Network Segmentation for SMEs: A Practical Guide Without the Enterprise Jargon

Network segmentation gets explained as a zero-trust enterprise project with microsegmentation and identity-aware proxies. That framing scares SMEs off, which is a shame. A 30-person Melbourne business can segment its network usefully in a weekend with a UniFi stack and four VLANs. The hard part is sequencing the work so each step reduces real risk.

This guide is the practical version. We will walk through the minimum-viable segmentation that actually reduces lateral movement risk for an Australian SME, the priority order (guest Wi-Fi first, because it is the cheapest win and stops half the dumb risks), where SMEs over-engineer and waste budget, a sample VLAN and firewall rule pack you can adapt, and the trap of segmenting your network without doing the identity work alongside it.

TechAssist has been deploying these stacks for Melbourne SMEs since we were founded in 2014. Our cybersecurity services Melbourne team treats segmentation as one of the highest-leverage controls available to a small business. It is not the most exciting work, but it is the work that means a phished receptionist credential does not become a domain-wide ransomware incident.

What Network Segmentation Actually Is

Segmentation is the practice of dividing your network into separate zones so that a device or user in one zone cannot freely communicate with devices in another zone. Each zone is governed by firewall rules that say what traffic is permitted between it and other zones.

The simplest example: your guest Wi-Fi should not be able to talk to your office laptops. Your office laptops should not be able to talk to your CCTV cameras. Your CCTV cameras should not be able to talk to your phone system. Your phone system should not be able to talk to anything except the SIP provider. If you implement those four rules, you have already done most of the segmentation work that meaningfully reduces risk.

The reason segmentation matters is lateral movement. Modern ransomware does not just encrypt the machine it lands on. It enumerates the local network, finds open shares, weak credentials, and unpatched services on other devices, and spreads. A flat network gives the attacker the entire estate. A segmented network gives them one VLAN.

This is not zero trust, despite what some vendors will tell you. It is the perimeter approach with internal perimeters added. Zero trust is the next step beyond segmentation, where every connection is authenticated and authorised regardless of zone. Read our zero trust security model explained guide for that broader picture. For most SMEs, getting segmentation right is the prerequisite, and the right place to stop for now.

The Minimum Four VLANs for a Melbourne SME

If you run a 15-to-100-person business and you want a segmentation design that actually reduces risk without becoming a multi-month project, run four VLANs. We deploy this exact pattern several times a quarter across our client base.

Four VLANs sound trivial. The reason it is enough for most SMEs is that each one represents a meaningfully different risk profile. Guest devices are unmanaged and untrusted. IoT devices are notoriously badly patched and run weird firmware. Voice devices have their own QoS needs and should not be exposed to general office traffic. Corporate is the only zone where managed, patched, and authenticated devices live.

If you have a meaningfully different workload, like a manufacturing floor with PLCs, an OT environment, or a clinical environment with medical devices, add a fifth VLAN for that. Do not collapse it into the IoT VLAN. The blast radius if it gets compromised is too different.

Priority Order: Guest WiFi First

The single highest-leverage step you can take is splitting guest Wi-Fi from corporate Wi-Fi. It is cheap, it is fast, and it removes the most common dumb risk: a visitor’s compromised phone or a contractor’s malware-laden laptop pivoting onto your file server because they got the office Wi-Fi password.

The order we deploy in for a typical Melbourne SME segmentation engagement is as follows.

Week one. Guest Wi-Fi on its own VLAN with a captive portal, time-limited credentials, and a firewall rule that permits internet egress only. No access to internal subnets. This alone removes about 40 percent of the lateral movement risk for a typical SME.

Week two. Voice VLAN. Move the SIP phones onto their own VLAN, lock egress to your SIP provider’s IP range only, and prioritise QoS. This stops a compromised phone from talking to anything except the SIP provider and improves call quality at the same time.

Week three. IoT and AV VLAN. Move printers, cameras, smart TVs, AV gear, and any other unmanaged device onto its own VLAN. Permit only the management traffic the corporate VLAN needs (Bonjour and mDNS reflection for AirPrint, print server traffic, RTSP for camera viewing). Block everything else.

Week four. Corporate VLAN cleanup. Remove anything that should not be on the corporate VLAN, audit static IPs, document the segmentation in a network diagram, and set up monitoring alerts for inter-VLAN traffic that violates the rule set.

That is a four-week project for a typical 30-person Melbourne SME. Most of the cost is engineering time, not hardware. If you are already on UniFi, the hardware is essentially free, and the labour is roughly fifteen to twenty engineer-hours including documentation.

Where SMEs Over-Engineer

Segmentation has a way of attracting over-engineering. Here is what to skip if you are a 30-to-100-person business.

Microsegmentation. This is the practice of giving each workload or application its own segment with policies down to the application port level. It is the right answer for large enterprises with data centres and dozens of regulated workloads. It is not the right answer for a 40-person Melbourne law firm with one practice management system. Microsegmentation tooling costs more than the entire SME’s segmentation budget and adds operational complexity that the IT team cannot maintain.

Per-application firewalls. The pattern where each application has its own next-generation firewall with deep packet inspection rules. Same logic as above. It belongs to the enterprise data centre, not the SME network. For SMEs, a single perimeter firewall with sensible inter-VLAN rules covers the same risk at a fraction of the cost.

Identity-aware proxies for every internal application. Good idea in theory. In practice, deploying ZTNA across every internal app for a 30-person business takes three to six months of integration work, costs tens of thousands in licensing, and leaves the team frustrated. Start with corporate, guest, IoT, and voice segmentation. Then layer identity-aware access onto the two or three highest-value internal applications. Do not try to do all of it at once.

Dedicated SIEM and SOAR. SMEs that try to deploy a SIEM and incident orchestration platform alongside segmentation usually end up with both half-deployed. Use Microsoft Defender for Business or your MSP’s monitoring stack until you genuinely outgrow it. Our managed IT services Melbourne programme includes 24/7 NOC monitoring out of our Tecoma office, which covers what a small SIEM does for a fraction of the cost.

Sample VLAN and Firewall Rule Pack

Here is a sample rule pack that we deploy as a starting point on UniFi, pfSense, or Meraki gear. Adapt the IP ranges to your environment. The rules are written as “from-to: permit/deny.”

The thing to notice about this rule pack is how restrictive it is by default. Most SMEs run flat networks where everything can talk to everything. That is the disease. The cure is “deny by default” between VLANs and explicit permits only for the traffic you actually need. If you do not know whether a traffic flow is needed, it is not needed. Add it back if something breaks.

One detail that catches people out: print discovery. Modern printers use mDNS and Bonjour for discovery, which is broadcast-based and does not cross VLAN boundaries by default. You need either an mDNS reflector (UniFi calls it mDNS, Meraki calls it Bonjour Forwarding) configured between corporate and IoT VLANs, or you fix the printers in DNS with static A records and add them as IP-based printers. Both work. We usually prefer the static DNS approach because it is more deterministic.

The Trap: Segmenting Without Identity

This is the trap that costs SMEs more than any other in segmentation projects. You spend a weekend deploying four VLANs, you write a clean rule pack, you feel great, and then a phished user credential turns out to be a domain admin because identity hygiene was never done. The attacker authenticates as a privileged user, traverses your VLAN rules using legitimate credentials, and segmentation buys you nothing.

Segmentation is necessary but not sufficient. You also need identity hygiene. The minimum identity work to do alongside segmentation is as follows.

One. No standing domain admin. Domain admin rights are granted just-in-time, ideally through Privileged Identity Management in Entra ID, or at minimum through a separate dedicated admin account that requires MFA and is not used for email or browsing.

Two. MFA on everything. Not just email. RDP gateways, VPN, the firewall admin interface, the switch management interface, the wireless controller, the file server admin. If a credential gives access to something, that access requires MFA.

Three. Conditional access policies on Entra ID. At a minimum, require MFA for all users, block legacy authentication protocols, and require a compliant device for access to admin roles and high-value applications. This is included in Microsoft 365 Business Premium and is one of the highest-leverage controls available.

Four. Local admin password randomisation. Every Windows endpoint should have a unique, randomised local administrator password managed via LAPS or its modern equivalent in Intune. A consistent local admin password is one of the fastest paths to lateral movement, and most SMEs still have it.

Five. Application control allowlisting on at least the corporate VLAN endpoints. This is the hardest of the Essential Eight to deploy well, but it is also one of the most effective. See our deep dive on application control for the practical playbook.

Without those identity controls, segmentation is theatre. With them, segmentation becomes a meaningful second line of defence.

A Melbourne Example: 38-Person Architecture Practice in Richmond

A 38-person architecture practice in Richmond engaged us in early 2025 after a near-miss incident. A user clicked a phishing link, entered credentials into a fake Microsoft login page, and an attacker logged into their mailbox. The mailbox had access to a shared SharePoint library with five years of client documents, and the attacker started downloading files before MFA challenges (delayed by a policy gap) interrupted them.

The post-incident review showed three problems. First, no conditional access policy requiring MFA on every sign-in. Second, no device compliance check, so the attacker authenticated from an unmanaged device with no resistance. Third, flat network with no segmentation, so if the attacker had pivoted from email to internal systems, nothing would have stopped them.

We deployed in three phases. Phase one was identity hardening: conditional access, device compliance, MFA enforcement, LAPS on the Windows fleet. Phase two was segmentation, exactly the four-VLAN pattern above, with the addition of a fifth VLAN for the Revit project file server because it is high-value and warrants its own zone. Phase three was monitoring: alerting on inter-VLAN traffic that violated rules, alerts on impossible-travel sign-ins, and alerts on download volume anomalies in SharePoint.

