch rush, remote support is not going to cut it.

Questions to Ask Your IT Provider

When evaluating IT support options, here are the questions that will help you understand what you are actually getting:

What percentage of issues do you resolve remotely vs on-site? A good MSP should be resolving 70-85% of tickets remotely. If they are sending a technician on-site for every password reset, something is wrong with their remote capability.

What are your on-site response time guarantees? Get this in writing. “We will try to get there same day” is not a commitment. A specific SLA — “4-hour response for critical on-site issues” — is.

Where are your technicians based? If you need on-site support, geography matters. Ask where their nearest technician is located relative to your office.

What remote tools do you use? Enterprise-grade remote management tools (like ConnectWise, Datto, or NinjaRMM) are a different class from consumer-grade screen sharing. The tools your MSP uses directly affect how quickly and effectively they can support you remotely.

Is on-site included or extra? Some managed service agreements include a set number of on-site hours per month. Others charge on-site visits as an additional fee. Know what you are paying for.

How TechAssist Handles It

At TechAssist, we deliver a hybrid model by default because we believe that is what works best for most businesses. Our remote helpdesk handles the vast majority of issues quickly and efficiently, while our field technicians — based across Melbourne — provide on-site support when it is genuinely needed.

Every managed services client gets access to our remote helpdesk with guaranteed response times, plus a monthly allocation of on-site hours for proactive work, hardware maintenance, and face-to-face check-ins. Emergency on-site visits are available with a 4-hour response window.

We have found that this hybrid approach gives our clients the speed and cost-efficiency of remote support without sacrificing the personal touch and hands-on capability of having a technician who knows your office, your people, and your systems.

Want to find the right support model for your business? Get in touch and we will walk you through the options based on your specific situation.