Total project cost: just under $34,000 across three months. Total engineer time: 58 hours. Hardware: $4,800 of UniFi gear that replaced a single flat-network router and a consumer-grade access point. They have had zero security incidents in the eighteen months since.

The most important detail: the segmentation work would have been worthless without the identity work that came first. We do not deploy VLANs as a standalone project anymore. Segmentation comes packaged with identity hardening, or it does not come at all.

Hardware Choices: UniFi, Meraki Go, or Meraki Proper

Three tiers cover almost all Melbourne SME deployments. Each has trade-offs.

UniFi from Ubiquiti is the SME favourite for good reason. Hardware is one-time-cost, no recurring licences, the controller is good, and the gear is genuinely capable of handling four-to-six VLANs and the rule pack above. The trade-off is that you (or your MSP) own the operational lift. If the controller falls over, no vendor support phone number rescues you. We deploy UniFi for clients with an MSP relationship in place, because the MSP carries the operational responsibility.

Meraki Go is the entry-level cloud-managed option from Cisco. It is easy to set up, has a clean phone app, and is a good fit for businesses under 20 staff who want minimal operational complexity. The trade-off is feature ceiling. Once you want VLAN-aware DHCP scopes, more than basic firewall rules, or advanced visibility, you hit the ceiling. We tend to deploy Meraki Go for businesses we do not co-manage.

Meraki proper (the full Cisco Meraki dashboard) is the right answer for SMEs with serious compliance ambitions or with multi-site setups. The licensing cost is real (typically $80-$200 per device per year), but the cloud management, deep visibility, and reliability are excellent. We deploy this for clients in regulated sectors and for clients with three or more sites where central management saves enough engineer time to pay for itself.

None of these is the wrong answer. The right answer depends on whether you have an MSP, your compliance trajectory, and how much operational lift you want to carry yourself. Our MSP Melbourne team scopes the hardware decision as part of the segmentation engagement so the gear matches the operating model.

Monitoring: How You Know Segmentation Is Working

Deploying segmentation and not monitoring it is half the job. You need to know when a rule is being violated, when a device is in the wrong VLAN, and when traffic patterns indicate something abnormal.

The minimum monitoring set for an SME deployment:

Alert on denied inter-VLAN traffic above a threshold. A few denied packets are normal background noise. A sustained pattern of denied traffic from one IoT device trying to talk to a corporate file share is a signal worth investigating.

Alert on new devices in any VLAN. Especially the corporate VLAN. If an unknown MAC address suddenly appears, you want to know.

Alert on devices moving between VLANs. This should almost never happen during normal operations. If a device hops from IoT to corporate, something is misconfigured or, worse, someone is poking at the network.

Alert on rule changes. The firewall rule pack is now a security control. Changes to it should be logged, ideally reviewed, and definitely not made silently.

Our 24/7 NOC out of Tecoma handles this monitoring for our managed clients. We respond to P1 incidents in under 15 minutes and are on-site across Melbourne metro within the same business day when something needs hands on gear. For clients running their own ops with our co-managed IT support model, we share the monitoring with the internal team and escalate when thresholds are crossed.

How This Fits With Essential Eight and ISO 27001

Segmentation is not explicitly an Essential Eight strategy, but it is referenced under several of them and is foundational to a Maturity Level Two posture. Restricting administrative privileges, restricting Microsoft Office macros, and application control all become more enforceable when segmentation has limited the blast radius of any single compromised endpoint.

For ISO 27001, segmentation falls under Annex A.13 (Communications Security) and contributes evidence for several other controls. We do not certify clients (we are ISO 27001 capable, not a certifying body), but we have helped a number of Melbourne SMEs pass certification audits, and segmentation always shows up positively in the auditor’s review.

For Privacy Act obligations, segmentation reduces the population of data potentially affected in a breach, which can change the calculus on notifiable data breach decisions. See our Privacy Act for SMBs guide for the data handling context.

What This Costs for a Typical Melbourne SME

The all-in cost for a 30-to-50-person SME segmentation engagement, including identity hardening and ongoing monitoring, breaks down roughly as follows.

Total project cost typically lands between 20 and 30 thousand dollars depending on existing hardware, site complexity, and how much identity work is needed alongside the segmentation. The ongoing monitoring sits inside our per-user fixed monthly managed service pricing, so there is no surprise on the operational side.

Compared to the cost of a single ransomware incident (we covered this in another article and the realistic number for an SME is between $150,000 and $400,000 including downtime and customer churn), the segmentation project pays for itself if it prevents one incident. The maths is usually obvious in the boardroom.

Frequently Asked Questions

Can I do segmentation myself with a consumer router?

No. Consumer routers do not support meaningful VLAN tagging, and the firewall capabilities are not granular enough to write the kind of rule pack that makes segmentation worth doing. You need at minimum a small-business gateway like a UniFi Cloud Gateway, a Meraki Go GX, or an equivalent. The hardware costs less than a couple of staff laptops, so the price is not the obstacle.

Will segmentation slow down my network?

On modern gear, no. The gateway processes inter-VLAN routing at line rate, and the firewall rules add microseconds of latency, not milliseconds. The only place we see performance issues is when an SME tries to deploy deep packet inspection and TLS interception on undersized hardware. If you size the gateway correctly for your throughput, segmentation is invisible to users.

Do I need separate physical switches for each VLAN?

No. VLANs are logical, not physical. One managed switch handles all four VLANs at once, tagging traffic on the uplink to the gateway. The only reason to use physically separate switches is for an OT or industrial environment with very strict isolation requirements, and that is not most SMEs.

What about working from home: do segmentation rules apply on the VPN?

This is the part that gets missed. If your remote workers VPN in and land in the corporate VLAN by default, your segmentation has a hole. The fix is either a separate VPN VLAN with its own rule set, or, better, moving away from VPN entirely and using Entra ID conditional access with device compliance checks for application access. The latter is the modern approach and avoids the VPN-as-trust-domain problem entirely.

How often should the rule pack be reviewed?

Quarterly at minimum, and after any significant change to the application stack. We review rule packs as part of our managed client quarterly business reviews, and we use those reviews to remove rules that are no longer needed (which is more common than adding new ones).

What if a vendor needs access to one of my internal systems?

Vendor access should land in a dedicated vendor-access zone with explicit rules to the specific systems they need. Do not give vendors guest Wi-Fi credentials and ask them to VPN. Do not give them corporate Wi-Fi access. A dedicated zone with explicit permissions, ideally with MFA and time-bound credentials, is the right pattern.

How do I get started?

The honest first step is an assessment. We will look at your existing network, your endpoint fleet, your identity setup, and your compliance trajectory, and we will give you a sequenced plan. We do this for Melbourne clients regularly out of both our Tecoma office and our 575 Bourke St CBD office. Reach the team via the contact page and we will sort out a discovery session.

For Australian SMEs under 200 seats, the four real cloud phone options in 2026 are Microsoft Teams Phone, 3CX, RingCentral, and Aircall. Each one is the right answer for a specific business profile and the wrong answer for others. This buyer’s guide compares them honestly on cost, fit, number porting, and resilience for Australian conditions.

Why this guide exists

Most Australian buyer’s guides for cloud phone systems read like a vendor brochure with a different cover. The advice is generic, the comparisons are shallow, and the local detail (porting timelines with TPG or Aussie Broadband, ACMA implications, what happens during an outage on the NBN) is missing. We have deployed and supported all four of these platforms inside our managed IT engagements since founding TechAssist in 2014, and the local detail is where most of the cost and risk hides.

This guide is opinionated. We will tell you which platform we recommend by default for which profile, and where we have seen each one go wrong. The goal is not to sell you on a particular vendor; it is to help you make a defensible choice that you will still be happy with in three years.

The four real options

Microsoft Teams Phone

The right answer for businesses that already run Microsoft 365 E3 or E5, want one platform for chat, video, and voice, and have a relatively standard office and remote staff mix without heavy call centre or sales dialler requirements.

Strengths:

• Single identity, single client, single admin centre with the rest of your Microsoft estate
• Native Teams app on every device people already have
• Tight integration with calendar, presence, and meeting recording
• Operator Connect or Direct Routing options give flexibility on the carrier side
• Compliance and call recording aligned to the broader Microsoft 365 compliance stack

Weaknesses:

• Native call queueing and IVR are basic compared to a dedicated UCaaS or contact centre platform
• Real call centre features (skill-based routing, advanced wallboards, supervisor monitoring) require add-ons or a third-party contact centre integration
• Sales-dialler workflows are clunky; no native power dialler
• Voice quality depends heavily on the network and the device; soft phones on personal Wi-Fi can be unreliable

Best fit: professional services, accounting, legal, healthcare admin, and any organisation where the phone is a normal-volume business tool rather than the primary production system. For a 38-staff South Yarra law firm we recently deployed, Teams Phone with Operator Connect through an Australian carrier was the obvious answer because the firm already had M365 Business Premium and the call volume was about 40 inbound calls per partner per day.

3CX

The right answer for businesses that want maximum control, are comfortable with a more technical platform, and either want to self-host or run on a tightly managed instance. Also the right answer for businesses migrating from a legacy on-premises PBX who want a familiar feature set.

Strengths:

• Strong feature parity with traditional PBX systems (call queues, ring groups, advanced IVR, hot desking)
• Can be self-hosted in Azure, AWS, or on-premises; or run on a 3CX-hosted instance
• Per-system pricing rather than per-user pricing, which can be significantly cheaper at scale
• Strong third-party SIP trunk support, so you can choose your Australian carrier
• Good softphone and mobile apps; reasonable Teams integration if needed

Weaknesses:

• Requires technical administration; not a ‘set and forget’ platform
• Self-hosted instances need patching, monitoring, and backup (real infrastructure work)
• UI is functional rather than polished; staff onboarding is harder than Teams
• 3CX itself has had security incidents in recent years (the 2023 supply chain compromise) which raised concerns; subsequent response has been adequate but worth noting

Best fit: businesses that already have IT capacity (internal or co-managed), value control over the platform, and have specific feature requirements that consumer-grade UCaaS platforms do not meet. We run 3CX in our own environment and for a number of clients where the cost model and the feature set are right. For a 65-staff manufacturing business in Dandenong South, 3CX with SIP trunks from an Australian carrier and a redundant pair of instances in Azure was the right call because the on-premises requirement (a few hundred handsets across two sites with paging integration) ruled out the pure-cloud UCaaS options.

RingCentral

The right answer for businesses that want a full unified communications-as-a-service experience with a polished UI, strong analytics, and built-in contact centre options for when the business grows into them.

Strengths:

• Polished, consumer-grade user experience across mobile, desktop, and web
• Built-in video, messaging, fax, SMS, and voice in one platform
• Strong analytics and reporting out of the box
• Contact centre add-on (RingCX) is mature and integrates natively when needed
• Strong CRM integrations (Salesforce, HubSpot, Zoho) without third-party connectors

Weaknesses:

• Per-user pricing is at the higher end of the market
• Australian carrier and number porting flexibility is more limited than 3CX
• Bundle includes features many SMEs do not use, which inflates the per-seat cost
• Account management can be inconsistent; SMEs sometimes feel underserved

Best fit: customer-facing businesses with 30 to 150 staff that have outgrown a basic phone system, want a single platform across all communication channels, and have a clear customer service or sales operation. For a 72-staff e-commerce business in Cremorne we work with, RingCentral with the contact centre module was the right call because the customer service team needed proper queueing, wallboards, and supervisor monitoring that Teams Phone could not match.

Aircall

The right answer when sales or customer experience is the dominant phone use case, when CRM integration is the highest priority, and when you are willing to add another tool to your stack to get a sales-optimised experience.

Strengths:

• Built specifically for sales and CX teams; the workflows reflect that
• Excellent CRM integration (Salesforce, HubSpot, Pipedrive, Zendesk) with screen pops and automatic logging
• Power dialler, click-to-call, and call coaching features are native
• Fast to deploy; user onboarding is friendly
• Good analytics for call outcomes and rep performance

Weaknesses:

• Not designed as a general business phone system; not the right tool for receptionist or main-line scenarios
• Australian number availability and porting can be slower; mostly serves international and metropolitan use cases
• Per-user pricing is competitive but stacks with whatever else you use for general office calling
• Voice quality is heavily dependent on the user’s network

Best fit: dedicated sales or customer success teams within a larger business that already has a general phone system. We have deployed Aircall for the sales team at a Hawthorn SaaS business while leaving Teams Phone as the general business platform. The two run side by side, the sales team gets the dialler experience they need, and the cost is contained to the 12 sales seats.

Side-by-side cost comparison

The table below assumes a 50-user Australian SME with a standard mix of office calling. Prices are 2026 Australian list, GST exclusive, and assume an annual commitment. Real negotiated prices for SMEs are often 10% to 20% below list.

The cost comparison hides important differences. Teams Phone looks cheap on this view because much of the platform cost is already paid for in your Microsoft 365 licence. 3CX looks cheaper still on a pure platform basis, but the operational cost of running and maintaining the platform is real and not captured in the per-user price. Aircall is the most expensive per seat, but in practice you only deploy it to a sales team subset, not the whole business.

Number porting timelines and carriers

Number porting in Australia is the most underestimated risk in a phone system change. Promised porting timelines and actual porting timelines often diverge by weeks. The factors that matter:

Carrier of the losing number

Porting away from Telstra is typically 4 to 8 weeks for a complex port (multiple numbers on a hunt group) and 1 to 3 weeks for a simple port (single number). Porting away from Optus or TPG is similar. Smaller wholesale carriers can be faster (1 to 2 weeks) but the process is also more dependent on the human being on the other side.

Carrier of the gaining number

For Teams Phone, you can use Operator Connect carriers (multiple Australian options including TPG, Vonage, and several smaller providers) or Direct Routing through your own carrier. Operator Connect is faster to provision but you trade flexibility. Direct Routing requires a session border controller setup but gives you choice of carrier.

For 3CX, you choose your SIP trunk carrier independently. Aussie Broadband, Maxotel, and TPG Wholesale are common choices for Australian SMEs. Maxotel in particular has a reputation for responsive porting support among smaller deployments.

For RingCentral and Aircall, the carrier is bundled. You do not choose; you accept the carrier the platform uses. This simplifies the buying decision but reduces flexibility.

The porting risk plan

Whichever platform you choose, plan the port itself as a discrete project with its own risk management. Recommended practice:

• Submit port requests at least 30 days before go-live
• Keep the old service active and paid until 7 days after port completion
• Test inbound calls from at least three external networks (mobile, landline from a different carrier, international if relevant) before decommissioning the old service
• Plan a fallback path: divert old numbers to mobile during the cutover window in case of disputed port
• Have a written escalation path with both carriers; know who to call when something stalls

For complex multi-site deployments, factor in 6 to 8 weeks of porting lead time. Trying to compress this is a frequent source of go-live failures.

ACMA and ATO implications

ACMA

The Australian Communications and Media Authority regulates how Australian businesses can use phone numbers and what carriers must do. The relevant points for a cloud phone deployment:

• You must use Australian-registered numbers for Australian business operations (you cannot just use a US-issued RingCentral or Aircall number for your Australian customers)
• Emergency calling (Triple Zero) must work and must report a usable location. Many cloud phone systems require explicit configuration of E000 location data per device or per user
• Lawful intercept obligations apply to carriers, not to you directly, but your carrier must be compliant

The E000 location requirement is the one most often missed. If your staff are working from home with a softphone, the system needs to know their location at sufficient detail that emergency services can be dispatched correctly. RingCentral and Teams Phone both handle this; 3CX requires explicit configuration; Aircall is more limited.

ATO and record keeping

The ATO requires businesses to maintain records of business transactions, which can include call records for sales and customer service interactions. Cloud phone systems typically retain call records and recordings for a default period (30 to 90 days), which is shorter than the typical ATO retention requirement of 5 years.

If you record calls, you need to store the recordings somewhere durable for the retention period. Most platforms offer extended retention as an add-on or via export to your own storage. Build this into the deployment design.

Fallback plans for outages

Cloud phone systems fail. They fail less often than on-premises PBXs, but when they fail they fail completely. Your fallback plan needs to be:

• Documented in writing and tested at least annually
• Triggerable by a non-IT staff member if needed
• Capable of routing inbound calls to mobiles within 5 minutes

The standard fallback is a carrier-level call forwarding rule that activates on platform unreachable. Most Australian carriers support this for inbound DID numbers. The rule sends all inbound calls to a designated mobile (usually the reception manager) when the cloud platform stops responding. When the platform recovers, the rule deactivates.

For businesses where the phone is mission-critical (medical practices, professional services with tight client SLAs, customer service operations), consider running two carriers in active-passive configuration. The cost is meaningful but the resilience is the highest you can achieve outside of a dedicated contact centre platform.

For a Camberwell healthcare practice we manage, the phone system runs Teams Phone with Operator Connect through one carrier and a secondary direct route through a different carrier as failover. The cost premium is about $400 a month for the secondary path. They have used it twice in 18 months and both times the failover saved the day.

How to decide

The decision tree we use with clients is:

1. Do you already have Microsoft 365 E3 or E5, or Business Premium with Teams Phone add-on? If yes, start with Teams Phone unless there is a specific reason not to.
2. Is your call volume primarily sales-driven, with CRM integration as a top requirement? If yes, evaluate Aircall as a sales-team overlay on top of a general phone system.
3. Do you have a customer service team of 5 or more that needs proper queueing, wallboards, and supervisor features? If yes, evaluate RingCentral or RingCX.
4. Do you have specific feature requirements (paging integration, dense IVR, hot desking) that consumer-grade platforms do not meet, and do you have or want technical control over the phone platform? If yes, evaluate 3CX.
5. If none of the above clearly dominates, default to Teams Phone for the Microsoft 365 integration alone.

Implementation realities

Cloud phone deployments fail more often than they should, almost always for the same reasons. The four to plan against:

• Underestimating the porting timeline. Already covered above. Treat it as the critical path.
• Underestimating user training. Phone behaviour is muscle memory. Switching staff to a new system without dedicated training results in two months of awkward calls and lost business.
• Underestimating the network impact. Voice traffic competes with Teams meetings, file syncs, and everything else on the network. QoS is essential; on a typical NBN connection, prioritising voice traffic prevents call quality degradation during peak hours.
• Underestimating the headset standard. A $35 headset is not the same as a $180 business headset. Voice quality complaints are 50% headset and 50% network in our experience. Standardise on a known-good business headset and budget for it.

This kind of deployment work sits naturally inside a managed IT services arrangement with per-user fixed monthly pricing. Our 13 Australian engineers handle cloud phone deployments out of our 24/7 NOC in Tecoma and our 575 Bourke Street CBD office, with sub-15-minute P1 response when something goes wrong post-go-live. The same-business-day on-site capability for Melbourne metro matters when you have 40 desk phones to physically replace.

If you want a sharper conversation about which of the four platforms is the right fit for your specific business, get in touch. The right answer depends on context that a buyer’s guide cannot fully cover.

Frequently Asked Questions

Can we keep our existing PBX and just add cloud features?

Yes, with hybrid models. 3CX in particular supports a hybrid mode where some users are on the cloud client and others remain on legacy SIP handsets. This is a sensible transition path for businesses with significant existing handset investment. Teams Phone also supports a hybrid model through Direct Routing, where your existing PBX can serve as the gateway during migration. The hybrid period typically lasts 3 to 6 months.

What about Zoom Phone?

Zoom Phone is a legitimate fifth option that we deliberately excluded from the main comparison because in our experience it sits awkwardly between Teams Phone and RingCentral without clearly winning on either dimension for Australian SMEs. If your business is Zoom-first for meetings (which is unusual in Australian SMEs but happens), Zoom Phone is worth evaluating. For most Australian SMEs already on Microsoft 365, the simpler answer is Teams Phone.

How do we handle remote and hybrid staff with the chosen platform?

All four platforms support remote work natively through softphone clients. The practical issues are home network reliability, headset quality, and emergency calling location data. The home network reliability question often pushes businesses toward providing a mobile data backup option for staff who do customer-facing calls from home.

What is the typical implementation timeline?

For a 50-seat deployment, expect 6 to 10 weeks end to end. Two weeks for design and procurement, two weeks for tenant configuration and pilot user testing, four to six weeks for porting (often the long pole), and one week for cutover and immediate post-cutover support. Rushed implementations are the single largest source of go-live failures.

How does the choice of cloud phone system intersect with cybersecurity?

Cloud phone systems are an identity surface and a data surface. Voicemail recordings, call recordings, and contact lists are all sensitive data subject to the Privacy Act. The platform’s identity model should integrate with your existing identity provider (Microsoft Entra ID in most cases), and the call recording retention and encryption should align with your broader data protection posture. This is why we evaluate cloud phone choices as part of a broader cybersecurity conversation rather than as a standalone procurement.

What is the right number of carriers to use?

For most SMEs, one carrier with carrier-level failover (call divert on unreachable) is sufficient. For mission-critical phone use cases, two carriers in active-passive configuration. Three or more is over-engineered for sub-200-seat businesses. The marginal resilience past two carriers does not justify the cost or complexity.

Multi-Site IT for Melbourne Businesses: Branches, Warehouses and Pop-Ups

When a Melbourne SME opens a second site — a warehouse in Dandenong, a pop-up in the CBD, a branch in Geelong — IT complexity compounds fast. By the fifth site you are running thirty different NBN contracts and nobody knows where the spare switch lives. This is the practical playbook for keeping multi-site IT under control.

Identity first, network second

The single most important shift in multi-site IT thinking over the past five years is moving from a network-centric model to an identity-centric one. In the old model, a “site” was defined by its network — the same VLAN, the same domain controller, the same file share. Anyone connecting to that network was on the corporate LAN and had access to corporate resources.

In the new model, a “site” is largely a power and connectivity convenience. The corporate resources live in Microsoft 365, Azure, or other cloud services. Access is granted based on user identity, device compliance and conditional access policies — not based on which Wi-Fi the user happens to be on. This is the practical version of zero trust thinking, and it changes the multi-site IT problem from “extend the corporate network to each location” to “make sure each user has reliable internet and a compliant device, regardless of where they are”.

If you are still thinking in the old model, multi-site IT looks expensive and complicated — SD-WAN, MPLS, site-to-site VPNs, domain controllers at each branch. If you have already made the identity-first shift, it looks much simpler — good internet at each site, a sensible Wi-Fi standard, identity through Microsoft Entra ID with strong conditional access, and you are most of the way there.

For a 25-person professional services firm opening a second office in Hawthorn, the right answer in 2026 is almost never to extend the corporate network. The right answer is to put a business-grade NBN connection in, deploy a managed Wi-Fi system, and let identity do the rest of the work. We have done this transition for several Melbourne clients and it consistently reduces the per-site IT cost by 40 to 60 percent compared to the old model.

When SD-WAN is overkill

SD-WAN gets pitched aggressively to mid-market businesses by carriers and resellers because it is a high-margin product. For most Melbourne SMEs with one to three sites, it is overkill. Here is when it pays back and when it does not.

SD-WAN is overkill when:

• You have one to three sites and the WAN traffic is mostly to cloud services (Microsoft 365, Azure, Salesforce, etc.) rather than between sites.
• Site-to-site latency is not business-critical (you are not running real-time voice over a private WAN or replicating large databases between sites).
• Your existing internet links are reliable enough — business-grade NBN with a 4G failover usually is.
• You can solve specific site-to-site needs with point solutions (a managed site-to-site VPN for the one application that needs it, rather than SD-WAN for everything).

SD-WAN starts to pay back when:

• You have four or more sites with active site-to-site traffic.
• You are running voice or video that needs QoS guarantees you cannot get from the public internet.
• You have a real need for application-aware routing — sending Microsoft 365 traffic out the local internet break while sending finance system traffic back to head office, automatically.
• You have specific compliance or contractual requirements for traffic segregation that point-solution VPNs cannot meet.

The Box Hill construction firm we onboarded last year had three sites and was being quoted $4,200 a month for SD-WAN by their incumbent telco. The actual requirement was a reliable internet connection at each site, identity-driven access to cloud apps, and a managed VPN between head office and the warehouse for a legacy job costing system that did not have a cloud version. We delivered that for $1,150 a month all-in across the three sites and the legacy system was migrated to a cloud equivalent six months later, eliminating the VPN entirely.

The hardware standard kit

One of the unglamorous secrets of multi-site IT is that the per-site hardware should be boringly consistent. Same firewall model, same switch model, same access point model, same configuration template, every site. This makes troubleshooting fast, sparing strategy obvious, and refresh cycles predictable. We use a standard kit per site type, scaled to size.

The point is not the exact equipment choice. The point is consistency. Pick a vendor stack (we tend to favour Fortinet for SMB and Cisco Meraki for businesses where the simpler cloud-managed model is more important than the deeper feature set), document the standard configuration, and apply it everywhere. When the access point dies at the Geelong branch, a same-model spare ships overnight and a remote engineer can reconfigure it from the template.

The on-site support response time problem

This is the issue that bites every Melbourne SME the moment they open a second site, and it is almost never addressed in the original IT planning.

Same-business-day on-site support is easy to deliver in the Melbourne metro area. It is harder when the second site is in Ballarat, Bendigo, or further afield. Most national MSPs solve this by paying break-fix technicians on demand at country rates, which is fine for occasional incidents but expensive and inconsistent for ongoing operations.

The honest answer is that on-site response time is a zone-based pricing question. Our Tecoma headquarters and CBD office at 575 Bourke Street let us deliver same-business-day on-site support across the Melbourne metro footprint, and we are transparent about response times for outer-metro and regional locations. For a multi-site business, the right conversation is “what is your business tolerance for a Ballarat user being offline for 24 hours versus 4 hours, and what is that worth paying for?”. Often the answer is that day-to-day support is delivered remotely (which works for 90% of issues), and on-site is reserved for hardware replacement and physical incidents, with a defined hours-to-on-site SLA per site zone.

For an outer-metro warehouse where downtime costs $4,000 an hour, paying for 4-hour on-site response is good economics. For a regional branch with five staff doing administrative work where downtime costs $200 an hour, next-business-day on-site is the rational choice.

This is the conversation that should happen during multi-site planning, not after the first regional outage. Zone-based response SLAs need to be in the agreement, with the cost difference made explicit. Anyone who quotes you “same SLA at every site” is either charging you for outer-metro response everywhere, or going to disappoint you when the Geelong site goes down.

The three governance rules that stop site sprawl

Multi-site IT becomes a mess not because of any single bad decision, but because of dozens of small decisions made independently at each site over years. Three governance rules, applied from day one of multi-site operations, prevent this.

Rule 1: one ISP relationship, not thirty

The single biggest contributor to multi-site IT chaos is each site having its own ISP contract, billed separately, with separate account managers and separate support paths. By site five, you have five different ISPs, five different bill cycles, five different sets of router credentials, and an IT manager who is on the phone to a different call centre every week.

The rule: every site’s internet connection runs through one ISP relationship, ideally aggregated by a single business-grade provider that can deliver to all your locations. The cost is usually within 5-10 percent of buying separate connections, and the operational saving is enormous. When a site goes down, there is one number to call and one technical contact who knows your business.

This rule applies even when the underlying technology has to vary — NBN at one site, Enterprise Ethernet at another, 4G at a pop-up. The aggregator handles the underlying carrier; you handle one relationship.

Rule 2: every site has a documented sponsor

Each site needs a named business owner who is responsible for the IT environment there. Not the IT manager — the local business sponsor. They are the person who notices when something is broken, who escalates when remote support is not responding fast enough, who is the local point of contact for hardware replacement deliveries, and who signs off on local IT changes.

Without a sponsor, sites accumulate undocumented changes — the warehouse manager who hard-wired the printer to bypass print server policy, the branch manager who plugged a personal Wi-Fi extender into the corporate switch, the pop-up coordinator who set the firewall admin password to “password123” so the marketing agency could plug in their demo equipment. Each of these is a small problem. Cumulatively they are how site IT environments rot.

The sponsor does not need to be technical. They need to be accountable. We require this as a condition of taking on multi-site management contracts, because without it the support quality degrades over time no matter what we do.

Rule 3: hard quarterly site audits

Every site gets a documented audit every quarter. Equipment inventory, configuration check against the standard template, network performance baseline, security posture review, sponsor interview about what is working and what is not. This costs about two engineer-hours per site per quarter and is the single most effective control against drift.

The audit produces a list of variances from standard. Most are trivial and get fixed during the visit. Some surface real changes — a site has grown headcount and needs more capacity, the local landlord has changed the building’s electrical layout, a department has started a workflow that needs a different printer configuration. The audit is where these get picked up and handled deliberately, rather than being discovered during an outage.

This is part of how our managed IT services model works for multi-site clients — a structured operational rhythm rather than reactive break-fix.

Backup, disaster recovery and the multi-site twist

Multi-site businesses have an interesting backup and disaster recovery profile because the sites can serve as recovery locations for each other in many scenarios. A flood at the head office is bad, but if the warehouse has internet, power, and a few desks, head office staff can work from there for a fortnight.

The implication is that multi-site DR planning should explicitly identify each site’s potential role in a recovery scenario for each other site. Most of the time this just means making sure that staff from each site have credentials that work everywhere, that there is enough physical capacity to absorb displaced staff, and that critical applications are cloud-hosted and accessible from anywhere.

The legacy file server at head office becomes a single point of failure that breaks this model. So does the on-premises application that only works on the head office LAN. Modern backup and DR design for multi-site SMEs explicitly identifies these single points of failure and either eliminates them (move to cloud) or designs around them (replicate to a second site, document the recovery process). We have rebuilt backup and DR for multi-site Melbourne businesses where the original design pre-dated the second site by years and was still treating head office as the only thing that mattered.

The cloud-first multi-site stack

For a Melbourne SME starting fresh, or for one going through a multi-site refresh, the cloud-first stack is now the default. It looks like this:

• Identity: Microsoft Entra ID with phishing-resistant MFA and Conditional Access policies. No on-premises domain controllers anywhere.
• Devices: All endpoints enrolled in Microsoft Intune. Compliance policies enforced as a precondition for accessing corporate resources. Wipe capability for lost devices.
• Productivity: Microsoft 365 with SharePoint and OneDrive as the canonical document storage. No file servers.
• Line of business: Cloud-hosted wherever possible. SaaS for accounting, CRM, ERP. Where on-premises is unavoidable, hosted in Azure or AWS, accessed via published web app or Azure Virtual Desktop.
• Networking per site: Business NBN or Enterprise Ethernet, managed firewall, managed Wi-Fi, 4G failover. No site-to-site VPN unless required for a specific application.
• Voice: Microsoft Teams Phone or a comparable cloud PBX, with handset standards documented per site type.
• Print: Cloud print or per-site MFD with direct printing from Intune-managed endpoints.

This stack is genuinely site-agnostic. Adding a new site means provisioning internet, deploying the standard hardware kit, and confirming identity policies apply. The business systems do not change. The “cutover” for a new site is hours, not weeks.

This is also where cloud services design matters more than network design. The cloud stack is the thing the business runs on. The network is the dial tone.

Common multi-site mistakes we see

A few patterns come up repeatedly in multi-site engagements. Worth listing.

Buying the wrong internet at the new site. Going for the cheapest available NBN connection at a warehouse where 30 staff need to use cloud services is false economy. The right line at the right speed costs maybe $80 a month more and removes a category of frustration.

Not standardising on switch and access point models. Different equipment at each site means different troubleshooting, different sparing, different configurations. Pick one. Live with it for the refresh cycle.

Letting each site choose its own SaaS. The Geelong branch using a different scheduling tool than head office because “it works better for our team” is fine until a customer interaction crosses sites and the tools cannot talk to each other. SaaS standards are a head-office decision.

Forgetting the physical security of the comms cupboard. A switch in an unlocked corner of the warehouse is a security incident waiting to happen. Lock the rack, log access.

Not having a sponsor at each site. Already covered, but the most common failure mode.

Underestimating the support cost of regional sites. Same-business-day on-site in regional Victoria is genuinely more expensive than in Hawthorn. Build it into the budget honestly rather than hoping nothing breaks.

How TechAssist supports multi-site clients

We support multi-site Melbourne businesses across construction, manufacturing, logistics, professional services and healthcare. The model is per-user fixed monthly pricing with zone-based on-site SLA tiers, which means a client knows exactly what each user costs to support regardless of which site they sit at, and the on-site response commitment matches the business value of each location.

Our 24/7 NOC in Tecoma handles monitoring and remote response across all sites for all clients. Same-business-day on-site is available across the Melbourne metro area from our two offices — Tecoma and 575 Bourke Street CBD. For outer-metro and regional Victorian sites, the SLA is set during onboarding based on the business risk profile and is honest about response time and cost.

Founded in 2014, we have 13 Australian-employed engineers and run an Essential Eight aligned, ISO 27001 capable operations practice. The reason that matters for multi-site clients is that consistency across sites is a security and audit problem as well as an operational one. The same standards, the same monitoring, the same documentation, every site, every time.

If you are about to open a second site, or are managing three sites that have grown organically into a mess, we have done this enough times to know where the traps are. Have a look at our MSP Melbourne page for the broader service description.

Frequently Asked Questions

Do we need SD-WAN for our second site?

Almost certainly not. SD-WAN is a real product with real use cases but for most Melbourne SMEs with two to three sites running mostly cloud applications, a managed business NBN at each site with 4G failover is the better answer. SD-WAN gets pitched hard because it is high margin for the seller.

Should we have a domain controller at each branch?

No. If you are still thinking in those terms, the broader architecture probably needs a refresh. Identity should live in Microsoft Entra ID, devices should be Intune-managed, and the branch becomes a power-and-internet location rather than a network outpost.

How do we handle internet failover at a regional site?

4G or 5G failover through the firewall is the standard answer. The throughput is lower than the primary line but enough to keep cloud applications running while the NBN fault is being resolved. Telstra and Optus business mobile data plans are the usual carriers; choose the one with better coverage at the specific site.

What happens when a site needs urgent hardware replacement?

If the equipment is standardised across sites, we usually have a spare ready to courier the same day for Melbourne metro and next business day for regional. For sites where downtime is critical, we recommend keeping a cold spare on-site, configured and ready to swap. The cost is the price of a backup access point or switch, and it is cheap insurance.

Can we use the same Wi-Fi network name across all sites?

Yes, and we recommend it. Same SSID, same identity-based authentication (typically WPA3-Enterprise via Entra ID), automatic roaming for staff who move between sites. This is part of the identity-first design — the user does not need to know they are at a different site.

How do we budget for multi-site IT?

The two main components are per-user costs (which scale with headcount and are largely site-agnostic in a cloud-first stack) and per-site costs (which cover internet, hardware, on-site support response). A reasonable rule of thumb is to budget the equivalent of one month’s per-user fee per site per quarter for ongoing site-specific costs, plus the standard kit cost for new site setup.

What to do next

If you are about to open a second site, the right conversation is identity-first design, business NBN with failover, standardised hardware kit, and a documented site sponsor. Skip the SD-WAN pitch unless you are at four-plus sites with real site-to-site traffic.

If you are already running three or more sites and feel like the wheels are coming off, start with a site audit. Inventory what is at each location, who the sponsor is, what the ISP relationship looks like, and where the variances from a sensible standard have crept in. The list itself will tell you the priority order for cleanup.

If you want a hand designing or untangling multi-site IT for a Melbourne business, get in touch. We will give you a frank assessment and a realistic plan.

A Power Outage Is an IT Outage

When the power goes out, so does your business. Servers shut down ungracefully, network equipment drops offline, and staff lose unsaved work. In areas with unreliable power — rural properties, industrial estates, older commercial buildings — even brief outages can corrupt data and damage hardware.

An uninterruptible power supply (UPS) is the first line of defence. It is not optional for any business that depends on its IT systems.

What a UPS Does

A UPS sits between the mains power and your IT equipment. When power drops, the UPS battery takes over instantly — no interruption, no shutdown. Depending on the size, it provides anywhere from five minutes to thirty minutes of runtime. That is enough time to save work and shut systems down gracefully, or to ride out a brief outage without any disruption.

Beyond blackouts, a UPS also protects against brownouts (voltage drops), power surges, and electrical noise — all of which can damage sensitive electronics over time.

What Needs UPS Protection

Essential: Servers, network switches, firewalls, NAS devices, and internet routers. If these go down, the entire business loses connectivity and access to files and applications. A single UPS protecting your server rack and network cabinet is the minimum investment.

Recommended: Point-of-sale systems, security cameras and NVRs, and any workstation running critical processes that cannot be interrupted.

Optional but worthwhile: Individual workstations in roles where data loss from an unexpected shutdown would be costly — CAD operators, accounts staff mid-payroll, or anyone working with large unsaved files.

Sizing a UPS

UPS capacity is measured in VA (volt-amperes) or watts. To size a UPS correctly, add up the power draw of the equipment it will protect. A typical small business server draws 300 to 500 watts. A network switch draws 20 to 50 watts. A firewall draws 15 to 30 watts. For a small server room, a 1500VA UPS provides approximately 15 to 20 minutes of runtime — enough for a graceful shutdown.

Oversize by 20 to 30 per cent to allow for future equipment additions and battery degradation over time.

UPS Types

Standby (offline) UPS: The cheapest option. Switches to battery when power drops, with a brief transfer time (5 to 12 milliseconds). Adequate for workstations but not ideal for servers.

Line-interactive UPS: Regulates voltage without switching to battery for minor fluctuations. Better transfer time and longer battery life. The standard choice for small business server rooms. APC Smart-UPS and CyberPower PR series are common options.

Online (double-conversion) UPS: Equipment always runs on battery power, with mains continuously charging the battery. Zero transfer time. Required for mission-critical systems but more expensive. Consider this for businesses where even a millisecond interruption is unacceptable.

Surge Protection Is Not Enough

A $20 power board with surge protection is not a substitute for a UPS. Surge protectors guard against voltage spikes but provide no battery backup and no protection against brownouts or blackouts. They also degrade over time — a surge protector that has absorbed a few hits may no longer be providing any protection at all. Replace surge protectors every three to five years, and never daisy-chain power boards.

Battery Maintenance

UPS batteries have a finite lifespan — typically three to five years. A UPS with a dead battery provides zero protection. Monitor battery health through the UPS management software or your MSP’s remote monitoring. Replace batteries proactively before they fail. Most business-grade UPS units use standard replaceable battery cartridges.

Test your UPS annually by simulating a power outage and verifying that connected equipment stays online for the expected runtime.

Remote Monitoring and Automated Shutdown

Business-grade UPS units include network management cards that connect to your monitoring systems. Configure automated shutdown scripts so that if battery runtime drops below a threshold, servers shut down gracefully without human intervention. This is critical for businesses without on-site IT staff — particularly remote offices and sites.

Protect Your Investment

Your IT equipment represents a significant investment. A UPS costing $500 to $2,000 protects tens of thousands of dollars in hardware and the data it contains. Contact TechAssist to assess your power protection needs and specify the right UPS for your environment.

Professional Video Conferencing Is Now Expected

Video calls are a standard part of business communication. Clients, suppliers, and partners expect clear audio, reliable video, and professional presentation. Yet many Australian SMEs still struggle with poor audio, frozen screens, and meeting rooms that require 10 minutes of troubleshooting before every call.

A well-configured video conferencing setup is an investment in productivity and professionalism.

Choosing a Platform

For businesses using Microsoft 365, Teams is the obvious choice — it is included in the licence, integrates with your calendar and files, and provides a consistent experience across desktop, mobile, and meeting rooms. Zoom remains popular for external meetings with clients who may not use Teams. The two can coexist — use Teams internally and Zoom for client-facing meetings if preferred.

Avoid spreading across too many platforms. Every additional platform means another set of credentials, another app to update, and another interface for staff to learn.

Audio Quality Is Non-Negotiable

Poor audio ruins meetings faster than poor video. Built-in laptop microphones and speakers are designed for casual use, not business calls. For individual desks, invest in a quality USB headset ($50 to $150) with noise cancellation. Jabra Evolve2 and Poly Voyager series are business standards. For shared offices, consider a speakerphone like the Jabra Speak or Poly Sync for small group calls.

For meeting rooms, a dedicated speakerphone or soundbar designed for the room size eliminates echo, feedback, and the “tin can” effect of laptop audio projected into a large space.

Camera Setup

The built-in webcam on most laptops is adequate for one-on-one calls but struggles in poor lighting. A dedicated USB webcam ($100 to $300) provides better image quality, wider angle, and auto-framing features. Position the camera at eye level — looking down at a laptop camera is unflattering and disengaging. Ensure lighting is in front of you, not behind. A window behind you creates a silhouette.

For meeting rooms, a PTZ (pan-tilt-zoom) camera or an intelligent camera like the Jabra PanaCast provides a wide view that captures everyone at the table.

Meeting Room Setup

A dedicated meeting room system eliminates the setup time and technical issues of connecting a laptop to a screen, camera, and audio system every time. Microsoft Teams Rooms devices provide a one-touch-join experience. Walk in, tap the screen, and the meeting starts. These systems range from $2,000 for small rooms to $10,000 for boardroom setups.

Essential components include a display (55-inch minimum for a 6-person room), a dedicated camera and audio system, a touch panel for meeting control, and reliable ethernet connectivity (do not rely on Wi-Fi for meeting room systems).

Network Requirements

Video conferencing demands consistent network performance. Each video call requires 1.5 to 4 Mbps per participant. Packet loss above 1 per cent causes noticeable quality degradation. Jitter and latency affect real-time communication more than bandwidth alone.

Configure Quality of Service (QoS) on your network to prioritise video and audio traffic. If your internet connection is shared with other heavy users (file downloads, cloud backups), schedule bandwidth-intensive tasks outside peak meeting times.

Hybrid Meeting Best Practices

Hybrid meetings — where some participants are in a room and others join remotely — are the most challenging format. The in-room experience is always better than the remote experience. To bridge this gap, use a camera that shows all in-room participants (not just whoever is speaking), ensure the room microphone captures everyone clearly, share content through the meeting platform (not by pointing a camera at a screen), encourage in-room participants to look at the camera when speaking to remote attendees, and consider an additional display showing the remote participants’ video feeds.

Security Considerations

Video meetings can be sensitive. Use meeting passwords or lobby controls to prevent uninvited attendees. Disable recording by default — enable it only when needed and with participant consent. Be mindful of screen sharing — close confidential documents before sharing your screen. Review meeting recordings access and retention policies.

Upgrade Your Setup

If your business is still treating video calls as an afterthought, a modest investment in audio, camera, and meeting room technology pays for itself in productivity and professionalism. Contact TechAssist to design a video conferencing setup for your business.

Windows 10 End of Life Is Coming

Microsoft has confirmed that Windows 10 support ends on 14 October 2025. After that date, no more security patches will be released for Windows 10 — meaning every unpatched vulnerability becomes a permanent risk. For Australian businesses still running Windows 10, migration to Windows 11 is no longer optional.

The good news is that Windows 11 is a solid operating system with meaningful security improvements. The bad news is that many older business PCs do not meet the hardware requirements, which means migration may involve device replacement as well as software upgrades.

Windows 11 Hardware Requirements

Windows 11 has stricter hardware requirements than any previous version. The key requirements are a 64-bit processor with at least 1 GHz and 2 or more cores, 4 GB RAM minimum (8 GB recommended for business use), 64 GB storage minimum, TPM 2.0 (Trusted Platform Module), Secure Boot capable UEFI firmware, and a DirectX 12 compatible graphics card.

The TPM 2.0 requirement is the most common blocker. Many business laptops purchased before 2018 do not have TPM 2.0, even if they are otherwise capable. Check your fleet using the PC Health Check tool or, for larger deployments, Microsoft Endpoint Analytics in Intune.

Assessing Your Fleet

Before planning the migration, audit every device in your business. Categorise them as compatible (meets all Windows 11 requirements — upgrade in place), upgradeable (meets most requirements but needs a BIOS update or TPM enablement), and incompatible (does not meet requirements — requires hardware replacement).

For businesses using Microsoft Intune or another endpoint management platform, compatibility reports can be generated automatically across your entire fleet.

Security Improvements in Windows 11

Windows 11 is not just a cosmetic update. Key security features include hardware-based isolation through TPM 2.0 and Secure Boot, credential protection with Windows Hello for Business, Smart App Control that blocks untrusted applications, enhanced phishing protection in Microsoft Defender SmartScreen, and memory integrity (HVCI) enabled by default.

These features align with the ASD Essential Eight, particularly around application control and restricting administrative privileges. Upgrading to Windows 11 makes Essential Eight compliance easier to achieve.

Planning the Migration

A structured migration avoids disruption. The recommended approach is to start with a pilot group of 5 to 10 users from different departments. Run the pilot for two to four weeks, collecting feedback on compatibility and usability. Resolve any application compatibility issues identified during the pilot. Roll out to the broader organisation in phases — department by department. Schedule upgrades outside business hours or during low-activity periods.

For in-place upgrades (compatible hardware), the process takes 30 to 60 minutes per device. User data and applications are preserved.

Application Compatibility

Most modern business applications work on Windows 11 without issues. However, test your critical applications before rolling out widely. Pay particular attention to older line-of-business applications (especially industry-specific software), printer and scanner drivers, VPN clients, and hardware peripherals (barcode scanners, label printers, specialised equipment).

Microsoft’s App Assure programme provides free compatibility assistance for businesses encountering application issues during migration.

Hardware Replacement Strategy

For incompatible devices, plan a replacement cycle. Budget $1,200 to $2,000 per device for business-grade laptops that meet Windows 11 requirements with adequate performance for the next four to five years. Consider leasing or device-as-a-service models to spread the cost. Deploy new devices with Windows Autopilot for zero-touch provisioning — the device arrives, the user signs in, and all apps and policies are applied automatically.

Extended Security Updates

If you cannot migrate all devices before the Windows 10 end-of-life date, Microsoft offers Extended Security Updates (ESU) for a fee. ESU provides critical and important security patches only — no feature updates or non-security fixes. It is a bridge, not a long-term solution. Budget for ESU if your migration timeline extends beyond October 2025.

Get Started Now

Do not wait until the deadline. Assess your fleet, budget for replacements, and start your pilot now. Contact TechAssist for a Windows 11 readiness assessment and migration plan.

Wi-Fi in Industrial Spaces Is Different

Designing Wi-Fi for a warehouse, workshop, or industrial facility is nothing like setting up a home network or a standard office. Metal racking, concrete walls, machinery interference, temperature extremes, and vast open spaces all degrade wireless signals. A consumer access point that covers an entire house will barely reach across a single warehouse aisle.

Yet modern warehouse and workshop operations depend on wireless connectivity. Barcode scanners, tablets for inventory management, IoT sensors, VoIP handsets, and security cameras all require reliable Wi-Fi throughout the facility.

Understanding the Challenges

Metal shelving and racking: Steel racking reflects and absorbs radio signals, creating dead zones and interference patterns. Standard 2.4 GHz Wi-Fi struggles to penetrate dense metal structures.

Concrete and masonry: Tilt-up concrete panels — common in Australian industrial buildings — attenuate Wi-Fi signals significantly. Each wall can reduce signal strength by 50 per cent or more.

Electromagnetic interference: Welding equipment, motors, compressors, and other industrial machinery generate electromagnetic noise that can interfere with Wi-Fi signals, particularly on the 2.4 GHz band.

High ceilings: Warehouses with 8 to 15 metre ceilings present mounting challenges. Access points mounted at ceiling height may not provide adequate coverage at ground level, especially when racking obstructs the signal path.

Temperature and dust: Standard IT equipment is rated for office environments (10 to 35 degrees Celsius). Australian warehouses and workshops can exceed 45 degrees in summer. Dust, moisture, and vibration further reduce equipment lifespan.

Design Principles

Site Survey First

Never design a warehouse Wi-Fi network without a proper site survey. A predictive survey uses floor plans and material properties to model expected coverage. An active survey (conducted after initial deployment) validates real-world performance. Professional site survey tools like Ekahau or iBwave account for the specific materials, interference sources, and coverage requirements in your facility.

Access Point Placement

In industrial environments, more access points at lower power is generally better than fewer at high power. Mount access points below racking height where possible to provide line-of-sight coverage in aisles. Use directional antennas to focus coverage where it is needed rather than broadcasting in all directions. Plan for overlapping coverage zones so devices can roam seamlessly as staff move through the facility.

Band Selection

The 5 GHz band offers higher throughput but shorter range and poorer penetration through obstacles. The 2.4 GHz band has better range and penetration but is more susceptible to interference from other devices and industrial equipment. Wi-Fi 6 (802.11ax) access points operate on both bands and include features specifically designed for high-density and challenging environments.

For most warehouses, a dual-band deployment with band steering (encouraging capable devices to use 5 GHz) provides the best balance of performance and coverage.

Equipment Selection

Enterprise-grade access points: Consumer and small-business access points are not suitable for industrial environments. Enterprise platforms from vendors like Aruba, Cisco Meraki, Ubiquiti (UniFi), or Ruckus provide centralised management, advanced RF tuning, and ruggedised hardware options.

Outdoor and industrial-rated models: For areas exposed to extreme temperatures, dust, or moisture, use IP67-rated access points designed for harsh environments. These cost more than indoor models but survive conditions that would destroy standard equipment.

PoE switches: Power over Ethernet (PoE) eliminates the need for power outlets at each access point location. A PoE switch powers the access point through the ethernet cable, simplifying installation — particularly when mounting access points in locations where running power is difficult or expensive.

Network Design

Segmentation: Separate your operational Wi-Fi (barcode scanners, inventory systems) from corporate Wi-Fi (laptops, phones) and IoT devices (cameras, sensors). This prevents a compromised IoT device from accessing business-critical systems.

Quality of Service: Prioritise traffic for time-sensitive applications. VoIP and real-time inventory systems should take priority over general internet browsing or software updates.

Redundancy: For business-critical operations, design the network so that the failure of a single access point does not create a coverage gap. Overlapping coverage zones provide inherent redundancy.

Common Mistakes

The most common mistakes in warehouse Wi-Fi include installing consumer equipment not rated for the environment, mounting access points at ceiling height above dense racking, using too few access points at maximum power (causes interference and poor roaming), neglecting to account for forklift-mounted devices that need seamless roaming, failing to plan for future growth and additional connected devices, and skipping the site survey.

Maintenance and Monitoring

Industrial Wi-Fi networks need ongoing attention. Monitor for changes in coverage caused by racking layout changes or new equipment. Update access point firmware regularly. Review client connection data to identify problem areas. Conduct periodic resurveys if the facility layout changes significantly.

Cloud-managed platforms provide dashboards showing real-time network health, client connectivity, and alerts for access point failures or performance degradation.

Get It Right the First Time

A properly designed warehouse Wi-Fi network is a one-time investment that supports your operations for years. A poorly designed one creates ongoing frustration, workarounds, and rework. Contact TechAssist for a professional Wi-Fi site survey and network design for your warehouse or workshop.

Why Network Security Cannot Wait

Start With Your Firewall

Network Segmentation

Secure Your Wi-Fi

Endpoint Protection

Patch Management

DNS Filtering

Monitoring and Logging

Physical Security Matters Too

Building a Security Baseline

Related — Network security is foundational but not sufficient on its own. The complete cyber posture requires endpoint, identity, M365 and IR — see how we bundle all of it in our managed cybersecurity in Melbourne.

Why Australian SMEs Are Switching to VoIP

Traditional phone lines are on their way out. With the NBN rollout complete and copper infrastructure being decommissioned, Australian businesses need a modern phone solution. Voice over Internet Protocol (VoIP) delivers enterprise-grade calling over your existing internet connection — at a fraction of the cost.

For SMEs with 5 to 150 staff, VoIP is not just a cost-saving measure. It is a genuine productivity upgrade that changes how your team communicates with clients, suppliers, and each other.

How VoIP Works

VoIP converts voice into digital packets and sends them over the internet rather than traditional phone lines. Modern systems like Microsoft Teams Phone, 3CX, and Zoom Phone handle this seamlessly. Your staff pick up a handset or click a button on their laptop — the experience feels identical to a traditional phone call.

The difference is what happens behind the scenes. Calls route through cloud infrastructure, which means features like call recording, auto-attendants, voicemail-to-email, and call analytics come standard. No expensive PBX hardware sitting in your server room.

Cost Comparison: VoIP vs Traditional Phone Systems

A traditional PBX system for a 30-person office typically costs $15,000 to $25,000 upfront, plus $800 to $1,500 per month in line rental and call charges. VoIP eliminates the hardware cost entirely and reduces monthly expenses to $15 to $40 per user.

For a 30-person business, that translates to roughly $450 to $1,200 per month — a saving of 30 to 60 per cent on telecommunications costs alone. Internal calls between offices or remote workers are free, and most plans include unlimited national calling.

Key Features That Matter for SMEs

Auto-attendant: Route incoming calls professionally without a dedicated receptionist. Callers hear a menu and reach the right person or department instantly.

Mobile integration: Staff in the field — whether on a construction site, farm, or at court — can make and receive calls on their mobile using the business number. Clients never see personal mobile numbers.

Call recording: Essential for law firms managing client instructions and trades businesses confirming job details. Recordings are stored securely and retrievable when disputes arise.

Voicemail-to-email: Missed calls are transcribed and delivered to email. No more checking a physical answering machine at the end of the day.

Scalability: Adding a new staff member takes minutes, not days. No waiting for a technician to install a new line.

VoIP for Specific Industries

Law Firms

Legal practices benefit from call recording for file notes, direct inward dialling for each solicitor, and integration with practice management software. When a client calls, the system can display their matter details before the call is answered.

Construction and Trades

Field workers need reliable mobile integration. A plumber on-site can answer the office line on their mobile, transfer calls to the scheduling team, and access voicemails without returning to the office. The business presents one professional number regardless of who answers.

Mining and Resources

Remote site connectivity is the challenge. VoIP systems can operate over satellite internet where traditional phone lines do not reach. Centralised management means the head office can configure phones at remote camps without sending a technician.

What You Need Before Switching

VoIP depends on a reliable internet connection. Before making the switch, ensure your business has:

Sufficient bandwidth: Each concurrent call requires roughly 100 Kbps. A 20-person office with 10 simultaneous calls needs at least 1 Mbps dedicated to voice — well within the capacity of most NBN plans.

Quality of Service (QoS) configuration: Your router or firewall should prioritise voice traffic over general internet use. Without QoS, a large file download could cause call quality issues.

Network redundancy: Consider a 4G/5G failover connection. If your primary internet drops, calls automatically route through the backup — no interruption to your business.

Choosing the Right VoIP Provider

Look for providers that offer Australian-hosted infrastructure for call quality and data sovereignty. Key questions to ask:

Where are your servers located? Australian hosting means lower latency and compliance with local data regulations. Do you offer number porting? You should keep your existing business numbers. What is the uptime guarantee? Look for 99.9 per cent or better with a service level agreement. Is there local support? Overseas call centres are fine for consumer products, but business phone systems need responsive Australian support.

The Migration Process

A well-planned VoIP migration takes two to four weeks. The process typically involves an internet assessment, number porting (which takes 5 to 10 business days), system configuration, handset deployment, and staff training. A good provider or MSP handles this end-to-end, scheduling the cutover outside business hours to avoid disruption.

Next Steps

If your business is still running a traditional phone system — or worse, relying on personal mobiles — it is time to explore VoIP. The cost savings are immediate, and the productivity gains compound over time. Talk to TechAssist about a VoIP assessment for your business.

Cloud Backup Solutions: Protecting Your Business Data

Your data is your business. Customer information, financial records, project files, operational documentation—lose it and you lose viability.

Yet many Australian SMEs have surprisingly fragile backup strategies. They hope nothing bad happens. They assume cloud storage like Dropbox counts as backup. They have no tested way to recover if disaster strikes.

Cloud backup solutions change this. They’re affordable, automated, and genuinely protective. But they’re not all the same, and understanding what you actually need matters.

Why Cloud Backup Matters

Physical disasters. Fire, flood, theft, building damage. If all your backups are on-site, physical disaster means total data loss. Cloud backup keeps data safe in geographically dispersed data centres.

Ransomware and malware. Attackers encrypt your files and local backups simultaneously. Cloud backup, particularly when offline or separately accessed, survives ransomware.

Hardware failure. A hard drive fails. If it’s your only copy, data is lost. If it’s your only backup location, you’re in trouble. Cloud backup is automatically maintained while you continue working.

Accidental deletion. Someone deletes files by mistake. Cloud backup with version history lets you recover previous versions.

Compliance and audit trail. Many industries require demonstrating that data is backed up and recoverable. Cloud backup with audit logs provides evidence you’re meeting compliance obligations.

Cloud backup is the foundation of modern data protection. It’s not optional if you care about your business continuity.

Understanding the 3-2-1 Backup Rule

The gold standard in data protection is the 3-2-1 backup rule: three copies of data, on at least two different media types, with one copy offline or geographically separate.

In practice for SMEs:

Copy 1: Working data. Your files as they currently exist. On your office servers, computers, or cloud storage. This is your primary data.

Copy 2: Local backup. A backup on different storage—typically a network drive, external hard drive, or local server in your office. This backup runs daily or more frequently. If you need to recover, it’s accessible instantly (no waiting for download from cloud). It’s fast for frequent recovery scenarios.

Copy 3: Cloud backup (offline/geographically separate). A backup in cloud storage at a different location than your office. This protects against physical disaster, ransomware, and catastrophic on-site failure. It’s geographically distributed, so even if the entire Australian East Coast experiences a disaster, your backups in a different region are safe. This copy is ideally not constantly connected to your working systems—if ransomware hits, it can’t encrypt your cloud backup.

This approach means you can recover from: hardware failure (use local backup), ransomware (use offline cloud backup), accidental deletion (use any backup), physical disaster (use cloud backup from different location).

Cloud Backup vs. Cloud Sync vs. Cloud Storage

These terms are often confused. They’re not the same thing.

Cloud sync (like Dropbox, Google Drive, OneDrive). Files are synchronised between your computer and cloud storage. Changes on your computer sync to the cloud. Changes in the cloud sync to your computer. This is convenient for collaboration and access, but it’s not backup. If you delete a file or ransomware encrypts it, the deletion/encryption syncs to the cloud. The file is gone everywhere.

Cloud sync is useful for collaboration, but it’s not protective against data loss.

Cloud storage (like S3, Azure storage). You store files in the cloud, but there’s no syncing. You upload files you want to keep. They’re accessible from anywhere. But it’s not automated. You manually upload files. Many files are never uploaded.

Cloud backup (like Backblaze, Carbonite, Microsoft 365 backup, Veeam). Automatically backs up your data continuously or on a schedule. All files are backed up, not just ones you remember to sync. Backups are retained with version history. If something changes, you can restore a previous version. This is protective backup.

For data protection, you need cloud backup, not just sync or storage. However, cloud sync (like Microsoft 365) combined with proper backup is effective—use OneDrive for syncing and collaboration, plus backup that data separately.

What a Good Cloud Backup Solution Includes

Automated backups. Backups run automatically on a schedule (hourly, daily, weekly). You don’t need to remember to run them. Everything is backed up.

Comprehensive coverage. All critical data is backed up. Servers, workstations, files, databases, email—everything important. Not just selected folders you think to backup.

Version history. Multiple versions of files are retained. If a file is corrupted, you can restore an older version. If something is deleted, you can restore it from yesterday, last week, or last month.

Encryption. Data is encrypted in transit (while uploading) and at rest (while stored). Even if someone intercepts backup data, it’s encrypted. Only you (with your encryption key) can decrypt it.

Incremental backup. Only changed data is backed up after the initial backup. This saves bandwidth and speeds up backup process. If you back up 500GB initially, tomorrow’s backup might only be 5GB (just changed files).

Easy recovery. You can easily restore individual files or entire systems. Recovery should be straightforward, not requiring specialised knowledge.

Testing and restore verification. You can test restores without affecting working data. You can verify that backups are working.

Compliance and audit logs. For regulated industries, backup solutions should provide audit logs documenting who accessed backups, when backups occurred, and retention of data.

Ransomware protection. Advanced solutions detect ransomware activity and protect backups from encryption. Some keep backups offline automatically if ransomware is detected.

Cloud Backup Solutions for Australian SMEs

Several cloud backup options exist. Here are common ones:

Microsoft 365 and OneDrive. If you’re on Microsoft 365, you have cloud backup built-in. OneDrive backs up user documents. Exchange Online backs up email with a 93-day retention. This is included with your M365 subscription. For many SMEs, this is a good starting point. Limitation: 93-day retention for deleted email might not be sufficient for longer compliance holds.

Dedicated cloud backup services (Backblaze, Carbonite, Veeam, Acronis). These are specialised backup solutions. They provide comprehensive backup, unlimited version history, granular restore, and often ransomware protection. Costs typically $5–$15 per computer per month or $50–$200 per server per month. For detailed backup and recovery needs, these are excellent.

Local backup to cloud (like Synology NAS with cloud backup). You use a local backup device (NAS) for on-site backup, then back up that NAS to cloud. This gives you local backup speed plus cloud protection. Costs depend on the NAS and cloud service.

Backup storage services (like AWS Glacier, Azure Archive). Very cheap long-term storage (for archival, compliance holds). Not ideal for frequent recovery, but excellent for long-term retention and compliance. Often used as a third copy in the 3-2-1 strategy.

For most Australian SMEs, a combination works well: Microsoft 365 (or OneDrive) for immediate access and syncing, a dedicated cloud backup service (Backblaze or similar) for comprehensive backup with version history, and optionally a long-term archive solution (Glacier or Azure Archive) for compliance-required retention.

Implementing Cloud Backup

Assess what needs backing up. Is it all user files, or are there specific areas? Do you need email backed up? Databases? Yes to all—backup everything.

Choose a solution. Determine your RTO (recovery time objective—how long can you be down?) and RPO (recovery point objective—how much data loss can you accept?). These drive your solution choice.

Configure and test. Set up backup, configure what’s included, test that restore works. This isn’t optional—test restores before depending on backup.

Ongoing monitoring. Regular monitor backup status. Ensure backups are running, complete, and accessible. Periodically test restores. If anything looks wrong, investigate immediately.

Retention policies. Decide how long to retain backups. Compliance might require specific retention. Industry standard is 30 days of daily backups, 12 months of weekly backups, for a year of backup data available for recovery.

Document procedures. Who manages backup? Who initiates restores? What’s the process? Document it so multiple people can manage if needed.

The Total Cost Picture

Cloud backup costs are typically modest:

Microsoft 365 (includes OneDrive): $12–$22 per user per month.

Dedicated cloud backup (Backblaze, Carbonite): $5–$15 per computer per month, or $50–$200 per server per month.

Long-term archive storage: $1–$5 per GB annually (very cheap, but slow to recover from).

For a 20-person office with 20 computers and 1 server: roughly $200–$500/month for comprehensive backup covering all three copies in the 3-2-1 strategy.

This is inexpensive insurance against data loss. The cost of a ransomware incident or complete data loss—recovery services, business disruption, potential ransom payments—is 100x the cost of backup.

Testing Backups Regularly

The most common backup failure: you think you’re backed up, but when you actually try to restore, something doesn’t work.

Test quarterly:

• Pick a critical file or system
• Restore it from cloud backup
• Verify it’s complete and usable
• Document how long restore took
• Ensure your RTO is realistic

If recovery doesn’t work as expected, your backup isn’t effective. Better to find this during testing than during actual disaster.

Ransomware and Backup Strategy

Modern ransomware tries to delete or encrypt backups along with working data. Protect against this by:

Keeping one backup offline. Not connected to your network. If ransomware spreads network-wide, offline backup is safe.

Using immutable backup. Some backup solutions support immutable backups that can’t be modified or deleted, even by administrators. If ransomware gains admin access, immutable backups survive.

Monitoring for anomalies. Watch for unusual backup activity—very large deletions, attempts to modify backups, encryption of backup storage. Alert on these and investigate.

Separate credentials. Don’t use the same passwords for backup systems as for working systems. If attackers compromise your admin account, they shouldn’t immediately have backup access.

Getting Help

Many Australian SMEs benefit from managed IT support that handles backup and recovery. A good provider will:

Design a backup strategy suited to your business.

Implement and monitor cloud backup solutions.

Test backups regularly and document procedures.

Respond quickly if recovery is needed.

If you need help designing or implementing cloud backup, we work with Australian businesses to implement protective backup strategies. Call 1300 028 324 or get in touch online.

Related — Cloud backup is one piece of the puzzle. Pairing it with documented recovery runbooks, off-site copies and routine restore tests is what separates a tick-box backup from a real recovery capability. See how we package that as backup and disaster recovery services in Melbourne.