The Notifiable Data Breaches Scheme: Your 72-Hour Obligations

If your business gets hit by a data breach that’s likely to seriously harm the people whose data you hold, the law gives you a tight window: assess it fast, then notify the regulator and the affected individuals as soon as practicable. Get the timing wrong and the penalties now run into the millions.

That’s the short version of the notifiable data breaches scheme, and it catches far more Melbourne SMEs than most directors realise. Here’s what it actually requires, who it covers, and the incident-handling steps you should have ready before anything goes wrong.

What the NDB scheme actually is

The notifiable data breaches scheme sits under Part IIIC of the Privacy Act 1988 (Cth) and has been in force since February 2018. It’s administered by the Office of the Australian Information Commissioner (OAIC). The core obligation is simple to state and harder to live by: if you experience an eligible data breach, you must notify both the OAIC and every affected individual.

It isn’t a “tell us if you feel like it” arrangement. Notification is mandatory once the threshold is met, and the clock starts the moment you have reason to suspect something has gone wrong. The scheme exists so people can take protective steps — change passwords, watch their bank accounts, put a credit ban in place — before stolen data is used against them.

Who the Privacy Act covers

The Act applies to “APP entities” — organisations bound by the Australian Privacy Principles. The headline test is annual turnover. If your business turns over more than $3 million a year, you’re almost certainly covered. Plenty of directors stop reading there and assume they’re exempt. That’s a mistake, because the exceptions sweep in a lot of smaller operators.

You’re covered regardless of turnover if you:

  • Are a health service provider that holds health information — this includes GPs, allied health, dentists, physios, psychologists and pharmacies, no matter how small the practice.
  • Trade in personal information (buying or selling it).
  • Are a credit reporting body or provide credit.
  • Are a contractor delivering services under a Commonwealth contract.
  • Are a tax file number recipient (most employers handle TFNs), in relation to the TFN information you hold.

A three-chair dental practice in Camberwell with $1.2 million turnover is covered because it holds health information. A logistics broker handling TFNs and credit checks gets pulled in through those activities. The $3 million line is a floor for ordinary businesses, not a free pass for everyone under it. If you handle health data specifically, our write-up on healthcare IT support and OAIC obligations goes deeper on the sector rules.

What counts as an “eligible data breach”

Not every lost laptop or misdirected email triggers notification. An eligible data breach has three ingredients:

  1. There’s unauthorised access to, or unauthorised disclosure of, personal information you hold — or that information is lost in circumstances where unauthorised access or disclosure is likely.
  2. A reasonable person would conclude the breach is likely to result in serious harm to one or more affected individuals.
  3. You haven’t been able to prevent that likely serious harm through remedial action.

That third point matters. If you act quickly enough that serious harm is no longer likely — say, you remotely wipe a stolen, encrypted laptop before anyone could read it — the breach may not be notifiable at all. Remediation is a genuine off-ramp, but only if it’s fast and effective.

The “serious harm” test

“Likely to result in serious harm” is the pivot the whole scheme turns on, and there’s no fixed checklist. The OAIC asks you to weigh factors including the kind of information involved (health records and financial details rank high; a publicly listed business name does not), its sensitivity, whether it was encrypted or otherwise protected, who is now likely to have it, and what they could do with it.

Serious harm can be physical, psychological, emotional, financial or reputational. A breach exposing identity documents and bank details is far more likely to clear the bar than one exposing a marketing mailing list. The judgement is yours to make, but you have to be able to defend it — the OAIC can and does ask to see your reasoning.

The timeframes you have to hit

This is where SMEs get caught out, so be precise about the two clocks.

The assessment clock. If you only suspect an eligible data breach has occurred — you’re not yet sure it clears the serious-harm threshold — you must carry out a reasonable and expeditious assessment. The word “expeditious” means you start straight away, not when it’s convenient. The Act sets an outer limit of 30 calendar days from when you became aware of the grounds for suspicion. Thirty days is a ceiling, not a target. If you can resolve it in three, do it in three.

The notification clock. Once you’ve decided you have an eligible data breach, you must notify the OAIC and affected individuals as soon as practicable. There’s no fixed day count here — “as soon as practicable” is judged on your circumstances — but it is not weeks of internal deliberation. You prepare a statement, lodge it with the Commissioner through the OAIC’s online form, and notify individuals by whatever method you normally use to contact them.

People often talk about a “72-hour rule” for data breaches. That figure comes from the EU’s GDPR, not the Australian Privacy Act. Australia’s standard is the “as soon as practicable” test, with the 30-day assessment ceiling sitting behind it. Treating 72 hours as your internal working deadline is sensible discipline — just don’t mistake it for the letter of Australian law.

The 2024 reforms and the new penalty regime

The penalties for getting this wrong are no longer trivial. Reforms that began with the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 and continued through the Privacy and Other Legislation Amendment Act 2024 sharpened the OAIC’s teeth considerably.

For serious or repeated interferences with privacy, the maximum penalty for a body corporate is now the greater of $50 million, three times the value of any benefit obtained from the misuse of information, or 30 per cent of the entity’s adjusted turnover for the relevant period. That’s a dramatic jump from the old cap and it’s aimed squarely at organisations that treat privacy as optional.

The 2024 reforms also introduced a statutory tort for serious invasions of privacy, gave the Commissioner new mid-tier and low-tier civil penalty powers for less severe contraventions, and added powers to issue infringement notices. The practical effect for an SME: there is now a graduated enforcement ladder, so even a moderate compliance failure can attract a penalty rather than just a stern letter. Australia’s privacy framework is being progressively tightened, and the direction of travel is more obligations, not fewer.

What an SME should have ready before a breach

The businesses that handle a breach well aren’t the ones that read the Privacy Act after the fact — they’re the ones who decided in advance who does what. A data breach response plan doesn’t need to be a 40-page document. It needs to answer a handful of questions before the pressure is on.

  • Response lead: one named person who owns the assessment and can convene the team within the hour.
  • Detection: logging and alerting that actually tells you when data is accessed or exfiltrated, not a customer phoning to ask why their details are on a forum.
  • Assessment template: a repeatable way to record what was breached, who is affected, and your serious-harm reasoning, dated and saved.
  • Containment runbook: steps to isolate systems, revoke credentials and preserve evidence without destroying it.
  • Notification drafts: a pre-drafted OAIC statement and individual notice you only have to fill in, not write from scratch at 11pm.
  • Contact list: OAIC, your insurer, your lawyer, your MSP and the ACSC's ReportCyber, with current numbers, not guesswork.

A construction firm in Box Hill we work with discovered a compromised mailbox after a finance staffer’s credentials were phished. Because the logging was already in place, we could see exactly which messages and attachments the attacker had opened, scope the affected individuals within a day, and confirm that the exposed data did clear the serious-harm threshold. The notification went out fast and clean — not because they panicked well, but because the plan already existed. That kind of visibility is exactly what our cybersecurity services and managed detection and response are built to deliver.

Where most breaches actually start

In practice, the overwhelming majority of breaches we see trace back to compromised credentials and email: phishing, business email compromise, reused passwords. The single highest-value control for an SME is strong identity protection: phishing-resistant multi-factor authentication everywhere, conditional access on Microsoft 365, and monitoring that flags anomalous sign-ins and unusual mailbox activity. Tightening identity is cheaper than any post-breach notification exercise, and it maps directly onto several of the Essential Eight's mitigation strategies.
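As an added illustration of what that logging buys you in the Box Hill scenario above (example code written for this article, not TechAssist's tooling or a Microsoft script), the script below takes Microsoft 365 Unified Audit Log records of the kind you export with Search-UnifiedAuditLog, flags successful sign-ins from outside the account's usual countries, and then lists every message and folder those source addresses touched. The record layout, the IP-to-country table and the records themselves are assumptions and constructed sample data; correlating on source IP alone is a simplification, and in a real case you would also pivot on session IDs and user agents.

```python
"""Scope a phished Microsoft 365 mailbox from exported audit records.

Added example for this article; not TechAssist's tooling or a Microsoft
script.  Field names (Operation, ClientIP, ClientIPAddress, ResultStatus,
OperationProperties, Folders, FolderItems, InternetMessageId) follow the
Unified Audit Log's UserLoggedIn and MailItemsAccessed records but are
assumptions here.  Records and the IP-to-country table are constructed.
"""
from collections import defaultdict

# Assumed enrichment step: in practice, resolve IPs with a GeoIP database.
GEO = {"203.0.113.7": "AU", "198.51.100.20": "AU", "192.0.2.44": "NG"}

# Constructed sample for one finance mailbox: an office sign-in, a sign-in
# from an unfamiliar country after a phishing link, the attacker reading
# (Bind) two messages and syncing a whole folder, then normal use next day.
RECORDS = [
    {"CreationTime": "2025-05-12T08:01:10", "Operation": "UserLoggedIn",
     "UserId": "accounts@example.com.au", "ClientIP": "203.0.113.7",
     "ResultStatus": "Succeeded"},
    {"CreationTime": "2025-05-12T22:14:03", "Operation": "UserLoggedIn",
     "UserId": "accounts@example.com.au", "ClientIP": "192.0.2.44",
     "ResultStatus": "Succeeded"},
    {"CreationTime": "2025-05-12T22:15:40", "Operation": "MailItemsAccessed",
     "UserId": "accounts@example.com.au", "ClientIPAddress": "192.0.2.44",
     "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"}],
     "Folders": [{"Path": "\\Inbox", "FolderItems": [
         {"InternetMessageId": "<inv-4471@supplier.example>"},
         {"InternetMessageId": "<payroll-may@example.com.au>"}]}]},
    {"CreationTime": "2025-05-12T22:20:09", "Operation": "MailItemsAccessed",
     "UserId": "accounts@example.com.au", "ClientIPAddress": "192.0.2.44",
     "OperationProperties": [{"Name": "MailAccessType", "Value": "Sync"}],
     "Folders": [{"Path": "\\Inbox\\TFN declarations", "FolderItems": []}]},
    {"CreationTime": "2025-05-13T07:58:21", "Operation": "MailItemsAccessed",
     "UserId": "accounts@example.com.au", "ClientIPAddress": "198.51.100.20",
     "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"}],
     "Folders": [{"Path": "\\Inbox", "FolderItems": [
         {"InternetMessageId": "<inv-4472@supplier.example>"}]}]},
]


def flag_sign_ins(records, geo, usual_countries):
    """Successful sign-ins from outside the user's usual countries.

    Returns (time, user, ip, country) tuples. An IP the lookup cannot place
    is flagged as "??": unknown is not the same as normal.
    """
    hits = []
    for r in records:
        if r.get("Operation") != "UserLoggedIn" or r.get("ResultStatus") != "Succeeded":
            continue
        country = geo.get(r["ClientIP"], "??")
        if country not in usual_countries:
            hits.append((r["CreationTime"], r["UserId"], r["ClientIP"], country))
    return hits


def scope_mail_access(records, suspect_ips):
    """What each suspect IP read: {ip: {"messages": [...], "synced_folders": [...]}}.

    A Sync access records the folder, not the items, so the whole folder
    must be treated as exposed. Counting only Message-IDs undercounts the
    people affected, which is the wrong way to fail a serious-harm assessment.
    """
    out = defaultdict(lambda: {"messages": [], "synced_folders": []})
    for r in records:
        if r.get("Operation") != "MailItemsAccessed" or r.get("ClientIPAddress") not in suspect_ips:
            continue
        ip = r["ClientIPAddress"]
        props = {p["Name"]: p["Value"] for p in r.get("OperationProperties", [])}
        for folder in r.get("Folders", []):
            if props.get("MailAccessType") == "Sync":
                out[ip]["synced_folders"].append(folder["Path"])
            else:
                out[ip]["messages"].extend(
                    i["InternetMessageId"] for i in folder.get("FolderItems", []))
    return dict(out)


def triage(records, geo, usual_countries=frozenset({"AU"})):
    """Anomalous sign-ins -> suspect IPs -> everything those IPs read."""
    hits = flag_sign_ins(records, geo, usual_countries)
    return hits, scope_mail_access(records, {ip for _, _, ip, _ in hits})


if __name__ == "__main__":
    hits, access = triage(RECORDS, GEO)
    for when, user, ip, country in hits:
        print(f"anomalous sign-in {when} {user} from {ip} ({country})")
    for ip, seen in access.items():
        print(f"{ip}: {len(seen['messages'])} messages read, "
              f"{len(seen['synced_folders'])} folders fully synced")
        for path in seen["synced_folders"]:
            print(f"  whole folder exposed: {path}")
```

The point of the Sync branch is the one that bites in practice: a mail client that synchronised a folder leaves no per-message trail, so every message in that folder, and every individual named in it, goes into the affected-individuals count. Confirm before an incident that your tenant's licence and audit configuration actually record MailItemsAccessed; if it is missing, you will be scoping from guesswork, and "we could not tell what they read" is not a serious-harm assessment the OAIC will find persuasive.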

How TechAssist helps

TechAssist is a Melbourne-based MSP, founded in 2014, with 13 Australian-employed engineers — no offshore helpdesk. Our 24/7 NOC operates out of Tecoma in the eastern suburbs, with a second office in the Melbourne CBD at 575 Bourke Street. When a breach is unfolding, response time is everything: we target sub-15-minute response on critical incidents, which is the difference between containing a compromise and explaining it to the OAIC.

The realistic goal isn’t never having an incident — it’s detecting fast, containing faster, and being able to make a defensible serious-harm decision inside your timeframes. If you’re not confident you could do that today, that’s the gap worth closing. Have a look at our broader managed IT services, or get in touch and we’ll pressure-test your breach readiness before something forces the issue.

Frequently asked questions

Does the NDB scheme apply to my business if I turn over under $3 million?

Possibly. The $3 million turnover threshold is the general rule, but exceptions bring in any size of business that provides health services, handles credit information, trades in personal information, or operates under a Commonwealth contract. Most healthcare providers are covered regardless of turnover.

Is there really a 72-hour deadline to report a data breach in Australia?

No — the 72-hour figure is a GDPR (European) rule. Under the Australian Privacy Act you must notify the OAIC and affected individuals “as soon as practicable” after deciding you have an eligible data breach, and you have up to 30 days to assess a suspected breach. Acting within 72 hours is good practice, not the legal test.

What if I fix the breach quickly — do I still have to notify?

Not necessarily. If you take remedial action fast enough that serious harm is no longer likely, the breach may not be “eligible” and notification isn’t required. The catch is that the remediation has to genuinely remove the risk, and you need to document why it did.

Who do I actually notify, and how?

You notify the OAIC by lodging a statement through its online Notifiable Data Breach form, and you notify affected individuals directly using your usual contact method. If you can’t reasonably contact individuals one by one, you publish the statement and take steps to publicise it.

What happens if I don’t comply?

Failing to comply is an interference with privacy and can attract enforcement by the OAIC. Following the 2024 reforms, penalties for serious or repeated breaches reach the greater of $50 million, three times any benefit gained, or 30 per cent of adjusted turnover — alongside new mid- and low-tier penalty powers for lesser failures.

If your business stores, processes or transmits card payment data, PCI DSS compliance applies to you. It’s the security standard the card brands enforce on every merchant that touches cardholder data. The good news for most Australian SMEs: with the right payment setup, your obligations are smaller than you’d think.

What PCI DSS actually is

PCI DSS stands for the Payment Card Industry Data Security Standard. It’s not Australian law or a government regulation. It’s a contractual standard maintained by the PCI Security Standards Council, owned by the major card brands: Visa, Mastercard, American Express, Discover and JCB. When you signed your merchant agreement, you agreed to comply with it.

The current version is PCI DSS 4.0.1, a minor revision of version 4.0. The old v3.2.1 standard was retired in March 2024, and the future-dated v4 requirements that were optional during the transition became mandatory from 31 March 2025. So if you ticked “best practice, not yet required” against those controls at your last assessment, that grace period is over. The v4 requirements push harder on multi-factor authentication for all access into the cardholder environment, tighter password rules, anti-phishing controls and scripts on payment pages.

Who has to comply

The rule is blunt: any business that stores, processes or transmits cardholder data must comply, whether you take ten transactions a year or ten thousand. A florist in Camberwell on an EFTPOS terminal is in scope, just as a national retailer is. The standard scales, but never switches off.

Cardholder data means the primary account number (the long number on the front of the card), on its own or together with the cardholder name, expiry date and service code. A stricter category, sensitive authentication data, covers the full track data from the magnetic stripe or chip, the CVV/CVC code and the PIN. That must never be stored after a transaction is authorised, even encrypted, full stop. A surprising number of Australian SMEs breach this by keeping card details in an email, spreadsheet or CRM note.

The four merchant levels

Merchants are sorted into four levels by annual card transaction volume. The level decides how you validate, from a heavyweight external audit at the top to a self-assessment at the bottom. The Visa and Mastercard tiers below are the ones almost everyone uses.

Level   | Annual transaction volume (per card brand)        | How you typically validate
Level 1 | Over 6 million transactions                       | Annual on-site audit by a Qualified Security Assessor (QSA), plus quarterly network scans
Level 2 | 1 million to 6 million                            | Annual Self-Assessment Questionnaire (SAQ), often QSA-reviewed, plus quarterly scans
Level 3 | 20,000 to 1 million (e-commerce)                  | Annual SAQ plus quarterly scans
Level 4 | Under 20,000 e-commerce, or up to 1 million total | Annual SAQ; scans where applicable

The overwhelming majority of Melbourne SMEs are Level 4: no auditor turns up at your door. You validate by completing the correct Self-Assessment Questionnaire and, depending on your setup, running quarterly external vulnerability scans through an Approved Scanning Vendor.

Self-Assessment Questionnaires in plain English

The SAQ is a checklist you fill in to attest that you meet the relevant controls. There are several types, and using the wrong one means answering hundreds of irrelevant questions or, worse, under-scoping your risk.

  • SAQ A — for merchants who have fully outsourced all cardholder data handling to a compliant third party and never see the card number: the e-commerce shop that redirects customers to Stripe, Square or a hosted payment page. The shortest questionnaire, and where you want to be.
  • SAQ A-EP — for e-commerce merchants whose site doesn’t receive card data directly but controls how the payment page is delivered, for example loading the payment fields via JavaScript from a provider. Your site can affect transaction security, so you carry more responsibility.
  • SAQ B — for merchants using standalone dial-out EFTPOS terminals or imprint machines, with no electronic card data storage. The closely related SAQ B-IP covers standalone, PCI-approved terminals that connect over IP instead of a phone line. Between them, common for cafes, trades and small retail.
  • SAQ C — for merchants with an internet-connected payment application, where card data is processed through your own network but not stored. More controls apply because your environment is exposed.
  • SAQ D — the full questionnaire, for everyone who doesn’t fit the simpler categories, including any merchant that stores cardholder data. It covers all applicable requirements and is the most demanding.

The practical goal is to engineer your way down to SAQ A or SAQ B. The further down you sit, the fewer controls you have to build, evidence and maintain.

How compliant providers and tokenisation shrink your scope

“Scope” is the most important word in PCI DSS. It covers every system, person and process that touches cardholder data, or connects to systems that do. So the smartest strategy isn’t building more controls, it’s keeping card data out of your environment entirely.

Two levers do most of the work. The first is a compliant payment provider. If you take payments through a PCI-certified gateway like Stripe, Square, Tyro or Eway, and your systems never see the raw card number, you’ve handed the hardest parts of the standard to a provider built to meet them. That’s the gap between an SAQ A of a few dozen questions and an SAQ D that runs to several hundred.

The second lever is tokenisation. Instead of storing a customer’s card number for repeat billing, the provider stores it and hands you back a token that has no value outside the provider’s vault. You charge the card by sending the token, never the real number. Because the token cannot be reversed into the PAN and is not cardholder data, the systems holding it generally fall out of scope. One caveat: a token tied to your merchant account can still be used to charge that card if an attacker steals your gateway API credentials, so those credentials need the same care you would have given the card numbers themselves. For any business doing subscriptions, retainers or saved-card checkouts, it’s the cleanest way to keep recurring payments running.

Where Australian SMEs trip up

We see the same handful of mistakes again and again across Melbourne, and nearly all are avoidable.

  • Storing card details in email, spreadsheets or CRM notes. A customer phones through a card number and a staff member jots it into an Outlook draft “to process later”. That single act pulls your mail platform and CRM into scope and often breaches the rule against storing the CVV.
  • Assuming the payment provider’s compliance covers you. Stripe being compliant doesn’t make you compliant; you still complete your own SAQ. Outsourcing reduces your obligations; it doesn’t delete them.
  • Treating it as a once-a-year form. PCI DSS 4.0.1 expects controls to operate continuously, not just on assessment day.
  • Conflating it with the Privacy Act. Your obligations to the Office of the Australian Information Commissioner (OAIC) under the Notifiable Data Breaches scheme are separate. A card data breach can trigger both; meeting one doesn’t satisfy the other.

A professional services firm in Hawthorn we work with had been emailing client card numbers internally for years to process annual retainer invoices. We moved them to tokenised, saved-card billing through their gateway and wiped the historical card data out of their mail and accounting systems, dropping them from SAQ D to a short SAQ A.
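Finding that historical card data is the first step, and it is a search problem. The script below is an added example written for this article, not TechAssist's tooling or a PCI SSC utility: it scans exported text for card numbers, validates each candidate with the Luhn checksum and a brand prefix and length, flags lines where a CVV sits beside the number (stored sensitive authentication data, the worse finding), and reports only masked values so the report does not itself become another copy of the card data. The brand table and the sample mailbox export are constructed; the numbers in it are the widely published test PANs, not real cards.

```python
"""Find card numbers hiding in text: mailbox exports, CSVs, CRM notes.

Added example for this article; not TechAssist's tooling and not a PCI SSC
tool.  It pulls candidate PANs out of free text, keeps only those that pass
the Luhn check and match a known brand prefix and length, notes whether a
CVV appears on the same line, and reports each hit masked.  The brand
table is an assumption built from public IIN ranges; the sample is constructed.
"""
import re

# Candidate: 13 to 19 digits, allowing the spaces or dashes people type.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# (name, prefix pattern, allowed lengths). Good enough for discovery,
# not for routing payments, and deliberately not exhaustive.
BRANDS = [
    ("Visa", re.compile(r"4"), {13, 16, 19}),
    ("Mastercard", re.compile(r"5[1-5]|2(2[2-9]|[3-6]\d|7[01]|720)"), {16}),
    ("American Express", re.compile(r"3[47]"), {15}),
    ("Discover", re.compile(r"6011|65|64[4-9]"), {16, 19}),
    ("JCB", re.compile(r"35(2[89]|[3-8]\d)"), {16, 19}),
]
# A CVV next to a PAN means sensitive authentication data has been stored.
SAD_HINT = re.compile(r"\b(cvv2?|cvc2?|cid|security code)\b", re.IGNORECASE)


def luhn_ok(digits):
    """Luhn checksum: necessary for a real PAN, not sufficient on its own."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def brand_of(digits):
    """Brand name if the prefix and length fit a known scheme, else None."""
    for name, prefix, lengths in BRANDS:
        if prefix.match(digits) and len(digits) in lengths:
            return name
    return None


def mask(digits):
    """Keep the first six and last four, a common display-masking convention."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text):
    """Return [(brand, masked_pan, line_no, cvv_on_same_line)] for each validated PAN."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            brand = brand_of(digits)
            if brand and luhn_ok(digits):
                hits.append((brand, mask(digits), line_no, bool(SAD_HINT.search(line))))
    return hits


# Constructed mailbox export showing the "jot it in an email" pattern.
SAMPLE_MAILBOX_EXPORT = """\
From: reception@example.com.au
Subject: RE: retainer invoice
Client called through details, please process Monday:
Card 4111 1111 1111 1111 exp 12/27 CVV 123
Also update the saved card: 5555555555554444 (Mastercard)
Invoice ref 4111111111111112 looks like a PAN but fails the checksum
ABN 51 824 753 556, phone 0412 345 678
Amex on file 378282246310005
"""

if __name__ == "__main__":
    for brand, masked, line_no, cvv in find_pans(SAMPLE_MAILBOX_EXPORT):
        flag = "  ** CVV stored on the same line **" if cvv else ""
        print(f"line {line_no}: {brand} {masked}{flag}")
```

Run it over mailbox exports converted to text, CRM dumps and spreadsheet CSVs before you scope an SAQ. Luhn alone passes roughly one in ten random digit strings, which is why the prefix and length check matters; long invoice or asset numbers will still produce the odd false positive, and those are cheap to review by hand. The real work is what happens after the hit list: deleting the data, and changing the intake process so the next phone order goes into the gateway's virtual terminal rather than someone's inbox.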

How an MSP handles the technical side

For businesses that can’t fully outsource card handling, real engineering work is involved, and that’s where an MSP earns its keep.

Network segmentation

The fastest way to cut scope where card data does flow is segmentation: isolating the cardholder data environment from the rest of your network with firewalls and VLANs, so a compromise of the office Wi-Fi can’t reach the payment systems. Done correctly, it takes dozens of machines out of scope. Done badly, your entire flat network is in scope. This is core to our cybersecurity services and overlaps with the controls we deploy under our Essential Eight compliance work.

Logging and monitoring

Version 4 is strict about logging. You need to capture access to cardholder systems, retain those logs, and actually review them, not just generate them. For most SMEs that means feeding logs into a SIEM with alerting, which is what our security operations team runs. The standard expects twelve months of audit log history, with the most recent three months immediately available for analysis; when a bank or assessor asks for them, having them already searchable is the difference between a quick answer and a panic.

The everyday technical controls

The rest is the disciplined IT hygiene that underpins the whole standard: MFA on every account that can reach the cardholder environment, prompt patching, hardened firewall rules, anti-malware, encrypted transmission of card data and tightly controlled access. None of it is glamorous; all of it is the work, and the controls slip the moment no one owns them. As a Melbourne managed IT services provider founded in 2014, with 13 Australian-employed engineers and a 24/7 NOC in Tecoma, TechAssist keeps them running year-round, not just at audit time.

Frequently asked questions

Is PCI DSS a legal requirement in Australia?

Not directly. There’s no Australian statute that says “thou shalt be PCI compliant”. It’s a contractual obligation you accepted in your merchant agreement. Non-compliance can mean fines passed on by your acquirer, higher transaction fees, or in serious cases losing the ability to take card payments. A breach can also trigger separate obligations under the OAIC’s Notifiable Data Breaches scheme.

We only take payments through Square. Are we still in scope?

Yes, but your scope is small. If card data never lands in your own systems, you’ll typically complete the short SAQ A and confirm you don’t store card details anywhere. The risk is staff quietly creating shadow records, a card number in an email or spreadsheet, which drags other systems back into scope.

How often do we have to validate, and what’s the easiest way to stay compliant?

Validation is annual for most merchants: you complete the relevant SAQ each year, plus quarterly external vulnerability scans through an Approved Scanning Vendor if your setup requires them. The underlying controls are expected to operate year-round under PCI DSS 4.0.1. The single biggest thing you can do to make it easier is get card data out of your environment, using a compliant gateway and tokenisation so you never handle the raw card number.

Getting it sorted

For most Melbourne SMEs, PCI DSS compliance is far more achievable than the standard’s bulk suggests, provided you keep card data out of your hands and lock down whatever’s left. If you’re not sure which SAQ applies, or you suspect card numbers are lurking in your email and CRM, that’s worth fixing before an incident forces the issue. Get in touch with our team and we’ll map your scope and the controls you need.

SMB1001 is an Australian-developed cyber security certification standard built specifically for small and medium businesses. It uses five ascending tiers — Bronze, Silver, Gold, Platinum and Diamond — so a business can prove it has sensible controls in place without the cost and overhead of an enterprise framework like ISO 27001.

If you have heard it referred to as “Cyber Certification” or under the Dynamic Standards branding, that is the same lineage. SMB1001 is the named standard that sits behind those schemes. For a Melbourne SME being asked by a larger customer or insurer to “prove your security,” it is increasingly the answer that gets accepted — and it is far more achievable than people assume.

What SMB1001 actually is

SMB1001 is a tiered, multi-level cyber security standard aimed squarely at the businesses that the bigger frameworks were never written for: the 5-person bookkeeping firm, the 30-person fabrication shop, the family logistics operation running three trucks and a back office. These businesses still hold client data, still process payments, still get phished — but they do not have a CISO, a security budget, or the appetite to spend six months and tens of thousands of dollars on an ISO audit.

The standard’s strength is that it is designed to be self-assessed at the lower tiers and independently certified at the higher ones. You do not need to boil the ocean. You pick a tier that matches your size, risk and what your customers are demanding, implement the controls, and certify against it. As your obligations grow, you climb.

It is genuinely useful, and it is genuinely not a silver bullet. A certificate on the wall does not stop a determined attacker, and the lower tiers in particular set a floor, not a ceiling. Treated as a starting point and a discipline rather than a finish line, though, it does real work.

The five tiers, and roughly what each requires

The whole point of the tiered model is that the requirements scale with the business. Bronze is a sensible baseline that almost any micro-business can reach; Diamond approaches the kind of maturity you would expect from an organisation handling sensitive data at scale. Here is the broad shape of it.

  • Bronze: suits micro-businesses and sole traders new to cyber. Foundational hygiene: multi-factor authentication, backups, patching/updates, basic staff awareness, antivirus. Self-assessed.
  • Silver: suits small businesses wanting to show baseline diligence. Everything in Bronze plus tighter controls such as documented processes, account management and a basic incident response approach. Self-assessed.
  • Gold: suits growing SMEs, or those being asked for proof by customers. More formalised governance, access control, logging and a written security policy. Independent certification typically required.
  • Platinum: suits established businesses with real compliance exposure. Stronger technical and procedural controls, risk management, supplier and data handling requirements. Independently certified.
  • Diamond: suits SMEs handling sensitive data or operating in higher-risk supply chains. The most comprehensive set, closer to a small-scale information security management system. Independently certified and reviewed.

The exact control list at each tier is defined by the standard itself and is refreshed periodically, which is part of the “dynamic” idea — the requirements move as the threat picture moves, so a Bronze in 2026 is not the Bronze of several years ago. Treat the table above as the shape, not the letter of the law. When we scope this for a client we work from the current published control set, not memory.

Who SMB1001 suits

The honest answer is most Australian SMEs that have never certified against anything. If you have been muddling along with decent-enough IT, an MSP keeping the lights on, and a vague sense that you “should do something about cyber,” SMB1001 gives you a structured, affordable way to start — and a credential at the end that means something to the people asking.

It fits particularly well for businesses in supply chains. A construction subcontractor in Box Hill bidding for work with a tier-one builder, a manufacturer supplying a listed company, a professional services firm acting for larger corporate clients — all of these are increasingly being asked, in tender documents and vendor onboarding forms, to demonstrate a baseline of security. SMB1001 is built to answer that question proportionately. We see it most across the construction, manufacturing and professional services clients we work with.

How it differs from — and complements — the Essential Eight and ISO 27001

This is where a lot of business owners get confused, so it is worth being precise. The Essential Eight, ISO 27001 and SMB1001 are three different things that overlap rather than compete.

The Essential Eight is a set of eight technical mitigation strategies published by the Australian Cyber Security Centre (ACSC). It is a controls framework, not a certification scheme — there is no certificate you receive at the end, only maturity levels you self-assess or have assessed against. It is excellent at telling you what to harden (application control, patching, MFA, restricting macros and so on) but it does not, by itself, give you a credential to wave at a customer. We cover this in detail in our guide to Essential Eight compliance for Melbourne businesses.

ISO 27001 sits at the other end. It is an international standard for a full information security management system (ISMS) — risk-driven, documentation-heavy, externally audited annually, and respected globally. It is the right answer for businesses that need international credibility or are contractually required to hold it. It is also a serious undertaking in time and cost, which is exactly why it is overkill for a 15-person business that simply needs to prove it is not negligent.

SMB1001 lands in the gap between them. It borrows the practical, control-based spirit of the Essential Eight, packages it into a certifiable, tiered credential like ISO 27001 offers, and scales it down to SME reality. The tiers map sensibly onto the others: the lower tiers cover much of the same ground as the Essential Eight’s foundational maturity, while the upper tiers start to resemble a lightweight ISMS. None of them cancels the others out.

                        | SMB1001                             | Essential Eight                 | ISO 27001
Type                    | Tiered certification standard       | Technical controls framework    | Full ISMS certification
Origin                  | Australian, SME-focused             | Australian (ACSC)               | International (ISO/IEC)
Gives you a certificate | Yes (independently at higher tiers) | No, maturity levels only        | Yes, externally audited
Effort                  | Low to moderate                     | Low to high by maturity         | High
Best for                | SMEs needing proportionate proof    | Any business hardening its tech | Larger or globally-facing firms

In practice we often run them together. We will harden a client against the Essential Eight because the controls are sound, then certify the business under SMB1001 because that is the thing a customer or insurer actually recognises. The work overlaps heavily, so doing both is far less than twice the effort.

Why customers and primes are asking for it

Three forces are driving the demand. First, supply-chain security has become a procurement issue — larger organisations have woken up to the fact that their weakest link is often a small supplier with the keys to their data, so they are pushing security requirements down the chain. Second, cyber insurers have tightened underwriting and want evidence of basic controls before they will quote, let alone pay a claim. Third, regulators expect more: under the Privacy Act and the OAIC’s Notifiable Data Breaches scheme, a business that suffers a breach has to be able to show it took reasonable steps, and “we had nothing in place” is not a defensible position.

SMB1001 gives an SME a clean, recognised way to satisfy all three at once. It is a credential a prime contractor’s procurement team will accept, a data point an insurer’s underwriter understands, and evidence of diligence if the worst happens. That is why it is showing up in tender packs and vendor questionnaires far more often than it did two years ago. If cyber insurance is part of your thinking, our cyber insurance guide for Australian SMEs covers how these pieces fit together.

The certification path, effort and cost

The route through SMB1001 is deliberately straightforward. You scope which tier you need — driven by your size, your risk and, frankly, whatever your biggest customer is demanding. You implement the controls for that tier. At Bronze and Silver you self-assess and attest; at Gold and above you engage an authorised assessor for independent certification. Certification is then maintained and renewed periodically rather than being a one-off.

On effort: for a business with reasonable IT already in place, Bronze or Silver can be a matter of tidying up MFA, backups, patching and staff awareness, then documenting it — weeks, not months. Gold and above take longer because the governance and evidence requirements are real, and because independent assessment means you actually have to demonstrate the controls, not just claim them. Where there is groundwork to do — and there usually is — the gap is the controls, not the paperwork.

On cost: SMB1001 is markedly cheaper than ISO 27001, which is the whole point. The certification fees scale with the tier, and the larger expense for most businesses is the remediation work to actually meet the controls rather than the certification itself. As a rough guide, the lower tiers are a modest annual outlay; the upper tiers cost more but remain a fraction of an ISO programme. Figures move, so we scope it per-business rather than quoting a number that ages badly.

A heads-up worth giving plainly: the certificate is the easy bit. The controls are what protect you, and they only protect you if they are maintained — MFA stays enforced, backups keep being tested, patches keep landing, leavers keep getting offboarded. A business that certifies and then lets it all drift has a piece of paper and a false sense of security. That ongoing discipline is exactly what a managed arrangement is for.

How TechAssist approaches it

We are a Melbourne-based MSP, founded in 2014, with 13 Australian-employed engineers — no offshore helpdesk. We are Essential Eight aligned and ISO 27001 capable, which means the controls underneath SMB1001 are bread and butter for us. When a client comes to us holding a tender that demands certification, we scope the right tier, close the control gaps, and get them through assessment — then keep the controls live afterwards under fixed per-user monthly pricing so they do not quietly rot.

A recent example of the pattern: a transport and logistics operator in Dandenong we work with was told by a national client that ongoing work depended on demonstrating a baseline of cyber controls. They had no certification and a tender deadline. We mapped their environment, lifted the gaps — MFA across Microsoft 365, tested backups, patching discipline, basic staff training — and put them in a position to certify at a sensible tier without blowing the budget. The work doubled as genuine risk reduction, not box-ticking. Our cyber security services are built around exactly this kind of proportionate, evidence-backed uplift.

Frequently asked questions

Is SMB1001 mandatory in Australia?

No. SMB1001 is a voluntary certification standard. There is no law requiring you to hold it. The pressure to certify is commercial — customers, primes and insurers asking for proof of security — rather than legal. That said, demonstrating reasonable security steps does help your position under the Privacy Act and the OAIC’s breach-notification obligations.

Which SMB1001 tier should we aim for?

Start from what is driving the decision. If a specific customer or tender names a tier, that is your target. If you are certifying proactively, Bronze or Silver is a sensible entry point for most small businesses, with Gold and above reserved for those handling sensitive data or facing stronger contractual demands. We scope this per-business rather than guessing.

Does SMB1001 replace the Essential Eight or ISO 27001?

No — they complement each other. The Essential Eight tells you which technical controls to harden, SMB1001 gives you a recognised certificate proving you have a sensible baseline, and ISO 27001 is the heavyweight option for businesses needing international-grade assurance. Many SMEs run the Essential Eight controls underneath an SMB1001 certification.

How long does it take to get certified?

For a business with reasonable IT already in place, the lower tiers can be achieved in weeks once the remediation is done. Higher tiers take longer because of the governance and independent assessment involved. The timeline is driven mostly by how much control gap there is to close, not by the certification paperwork.

Where to start

If a customer, prime contractor or insurer has put SMB1001 in front of you — or you simply want a structured, affordable way to prove your business takes security seriously — the first step is an honest look at where your controls actually stand. We will tell you which tier is realistic, what it takes to get there, and whether the bigger frameworks are worth it for you. Get in touch and we will scope it properly.

The SOCI Act directly captures owners and operators of designated critical infrastructure assets across 11 sectors. Most small and mid-sized Melbourne businesses are not caught. But if you supply, manage IT for, or sit in the supply chain of one of these entities, its obligations can land on your desk regardless.

That gap — between “the law doesn’t name me” and “I’m still on the hook” — is where most of the confusion sits. Here is who is actually captured, what they have to do, and how to tell whether any of it touches your business.

What the SOCI Act actually is

The Security of Critical Infrastructure Act 2018 (Cth) is Commonwealth legislation administered by the Department of Home Affairs through the Cyber and Infrastructure Security Centre (CISC). When it first passed it covered four sectors and did little more than require an asset register for electricity, gas, water and ports.

Two rounds of amendments changed that dramatically. The Security Legislation Amendment (Critical Infrastructure) Act 2021 expanded the sectors to 11, introduced mandatory cyber incident reporting and gave government assistance powers for serious incidents. The Security Legislation Amendment (Critical Infrastructure Protection) Act 2022, usually shortened to SLACIP, added the Risk Management Program obligation and enhanced duties for “systems of national significance”.

So the SOCI Act today means the 2018 Act as amended by those packages — the expanded version that now reaches businesses that never thought of themselves as critical infrastructure.

The 11 critical infrastructure sectors

The amended Act defines 11 sectors. If your organisation owns or operates an asset inside one of these, you are potentially in scope.

  • Communications
  • Financial services and markets
  • Data storage or processing
  • Defence industry
  • Higher education and research
  • Energy
  • Food and grocery
  • Health care and medical
  • Space technology
  • Transport
  • Water and sewerage

Being in a sector is not the same as being captured. The Act bites on specific critical infrastructure assets defined by rules and thresholds within each sector. A small clinic in Camberwell sits within “health care and medical”, but the obligations attach to large hospitals and designated systems, not every GP practice. The sector tells you to keep reading; the asset thresholds tell you whether you are actually in.

The three core obligations

For captured entities, the Act imposes a tiered set of duties. Three are worth understanding in plain terms.

The asset register

Responsible entities must provide ownership and operational information about their assets to the Register of Critical Infrastructure Assets, held by the CISC: who controls the asset, who has access, and where interest or control sits offshore. The register is not public. It exists so government has visibility of who runs the country’s important infrastructure.

The Risk Management Program

This is the heart of the SLACIP amendments. Captured entities must adopt, maintain and comply with a Critical Infrastructure Risk Management Program (CIRMP) that identifies and manages hazards across four domains: cyber and information security, personnel, supply chain, and physical and natural hazards. Boards must approve it, and entities submit an annual report confirming the program is current and signed off at board level.

For the cyber domain, the rules point entities towards a recognised framework such as the Essential Eight maturity model or an equivalent standard like ISO 27001. This is where security posture stops being a nice-to-have and becomes a documented, board-signed legal obligation.

Mandatory cyber incident reporting

Captured entities must report cyber security incidents to the Australian Signals Directorate (ASD), in practice through the Australian Cyber Security Centre and coordinated with the CISC. There are two clocks, and the difference matters:

Incident type | Reporting deadline | Method
Critical incident (significant impact on the availability of an essential service) | Within 12 hours of becoming aware | Verbal report acceptable; if verbal, a written report must follow within 84 hours
Other incident (relevant impact on the asset) | Within 72 hours of becoming aware | Verbal or written; if verbal, a written report must follow within 48 hours

Twelve hours is a brutal window if you have not planned for it. A captured entity needs an incident response process that can detect, triage and report inside half a day — overnight, on a weekend, during a holiday. That is operational maturity, not a policy in a drawer, which is why our managed detection and response work exists.

Be honest: most Melbourne SMEs are not directly captured

This gets glossed over by anyone trying to sell you compliance product. The vast majority of small and mid-sized businesses in Melbourne are not responsible entities under the SOCI Act. A 25-person law firm in the CBD, a manufacturer in Dandenong, a logistics operator in Footscray — these are not critical infrastructure assets, and the asset register, CIRMP and 12-hour reporting clock do not apply to them directly.

The obligations are deliberately aimed at scale and national consequence: major energy networks, large hospitals, designated data centres, financial market operators, telecommunications carriers, significant ports and rail. If a cyber attack on you would disrupt an essential service for a meaningful slice of the population, you are the target of this law. If it would mostly hurt you and your customers, you almost certainly are not directly captured. Anyone telling a 30-person SME it must file a Risk Management Program because of the SOCI Act is either confused or selling something.

Why it still matters to SMEs: the supply chain flow-down

Direct capture is not the only way SOCI obligations reach you. The Risk Management Program explicitly requires captured entities to manage supply chain hazards — a legal duty to assess and control the security risk posed by their vendors, contractors and IT providers.

So the obligation flows downhill through contracts. A captured hospital cannot meet its CIRMP duty unless it can demonstrate its suppliers are secure, so it pushes security requirements into procurement and supplier agreements. If you sell software, provide IT support, host data, supply equipment or deliver professional services to a captured entity, you will increasingly be asked to prove your security posture as a condition of doing business.

We see this constantly. A professional services firm in Hawthorn that works for a captured energy operator suddenly receives a security questionnaire demanding evidence of multi-factor authentication, patching cadence, access controls and an incident response plan — Essential Eight territory. The firm is not captured by the SOCI Act, but its client is, and the client’s obligation has become the firm’s commercial reality.

This is the honest reason SMEs should care. Not because the regulator is coming for you, but because your captured customers are. Losing a contract because you cannot answer a supplier security assessment is a far more immediate risk than any enforcement action. Aligning to the Essential Eight is the most efficient way to be ready, and it is the same framework the captured entities are pointed to.

How do I know if any of this applies to me?

A practical test, in order:

  1. Are you in one of the 11 sectors? If not, the SOCI Act does not directly apply, though you may still face flow-down obligations if you supply someone who is.
  2. Do you own or operate a defined critical infrastructure asset? Each sector has thresholds — capacity, customer numbers, designation by the Minister. Most SMEs fall well under them. The CISC publishes the authoritative guidance on which assets are caught.
  3. Have you been notified? Responsible entities are generally aware they are captured; the framework is not a hidden trap. If no regulator or rule has identified you as one, you very likely are not.
  4. Do your contracts impose security obligations? This is the one that catches SMEs. Read your supplier agreements and any new security schedules from larger clients — that is where SOCI reaches you in practice.

If you are genuinely unsure whether you are captured, that is a legal question worth getting right. Where we add value is the technical side: building the controls and evidence that either satisfy a direct CIRMP obligation or answer the supplier assessments flowing down from your captured clients. Our virtual CIO engagements often start here — turning a vague “our client wants us to be secure” into a concrete, costed plan.

What TechAssist does about it

We are a Melbourne-based MSP, founded in 2014, with 13 Australian-employed engineers and a 24/7 NOC in Tecoma. That on-shore, around-the-clock capability matters here, because the 12-hour reporting clock does not respect business hours. For captured entities, we build the cyber domain of a Risk Management Program: Essential Eight uplift, documented controls, monitoring, and an incident response process that can actually meet a 12-hour deadline. For the far larger group of SMEs facing flow-down pressure, we get your posture to where supplier questionnaires become a formality rather than a fire drill. Either way it is real engineering, not a compliance binder, and it sits inside our standard cybersecurity services.

Frequently asked questions

Does the SOCI Act apply to small businesses?

Almost never directly. The Act captures owners and operators of defined critical infrastructure assets, which are large-scale and nationally significant. A typical Melbourne SME is not a responsible entity. The real exposure is indirect — security obligations flowing down through contracts from captured customers.

What are the SOCI Act reporting timeframes?

Captured entities must report a critical cyber incident with significant impact within 12 hours of becoming aware, and an incident with relevant impact within 72 hours. Reports go to the Australian Signals Directorate via the Australian Cyber Security Centre.

What is a Risk Management Program under the SOCI Act?

The CIRMP, introduced by the 2022 SLACIP amendments, requires captured entities to identify and manage hazards across cyber, personnel, supply chain and physical domains, have the board approve it, and report annually that it is current.

I supply a captured entity. What will they ask me for?

Typically evidence of multi-factor authentication, patching, access controls, backup and recovery, logging, and an incident response plan — broadly the Essential Eight. Getting these in place and documented is the most efficient way to keep those contracts.
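The supplier questionnaire described in the flow-down section above, and again in this answer, starts with “show us MFA is enforced”. A screenshot of the admin portal does not cut it; an assessor wants two things: which users could not even satisfy an MFA prompt, and which policy actually forces the prompt. The script below is an added example, not TechAssist tooling or anything the SOCI rules prescribe. It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account can consent to the listed read scopes; the CSV file name is an illustrative choice.

```powershell
# Added example: produce MFA coverage and enforcement evidence from an Entra ID tenant.
# Assumes Microsoft.Graph SDK (Install-Module Microsoft.Graph) and read-only consent to the scopes below.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All', 'Policy.Read.All' -NoWelcome

# --- 1. Coverage: which users have no MFA method registered at all? ----------------------
# The registration report is one row per user and includes guests and admins.
$reg    = @(Get-MgReportAuthenticationMethodUserRegistrationDetail -All)
$noMfa  = @($reg | Where-Object { -not $_.IsMfaRegistered })
$admins = @($noMfa | Where-Object { $_.IsAdmin })

'Users: {0}   MFA registered: {1}   not registered: {2}   (admins not registered: {3})' -f `
    $reg.Count, ($reg.Count - $noMfa.Count), $noMfa.Count, $admins.Count

# Keep the gap list as an artefact for the assessor and as your remediation list.
# File name is illustrative.
$noMfa |
    Select-Object UserPrincipalName, UserType, IsAdmin,
        @{ n = 'Methods'; e = { $_.MethodsRegistered -join ';' } } |
    Export-Csv -Path '.\mfa-not-registered.csv' -NoTypeInformation

# --- 2. Enforcement: registration proves nothing on its own; something must require MFA --
# On Business Premium that is Conditional Access (Entra ID P1); on a plain tenant, security defaults.
$secDefaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security defaults enabled: $($secDefaults.IsEnabled)"

$policies = @(Get-MgIdentityConditionalAccessPolicy -All)
$mfaPolicies = @($policies | Where-Object {
    $_.State -eq 'enabled' -and (
        ($_.GrantControls.BuiltInControls -contains 'mfa') -or
        ($null -ne $_.GrantControls.AuthenticationStrength.Id)   # newer "authentication strength" form
    )
})

$mfaPolicies |
    Select-Object DisplayName,
        @{ n = 'Users'; e = { $_.Conditions.Users.IncludeUsers -join ',' } },
        @{ n = 'Apps';  e = { $_.Conditions.Applications.IncludeApplications -join ',' } },
        @{ n = 'ExcludedUsers';  e = { $_.Conditions.Users.ExcludeUsers.Count } },
        @{ n = 'ExcludedGroups'; e = { $_.Conditions.Users.ExcludeGroups.Count } } |
    Format-Table -AutoSize

# --- 3. The findings an assessor will raise ----------------------------------------------
if (-not $secDefaults.IsEnabled -and $mfaPolicies.Count -eq 0) {
    Write-Warning 'No enabled Conditional Access policy requires MFA and security defaults are off: MFA is not enforced.'
}
# A policy aimed at a named subset rather than "All" users leaves everyone else unprotected.
$mfaPolicies | Where-Object { $_.Conditions.Users.IncludeUsers -notcontains 'All' } |
    ForEach-Object { Write-Warning "MFA policy scoped to a subset of users: $($_.DisplayName)" }
# Report-only policies look like controls in the portal but enforce nothing.
$policies | Where-Object { $_.State -eq 'enabledForReportingButNotEnforced' } |
    ForEach-Object { Write-Warning "Report-only, not enforced: $($_.DisplayName)" }
# Exclusions are where MFA quietly stops applying; each one needs a written justification.
$mfaPolicies |
    Where-Object { ($_.Conditions.Users.ExcludeUsers.Count + $_.Conditions.Users.ExcludeGroups.Count) -gt 0 } |
    ForEach-Object { Write-Warning "MFA policy with exclusions, check they are justified: $($_.DisplayName)" }
```

Run it from an account with the read scopes only; the point is evidence, not change. The CSV and the policy table are what you attach to the questionnaire, and the warnings are the gaps to close before you send it. Note that a break-glass account excluded from the MFA policy is normal practice, but it should appear on the exclusion list with a reason, not as an unexplained hole.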

The short version

The SOCI Act is real and serious, and mostly not aimed at you if you run a Melbourne SME. What is aimed at you is the security pressure your captured customers are now legally required to push down their supply chains. The smart move is not to panic about direct capture, but to get your security posture to a standard that satisfies both your clients and your own risk. For a straight answer on where you sit, talk to us.

An FY27 IT budget template for a specific persona: a 50-person Melbourne professional services firm, $12 million revenue. Numbered line items, real dollar ranges, IT-spend-as-percentage-of-revenue benchmarks, and the four lines most SMEs forget. Built for CFOs who want defensible numbers, not vendor guesswork.

The persona this budget is built for

Specifics matter; a generic IT budget is useless. The numbers below are sized for:

  • 50 staff total (45 desk-based knowledge workers, 5 partners or executives)
  • Melbourne-based, single office plus remote work, typical CBD or inner-suburb location
  • Professional services (consulting, legal, accounting, architecture, engineering consultancy) – knowledge-worker firm with no manufacturing, no point-of-sale, no production line
  • Approximately $12 million annual revenue
  • Microsoft 365 stack, hybrid cloud (light on-prem footprint, most workloads in Azure or SaaS)
  • Standard cyber insurance requirements; aligned to Essential Eight Maturity Level 1 minimum
  • No internal IT staff; engagement with an MSP on per-user fixed monthly pricing

If your business is materially different – 50 staff with a manufacturing plant in Dandenong, or a 50-staff healthcare practice with clinical software, or a 50-staff retailer with 12 store locations – the totals will move significantly. Use this as a baseline to adjust from. Our sector-specific guidance for Melbourne manufacturers, healthcare, and law firms covers the variations.

The benchmark: IT spend as a percentage of revenue

Industry benchmarks vary by sector, but for Australian professional services firms in the 30 to 100 staff band, IT spend as a percentage of revenue typically lands between 1.5% and 3.5%. The drivers of where you sit in that range:

Position in range | Profile
1.5% – 2.0% | Mature firm, stable headcount, established systems, no major projects, light security stack
2.0% – 2.5% | Typical steady-state for a well-run firm with appropriate security and a 3-year hardware refresh
2.5% – 3.0% | Growth phase, projects in flight, security uplift, M&A or office relocation
3.0% – 3.5% | Major transformation: platform migration, post-incident rebuild, compliance project, AI rollout
3.5%+ | Either a temporary spike or something is wrong; investigate

For our persona ($12 million revenue), the FY27 budget should land between $240,000 and $360,000 in steady state, or up to $420,000 in a project-heavy year. The template below targets the middle of that range and produces a defensible total of about $356,000 at the line-item midpoints. If your number is above this, look first at the projects line; if it is well below, look first at security and backup.

The line-itemed FY27 template

All numbers are in AUD, annual, for the persona above. Ranges reflect actual variance across our managed book in Melbourne; the midpoint is what we would budget for a typical firm in this segment.

1. Microsoft 365 licensing

The single largest recurring line for most professional services firms.

Item | Per user / month | Annual (50 users)
Microsoft 365 Business Premium (recommended baseline) | $32.10 | $19,260
OR Microsoft 365 E3 + Entra ID P2 + Defender for Office P2 | $54 – $62 | $32,400 – $37,200
Copilot for M365 (selected users, typically 30-50%) | $45 | $8,100 – $13,500 (for 15-25 users)
Power BI Pro (for analyst users) | $15 | $1,800 (for 10 users)

Subtotal for M365: $29,000 – $52,000. For our persona, $35,000 is realistic – Business Premium across the firm, Copilot for 20 selected users, Power BI for the analyst pool. The Business Premium vs E3 conversation hinges on whether you need the deeper compliance and identity protection of E3+P2; for most 50-staff professional services firms, Business Premium is sufficient.

2. Security stack (beyond what is included in M365)

Microsoft 365 Business Premium includes Defender for Business, Intune, and Entra ID P1. That is a strong baseline. Additional security tooling for a 50-staff firm typically covers:

Item | Annual
SIEM / managed detection and response (MDR) service | $18,000 – $36,000
Email security additional layer (Mimecast, Proofpoint, Avanan) | $6,000 – $10,000
DNS filtering (Cisco Umbrella, DNSFilter) | $1,800 – $3,000
Password manager (1Password Business, Bitwarden Enterprise) | $3,000 – $4,500
Vulnerability scanning / external attack surface monitoring | $3,000 – $7,000

Subtotal for additional security: $32,000 – $60,000. For our persona, $42,000 is realistic – MDR through the MSP, additional email security, DNS filtering, password manager, light external attack surface monitoring. This line item is where SMEs traditionally underspent and where the post-2023 cyber insurance market has forced the conversation. Our Melbourne cyber security services wrap most of these into a managed stack.

3. Managed IT services retainer (MSP)

For a 50-staff firm engaging an MSP on per-user fixed monthly pricing, the typical Melbourne market rate in 2026 is $110 to $170 per user per month for a comprehensive engagement that covers unlimited support, security operations, vendor management, and proactive maintenance.

Item | Per user / month | Annual (50 users)
Comprehensive managed IT (low end) | $110 | $66,000
Comprehensive managed IT (typical) | $140 | $84,000
Comprehensive managed IT (high end / specialist) | $170 | $102,000

Subtotal: $66,000 – $102,000. For our persona, $80,000 to $90,000 is realistic. Co-managed models (where you have some internal capability and the MSP fills gaps) typically land 30 to 40% lower; pure break-fix models are cheaper still but rarely advisable at this scale. For the context on what to expect from a Melbourne MSP at this price band, see our guide to choosing an MSP in Melbourne.

4. Hardware refresh sinking fund

The mistake most SMEs make is treating hardware as a lumpy capex purchase every three years. Better: a smooth annual sinking fund that covers the rolling refresh.

Item | Annual
Laptops (50 units on a 4-year cycle, $2,200 each) | $27,500
Docking stations and monitors (refresh on 5-year cycle) | $3,500
Network equipment refresh (5-year cycle on switches, APs, firewall) | $5,000
Server hardware refresh (if any on-prem footprint) | $2,000 – $4,000

Subtotal: $38,000 – $40,000. Hold this as a separate fund; do not blend it into operational expense. When the refresh cycle hits, the fund pays for it without a quarterly cost spike. The 4-year laptop cycle assumes mid-range business laptops (Dell Latitude, HP ProBook, Lenovo ThinkPad mid-tier); premium devices (MacBook Pro, ThinkPad X1) push the per-unit number to $3,500 and the line to $44,000.

5. Projects budget

The line item that gets cut first when revenue softens and then has to be reinstated when something breaks. Better to budget it explicitly:

Item | Annual
Planned projects (system upgrade, office move, integration) | $25,000 – $50,000
Unplanned or reactive projects | $15,000 – $25,000

Subtotal: $40,000 – $75,000. For our persona, $50,000 is realistic. A typical FY27 project list might include a SharePoint information architecture rebuild, an Entra ID conditional access refresh, a CRM integration, and the office Wi-Fi upgrade. Whatever the list is, it should be in the budget at the start of the year, not added quarter by quarter.

6. Cyber insurance

Cyber insurance premiums for Australian professional services SMEs in 2026 are priced against your control posture as much as your revenue. For our persona, $5 million of cover with reasonable retentions lands in the range below, roughly a quarter to just under half a percent of revenue, assuming the security posture meets the underwriter’s requirements (MFA, EDR, tested backups, awareness training, vendor risk management).

Item | Annual
Cyber insurance premium for $5M cover | $28,000 – $52,000
Broker fee (if applicable) | $1,500 – $3,000

Subtotal: $30,000 – $55,000. For our persona, $42,000 is realistic. The premium has stabilised after the sharp increases of 2022-2024 but remains sensitive to your control posture; gaps in your security stack will push the premium up materially or trigger a coverage decline. The conversation with the broker is now half technical (controls), half financial (limits and retentions).

7. Training

Easily skipped, easily justified to skip, and the highest-ROI security spend in the budget.

Item | Annual
Security awareness training platform (KnowBe4, Phriendly Phishing, MetaCompliance) | $3,500 – $6,000
Microsoft 365 / Copilot productivity training | $3,000 – $8,000
Role-specific training (project management, technical skills) | $3,000 – $6,000

Subtotal: $9,500 – $20,000. For our persona, $12,000 is realistic. Phriendly Phishing has strong Australian content and is our default recommendation for clients who want locally relevant training.

8. Contingency

10% of the total budget as a contingency reserve, held against unexpected events that the projects line cannot absorb (an early hardware failure outside the refresh cycle, a regulatory change forcing a tooling addition, a vendor that hikes prices unexpectedly).

Subtotal: $25,000 – $35,000.

The four line items most SMEs forget

Across hundreds of budget reviews with Melbourne SMEs, four line items show up in good budgets and are missing from average ones.

1. Vendor risk tooling and process

Either a dedicated platform (rarely justified at SME scale) or the time cost of running a lightweight vendor risk programme. We typically include this within the MSP retainer for our managed clients, but if you are running it internally, budget for 8 to 16 hours per month of someone’s time. For a 50-staff firm, this is $8,000 to $15,000 a year that often shows up nowhere.

2. AI licences you already pay for

Most firms now have Copilot for M365, ChatGPT Team or Enterprise, Claude.ai for Work or Teams, a specialised AI tool for their sector, and one or two pilots that grew into production. The cumulative AI line is rarely consolidated; it lives in expense claims, in a marketing budget, in a partner’s personal spend. Sum it up. For our persona, total AI tooling is typically $15,000 to $35,000 a year by FY27.

3. M365 backup

As discussed at length in our buyer’s guide on the topic, Microsoft does not back up your M365 data in a way that helps you recover from real incidents. Third-party M365 backup for 50 users is $1,800 to $3,600 a year. Cheap, essential, and missing from most budgets.

4. Exit and transition reserve

The unpleasant truth: at some point in the next 5 to 10 years, you will change MSPs, change your primary cloud platform, or be acquired. The cost of a clean exit is real – typically 4 to 12 weeks of overlap, documentation work, data extraction fees, and project management. Budget 5% of annual IT spend in a reserve, held separately, that exists for this purpose. For our persona, that is $15,000 a year sitting in a reserve account. You may not need it in any given year, but when the day comes, you will be glad it is there.

The CapEx vs OpEx question for FY27

The classic SME CFO question – ‘should we buy the laptops outright or lease them, should we buy the server or rent the cloud workload’ – has shifted meaningfully in the SaaS era. For most line items in this budget, the choice has been made for you: there is no CapEx option. Microsoft 365 is OpEx. The MSP retainer is OpEx. Cyber insurance is OpEx. The MDR service is OpEx.

The remaining CapEx choices are:

  • Laptops: Buy outright is usually cheaper over a 4-year cycle than Device-as-a-Service, but DaaS smooths cash flow and includes refresh management. For a 50-staff firm, the financial difference is around $4 to $6 per device per month either way; the operational difference is more meaningful.
  • Network equipment: Almost always CapEx. The lifespan is 5 to 7 years, and the rental models for switches and APs don’t make financial sense at this scale.
  • Server hardware (if any): If you still run on-prem servers, CapEx remains the norm. The question to ask annually is whether the workload should be in Azure rather than on the server at all.

Our default recommendation for FY27 is to keep laptops and network equipment as CapEx with a sinking fund, and treat everything else as OpEx. Don’t over-engineer this.

The FY27 total

Adding the midpoints together for our persona:

Line item | FY27 budget
1. Microsoft 365 licensing | $35,000
2. Security stack (beyond M365) | $42,000
3. MSP retainer | $85,000
4. Hardware refresh sinking fund | $38,000
5. Projects | $50,000
6. Cyber insurance | $42,000
7. Training | $12,000
8. Contingency | $30,000
Forgotten items (vendor risk, AI, M365 backup, exit reserve) | $22,000
Total | $356,000

$356,000 against $12 million revenue is 2.97% – in the upper half of the steady-state range. If FY27 is genuinely a steady-state year with no major projects, you could pull this back toward $300,000 by trimming the projects line. If FY27 has a major piece of work (M&A integration, platform migration, office relocation), the projects line should grow and the total can reasonably push past $400,000.

A real-world worked example

A 48-staff consulting firm in Collingwood approached us in 2025 with an FY26 IT budget of $185,000 that they suspected was too low. The reality check confirmed it: their security stack was a few years out of date, their MSP retainer was a break-fix arrangement that produced a constant stream of unbudgeted incidents, and there was no projects line.

The rebuild brought them to $310,000 for FY26, then approximately $330,000 for FY27 (this template). The increase landed in three categories: an additional $35,000 in security tooling and MDR, a $40,000 increase in the MSP retainer for a comprehensive managed model, and the previously-invisible projects budget at $50,000. Their cyber insurance premium dropped $9,000 the following year because the upgraded posture qualified them for a better rate. Net true cost increase: about $116,000, or just under 1% of revenue.

The conversation with the partners took two meetings. The first meeting was about why the number was going up; the second was about what they got for it (a defensible security posture, predictable monthly costs, no more invoice surprises, a real DR position, alignment with Essential Eight Maturity Level 1). The decision was unanimous after the second meeting. The lesson: SMEs underspend on IT because the value of the spend is invisible. Make it visible and the budget conversation gets easier.

How TechAssist works with the FY27 budget

For managed clients on our per-user fixed monthly pricing, the MSP retainer line on this template covers our entire engagement: the sub-15-minute P1 response from our 24/7 NOC at Tecoma, the same-business-day on-site response across Melbourne metro from either our Tecoma office or our 575 Bourke Street CBD office, and the work of our 13 Australian engineers across helpdesk, projects, security operations and vendor management. Founded in 2014, we have built the engagement model specifically for SMEs like the persona in this template: 30 to 150 staff, professional services or similar, Microsoft-aligned, Essential Eight focused.

The security tooling line, the M365 licensing, the cyber insurance premium and the hardware are direct vendor relationships that we manage on behalf of the client but bill at vendor cost. The projects line is scoped separately at the start of the financial year. The result is a budget that is predictable to within 5% across the year, which is what makes the CFO conversation work. For the broader picture of how the engagement is structured, see our MSP Melbourne page or reach the team through contact.

Frequently Asked Questions

We are smaller than 50 staff – how do we scale this down?

The fixed costs (cyber insurance, baseline security stack) don’t scale linearly with headcount. A 25-staff firm typically spends 3.0% to 4.0% of revenue on IT – higher than the 50-staff number – because the fixed costs are spread across fewer users. The per-user costs (M365 licensing, MSP retainer per user, hardware sinking fund) scale linearly. Apply the same template, adjust for size, and expect the percentage of revenue to be higher.

What about firms larger than 100 staff?

Past 100 staff, the conversation usually splits: an internal IT manager or director appears in the org chart, the security stack moves toward enterprise tooling, and the MSP relationship becomes co-managed rather than fully outsourced. Total IT spend as a percentage of revenue typically drops to 1.5% to 2.5% as scale efficiencies kick in.

How much of this should be CapEx versus OpEx for tax purposes?

This template lands roughly 90% OpEx and 10% CapEx (the hardware sinking fund). The OpEx-heavy mix is structurally favourable for cash flow but means the depreciation argument for tax is smaller than it was a decade ago. Talk to your accountant; the tax treatment of cloud and SaaS spend changes most years.

Should we budget for AI separately?

Yes. The AI line will grow meaningfully through FY27 and into FY28 as Copilot, agent-based tools, and sector-specific AI products scale up. Separating the AI line makes the growth visible and lets the leadership team make explicit decisions about it rather than discovering it on the credit card statement.

What is the most common budget mistake for a firm this size?

Underspending on security and overspending on premium hardware. We see firms with $3,500 MacBooks for every user but no MDR service and a self-managed Microsoft tenant. Inverting that ratio – mid-tier hardware, comprehensive security – produces a more defensible posture for the same total spend.

How do we benchmark our actual spend against this template?

Pull together your actual line items, map them to the eight categories above, calculate the percentage of revenue, and compare. If you would like an external review, we run IT budget assessments as a discrete piece of work for non-clients, with a one-page summary and a remediation list. Reach the team through the contact page.

Melbourne SMEs buying disaster recovery for the first time get stuck between three product categories, unrealistic RTO numbers, and a Microsoft 365 backup conversation nobody told them about. This is the buyer’s guide: what you are choosing between, the realistic 2026 price brackets, and the eight questions to ask any DR vendor before signing.

What this guide is and is not

This is not a planning guide. It is not ‘how to write a business impact analysis.’ It is the conversation you have once you have decided you need to buy something and you are trying to work out what to buy.

Three product categories cover almost every Melbourne SME DR purchase in 2026:

  1. DRaaS – replicating production workloads to a cloud target so they can be failed over (Azure Site Recovery is the dominant Australian play, with VMware Cloud Disaster Recovery and Zerto in specialised cases)
  2. On-premises BCDR appliances – a local appliance that backs up your servers and can stand them up locally or in the vendor’s cloud (Datto, Axcient, Acronis, Arcserve, Veeam with a hardware partner)
  3. SaaS backup – third-party backup for Microsoft 365 and Google Workspace, which the platform vendors do not back up for you (Keepit, Backupify, CloudAlly, Veeam for M365, AvePoint, Dropsuite)

Most SMEs need pieces of all three, in different combinations. A 60-staff professional services firm in Richmond probably needs Azure Site Recovery for the two on-premises servers, a third-party M365 backup, and not much else. A 90-staff manufacturer in Dandenong with a line-of-business ERP, a SQL database, and a need for fast local recovery probably needs a BCDR appliance plus SaaS backup. A 100% cloud-native software company needs SaaS backup plus a workload-specific backup of their cloud database. The product mix follows the workload.

For the planning side of the conversation – the BIA, the RTO and RPO targets, the runbook – see our backup and disaster recovery 2026 guide, which is the companion piece to this one.

Category 1: DRaaS (Disaster Recovery as a Service)

The model is: your production workload runs where it is (on-prem, in Azure, in AWS), and a replication layer copies it continuously to a standby environment in a cloud target. When something fails, you fail over to the standby and run there until you can return to primary.

Azure Site Recovery (ASR)

The default option for Australian SMEs running on Hyper-V or VMware on-prem, or running production workloads in Azure. Replicates VMs to a secondary Azure region (typically Australia East to Australia Southeast, or vice versa). Failover is orchestrated, and you can test failover into an isolated network without disrupting production.

Strengths:

  • Native Microsoft, integrates with the rest of the Azure estate
  • Australia-sovereign target regions
  • Pricing is genuinely SME-friendly: about $25 to $30 per protected instance per month for ASR itself, plus the storage and (during failover) the compute
  • Failover testing is non-disruptive and well-supported

Weaknesses:

  • RPO is typically 5 to 15 minutes for app-consistent recoveries; not the sub-minute that some marketing claims
  • Complex to configure properly; SMEs often deploy it half-configured
  • The compute cost during a real failover catches CFOs off guard – if you fail over 12 VMs and run them in DR for two weeks while you rebuild, that is a real Azure bill
  • Requires Azure expertise that not every MSP has at the level needed for reliable orchestration

VMware Cloud Disaster Recovery

For SMEs running VMware on-premises with a meaningful estate. Replicates to a VMware Cloud target on AWS or to an alternative pilot-light site. Usually overkill for under-50-VM environments.

Zerto

The premium DRaaS choice. Continuous data protection rather than scheduled replication, RPOs measured in seconds, mature failover orchestration. Priced accordingly. We deploy Zerto for clients who genuinely need sub-minute RPO on critical workloads; it is not the right answer for an average SME.

Category 2: On-premises BCDR appliances

The model is: a physical or virtual appliance lives at your office or data centre, takes regular image-level backups of your servers (and often endpoints), and can either restore locally (fast) or stand the workloads up in the vendor’s cloud (slower, but works if your office is gone).

Datto

The category-defining product. Datto Siris appliances are sold exclusively through MSPs. The local appliance has its own compute, so it can stand up a failed server as a virtual instance on the appliance itself within minutes. Off-site copies replicate to Datto’s cloud (in Australia, hosted in Sydney and Melbourne data centres).

Strengths:

  • Fast local recovery; the on-appliance virtualisation actually works
  • Cloud failover is real, not theoretical, and Datto runs the orchestration
  • Hardware refresh is part of the agreement; the appliance gets replaced on a cycle without a capex spike
  • Good for SMEs that want a single thing to point at when the auditor asks ‘show me your DR’

Weaknesses:

  • Per-protected-server pricing; can become expensive for environments with many small servers
  • Vendor lock-in; getting your backup data out of Datto if you change providers is a project
  • Local appliance is a single point of failure for local recovery; needs the off-site copy to be real
  • The MSP-only sales channel means you cannot evaluate it without going through a partner

Axcient

Similar concept to Datto, with the local appliance and the cloud failover. Often the right answer for slightly smaller environments where Datto’s pricing is over the budget. The cloud failover capability is solid; the on-appliance virtualisation is functional but slightly less polished.

Veeam with hardware

The build-your-own option. Veeam is the backup software, paired with a Dell PowerEdge or HPE ProLiant or a purpose-built backup appliance (Dell PowerProtect, HPE StoreOnce). More flexible and often cheaper at scale than the all-in-one appliances, but requires the MSP or internal team to design, build, and operate the stack rather than buying it as a service.

This is what we recommend for clients who already have Veeam expertise and who want to avoid the vendor lock-in of the all-in-one appliances. It is what we run in our own environment.

Acronis and Arcserve

Adjacent options in this category, both with valid use cases. Acronis Cyber Protect adds a security overlay (anti-malware, anti-ransomware) on top of the backup product, which appeals to SMEs that want fewer products to manage. Arcserve UDP has a strong reputation for hybrid workloads. Both are worth evaluating if Datto and Axcient don’t fit.

Category 3: SaaS backup (the conversation nobody told you about)

The single most common gap we see in Melbourne SME DR posture: Microsoft does not back up your Microsoft 365 data in a way that helps you recover from accidental deletion, ransomware encryption, malicious insider activity, or a SharePoint policy gone wrong. They protect their infrastructure, not your content. This is the Microsoft 365 shared responsibility model, and it is documented in their own service description.

What Microsoft does:

  • Geo-redundant storage so a data centre failure does not lose your data
  • Retention policies you configure (litigation hold, retention labels)
  • Recycle bin and version history for a default period
  • Point-in-time recovery for Exchange Online within a window

What Microsoft does not do:

  • Full long-term backup of your mailboxes, OneDrive, SharePoint, and Teams content
  • Granular recovery to a point earlier than the retention or recycle bin window
  • Recovery of an entire tenant if it is wiped by a compromised admin
  • Export of mailbox data in a portable, restorable format outside of Microsoft’s tooling

The conversation to have with your IT lead: ‘If a user gets compromised and the attacker deletes the contents of their OneDrive and emails, and we do not notice for 45 days, can we recover the data?’ The honest answer from native Microsoft is usually no – the 30-day default retention window has passed.

Third-party M365 backup tools solve this. Pricing is per-user-per-month, typically $3 to $6 in the Australian market, retention is configurable up to ‘forever,’ and recovery is granular (a single email, a single OneDrive file, a single Teams chat). The leaders:

| Vendor | Strengths | Watch-outs |
| --- | --- | --- |
| Keepit | Independent vendor, Australian data residency, strong UI, good retention model | Mid-market pricing |
| Veeam Backup for M365 | Same Veeam platform if you already use it on-prem, flexible storage targets | Storage costs are your problem; not all-in pricing |
| Backupify (Datto) | Polished UI, MSP-friendly, good for Datto customers | Vendor lock-in |
| AvePoint Cloud Backup | Strong on SharePoint and Teams, mature retention policies | Higher learning curve |
| Dropsuite | Per-user pricing, simple to manage | Less granular than the leaders |
| CloudAlly | Lower-cost option, decent retention | Smaller vendor, fewer enterprise features |

For every Melbourne SME we manage that uses Microsoft 365 – which is all of them – a third-party M365 backup is part of the baseline stack. We default to Keepit for new deployments because the Australian data residency, retention model, and recovery experience are the best of the options, and the pricing is defensible for SME budgets.

Realistic price brackets for 2026

The number that comes out of a vendor sales call is rarely the number you end up paying once setup, support, replication storage, failover compute, and the inevitable additions are included. Approximate all-in monthly numbers for a 60-user Melbourne SME with 4 production VMs:

| Solution | Per-month all-in | What you get |
| --- | --- | --- |
| Azure Site Recovery + Keepit M365 | $650 – $950 | Cloud failover for 4 VMs, M365 backup, MSP-managed |
| Datto BCDR + Backupify M365 | $1,400 – $2,200 | Local appliance with cloud failover, M365 backup, MSP-managed |
| Axcient BCDR + Dropsuite M365 | $1,100 – $1,700 | Mid-tier appliance + cloud failover, M365 backup |
| Veeam + Dell PowerProtect + Veeam M365 | $1,200 – $1,800 | Build-your-own appliance approach with M365 backup, requires expertise |
| Zerto + Keepit M365 | $2,200 – $3,500 | Premium sub-minute RPO for critical workloads |

Add the implementation cost (typically $4,000 to $15,000 one-off depending on complexity) and the annual failover test (typically half a day of MSP time, billed at the going rate). For most 60 to 100 staff Melbourne SMEs, total DR spend lands between $14,000 and $30,000 per year all-in.

RTO and RPO: what vendors quote versus what they deliver

Vendor marketing materials quote ‘RTO of 5 minutes’ or ‘RPO of seconds.’ These numbers refer to the absolute best-case mechanical capability of the product under controlled conditions on the vendor’s test bench. They are not what you get in a real disaster.

Realistic numbers for the three categories under SME conditions, based on incidents we have run for clients:

| Scenario | Vendor-quoted RTO | Realistic RTO | Why the gap |
| --- | --- | --- | --- |
| Azure Site Recovery, single VM failure | 5-15 minutes | 30-90 minutes | Network reconfiguration, DNS, application validation |
| Azure Site Recovery, full site failover | 30-60 minutes | 4-12 hours | Dependency ordering, user redirection, internal communication |
| Datto local recovery, single server | 5 minutes | 15-45 minutes | Performance on appliance compute, application checks |
| Datto cloud failover, full site | 1-2 hours | 4-10 hours | VPN setup, user routing, app validation |
| Zerto, critical workload | Sub-minute | 10-30 minutes | Closer to spec because the product is designed for it |
| M365 mailbox restore | Minutes | 1-4 hours | Identifying what was lost, scoping the restore |

The gap between vendor-quoted and realistic is not the vendor lying; it is the difference between the mechanical recovery time and the business-readiness time. When you negotiate, make sure the RTO in the contract is the business-readiness time, not just the time for the system to come up. Otherwise you are signing for a number that does not mean what you think it means.

The eight questions to ask any DR vendor before signing

  1. What is your contracted RTO and RPO, and is it measured to system-online or business-ready? If they cannot answer this clearly, walk away.
  2. Where is the off-site copy stored, and is the storage in Australia? Sovereign data residency matters for many SMEs, especially those with health, legal or government-adjacent data.
  3. What is the additional cost during a real failover (compute, egress, storage)? The DR product price is the steady-state cost; the failover cost can be substantial.
  4. How often do you test failover, who tests it, and what is the success rate? Untested DR is a hope, not a plan. Insist on at least an annual test.
  5. What does it cost to extract our data if we leave? Vendor lock-in is real. Get the exit number on the contract.
  6. What is the support model during an incident – phone, ticket, named engineer? When you are actually failing over, the time to get a human matters more than any other metric.
  7. Who else like us are you protecting in Melbourne, and can we speak to them? Reference checks from similar-sized businesses cut through the marketing fast.
  8. What is the upgrade and hardware refresh cycle, and who pays? For appliance-based products, this affects the multi-year total cost.

One client of ours – a 40-staff law firm in Kew – went to contract with a national MSP that quoted a 30-minute RTO. The contract small print clarified that 30 minutes was system-online. When we ran their first DR test under our co-managed arrangement, business-ready was 5 hours. We renegotiated the contract on renewal to specify business-ready RTO with measurable checkpoints. Different number, more honest contract.

Sample DR scope checklist (30 to 100 user SME)

The scope of work conversation with a DR vendor is where mistakes get baked in. Use this as a starting checklist:

| Item | In scope? | Notes |
| --- | --- | --- |
| Production VMs (on-prem) | Yes | List by name, OS, role, criticality |
| Production VMs (Azure / AWS / GCP) | Yes | Cross-cloud DR is a separate conversation |
| SQL or other databases | Yes, with app-consistent backups | Application-consistent, not just crash-consistent |
| Microsoft 365 (Exchange, OneDrive, SharePoint, Teams) | Yes, via third-party SaaS backup | Microsoft does not back this up for you |
| Line-of-business SaaS (Xero, CRM, practice mgmt) | Vendor-specific | Each vendor’s backup policy is different; verify each |
| Endpoint data (laptops) | Optional | OneDrive sync usually covers this; check the policy |
| File shares | Yes | Often the largest data set |
| Active Directory / Entra ID | Yes | AD system state for on-prem; Entra ID via M365 backup |
| Network configurations (firewalls, switches) | Yes, as config exports | Often missed; documented configs accelerate recovery |
| Documentation runbooks | Yes | Stored outside the systems being recovered |
| Annual test | Yes | Specify isolated network test, not a paper exercise |
| Incident response on-call | Yes | Who do you call at 2 a.m. Sunday? |

If a vendor proposal does not cover every row of this table or does not explicitly note items as out of scope with a reason, ask before signing. A DR proposal that omits Microsoft 365 backup is a flag, not because the vendor is dishonest but because the gap will surface during a real incident at the worst possible time.

How TechAssist delivers this

We are vendor-agnostic on DR. Our default stack for a typical Melbourne SME is Azure Site Recovery for IaaS, Keepit for M365 backup, and Veeam for environments that need a richer on-prem appliance story. We also run Datto where it is the right answer and Zerto where the RPO requirement justifies it.

The delivery is what makes the difference. Our 24/7 NOC at Tecoma monitors backup jobs and replication health on every managed client, with sub-15-minute response for P1 events. When a real incident hits, our 13 Australian engineers (no offshore tier-one queue) take the call, and the same-business-day on-site response in Melbourne metro means an engineer can be at your office before lunchtime if hands on the equipment are needed. The per-user fixed monthly pricing model includes the DR management on managed engagements; the DR product cost is a separate, transparent line item passed through at the vendor rate. The two Melbourne offices – Tecoma and 575 Bourke Street CBD – give clients access in both directions of the metro area, with the CBD office useful for CBD-based clients who want a quick face-to-face during planning.

Founded in 2014, our DR practice has now run incidents across professional services, healthcare admin, manufacturing, and not-for-profit clients. The pattern across all of them is the same: the DR posture that works is one that has been tested, documented, owned, and reviewed annually. The product choice matters less than the discipline around it. To talk through your specific environment, our team is reachable through the contact page, or for the broader managed services context the Melbourne managed IT services page covers how DR sits in the overall engagement.

Frequently Asked Questions

Is Microsoft 365 backup really necessary if we have litigation hold?

Litigation hold is a retention control, not a backup. It prevents end users from permanently deleting items, but it does not protect against a compromised admin wiping the tenant, does not give you a portable export, and does not provide point-in-time recovery for arbitrary historical states. For any SME holding meaningful business data in M365 – which is all of them – a third-party backup is a baseline control, not an option.

Can we just rely on the local appliance and skip the cloud failover?

If the disaster is a ransomware attack that encrypts the local appliance, or a fire that takes the office, the local-only configuration is no protection at all. The cloud or off-site copy is what makes the DR posture survive a real disaster. Local appliance plus cloud copy is the minimum; local-only is not DR, it is backup with extra steps.

What is the difference between backup and disaster recovery?

Backup is the data; DR is the ability to operate from that data after a major incident. A nightly backup of your server is backup. The ability to fail that server over to a working environment within a contracted time is DR. Most SMEs need both, in coordinated form, not one or the other.

How often should we test failover?

At least annually for a full test, quarterly for component tests, and continuously for the automated health checks the platform should be running. A DR plan that has not been tested in 18 months is no plan; it is a hope.

Will our cyber insurance cover the cost of a DR failover?

Sometimes yes, sometimes no. Read the policy. Many cyber policies cover business interruption losses but exclude or limit the actual restoration costs. The cleanest approach is to budget for the failover cost as a separate line, and treat any insurance recovery as upside.

Does the same DR product work for our on-premises servers and our Azure workloads?

Mostly no. The categories were designed for different starting points. Azure Site Recovery covers both Azure-native and on-prem to Azure. The appliance-based BCDR products are typically on-prem first, with limited cloud-native coverage. If your workload split is meaningful in both directions, expect to run two products. Our Melbourne cloud services page has more on hybrid architecture.

Azure costs for Melbourne SMEs grow 30 to 50% a year without anyone noticing. Enterprise FinOps assumes a $5 million cloud spend; this is the SME version, sized for the $50k to $500k reality. Eight quick wins, governance guardrails that stick, and the three traps that catch almost every business.

Why SME Azure spend creeps

It is rarely one decision. A pilot tenant becomes a production tenant. A test virtual machine becomes a forgotten orphan with a 1 TB premium SSD attached. Defender for Cloud gets enabled on a free trial, ends up on the Standard tier across every subscription, and nobody can find the off switch by the time the invoice arrives. The dev environment that was ‘just for two weeks’ is still running 18 months later because no one wants to be the person who turned it off.

We see the same pattern across our managed clients. A business signs up for Azure at $3,000 a month. Two years later it is $11,000 a month, the workloads have not materially expanded, and the CFO is asking the right question for the first time. By then the answer is harder than it would have been at $4,000.

FinOps as a published discipline (the FinOps Foundation maintains the framework, Microsoft has published its own opinionated version) assumes you have a cloud platform team, a financial analyst, and an executive sponsor. For a 60-staff Melbourne business with a quarter-million-dollar Azure footprint, that is overkill. The lite version below takes the parts of FinOps that apply at SME scale and ignores the rest. We have run this with clients across professional services in the CBD, manufacturers out around Dandenong, and not-for-profits across the eastern suburbs as part of our Melbourne cloud services work.

What ‘normal’ SME Azure spend looks like

Some benchmarks from our managed book, useful as sanity checks on whether your number is in the right zone.

| Workload profile | Typical monthly Azure spend | Spend per user per month |
| --- | --- | --- |
| 30-staff professional services, M365-heavy, light IaaS | $2,500 – $4,500 | $80 – $150 |
| 60-staff hybrid, file server + 4 to 6 LOB VMs in Azure | $5,500 – $9,500 | $90 – $160 |
| 100-staff with line-of-business SQL workloads in Azure | $11,000 – $19,000 | $110 – $190 |
| 120-staff manufacturer with ERP, AVD, and DR replication | $18,000 – $28,000 | $150 – $230 |

If your number is materially above the band for your profile, there is almost certainly waste. If your number is materially below, either you are doing something genuinely clever or you have under-provisioned somewhere that will cause a production incident later.

The eight quick wins

Most SMEs can take 20 to 35% off their Azure bill in a fortnight of focused work, without changing anything about what the business does. The targets in order of effort-to-saving ratio:

1. Rightsize the virtual machines

The Azure Advisor and the Azure Migrate tools both flag VMs running well below their provisioned capacity. The reality is most SMEs have two or three D8s_v5 instances that were sized off a panicked guess at the start of a migration and have been running at 8% CPU ever since. Moving them down two or three sizes typically saves 60 to 75% of the per-VM cost. Validate with seven days of metrics first; do not just take Advisor’s word for it.

One client of ours – a 55-staff engineering consultancy in South Melbourne – was running their file server VM as a D16s_v5 because the original migration consultant ‘matched the on-prem CPU count.’ Seven days of metrics showed 4% average CPU. Rightsizing to a D2s_v5 saved $720 a month with zero user-visible impact.

2. Kill the orphaned disks

Every time someone deletes a VM through the portal, the OS disk and any data disks survive unless deletion was explicitly chosen. Over a few years, an SME tenant will accumulate 20 to 60 orphaned managed disks, often premium SSDs at $0.15 per GB-month. A 1 TB orphaned premium disk is $150 a month for storing absolutely nothing useful.

Run a quick KQL query in Azure Resource Graph to find disks where ManagedBy is empty. Validate that none of them are being held intentionally (some teams keep a disk for a few months as a ‘soft delete’ before truly removing it), then delete the rest. Easy win, usually $400 to $1,200 a month.

3. Reserved instances or savings plans for the steady-state workloads

Anything that runs 24/7 in steady state – production servers, domain controllers, a SQL VM, a file server – is paying full pay-as-you-go pricing by default. A one-year Reserved Instance is roughly 30% cheaper; three years is closer to 50%. The Azure Savings Plan for compute is more flexible (it covers any VM family in any region for the commitment amount) but comes with a slightly lower discount.

The decision rule we use: if the workload is going to run for at least the next 12 months as-is, take the one-year reservation. If it might move, resize, or change family within that window, take the savings plan. Three-year commitments only for genuinely static workloads.

4. Auto-shutdown for dev and test

Dev and test VMs do not need to run on weeknights or weekends. A standard Azure Automation runbook or the built-in Azure DevTest Labs auto-shutdown can cut a non-production VM bill by 65 to 75%. The cost is two hours of configuration and a 30-second wake-up delay when someone needs the box at 7am Monday. We have yet to meet a dev team that genuinely objected once the saving was shown.

5. Azure Hybrid Benefit

If you have Windows Server or SQL Server licences with active Software Assurance, the Azure Hybrid Benefit lets you bring those licences to Azure VMs and stop paying the per-hour Windows or SQL surcharge. The saving on a Windows Server VM is typically 40%; on a SQL VM it can be 60 to 75%. Almost every SME with Software Assurance is leaving this on the table because nobody enabled the toggle at deployment.

Check your existing fleet through Cost Management. Filter by ‘Windows’ or ‘SQL Server’ as a meter category. Anything not marked as Azure Hybrid Benefit is overpaying.

6. Archive cold storage

Storage account blobs default to the Hot tier. Anything older than 30 days that you have not touched should be in Cool ($0.0152 per GB-month versus $0.0184 for Hot) or, for compliance archives, the Archive tier ($0.00099 per GB-month). Lifecycle policies on the storage account do this automatically.

For a healthcare client of ours in Box Hill with a 14 TB compliance archive, moving the long-tail blobs from Hot to Archive saved about $230 a month. A small number per month but a clean, automated saving that compounds as the archive grows.

7. Kill unused public IPs

A standard static public IP is roughly $4.50 a month. Trivial individually, but most SMEs have 15 to 40 of them, half of which are unattached from their original VM or load balancer. Run an Azure Resource Graph query for public IPs with no associated resource, validate, delete.

8. Review egress

Outbound data transfer (egress) from Azure to the internet is roughly $0.087 per GB after the first 100 GB free per month. Backup tools that pull data out of Azure, a misconfigured replication target that goes through public endpoints rather than peering, a video conferencing recording archive that streams out to a local NAS – all of these can quietly produce $400 to $1,500 a month in egress charges that nobody knows about.

The fix is usually a routing change (route the traffic through a private endpoint or service endpoint) or a topology change (move the target into Azure rather than pulling the data out). The win is identifying the source first; Cost Management broken down by Meter Subcategory shows you where the egress lives.
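The checks behind quick wins 1, 2, 5 and 7, as an added offline example (not TechAssist’s own tooling): it runs the same logic over constructed records shaped like Azure Resource Graph rows and seven days of Azure Monitor CPU samples, and prices the orphans with the figures quoted above. The field names managedBy, properties.ipConfiguration and properties.licenseType are the real Resource Graph fields; every record, resource name and CPU sample is constructed.

```python
from statistics import mean

# Unit prices quoted in the guide (AUD per month), used only for savings estimates.
PREMIUM_SSD_PER_GB_MONTH = 0.15
PUBLIC_IP_PER_MONTH = 4.50
CPU_IDLE_THRESHOLD_PCT = 10.0   # flag VMs whose weekly average CPU sits below this
MIN_DAILY_SAMPLES = 7           # validate with seven days of metrics before acting

# Constructed Resource Graph-style rows (not a real tenant).
RESOURCES = [
    {"type": "microsoft.compute/disks", "name": "vm-fs01_OsDisk", "sku": "Premium_LRS",
     "sizeGb": 128, "managedBy": "vm-fs01"},       # attached: managedBy points at a VM
    {"type": "microsoft.compute/disks", "name": "old-sql-data", "sku": "Premium_LRS",
     "sizeGb": 1024, "managedBy": ""},             # orphan: VM deleted, disk survived
    {"type": "microsoft.compute/disks", "name": "migration-scratch", "sku": "Standard_LRS",
     "sizeGb": 512, "managedBy": None},            # orphan, but not a premium disk
    {"type": "microsoft.network/publicipaddresses", "name": "pip-decommissioned",
     "properties": {}},                            # no ipConfiguration: unattached
    {"type": "microsoft.network/publicipaddresses", "name": "pip-fw",
     "properties": {"ipConfiguration": {"id": "fw-prod"}}},
    {"type": "microsoft.compute/virtualmachines", "name": "vm-fs01",
     "properties": {"licenseType": "Windows_Server"}},   # Azure Hybrid Benefit enabled
    {"type": "microsoft.compute/virtualmachines", "name": "vm-app02",
     "properties": {"storageProfile": {"osDisk": {"osType": "Windows"}}}},  # paying surcharge
    {"type": "microsoft.compute/virtualmachines", "name": "vm-lnx01",
     "properties": {"storageProfile": {"osDisk": {"osType": "Linux"}}}},
]

# Constructed daily average CPU (%) per VM over the last week.
CPU_7D = {
    "vm-fs01": [3.8, 4.1, 4.5, 3.9, 5.2, 2.7, 3.1],
    "vm-app02": [42.0, 55.3, 61.0, 48.8, 39.5, 12.0, 9.4],
    "vm-lnx01": [6.0, 7.2],   # only two samples: not enough evidence to act on
}


def orphaned_disks(resources):
    """Disks with an empty managedBy, i.e. no VM references them (quick win 2).

    Returns (name, sku, estimated monthly cost); the estimate is None for tiers
    the guide does not price.
    """
    found = []
    for r in resources:
        if r["type"] == "microsoft.compute/disks" and not r.get("managedBy"):
            premium = r["sku"].startswith("Premium")
            est = round(r["sizeGb"] * PREMIUM_SSD_PER_GB_MONTH, 2) if premium else None
            found.append((r["name"], r["sku"], est))
    return found


def unattached_public_ips(resources):
    """Public IPs whose properties carry no ipConfiguration (quick win 7)."""
    return [r["name"] for r in resources
            if r["type"] == "microsoft.network/publicipaddresses"
            and not r.get("properties", {}).get("ipConfiguration")]


def rightsizing_candidates(cpu_samples):
    """VMs idling below the threshold across a full week of samples (quick win 1)."""
    return sorted(vm for vm, samples in cpu_samples.items()
                  if len(samples) >= MIN_DAILY_SAMPLES
                  and mean(samples) < CPU_IDLE_THRESHOLD_PCT)


def hybrid_benefit_gaps(resources):
    """Windows VMs without licenseType=Windows_Server, so still paying the
    per-hour Windows surcharge (quick win 5)."""
    gaps = []
    for r in resources:
        if r["type"] != "microsoft.compute/virtualmachines":
            continue
        props = r.get("properties", {})
        if props.get("licenseType") == "Windows_Server":
            continue
        os_type = props.get("storageProfile", {}).get("osDisk", {}).get("osType")
        if os_type == "Windows":
            gaps.append(r["name"])
    return gaps


def audit(resources, cpu_samples):
    """Bundle the findings; only the orphan items carry a price the guide quotes."""
    disks = orphaned_disks(resources)
    ips = unattached_public_ips(resources)
    priced = sum(est for _, _, est in disks if est is not None)
    return {
        "orphaned_disks": disks,
        "unattached_public_ips": ips,
        "rightsizing_candidates": rightsizing_candidates(cpu_samples),
        "hybrid_benefit_gaps": hybrid_benefit_gaps(resources),
        "estimated_monthly_saving": round(priced + len(ips) * PUBLIC_IP_PER_MONTH, 2),
    }


if __name__ == "__main__":
    for key, value in audit(RESOURCES, CPU_7D).items():
        print(f"{key}: {value}")
```

Rightsizing and Hybrid Benefit candidates are listed without a dollar figure because the saving depends on the VM size and licence; get those numbers from Cost Management before acting.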

The governance guardrails that actually stick

Quick wins are easy. Stopping the spend from creeping back up over the next 12 months is the hard part. The lightweight controls we recommend for SMEs – the parts of the textbook that work at this scale:

Subscription-level budgets and alerts

One budget per subscription, set to the monthly run rate plus 15%, with alerts at 80%, 100%, and 120%. The alerts should go to a real person (the CFO and the IT lead), not a shared mailbox. The 80% alert is the one that catches the problem before it becomes a quarterly variance discussion.

Do not bother with budgets at the resource group level for an SME; the maintenance overhead is not worth the precision. The subscription is the right granularity.

Tagging that the team will actually do

Enterprise FinOps documents will tell you to enforce 14 mandatory tags. The team will rebel. For SME purposes, three tags are enough: Environment (Prod / Dev / Test), CostCentre (or Department), and Owner (a person, not a generic mailbox). Enforce them with Azure Policy at subscription creation time so any new resource without the three tags is blocked.

Three tags get used. Fourteen tags get ignored, and then nothing gets used.
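The three-tag guardrail as an Azure Policy definition, added here as an example (not TechAssist’s own policy): it builds the deny rule and evaluates sample resources against it locally, so the rule can be checked before it is assigned to a subscription. The policyRule structure (mode, if/anyOf, field "tags['Name']", exists, notIn, effect deny) is the real Azure Policy language; the display name, the sample resources and the local evaluator are constructed for this example.

```python
import json

REQUIRED_TAGS = ("Environment", "CostCentre", "Owner")
ENVIRONMENT_VALUES = ("Prod", "Dev", "Test")

# Constructed sample resources as they would arrive at deployment time.
RESOURCES = [
    {"name": "vm-fs01", "tags": {"Environment": "Prod", "CostCentre": "Ops", "Owner": "j.smith"}},
    {"name": "vm-scratch", "tags": {"Environment": "Sandbox", "CostCentre": "IT", "Owner": "a.lee"}},
    {"name": "disk-untagged", "tags": {}},
]


def build_tag_policy():
    """Deny any taggable resource that lacks one of the three tags or uses an
    Environment value outside Prod / Dev / Test."""
    conditions = [{"field": f"tags['{tag}']", "exists": "false"} for tag in REQUIRED_TAGS]
    conditions.append({"field": "tags['Environment']", "notIn": list(ENVIRONMENT_VALUES)})
    return {
        "properties": {
            "displayName": "SME baseline: require Environment, CostCentre and Owner tags",
            "mode": "Indexed",   # evaluate only resource types that support tags and location
            "policyRule": {"if": {"anyOf": conditions}, "then": {"effect": "deny"}},
        }
    }


def _condition_matches(cond, resource):
    """Local evaluator for the two condition forms this policy uses."""
    tag = cond["field"][len("tags['"):-2]          # tags['Owner'] -> Owner
    value = resource.get("tags", {}).get(tag)
    if "exists" in cond:
        return (value is not None) == (cond["exists"] == "true")
    if "notIn" in cond:
        return value not in cond["notIn"]
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(policy, resource):
    """Return 'deny' when any condition in the anyOf block fires, otherwise 'allow'."""
    rule = policy["properties"]["policyRule"]
    fired = any(_condition_matches(c, resource) for c in rule["if"]["anyOf"])
    return rule["then"]["effect"] if fired else "allow"


def compliance_report(policy, resources):
    """Map each resource name to the effect the policy would apply."""
    return {r["name"]: evaluate(policy, r) for r in resources}


if __name__ == "__main__":
    policy = build_tag_policy()
    print(json.dumps(policy, indent=2))          # the definition to assign via Azure Policy
    for name, effect in compliance_report(policy, RESOURCES).items():
        print(f"{name}: {effect}")
```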

Quarterly cost review

One hour every three months. The IT lead and the CFO sit down with Cost Management, look at the trend, look at the top ten cost drivers, look at the variance against budget, and decide whether to act. That is the entire process. The output is a one-page note for the leadership team and a list of remediation actions for the next quarter.

This is the rhythm we run with our managed clients. It is also the rhythm where most of the savings actually surface, because it forces someone to look at the data on a cadence that catches problems while they are small.

The three traps

Three patterns catch almost every SME on Azure. Worth understanding them before they catch you.

Trap 1: Lift-and-shift over-provisioning

The most expensive single mistake we see. A business migrates 12 servers from VMware to Azure and tells the migration partner to ‘match the existing VM sizes.’ The existing on-premises VMs were sized for peak load that occurs maybe twice a year, on hardware that was bought five years ago. The Azure VMs run hot for two hours a quarter and idle the other 99% of the time, but are billed at peak capacity every hour. Add up across 12 VMs and you are paying three times what the workload needs.

The fix is to size for Azure metrics, not on-prem habits. Migrate first, then watch the metrics for two to four weeks, then rightsize aggressively. We have done this exercise often enough now that we build the rightsizing step into the migration plan from the start. If the migration partner does not include a post-migration optimisation phase, that is a warning sign.

Trap 2: The dev environment that became production

A developer or contractor spins up a dev environment to test a workload. The business comes to rely on it. Three years later it is processing real production data on a ‘temporary’ subscription with no monitoring, no backup, no DR, and no reserved instances. It is also costing twice what it should because no one ever optimised it.

The fix is governance at the subscription creation step. No new subscription without a documented owner and an explicit lifecycle (this is a permanent prod subscription, or this is a 90-day project subscription with an automatic shutdown date). Cleaning up after the fact is harder than preventing it.

Trap 3: Defender for Cloud tier sprawl

Defender for Cloud is genuinely good, and the Standard tier offerings (Defender for Servers, Defender for SQL, Defender for Storage, Defender for Containers, Defender for App Service, and so on) protect real attack surfaces. The trap is that they bill per resource and the tiers are enabled per subscription. Click the wrong toggle and you have Defender for Servers Plan 2 running on every VM across every subscription for $24 each per month.

We have seen SMEs paying $4,000 a month for Defender coverage when their actual security need would be served by $800 of targeted enablement. The fix is to choose the plans deliberately, enable per subscription, and review quarterly. Defender for Servers Plan 2 on the workloads that need it; off everywhere else. Defender for Storage on accounts with sensitive data; off on the public assets bucket. The protections matter; the indiscriminate enablement does not.

For the security-side conversation about what to leave on, our Melbourne cyber security services page outlines the decisions we apply on the managed side. Cost and security are the same conversation in Azure; you cannot optimise one without involving the other.

What the FinOps tooling landscape looks like for SMEs

The third-party FinOps tools (CloudHealth, Cloudability, Apptio Cloudability, Flexera) are excellent but enterprise-priced. For an SME at $50k to $500k annual Azure spend, the native Azure tooling is enough:

| Tool | What it does | SME relevance |
| --- | --- | --- |
| Cost Management + Billing | Cost analysis, budgets, alerts, exports | Essential. Use weekly. |
| Azure Advisor | Rightsizing, reserved instance, idle resource recommendations | Essential. Review monthly. |
| Azure Resource Graph | KQL queries across resources, perfect for orphan hunts | Useful. Quarterly. |
| Microsoft Cost Management Power BI app | Pre-built dashboards over Cost Management exports | Nice to have for the CFO. |
| Microsoft FinOps Toolkit (open source) | Bicep templates, KQL queries, automation runbooks | Useful if you have someone technical to deploy it. |

If your spend grows past $1 million a year, the third-party tools become defensible. Below that, the native tooling is fine and the discipline matters more than the platform.

A small-business worked example

A 65-staff manufacturing business in Bayswater came to us in late 2025 with an Azure bill of $14,800 per month and a CFO who could not get a straight answer about why. Two weeks of focused work:

  • Rightsized seven over-provisioned VMs, saving $2,100 per month
  • Deleted 23 orphaned premium disks, saving $1,400 per month
  • Applied Azure Hybrid Benefit to 12 Windows VMs (they had Software Assurance through their CSP and no one had enabled the toggle), saving $1,800 per month
  • Switched the steady-state production workloads to one-year savings plans, saving $1,200 per month
  • Set up auto-shutdown on the dev and test environments, saving $600 per month
  • Identified and re-routed an egress problem through a private endpoint, saving $400 per month
  • Trimmed Defender for Cloud tier coverage to the workloads that actually needed Plan 2, saving $700 per month

Total monthly saving: $8,200, or about 55% of the original bill. The new run rate of $6,600 per month is a defensible number for the workload, with no production impact and no reduction in security posture (in fact a more deliberate one). Subscription budgets, three-tag enforcement, and quarterly review cadence are now in place. The job took us about 70 hours across two engineers from our 13-strong Melbourne team and was delivered alongside the regular per-user fixed monthly managed IT engagement.

FinOps and the broader cloud strategy

Cost optimisation is one strand of a wider conversation about whether the cloud architecture is right for the business. Sometimes the answer to a high bill is to optimise; sometimes it is to redesign. A 24/7 SQL workload that processes a fixed batch overnight may be better suited to Azure SQL serverless or even a scheduled VM. A file server that nobody touches for three months at a time might belong in Azure Files cool tier with a small AVD presence on demand. These are not quick wins; they are architecture changes. But once the quick wins are taken, the conversation moves to design.

For Melbourne SMEs that want a second opinion on whether the architecture is right before committing to another year of the existing spend, we run cloud architecture reviews as a discrete piece of work, separate from ongoing managed services. They are useful at the 12-month mark of any non-trivial Azure deployment. Reach us through the contact page if that is the conversation you need.

Frequently Asked Questions

Should we move away from Azure to save money?

Almost never the right answer for a workload that is already in Azure. Egress fees on a full re-platform are punishing, the operational disruption is real, and the cost difference between Azure, AWS and GCP for SME-typical workloads is usually under 15% once both are properly optimised. Optimise what you have before considering a move. The exception is a workload that genuinely fits a different platform’s primitives better (a heavy GCP BigQuery analytics workload, for example).

How often should we revisit our reserved instance commitments?

At the renewal point and at any major workload change. The Azure Savings Plan is more flexible than the older Reserved Instances because it does not lock you to a VM family; if your workloads shift, the savings plan keeps applying. We typically recommend a mix: reservations for the most stable workloads (domain controllers, file servers, the SQL VM that has run unchanged for three years), savings plans for the rest.

What does FinOps mean for our cloud backup and DR spend?

Backup storage tends to live outside the day-to-day cost conversation and grows quietly. Same principles apply: tier the storage (most backup data can live in cool or archive after 30 days), review retention against actual recovery needs, and watch the egress when you do a restore. Our companion piece on backup and disaster recovery for Melbourne businesses goes deeper on the design decisions.

Do we need a dedicated FinOps person?

Not at SME scale. The work is two to four hours a month for an experienced engineer plus a quarterly review with the CFO. We run it as part of the managed engagement for clients on our per-user fixed monthly pricing model. Hiring a dedicated FinOps person is a sensible move at around $2 to $3 million annual cloud spend, not before.

Will the optimisation work introduce risk to production?

It can if it is done carelessly. The discipline is: validate against metrics before any resize, take a backup before any storage change, do the work in a maintenance window, and have a rollback path. We have done hundreds of these exercises with our MSP Melbourne clients without a production incident, but the process matters. A weekend cowboy resize of a production SQL VM is how you cause an incident.

What is the role of the CFO in cloud cost management?

The CFO owns the budget and the variance conversation; the IT lead and the MSP own the technical optimisation. The quarterly review is the meeting where those two functions talk to each other. Most SME cost creep we see comes from a lack of that conversation rather than from any technical failure.

Enterprise vendor risk management assumes you have a four-person governance, risk and compliance team. Most Melbourne SMEs have zero. This is a deliberately stripped ‘lite’ framework for businesses with 20 to 200 staff: three vendor tiers, a one-page questionnaire, the only evidence that matters, and the playbook for when a critical vendor fails the assessment.

Why the enterprise playbook fails for SMEs

Open any vendor risk management framework written for a bank or a listed company and you will find a 130-question security questionnaire, a quarterly review cadence, on-site audits, and a control library mapped to NIST CSF, ISO 27001, SOC 2, PCI DSS and the APRA standards. It works because there is a team paid full-time to run it.

An accounting firm in Hawthorn with 45 staff cannot run that programme. The office manager who ‘owns IT’ has neither the hours nor the technical background to read a SOC 2 Type II report properly, let alone challenge the boundaries it covers. And yet that same firm now uses 60 to 90 SaaS products that touch client data: Xero, a practice management system, an e-signature tool, four AI products, a payroll bureau, a document portal, a cloud archive, a CRM, and so on. The risk surface is the same as a mid-market enterprise. The team to manage it is not.

The lite framework below is what we run with our co-managed clients. It is opinionated, it ignores parts of the textbook on purpose, and it produces a defensible position that holds up in a cyber insurance application or a Privacy Act incident review. We have refined it across 12 years of running managed IT services in Melbourne since founding TechAssist in 2014, and it has now been deployed across professional services, healthcare admin, light manufacturing and not-for-profit clients.

The three-tier vendor categorisation

The single most useful move you can make is to stop treating all vendors the same. About 80% of the SaaS in a typical SME is low-risk; about 5% will hurt badly if it is breached or goes down. Sort the list once, properly, and you can focus your effort on the 5%.

Tier 1: Critical

A vendor is Tier 1 if any one of these is true:

  • They process or store regulated personal data at scale (health records, financial accounts, legal matters, identity documents)
  • Their outage stops the business from operating within 24 hours (your finance system, your line-of-business platform, your phone system, Microsoft 365)
  • They have privileged access into your network, your identity provider, or your endpoints (your MSP, your security tooling, your remote support tools)
  • They handle payments or move money

Expect 5 to 12 Tier 1 vendors in a typical SME. These get the full questionnaire, evidence requirements, and an annual review.

Tier 2: Important

A vendor is Tier 2 if they hold business data that you would care about leaking, but their outage is tolerable for a few days, or the data set is limited. Examples: your CRM, your marketing automation tool, your e-signature service, an HR information system that holds employee records, project management tools.

Expect 15 to 30 Tier 2 vendors. They get the short questionnaire and a light evidence check (the security page on their website is acceptable if it lists the right certifications).

Tier 3: Everyone else

Free productivity tools, internal-only utilities, vendors that hold nothing more sensitive than a contact list. The control is the procurement gate (someone signs off before the credit card goes in) and an annual list review. No questionnaire, no evidence, no annual reassessment.

Expect 30 to 60 Tier 3 vendors. The point is to have them on the list, not to spend any meaningful time on them.
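The three-tier rules above, expressed as an added Python example so the sort can be run over a register and re-run when a vendor's role changes. This is not TechAssist's register or tooling; the vendor flags, the sample register and the sanity thresholds are constructed assumptions for the demonstration.

```python
from dataclasses import dataclass

# Added example. The flags map one-to-one onto the Tier 1 triggers and the
# Tier 2 test in the text; the register below is constructed.
@dataclass
class Vendor:
    name: str
    regulated_data_at_scale: bool = False        # health, financial, legal, identity documents
    outage_stops_business_24h: bool = False      # finance system, LOB platform, phones, Microsoft 365
    privileged_access: bool = False              # into the network, identity provider or endpoints
    handles_payments: bool = False               # handles payments or moves money
    holds_sensitive_business_data: bool = False  # data you would care about leaking

def assign_tier(v: Vendor) -> int:
    """Tier 1 if any critical trigger is true, Tier 2 if a leak would matter,
    otherwise Tier 3."""
    if (v.regulated_data_at_scale or v.outage_stops_business_24h
            or v.privileged_access or v.handles_payments):
        return 1
    if v.holds_sensitive_business_data:
        return 2
    return 3

CONTROLS = {
    1: "full 12-question questionnaire, independent attestation, annual review",
    2: "short questionnaire, light evidence check on signup",
    3: "procurement gate and annual list review only",
}

def tier_register(vendors: list[Vendor]) -> dict[int, list[str]]:
    """Sort the register once; the result drives which vendors get the questionnaire."""
    tiers: dict[int, list[str]] = {1: [], 2: [], 3: []}
    for v in vendors:
        tiers[assign_tier(v)].append(v.name)
    return tiers

def tiering_sanity(tiers: dict[int, list[str]]) -> list[str]:
    """Warn when the shape is far from what the text expects (a small Tier 1, a large
    Tier 3). The 25% and 50% thresholds are assumptions, not figures from the text."""
    total = sum(len(names) for names in tiers.values())
    warnings = []
    if total == 0:
        return warnings
    if len(tiers[1]) / total > 0.25:
        warnings.append(f"{len(tiers[1])} of {total} vendors are Tier 1: "
                        "re-check whether each one really stops the business inside 24 hours")
    if len(tiers[3]) / total < 0.50:
        warnings.append("fewer than half the register is Tier 3: you are probably over-classifying")
    return warnings

# Constructed register for a small professional-services firm.
SAMPLE_REGISTER = [
    Vendor("Microsoft 365", outage_stops_business_24h=True, privileged_access=True),
    Vendor("Practice management system", regulated_data_at_scale=True,
           outage_stops_business_24h=True),
    Vendor("Payroll bureau", regulated_data_at_scale=True, handles_payments=True),
    Vendor("Managed service provider", privileged_access=True),
    Vendor("CRM", holds_sensitive_business_data=True),
    Vendor("E-signature tool", holds_sensitive_business_data=True),
    Vendor("HR information system", holds_sensitive_business_data=True),
    Vendor("Team lunch ordering app"),
    Vendor("Free whiteboard tool"),
    Vendor("Internal wiki plugin"),
]

if __name__ == "__main__":
    tiers = tier_register(SAMPLE_REGISTER)
    for tier, names in tiers.items():
        print(f"Tier {tier} ({CONTROLS[tier]}): {', '.join(names)}")
    for w in tiering_sanity(tiers):
        print("warning:", w)
```

On a ten-vendor constructed register the sanity check fires on both counts by construction; on a real register of 50 to 100 vendors, the same warnings are the signal that the Tier 1 conversation was not held hard enough.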

The 12-question questionnaire that fits on one page

Long questionnaires (the SIG, the CAIQ, an internal 140-item monster) do not produce better risk decisions for SMEs. The vendor copies their answers from the last questionnaire, you have no way to verify most of it, and you sign anyway because you need the product. Strip it down to 12 questions that you will actually read.

# | Question | What you are checking
1 | Where is our data physically stored? List countries and providers (AWS, Azure, GCP, on-prem). | Australian Privacy Principle 8 obligations on cross-border disclosure
2 | Do you hold a current SOC 2 Type II, ISO 27001, or IRAP assessment? Please attach. | Independent third-party assurance of controls
3 | What is your data breach notification timeline to customers, in hours? | Whether they can meet your 72-hour OAIC obligation
4 | Do you support single sign-on through Entra ID or Okta on our plan? | Identity hygiene; ability to off-board staff cleanly
5 | Do you support multi-factor authentication for all users, including admins, on our plan? | The number-one preventable control
6 | Is customer data encrypted at rest and in transit? Which algorithms? | Baseline cryptography
7 | What is your data return and deletion process at contract end? Confirm timeline in days. | Off-boarding readiness
8 | Do you subcontract any processing? List sub-processors and their function. | Fourth-party risk; same Privacy Act exposure
9 | What is your published uptime target and the contractual remedy for missing it? | Service level reality vs marketing
10 | How frequently do you back up customer data and what is the recovery point objective? | What you actually lose in a vendor incident
11 | Have you had a security incident affecting customer data in the last 24 months? | History; willingness to disclose
12 | Who is the named contact for security issues and what is their response time SLA? | Whether anyone will pick up the phone at 2 a.m.

Twelve questions. One page. Most credible vendors can answer it in 30 minutes; if a Tier 1 vendor takes three weeks to respond or sends boilerplate that does not address the question, that is your answer. We have seen serious Australian SaaS vendors fill this out in a working day. We have also seen offshore platforms ignore it entirely. Both outcomes are useful information.

What ‘evidence’ you actually need

The textbook says: review their SOC 2 report, walk through their controls, validate their penetration testing, examine their incident response runbooks. In practice, for an SME, the evidence stack is much simpler. Either the vendor has an independent third-party attestation that you can rely on, or they do not.

Accept (Tier 1 and Tier 2)

  • SOC 2 Type II covering at least the last 12 months and covering the product you are using. Type I is a snapshot and is worth far less. The scope matters – if the SOC 2 covers their corporate environment but not the production service you are buying, it is window dressing.
  • ISO 27001 certification with a recent certificate (within the three-year cycle) and a scope statement that includes the relevant systems. Insist on the scope statement, not just the certificate number.
  • IRAP assessment at PROTECTED or higher, for any vendor handling government-adjacent or sensitive data.

Acceptable with caveats (Tier 2 only)

  • A current public security page that lists controls in detail and names specific frameworks they align with.
  • A signed letter from their CISO or equivalent stating the controls in place, where no certification exists.

Not acceptable for Tier 1

  • ‘We follow industry best practice.’
  • ‘We are SOC 2 compliant’ with no report attached.
  • ‘Our hosting provider (AWS) is certified.’ AWS being certified does not certify the customer running on AWS.
  • A self-assessment questionnaire as the only evidence.

This is where most SME vendor programmes drift. The temptation is to accept a marketing page and move on because the alternative is to delay a project. Hold the line on Tier 1. Be pragmatic on Tier 2.
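The questionnaire section and the evidence rules above both reduce to checks a reviewer applies to a vendor's submission, so here is one added Python example that covers both: it turns the answers into the specific named gaps that Step 1 of the playbook asks for, flags the APP 8 cross-border locations, and applies the accept / accept-with-caveats / not-acceptable evidence rules by tier. This is not TechAssist's tooling and not any vendor's code. The answer fields, the evidence record shape and the sample submission are constructed for the demonstration; the minimum SOC 2 Type II period is a parameter (12 months here, matching the main text; the FAQ accepts six).

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Added example; field names and the sample submission are constructed.
@dataclass
class Answers:
    """The questionnaire responses that can produce a hard gap (a subset of the 12)."""
    storage_countries: list                   # Q1: where the data physically lives
    breach_notification_hours: Optional[int]  # Q3: None means not answered
    sso_supported: bool                       # Q4
    mfa_all_users_and_admins: bool            # Q5
    encrypted_at_rest_and_in_transit: bool    # Q6
    deletion_timeline_days: Optional[int]     # Q7: None means no commitment
    sub_processors_named: bool                # Q8
    incident_last_24_months: Optional[bool]   # Q11: None means declined to disclose
    security_contact_named: bool              # Q12

@dataclass
class Evidence:
    """One piece of evidence. 'kind' is one of: soc2_type2, soc2_type1, iso27001, irap,
    security_page, ciso_letter, self_assessment, hosting_provider_cert, best_practice_claim."""
    kind: str
    report_attached: bool = False   # SOC 2: the report itself, not a claim of compliance
    covers_product: bool = False    # scope includes the production service being bought
    months_covered: int = 0         # SOC 2 Type II audit period
    issued: Optional[date] = None   # ISO 27001 certificate issue date
    irap_level: str = ""            # IRAP classification, e.g. "PROTECTED"

OAIC_WINDOW_HOURS = 72
IRAP_ACCEPTED = {"PROTECTED", "SECRET", "TOP SECRET"}
AS_OF = date(2026, 3, 1)   # review date used for the sample run

def questionnaire_gaps(a: Answers) -> list[str]:
    """Step 1 of the playbook: name the specific gap, not 'they failed the questionnaire'."""
    gaps = []
    hours = a.breach_notification_hours
    if hours is None:
        gaps.append("no breach notification timeline given")
    elif hours > OAIC_WINDOW_HOURS:
        gaps.append(f"breach notification of {hours}h cannot meet the {OAIC_WINDOW_HOURS}h window")
    if not a.sso_supported:
        gaps.append("no SSO on our plan")
    if not a.mfa_all_users_and_admins:
        gaps.append("MFA not available for all users including admins")
    if not a.encrypted_at_rest_and_in_transit:
        gaps.append("data not encrypted at rest and in transit")
    if a.deletion_timeline_days is None:
        gaps.append("no committed data return and deletion timeline")
    if not a.sub_processors_named:
        gaps.append("sub-processors not named")
    if a.incident_last_24_months is None:
        gaps.append("declined to disclose incident history")
    if not a.security_contact_named:
        gaps.append("no named security contact")
    return gaps

def cross_border_countries(a: Answers) -> list[str]:
    """APP 8 flag: every storage location outside Australia needs 'reasonable steps' evidence."""
    return [c for c in a.storage_countries if c.upper() not in ("AU", "AUSTRALIA")]

def independent_attestation(e: Evidence, today: date, min_months: int = 12) -> bool:
    """Evidence that stands on its own for Tier 1 and Tier 2."""
    if e.kind == "soc2_type2":
        return e.report_attached and e.covers_product and e.months_covered >= min_months
    if e.kind == "iso27001":   # certificate inside the three-year cycle, scope covering the systems
        return e.covers_product and e.issued is not None and (today - e.issued).days <= 3 * 365
    if e.kind == "irap":
        return e.irap_level.upper() in IRAP_ACCEPTED
    return False

def evidence_verdict(tier: int, evidence: list[Evidence], today: date, min_months: int = 12):
    """Return (acceptable, reasons) for a vendor at the given tier."""
    if any(independent_attestation(e, today, min_months) for e in evidence):
        return True, ["independent attestation on file"]
    reasons = []
    for e in evidence:
        if e.kind == "soc2_type2" and not e.report_attached:
            reasons.append("'SOC 2 compliant' claimed with no report attached")
        elif e.kind == "soc2_type2" and not e.covers_product:
            reasons.append("SOC 2 scope excludes the production service (window dressing)")
        elif e.kind == "soc2_type2":
            reasons.append(f"SOC 2 Type II covers only {e.months_covered} months")
        elif e.kind == "iso27001":
            reasons.append("ISO 27001 certificate stale or scope statement does not cover the relevant systems")
        elif e.kind == "hosting_provider_cert":
            reasons.append("hosting provider's certification does not certify the tenant running on it")
        elif e.kind in ("self_assessment", "best_practice_claim"):
            reasons.append(f"{e.kind} is not evidence")
    if tier == 2:   # Tier 2 accepts the weaker forms, with caveats
        kinds = {e.kind for e in evidence}
        if kinds & {"security_page", "ciso_letter"}:
            return True, ["accepted with caveats: public security page or CISO letter"]
        if "soc2_type1" in kinds and len(kinds) > 1:
            return True, ["accepted with caveats: SOC 2 Type I alongside other evidence"]
    return False, reasons or ["no usable evidence supplied"]

# Constructed Tier 1 submission shaped like the law-firm case later in the text:
# no SOC 2, no SSO on the relevant tier, data held in the US, 30-day notification.
SAMPLE_ANSWERS = Answers(
    storage_countries=["US"], breach_notification_hours=720, sso_supported=False,
    mfa_all_users_and_admins=True, encrypted_at_rest_and_in_transit=True,
    deletion_timeline_days=30, sub_processors_named=True,
    incident_last_24_months=False, security_contact_named=True)
SAMPLE_EVIDENCE = [Evidence("security_page"), Evidence("hosting_provider_cert")]

if __name__ == "__main__":
    print("gaps:", questionnaire_gaps(SAMPLE_ANSWERS))
    print("cross-border:", cross_border_countries(SAMPLE_ANSWERS))
    print("tier 1 verdict:", evidence_verdict(1, SAMPLE_EVIDENCE, AS_OF))
    print("tier 2 verdict:", evidence_verdict(2, SAMPLE_EVIDENCE, AS_OF))
```

The same submission fails at Tier 1 and passes with caveats at Tier 2, which is the whole point of tiering first: the evidence bar is set by what the vendor touches, not by how the vendor answered. A Tier 1 failure here is the input to the five-step playbook, not a verdict to switch vendors.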

The playbook for when a key vendor fails

Here is what the textbook gets wrong: it implies that a failed vendor risk assessment means you switch vendors. In SME reality, you almost never do. You have a contract, you have integrations, you have user training, and switching costs are punishing. The realistic outcome of a failed assessment is risk acceptance with compensating mitigations.

The playbook we run with clients has five steps.

Step 1: Identify the specific gap

Not ‘they failed the questionnaire.’ Specifically: they have no SOC 2, their breach notification is 30 days, they do not support SSO on our tier, they will not name their sub-processors. Write down the actual gap.

Step 2: Quantify the exposure

What is the worst credible outcome if this gap is exploited? Loss of which data set, of what volume, with what regulatory and reputational consequences? Document the number of records and the personally identifiable information categories.

Step 3: Design compensating controls

Most gaps can be mitigated on your side. If they do not support SSO on your tier, enforce a strong password manager policy, rotate the shared credentials quarterly, and put an alert on the account. If their breach notification is 30 days, monitor publicly available breach feeds yourself. If they will not name sub-processors, restrict the data set you send them. If they do not have MFA on admin accounts, do not send them your most sensitive data.

Step 4: Document the acceptance

A risk acceptance document that names the gap, the mitigations, the residual risk, the business benefit of continuing, and the executive who signed off. This is what makes the position defensible later. Insurance underwriters and OAIC investigators do not expect perfection; they expect documented, considered decisions.

Step 5: Set a review date

Twelve months from now, are the mitigations still in place? Has the vendor improved their controls? Should the risk acceptance be renewed, withdrawn, or escalated?

A 70-staff law firm in Camberwell we work with ran this playbook recently on a US-based legal AI vendor. The vendor had no SOC 2, no SSO on the relevant tier, and stored data in US-East. The partners wanted the product. The compensating controls: a dedicated tenant configuration that limited what content could be sent to the tool, an enforced data classification policy on the matter management side, quarterly review of the vendor’s audit log exports, and a contractual addendum on breach notification. Risk accepted, documented, signed by the managing partner, reviewed annually. That is a defensible position.

The Australian Privacy Act 1988 angle

The Privacy Act amendments that came through in 2024 and 2025 changed the conversation for SMEs. The small business exemption is being narrowed; the maximum penalty for serious or repeated breaches is now the greater of $50 million, three times the benefit obtained, or 30% of adjusted turnover during the breach period. Vendor risk management is now a Privacy Act obligation in practice if not in name. The OAIC has been clear: if your vendor has a breach involving your customers’ data, you are the entity that has obligations to notify and remediate, not the vendor.

Australian Privacy Principle 8 (cross-border disclosure) is the clause that catches most SMEs. Sending personal information overseas – which you do every time you sign up for a US SaaS – generally requires that you take reasonable steps to ensure the overseas recipient does not breach the APPs. Your vendor risk assessment is the ‘reasonable steps’ evidence. Without it, you are exposed.

For the detail on what this means in practice, see our companion piece on the Australian Privacy Act for SMBs and what your IT team must do. The vendor risk programme described here is one of the four foundational pieces of that broader compliance posture, alongside data minimisation, identity hygiene, and breach response readiness.

The cyber insurance vendor list creep problem

Cyber insurance applications now routinely ask for a vendor list. Some carriers want the top 10 by data sensitivity; some want every vendor with access to your systems; the more thorough underwriters want the questionnaire results for your Tier 1 vendors. Three observations from running these applications for clients over the past two years.

First, the list grows every year and the questions get sharper. A 2023 application that asked ‘do you use any third-party SaaS providers’ became a 2025 application that asks ‘list all third-party providers with access to personal information, the data categories involved, and your last review date for each.’ Expect this trajectory to continue. Your vendor list and tiering work is also insurance application work.

Second, an inaccurate disclosure on the insurance application can void the policy. We have seen clients tick ‘all critical vendors reviewed in the last 12 months’ when the answer was closer to ‘three of them.’ If a breach involves an unreviewed vendor, the carrier may decline. Be honest on the form, even if the answer is uncomfortable.

Third, insurers increasingly want evidence that you have an MSP or internal team running this programme. A client of ours in Box Hill had a cyber renewal in late 2025 where the carrier asked for proof of an MSP relationship covering vendor risk before they would renew on the existing premium. The co-managed IT support arrangement we had in place satisfied the underwriter; without it, the renewal would have been 40% more expensive.

What to run yourself versus what to delegate

The split we recommend for a 30 to 150 staff SME is:

Activity | Cadence | Owner
Maintain the vendor list (additions, terminations) | Continuous | Internal (finance or operations)
Procurement gate for new vendors | Per request | Internal sign-off, MSP triage
Tier assignment for new vendors | Per request | MSP
Questionnaire issuance and review | Annually for Tier 1, on signup for Tier 2 | MSP
Evidence collection and storage | Annually | MSP
Risk acceptance documentation | Per finding | Internal (executive) with MSP support
Breach intelligence monitoring | Continuous | MSP NOC
Annual programme review | Yearly | Joint

The work the MSP does is the technical assessment and the document handling. The work the business owns is the procurement decision and the risk acceptance. That separation matters. Risk acceptance is a business decision, not an IT decision; the MSP should not be signing it off, but should provide the analysis that informs it.

Our own approach at TechAssist is to maintain a vendor register for each managed client, run the questionnaire cycle from our 24/7 NOC at Tecoma, and bring findings to the client quarterly. When a P1 event involves a vendor (a Microsoft 365 outage, a confirmed third-party breach, a vendor that fails an audit), our sub-15-minute P1 response runs from the same NOC, and our 13 Australian engineers are the team that does the assessment work. No offshore questionnaire mills, no automated tooling that emails the vendor and walks away from the answer.

A realistic first 90 days

If you have nothing in place today and you want to start, here is the shape of the first quarter.

Weeks 1 to 2: List every SaaS, every vendor with a login, every contractor with system access. Pull it from your accounting system (every recurring expense), your password manager, and your single sign-on tenant. Expect to find 30 to 50 more than anyone thought existed.

Weeks 3 to 4: Tier the list. Most vendors will be Tier 3 in five minutes. The Tier 1 conversation is the one that takes time and judgement.

Weeks 5 to 8: Issue the 12-question questionnaire to Tier 1. Chase, read, file. Note the gaps.

Weeks 9 to 12: Risk acceptances or remediations for each Tier 1 gap. Document the position. Schedule the 12-month review. Brief the executive on residual risk.

At the end of 90 days you have a defensible vendor risk position, a paper trail for insurance and Privacy Act purposes, and a list that you can maintain in two to four hours a month rather than rebuilding from scratch every year. That is the goal of the lite programme: defensible, sustainable, and proportionate.

Frequently Asked Questions

Do we need a vendor risk programme if we are under the small business turnover threshold for the Privacy Act?

The small business exemption (under $3 million turnover) is being narrowed by the Privacy Act reforms, and even today the exemption does not apply to health service providers, businesses that buy or sell personal information, contractors to the Commonwealth, and a few other categories. More practically, your customers, your insurers, and your enterprise prospects increasingly require vendor risk evidence regardless of whether the Act technically applies to you. We recommend a lite programme for every SME with more than 20 staff.

Is a SOC 2 Type I report sufficient for Tier 1 vendors?

No. SOC 2 Type I is a point-in-time review and tells you very little about how the vendor actually operates the controls over time. For Tier 1, insist on a SOC 2 Type II covering at least six months and ideally twelve. Type I is acceptable for Tier 2 alongside other evidence.

What do we do about vendors that refuse to respond to the questionnaire?

For Tier 1, non-response is the answer. Either escalate to their account team (often the account manager can move the request through their internal security team) or accept that you cannot use them for Tier 1 workloads. For Tier 2, document the non-response, look at their public security page, and consider whether the gap is acceptable. Some smaller vendors genuinely do not have the team to respond, and that is itself a risk signal.

Should we use an automated vendor risk platform?

Probably not for an SME under 100 staff. The platforms (UpGuard, SecurityScorecard, BitSight, OneTrust) are excellent but priced for an enterprise budget and produce more data than a small team can act on. A spreadsheet, a shared mailbox for evidence collection, and a calendar reminder for annual review will do the job for most SMEs. Revisit the tooling question if you grow past 200 staff or if your customers start asking for vendor risk evidence in a specific format.

Who in the business should own vendor risk?

The accountability should sit with a named executive (CFO, COO or general manager in a typical SME). The day-to-day work can be delegated to an office manager, an internal IT lead, or your MSP. The risk acceptance decisions cannot be delegated below executive level.

How does this fit with our existing cyber security work?

Vendor risk is one pillar of a broader programme that also includes endpoint and identity controls, backup and recovery, and incident response. Our Melbourne cyber security services wrap these pillars together for managed clients, and the vendor risk lite framework is part of the standard offering. If you want to talk through how the pieces fit for your business, our team is reachable through the contact page.

Cloud migration is the IT category where buyer disappointment is most common. The phrase covers projects from a five-day SharePoint setup to a two-year replatforming. Partners range from competent boutiques to outfits with junior consultants who will learn on your bill. Picking the wrong one locks in operational pain for five years.

This is a buyer’s guide written from the engineering side of the table. We will define what cloud migration services actually mean for an Australian SME in 2026 (mostly file server to SharePoint and OneDrive, on-prem Active Directory to Entra ID, and on-prem SQL or line-of-business systems to Azure). We will cover the three pricing models you will see and which one fits your situation. We will name the lift-and-shift trap that costs SMEs more in year three than the original project cost. And we will give you the 12 questions to ask a prospective migration partner before you sign anything.

TechAssist has been running migrations for Melbourne SMEs since we were founded in 2014. Our cloud services Melbourne team has migrated firms ranging from 8 to 250 staff, across professional services, manufacturing, healthcare, and not-for-profit. We have 13 Australian engineers, two offices (Tecoma and 575 Bourke St CBD), a 24/7 NOC, and per-user fixed monthly pricing for the run state after the migration. The engineering bias in this guide is real but the recommendations are the same we give clients we end up not working with.

What “Cloud Migration Services” Actually Means in 2026

The term has been used loosely for so long it has lost meaning. Let us define it concretely. For an Australian SME in 2026, “cloud migration” almost always means one or more of the following workstreams.

File server to SharePoint and OneDrive. This is the bread-and-butter SME migration. An on-premise file server (often a Windows Server running 2016 or 2019 that is past end-of-life on hardware) is being retired, and the file shares are being moved to SharePoint Online document libraries plus OneDrive for individual user files. The work is more nuanced than it sounds: permissions need to be modelled cleanly, mapped drive habits need to be transitioned, and the file structure usually needs to be restructured at the same time because the on-prem structure has accumulated 15 years of cruft.

On-premise Active Directory to Entra ID. The identity layer migration. Moving from a Windows Server domain controller to Entra ID as the primary identity provider, with hybrid join or full cloud join for Windows endpoints. This is the foundation for conditional access, device compliance, and most of the modern security controls. It is also the migration that quietly breaks the most legacy line-of-business applications, so the discovery work needs to be thorough.

On-premise SQL or line-of-business system to Azure. The infrastructure-as-a-service or platform-as-a-service migration. Moving a database or LOB application from on-premise servers to Azure SQL, Azure VMs, or App Service. This is where the lift-and-shift trap lives, and we will talk about it shortly.

Email migration. Moving from on-prem Exchange or a third-party mail provider to Exchange Online. This is increasingly a small workstream because most SMEs already moved email to the cloud years ago, but it still comes up for late-mover firms and for post-acquisition consolidation work.

Backup re-platforming. Moving from on-prem backup appliances to cloud-native or hybrid backup services that protect both on-prem and cloud workloads. This often gets bundled into the migration scope because the existing backup tool does not protect the new cloud workloads, and trying to bolt it on later costs more than rebuilding the backup strategy properly. See our backup and disaster recovery Melbourne 2026 guide for the broader picture.

For a typical Melbourne SME migration, two or three of these workstreams are bundled into a single engagement, with the file server and Entra ID work usually being the core, and the SQL or LOB workstream being the optional but heavier component.

The Three Pricing Models

The pricing model a partner offers tells you a lot about how they run projects. There are three common shapes for cloud migration engagements in the Australian SME market.

Fixed-price discovery plus T&M build
  How it works: Fixed fee for a one-to-three-week discovery and scoping phase. Build phase is time and materials with a budget cap and weekly reporting.
  Best fit: Mid-complexity migrations where scope is genuinely uncertain.
  Watch for: T&M without a cap is open-ended. Insist on a cap and weekly reporting.

Hybrid (fixed core, T&M for complex bits)
  How it works: Fixed price for the standard workstreams (file server, AD, email), T&M for anything custom (LOB integration, data transformation).
  Best fit: Most SME migrations of moderate complexity.
  Watch for: The boundary between fixed and T&M needs to be crystal-clear in the SOW. Vagueness here causes disputes.

Full fixed price
  How it works: One fixed number for the entire engagement, including all workstreams, change requests within a defined envelope.
  Best fit: Well-defined migrations with low ambiguity in scope.
  Watch for: The partner has priced in risk margin. You will pay more than T&M would cost if the project runs smoothly. The upside is predictability.

The honest take on which to choose: hybrid is the right answer for most Melbourne SMEs in the 30 to 100 staff range. Fixed-price discovery plus T&M build is the right answer when you have a legacy line-of-business application and the discovery phase needs to surface what the migration actually involves before anyone can credibly quote it. Full fixed price is the right answer when you have rigid budget approval processes that cannot tolerate any variance.

The model that should make you nervous: a low fixed price for an aggressive scope, where the partner is hoping to use change orders to recoup margin. This is the most common pattern of buyer disappointment we see. The kick-off feels great, the price feels right, and by week six you have approved $40,000 of change orders and the partner has rebuilt their margin on top of the original quote. The protection against this is a thorough discovery before the contract is signed.

The Lift-and-Shift Trap

This is the trap that costs Melbourne SMEs more in cloud cost over time than the migration itself. The partner takes your on-premise SQL Server, lifts it onto an Azure VM with the same specs, and shifts it to the cloud. The migration is fast, the bill at the end is low, and the project is declared a success.

The problem is what happens in year two and year three. The on-prem server was a one-time hardware capital cost amortised over five years. The Azure VM is a recurring operational cost forever. The specs that made sense on-prem (over-provisioned because hardware was hard to expand) are wasted in Azure because cloud workloads should be sized to actual load and scaled when needed. The result is a perpetual Azure bill that is two to four times what a properly designed cloud architecture would cost, with worse performance characteristics.

The fix is platform-as-a-service or refactoring during the migration, not after. Specifically: SQL Server should usually become Azure SQL Database (with elastic pool, or serverless tier for variable workloads), not an Azure VM running SQL Server. Windows Server file shares should become SharePoint and OneDrive, not Azure Files. Custom applications should be containerised or refactored to App Service where viable, not lifted onto VMs.

The reason partners default to lift-and-shift is that it is fast and low-risk for them. It avoids the architectural conversations that take time and require Azure expertise that not every partner has. It also positions them for a profitable optimisation engagement in year two, when the bill is hurting and you come back asking for help.

If you are evaluating a migration partner, the lift-and-shift conversation is the single best test of their depth. Ask them what they would do with your specific workloads. If the answer is “lift to Azure VMs first, optimise later,” that is a partner who is going to leave you paying the on-prem tax in Azure forever. Walk away. The right answer is “let us look at each workload and design the target architecture before we move, even if it takes longer up front.”

The 12 Questions to Ask Before You Sign

These are the questions we would ask if we were on the buyer side of a migration engagement. The answers will tell you more than any case study.

One. Show me the discovery deliverable from your last three SME migrations. The discovery document is the single best indicator of how seriously a partner takes scoping. If they cannot show you a sanitised example, or if the example is two pages of high-level boxes, they are not doing real discovery.

Two. How will you handle the Azure cost forecast for year one, year two, and year three? You want a projected monthly Azure bill at each milestone, with the assumptions stated. Partners who cannot do this are guessing on the cost side, and guessing means surprises.

Three. What is your specific approach to file permissions during the SharePoint migration? File permissions are where the migration’s hidden complexity lives. The right answer involves a permissions audit, a model for SharePoint sites and Teams, and a plan for the inevitable exceptions. The wrong answer is “we will replicate the existing structure.”

Four. How do you handle the legacy line-of-business application that does not support Entra ID? Every SME has at least one. The right answer involves identifying it during discovery, modelling the options (hybrid join, application proxy, replacement, retirement), and pricing the work accordingly. The wrong answer is “we will figure it out during the build.”

Five. What is your incident response if the migration goes sideways at 8pm on a cutover Saturday? You want to know who is on call, what their response time commitment is, and what the rollback procedure looks like. Cutover weekends are when migrations fail spectacularly, and you need to know there is a human and a plan when it happens.

Six. Who are the named engineers on this project, and what are their certifications? Not “our team has Azure certifications.” You want names, role descriptions, and which specific engineers will be doing the architecture and implementation. Partners who staff projects with rotating cast members give you inconsistent work quality.

Seven. What does your post-migration run state look like, and what is the handover process? Most migration disappointment is not during the migration. It is in the six months after, when something breaks and the partner is no longer engaged. You want clarity on the handover, the run state ownership, and the path to ongoing support.

Eight. Can you share a reference from a Melbourne SME of similar size and complexity, in the last 18 months? You want the reference to be both recent (so the partner is still operating at the same standard) and comparable (so the work is genuinely similar to yours). Generic enterprise references are not useful for SME engagements.

Nine. What happens if Azure costs come in higher than your forecast? Specifically: who eats the difference, and what is the process for re-evaluating the architecture? A partner who says “we will work with you to optimise” without committing to any responsibility is offloading the architectural risk onto you.

Ten. How do you handle change requests during the build? You want a written change request process with size thresholds, approval steps, and a commitment that changes below a certain dollar value will be absorbed rather than charged. Without this, change requests become the partner’s margin recovery mechanism.

Eleven. What is your approach to security during and after the migration? The migration is the perfect moment to uplift conditional access, MFA, application control, and Essential Eight alignment. A partner who treats security as out of scope for the migration is leaving the most valuable work on the table.

Twelve. Where will my data live geographically, and what is the data residency commitment? For most SMEs the answer is Azure Australia East or Australia Southeast, but you want this stated explicitly, with the specific workloads named. This matters more than buyers usually realise, especially for clients in government supply chain or regulated sectors.

The partner’s answers to these twelve questions will tell you who you are dealing with. The partner who hedges or generalises is the partner who will surprise you later. The partner who has specific, named, defensible answers is the partner worth talking to in detail.

A Sample Scope-of-Work Skeleton

Here is the structure of a sensible SOW for a Melbourne SME cloud migration. Adapt this for your situation. If the partner’s SOW is shorter or thinner than this, push back.

| SOW section | What it should contain |
|---|---|
| Executive summary | One-page summary of the engagement, the workstreams, the duration, and the price. |
| Discovery deliverables | Detailed inventory of current state, target architecture, migration approach for each workstream, risk register. |
| Workstream breakdown | Named workstream for each major workload, with explicit scope boundaries, deliverables, and acceptance criteria. |
| Target architecture diagram | Visual representation of the post-migration state, including identity, network, data, and security layers. |
| Migration sequence and timeline | Phased plan with named milestones, dependencies, and cutover windows. |
| Roles and responsibilities (RACI) | Who does what on the partner side and the client side, named individuals where possible. |
| Acceptance criteria per workstream | Specific tests that must be passed before each workstream is considered complete and signed off. |
| Change request process | Written process with thresholds for what counts as a change, approval steps, and pricing. |
| Azure cost forecast | Projected monthly Azure spend at three, six, twelve, and twenty-four months with assumptions stated. |
| Risk and mitigation | Named risks, probability/impact assessment, and mitigation plans. |
| Cutover plan and rollback procedure | For each cutover, the procedure, the abort criteria, the rollback steps, and the on-call coverage. |
| Post-migration support and warranty | What support is included for what duration after each workstream completes. |
| Pricing breakdown | Line-by-line breakdown of fixed and T&M elements, with assumptions. |
| Payment milestones | What gets paid when, tied to acceptance criteria not calendar dates. |

The SOW should be 25 to 50 pages for a typical mid-complexity SME migration. Less than that, the partner has not done the thinking. More than 80 pages, the partner is hiding complexity in volume.

A Melbourne Example: 65-Person Engineering Consultancy in Hawthorn

A 65-person mechanical and electrical engineering consultancy in Hawthorn engaged us in late 2024 for what they thought would be a SharePoint migration and turned into a broader cloud migration including identity, file shares, and an on-premise project management database.

The discovery surfaced more complexity than expected. The file server held about 14TB of project files including CAD models, which needed careful handling for SharePoint sync behaviour. The Active Directory had 11 years of accumulated permissions, roles, and group nesting that needed cleaning before any migration could be clean. The project management database was a SQL Server application with custom integrations to Outlook and to their cost-tracking spreadsheets that no one had documented in seven years.

The decision early in discovery: refactor where it materially reduces ongoing cost, lift-and-shift only where refactoring offered no value. SQL Server moved to Azure SQL Database (single database, with elastic pool option for future growth) instead of a VM. File shares moved to SharePoint with a redesigned site structure mapped to project workstreams rather than the old folder hierarchy. Identity moved to Entra ID with hybrid join during a transitional period, then fully cloud-joined endpoints by month six.

Timeline: 14 weeks from discovery start to final cutover, plus a 12-week post-migration support window. Cost: $148,000 fixed for the standard workstreams plus $34,000 T&M for the SQL refactor, against an internal budget envelope of $200,000. Azure run cost: $1,640 per month at steady state, against a forecast of $1,800. They are now on a per-user fixed monthly managed service with us, with 24/7 NOC monitoring out of Tecoma and same-business-day on-site coverage when something needs hands on gear.

The lift-and-shift counterfactual: a partner who had simply lifted the SQL Server to an Azure VM would have charged less for the project (maybe $115,000 total) but the Azure run cost would have been roughly $3,400 per month due to the VM sizing and the SQL Server licensing on Azure. Over five years, the lift-and-shift would have cost the firm about $105,000 more in Azure spend, plus the future optimisation work to fix it. The architectural decision during the migration saved more than the migration cost over the asset lifetime.

Where TechAssist Sits in the Partner Landscape

We are honest about our positioning. We are not a Big Four consulting firm and we do not bid on $5m enterprise transformations. We are not a one-person operation working from a home office. We are a mid-market Melbourne MSP with 13 Australian engineers and the scale to handle SME migrations end-to-end while still being a partner you can call and get the principal engineer on the phone.

Our sweet spot is 30 to 250 staff Melbourne SMEs, professional services and skilled industries, where the migration needs to be done properly the first time, on a budget that is real but not unconstrained, with a transition into a managed service relationship afterwards. Our per-user fixed monthly pricing on the run state means we are not incentivised to leave you with brittle infrastructure that creates ongoing ticket volume.

We are Essential Eight aligned and ISO 27001 capable, which matters for clients moving into regulated sectors or pursuing certifications. We respond to P1 incidents in under 15 minutes and provide same-business-day on-site coverage across Melbourne metro from our Tecoma office and our 575 Bourke St CBD office.

If our positioning does not fit your situation, that is fine. The questions in this guide will still serve you well with another partner. If it does fit, we are happy to run a discovery conversation. See our MSP Melbourne overview for the broader service description, our co-managed IT support page if you have an internal IT lead, and our managed IT services Melbourne page for the full service breakdown.

For vertical-specific context, see our law firms, manufacturers, and healthcare pages. For the broader provider selection framework, our how to choose an MSP Melbourne and top managed service providers Melbourne articles cover the ground.

The Six Red Flags That Should End the Conversation

If you see any of these during the sales process, the conversation should end. We have seen each of these cause migration disasters, and the partner’s behaviour during the sales cycle is the best predictor of how they will behave during the project.

One. They quote without discovery. A partner who gives you a fixed price for a migration without spending real time understanding your environment is either selling you a project they cannot deliver, or has priced in so much risk that you are overpaying.

Two. They cannot name the engineers. The salesperson is great. The case studies are slick. The actual delivery team is a mystery. This is the pattern where you find out, after signing, that the engineers are junior offshore staff or contractors with no continuity.

Three. The Azure cost forecast is “we will optimise after migration.” This is the lift-and-shift trap signalled in advance. Walk away.

Four. The change request process is “we will handle it.” No written process, no thresholds, no commitment. This will turn into endless change orders during the build.

Five. They will not provide a Melbourne SME reference of comparable scale. Generic references and enterprise references are not useful. If they cannot point you to a comparable client in the last 18 months, they have not done the work at your level recently.

Six. They are uncomfortable when you ask about security uplift during the migration. The migration is the moment to fix conditional access, MFA, and application control. A partner who treats this as out of scope is missing the point of why most SMEs are migrating in the first place. Read our zero trust security model explained and cybersecurity services Melbourne resources for the security framing.

Frequently Asked Questions

How long does a typical SME cloud migration take?

For a 50-person business with a moderate-complexity stack (file server, on-prem AD, one or two LOB applications), the engagement runs 12 to 20 weeks from discovery to final cutover, plus 8 to 12 weeks of post-migration support. Smaller and simpler migrations can be done in 6 to 10 weeks. Larger and more complex migrations can run 6 to 9 months. Anyone promising a serious migration in 2 to 4 weeks is selling you a rushed project.

Can we keep our existing IT person and just engage a partner for the migration?

Yes, and this is a common pattern, but it requires clear scope boundaries. The partner runs the project, the internal IT person handles end-user support, change communication, and the on-the-ground coordination during cutover. Our co-managed IT support model is built for exactly this arrangement. The pattern that does not work is the internal person trying to “help” with the technical migration work in parallel, which creates accountability gaps.

What does an Azure bill for a 50-person SME look like at steady state?

It depends entirely on the architecture and what workloads you have moved. For a 50-person business that has migrated file shares to SharePoint, identity to Entra ID, and one moderate SQL workload to Azure SQL, the Azure-side bill is typically $800 to $2,200 per month at steady state. The Microsoft 365 licensing is separate and runs $30 to $50 per user per month depending on tier.

Is hybrid cloud (some workloads on-prem, some in Azure) still a sensible choice?

For some workloads, yes. Specifically: industrial control systems, very large file shares where bandwidth economics matter (some video production and CAD scenarios), and certain LOB applications with vendor support constraints. For most SME workloads, hybrid is a transitional state, not a destination. Plan to be fully in the cloud within three years of starting the migration, or you will end up paying for the worst of both worlds.

What about Microsoft 365 Copilot during the migration?

Deploy after the migration, not during. The Copilot value comes from clean SharePoint structure, properly permissioned document libraries, and a tenant that has been hardened. Trying to roll out Copilot before the migration is finished produces poor user experience because Copilot is searching across the messy interim state.

How do we make sure we are not locked into the partner after the migration?

This is the right question to ask before signing. The protections are documentation (you should own all architecture documentation, including admin credentials and root-of-trust certificates), portable architecture (avoid partner-specific tooling for the run state), and a clean handover process. Our run-state pricing is per-user fixed monthly with no lock-in clause, and the architecture we deploy is standard Microsoft and Azure constructs that any competent partner can take over if you ever decide to move. Reach our team via the contact page for a discovery conversation.

Most Microsoft 365 vs Google Workspace comparisons are written by Microsoft Partners and read like a sales pitch. Here is the straight version. Google wins for sub-15-person startups, design agencies, and web-native teams. Microsoft wins for anything compliance-driven, anything with Windows endpoints, and anything that touches Excel-heavy finance or operations tooling.

That is the headline. The rest of this article shows the working. We will cover the licensing reality in 2026, the Copilot versus Gemini story without the marketing gloss, the security and admin gap that has quietly widened, Australian data residency and Privacy Act considerations, and the genuine cost of switching either direction. Spoiler: it is almost always three to five months of dual-running, and the migration is rarely the expensive part.

TechAssist has been running these conversations with Melbourne SMEs since we were founded in 2014. Our managed IT services Melbourne team has migrated firms in both directions, so the bias here is genuinely thin. If anything, our preference leans Microsoft for clients in regulated sectors and Google for clients whose entire workflow lives in a browser, but the answer depends on what you actually do for a living.

The Honest Summary Up Front

If you want the verdict before the detail, here it is. Pick Google Workspace if you are under 15 staff, your team lives in Chrome, you do not run any line-of-business application that requires Windows, and you do not have meaningful compliance obligations beyond the Australian Privacy Act baseline. Pick Microsoft 365 if you have Windows endpoints, finance staff who live in Excel, ISO 27001, Essential Eight or sector-specific compliance ambitions, or any line-of-business application that integrates with Outlook calendars, SharePoint document libraries, or Power BI.

The grey zone is the 15-to-50-staff Melbourne SME with mixed Mac and Windows endpoints, a handful of legacy Office documents, and a desire to use Gmail because the founder likes it. That is the zone where the decision actually matters, and where most of our consulting time goes.

Licensing and Pricing in 2026

The headline SKUs have not changed dramatically, but the value gap inside each plan has. Microsoft has loaded more security and compliance into the mid-tier Business Premium plan, while Google has shifted more of its AI value into the Gemini Business and Enterprise add-ons. The result is that the apples-to-apples comparison is genuinely harder in 2026 than it was two years ago.

Here is the realistic comparison for a 30-person Melbourne SME at current AUD list pricing, rounded for clarity. Your actual prices via a partner will be slightly lower, but the ratios hold.

| Plan tier | Microsoft 365 | Google Workspace | What you actually get |
|---|---|---|---|
| Entry | Business Basic – approx $11/user/month | Business Starter – approx $12/user/month | Email, web apps, 30GB storage. Limited admin and security. |
| Mid | Business Standard – approx $22/user/month | Business Standard – approx $24/user/month | Desktop apps (M365 only), 1-2TB storage, basic meetings. |
| Security-grade | Business Premium – approx $36/user/month | Business Plus – approx $34/user/month | Intune/MDM, Defender, conditional access (M365). Vault, advanced endpoint (Google). |
| AI add-on | Copilot – approx $46/user/month extra | Gemini Business – approx $34/user/month extra | In-app AI across the suite. |

The numbers look close. They are not. The security-grade tier comparison is the one most decision-makers get wrong. Business Premium on Microsoft includes Intune device management, Defender for Business endpoint protection, conditional access, Azure AD Premium P1 (now Entra ID P1), and Purview data loss prevention. Google Business Plus includes Vault retention, advanced endpoint management, and Drive labels, but it does not include the equivalent of conditional access without stepping up to Enterprise Standard or Plus, which approximately doubles the per-user cost.

For a 30-person firm in Cremorne with Windows laptops, Business Premium replaces three or four separate tools that you would otherwise buy: a mobile device management product, an endpoint security product, a multi-factor enforcement layer, and a data loss prevention tool. That is the bundle value that has widened. It is not visible in the headline SKU price.

Where Google Wins, Honestly

Google Workspace genuinely wins in three scenarios, and we recommend it for all three.

The first is the sub-15-person startup. If you are five to twelve people, you live in a browser, you collaborate constantly in shared documents, and your security threat model is mostly phishing and credential theft, Google Workspace is faster to deploy, easier to administer without an IT team, and the collaboration UX is better. Docs and Sheets real-time editing remains a notch ahead of Word and Excel on the web, and the unified search across Drive, Gmail, and Calendar is excellent.

The second is the design or creative agency. If your team is on Macs, you use Figma, Adobe Creative Cloud, and Slack, and your finance person is the only one who touches a spreadsheet seriously, the Microsoft stack is overkill. Google Workspace plus a third-party MDM like Kandji or Jamf will serve you well. We have a 22-person creative agency client in Fitzroy that runs exactly this stack and has zero appetite to switch.

The third is genuinely web-first businesses. SaaS companies, marketing agencies, online publishers, e-commerce operators. Teams whose entire workflow is browser tabs and where Microsoft’s deep desktop integration provides no value. Google is leaner here, and Gemini’s integration with Search and YouTube is genuinely useful for these workflows in ways that Copilot’s Office integration is not.

Where Microsoft Wins, Also Honestly

Microsoft 365 wins in more scenarios than Google fans like to admit, and the gap has widened in 2024 and 2025.

The first and biggest is compliance. If you are pursuing ISO 27001, aligning with the Essential Eight, or operating in a sector with specific data handling requirements (legal, health, financial services, government supply chain), Microsoft Purview, Defender, and Entra ID together give you the audit trail, the controls, and the certifications evidence that auditors expect. Google can technically achieve much of this, but the auditor-readiness gap is real, and we have seen it cost clients during certification.

The second is Windows endpoint reality. Most Australian SMEs run Windows. Intune is now genuinely good. Autopilot deployment for a new laptop is a fifteen-minute experience for the user, and the device arrives at the desk pre-enrolled and pre-configured. Google’s endpoint management story for Windows is workable, but it is not in the same league. If your fleet is Windows, this matters every single week.

The third is finance and operations integration. Power Query, Power Pivot, Power BI, and the broader Power Platform tie into Excel and Outlook in ways that have no Google equivalent. If your finance manager is building cashflow models, your operations team is reconciling job costing across two systems, or your sales lead lives in pipeline spreadsheets, the Microsoft ecosystem is genuinely more productive.

The fourth is line-of-business application integration. Practice management systems in Melbourne law firms, patient management in healthcare practices, ERP and MRP systems in manufacturing, and most Australian accounting and payroll platforms integrate more deeply with Microsoft than Google. The Outlook calendar plug-in, the SharePoint document repository, the Teams meeting integration. These are table stakes for serious vertical software.

Copilot vs Gemini: The Honest Take

Both AI assistants are useful. Both are overhyped by their vendors. Both will be markedly better in twelve months than they are today. Here is what we are seeing in actual SME use in 2026.

Copilot in Microsoft 365 is genuinely useful when it can see across your tenant. Drafting emails from meeting notes, summarising long Teams threads, generating first-draft PowerPoint from a Word brief, and pulling figures from Excel into commentary. The killer use case for SMEs is Teams meeting summaries with action items. Once finance and operations staff have used this for a month, taking it away is painful. The weak spot is reliability on numerical reasoning in complex spreadsheets, and the occasional confident hallucination when pulling data from SharePoint sites it should not be searching.

Gemini in Workspace is strong on text generation in Docs, summarising Gmail threads, and the integration with Google Search for research is genuinely useful. The meeting note-taking in Meet is good. The weak spot is that Gemini in Sheets is not yet at Copilot in Excel parity for serious analytical work, and the Drive search story is less mature than SharePoint plus Copilot for document-heavy organisations.

The honest answer on cost-benefit: at $46 per user per month for Copilot, you need each user to save roughly 45 minutes a week to break even on a $100k salary. We are seeing that achieved in about 60 percent of seats in client deployments, with marketing, sales, and executive assistants getting the highest return, and field-based staff getting the lowest. Gemini at $34 per user per month has slightly easier payback maths but a slightly narrower set of killer workflows. If you are deciding whether to buy AI for your suite at all, the answer in 2026 is yes for office-based staff and no for field, retail, or shop-floor staff.

The Security and Admin Gap

This is the section where we annoy Google fans. The security and administration gap between Microsoft 365 Business Premium and Google Workspace Business Plus has widened, and pretending otherwise is not helpful to clients.

Conditional access is the clearest example. On Microsoft, you can write a policy that says “users in the finance group can only access the payroll system from a managed device, on a trusted network, with a fresh MFA challenge, between business hours, from Australia.” That policy is enforced at the identity layer for any application using Entra ID for sign-in. On Google, the equivalent context-aware access requires Enterprise tier, and the policy expressiveness is meaningfully thinner.
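To make the AND-semantics of a policy like the one above concrete, here is an added example (not code from the original page, and not Microsoft's engine or Graph schema) that models the finance/payroll policy and evaluates a handful of constructed sign-in attempts against it. The field names, the evaluation order, the office IP range (a documentation prefix) and the sign-ins are all assumptions made for illustration; the point it shows is that a single failed condition blocks the sign-in, and that a policy only fires for the users and apps it is assigned to.

```python
"""Toy evaluation of a conditional-access style policy.

Added example, not the page's or Microsoft's code: the schema below is an
assumption for illustration. Real Entra ID policies are configured in the
portal or via Microsoft Graph, not with these field names.
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class SignIn:
    """Context the identity layer knows about one sign-in attempt (constructed)."""
    user: str
    groups: FrozenSet[str]
    app: str
    device_managed: bool      # enrolled in MDM and reported compliant
    source_ip: str
    country: str              # ISO 3166 alpha-2 as resolved by the IdP
    mfa_age_minutes: int      # minutes since the last MFA challenge; -1 = none
    when: datetime


@dataclass(frozen=True)
class Policy:
    """'Finance can only reach payroll from a managed device, on a trusted
    network, with fresh MFA, in business hours, from Australia.'"""
    name: str
    target_groups: FrozenSet[str]
    target_apps: FrozenSet[str]
    trusted_networks: Tuple[str, ...]   # CIDR ranges treated as trusted
    allowed_countries: FrozenSet[str]
    max_mfa_age_minutes: int
    business_hours: Tuple[time, time]


def evaluate(policy: Policy, signin: SignIn) -> Tuple[str, List[str]]:
    """Return ('not_applicable' | 'grant' | 'block', failed conditions).

    All grant controls must hold (AND); any single failure blocks the sign-in.
    """
    # Assignment scope: the policy only fires for targeted users on targeted apps.
    if not (signin.groups & policy.target_groups) or signin.app not in policy.target_apps:
        return "not_applicable", []

    failures: List[str] = []
    if not signin.device_managed:
        failures.append("device not managed/compliant")
    src = ip_address(signin.source_ip)
    if not any(src in ip_network(net) for net in policy.trusted_networks):
        failures.append("source network not trusted")
    if signin.mfa_age_minutes < 0 or signin.mfa_age_minutes > policy.max_mfa_age_minutes:
        failures.append("MFA challenge missing or stale")
    start, end = policy.business_hours
    if not (start <= signin.when.time() <= end):
        failures.append("outside business hours")
    if signin.country not in policy.allowed_countries:
        failures.append("country not allowed")
    return ("grant" if not failures else "block"), failures


PAYROLL_POLICY = Policy(
    name="finance-payroll-managed-only",
    target_groups=frozenset({"finance"}),
    target_apps=frozenset({"payroll"}),
    trusted_networks=("203.0.113.0/24",),       # constructed office range (TEST-NET-3)
    allowed_countries=frozenset({"AU"}),
    max_mfa_age_minutes=60,
    business_hours=(time(7, 0), time(19, 0)),
)

# Constructed sign-in attempts: one clean grant, then each failure mode, then
# a user the policy is not assigned to at all.
SAMPLE_SIGNINS = {
    "finance_from_office": SignIn("alice", frozenset({"finance"}), "payroll", True,
                                  "203.0.113.40", "AU", 5, datetime(2026, 3, 2, 10, 15)),
    "finance_from_cafe": SignIn("alice", frozenset({"finance"}), "payroll", True,
                                "198.51.100.7", "AU", 5, datetime(2026, 3, 2, 10, 15)),
    "finance_after_hours_stale_mfa": SignIn("alice", frozenset({"finance"}), "payroll", True,
                                            "203.0.113.40", "AU", 240, datetime(2026, 3, 2, 22, 30)),
    "finance_unmanaged_overseas": SignIn("alice", frozenset({"finance"}), "payroll", False,
                                         "192.0.2.9", "NZ", 5, datetime(2026, 3, 2, 10, 15)),
    "marketing_user": SignIn("bob", frozenset({"marketing"}), "payroll", False,
                             "198.51.100.7", "US", -1, datetime(2026, 3, 2, 3, 0)),
}


def evaluate_samples() -> dict:
    """Decision and failed conditions for every constructed sign-in."""
    return {name: evaluate(PAYROLL_POLICY, s) for name, s in SAMPLE_SIGNINS.items()}


if __name__ == "__main__":
    for name, (decision, why) in evaluate_samples().items():
        print(f"{name:32} {decision:14} {', '.join(why)}")
```

The "marketing_user" case is the one worth noticing: every control would fail for that sign-in, but because the policy is assigned only to the finance group it never evaluates, which is exactly why assignment scope deserves as much review as the controls themselves.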

Endpoint management is the second example. Intune with Defender for Business gives you device compliance evaluation, attack surface reduction rules, controlled folder access, web content filtering, and integration with conditional access in one stack. Google’s endpoint management is fine for Chromebooks, workable for Mac, and basic for Windows.

The third is data loss prevention. Purview DLP can scan content in SharePoint, OneDrive, Exchange, Teams, and increasingly third-party SaaS via Defender for Cloud Apps. Google DLP works well within Drive and Gmail but does not extend as broadly.

None of this means Google is insecure. It is not. It means that if your cybersecurity services Melbourne requirements include detailed conditional access policies, device-based access controls, or aligning to Essential Eight Maturity Level Two, Microsoft gets you there with less bolting-on. Read our zero trust security model explained guide for the framework view.

Australian Data Residency and the Privacy Act

Both Microsoft and Google host Australian customer data in Australian data centres for the core services. Microsoft uses the Australia East and Australia Southeast regions for Exchange Online, SharePoint Online, OneDrive, and Teams. Google uses Australian data centres for Workspace core data at rest. So far, so similar.

The differences appear at the edges. Microsoft publishes detailed data location commitments for each workload, and the Advanced Data Residency add-on lets you pin certain services more strictly. Google’s data residency commitments are good but less granular below the core service level. For most SMEs, this does not matter. For clients we work with in government supply chain or in regulated sectors where data sovereignty questionnaires come up, it matters significantly.

Both vendors comply with the Australian Privacy Act and the Notifiable Data Breaches scheme as data processors. Your obligations as a data controller do not go away by choosing either. If you handle personal information at scale, read our Australian Privacy Act for SMBs guide for the practical checklist.

The Real Cost of Switching

This is where most articles lie to you. They quote the migration tooling cost, which is small, and ignore the dual-running cost, the retraining cost, and the lost-productivity tail, which are large.

Here is the realistic switching cost for a 50-person Melbourne SME moving from Google Workspace to Microsoft 365 or vice versa. We will use a worked example: a 50-person property services firm in Hawthorn we migrated in early 2025 from Google to Microsoft because they had taken on a client who required vendor security questionnaires they could not answer cleanly.

| Cost line | Amount (AUD) | Notes |
|---|---|---|
| Migration project (planning, tooling, execution) | $18,000 | Mail, Drive, calendars, contacts. Fixed fee. |
| Dual-licensing during cutover (4 months) | $13,200 | Both suites paid simultaneously to ensure no data loss. |
| Endpoint reconfiguration | $6,500 | 50 devices re-enrolled, profiles redeployed. |
| Training and change management | $4,800 | Two group sessions plus drop-in clinics. |
| Productivity dip (first 6 weeks) | $28,000 estimated | 10% productivity reduction across the team while learning new tools. |
| Total realistic cost | $70,500 | Roughly $1,400 per user. |

That is the real cost. The migration project line is the only one most quotes show you. The dual-licensing, the productivity dip, and the change management are usually invisible until you are deep in the project. We had this client back to full productivity by week eight, and the ROI is positive within the second year because they retained the client whose questionnaire triggered the move. But if you switch suites without that kind of trigger, the payback is much harder to justify.

The honest test we run with clients: if you cannot articulate a specific business reason for the switch that is worth at least 1,500 dollars per user, do not switch. Stick with what you have and make it better.

Melbourne Examples: When We Recommend Each

A 12-person digital marketing agency in Collingwood. All Macs, Slack, Figma, web analytics tools, two finance staff using Xero. We recommended Google Workspace Business Plus plus Kandji for Mac MDM. Total stack cost roughly $850 per month. They are happy, audit-clean for their compliance needs, and the founder loves the Gmail UX.

A 35-person mechanical engineering consultancy in Box Hill. Windows fleet, AutoCAD and Revit, project management in a Microsoft-integrated platform, finance team building project costing models in Excel. We recommended Microsoft 365 Business Premium, Intune-managed Windows 11 devices delivered via Autopilot, Defender for Business, and Copilot for the senior engineers and finance team only. Total stack cost roughly $2,800 per month for the M365 layer. They cleared an ISO 27001 surveillance audit cleanly last quarter.

A 28-person allied health practice in Camberwell. Mixed Mac and Windows, patient management system that integrates deeply with Outlook calendars, NDIS and Medicare claiming. We recommended Microsoft 365 Business Premium for the integration reasons, Intune for device management, Defender for endpoint protection, and a structured Purview information protection deployment because patient information requires strict handling. Total cost slightly higher than Google would have been, but the integration requirements ruled Google out at the discovery stage.

For our broader take on choosing partners and platforms, see how to choose an MSP Melbourne and our top managed service providers Melbourne overview.

How TechAssist Approaches the Decision

We are platform-agnostic for genuine reasons. We were founded in 2014, we have 13 Australian engineers between our Tecoma office and our 575 Bourke St CBD office, and we operate a 24/7 NOC out of Tecoma. We migrate clients in both directions every quarter. Our per-user fixed monthly pricing does not change based on which suite you choose, so we have no commercial incentive to push either.

For new clients in our MSP Melbourne programme, we run a one-day platform assessment. We look at your endpoint fleet, your line-of-business applications, your compliance trajectory, your team’s working style, and your current pain points. We recommend Microsoft or Google based on the answer, not based on the margin. We respond to P1 incidents in under 15 minutes, and we run same-business-day on-site visits across Melbourne metro when something needs hands on hardware. The platform under the hood matters less than the discipline around it.

Our Melbourne cloud services team can scope a migration in either direction with a realistic dual-running budget and a change management plan, not just a tooling quote. Our co-managed IT support model also works if you have an internal IT lead who wants to keep the strategic decisions in-house and outsource the operational lift.

Frequently Asked Questions

Can a small business get away with just the entry-level plan?

For a five-to-ten-person business with low compliance requirements, the entry-level plan plus a third-party MFA enforcement layer and a basic backup tool will work. For anything more, the security and management gap between the entry tier and the security-grade tier is large enough that the entry tier is a false economy. We see clients spend more remediating after a security incident than they saved over three years of running on the entry tier.

What about Outlook on Mac with Google Workspace?

It works, but it is not great. If your team is on Mac and your founder wants Gmail, lean into the Google ecosystem fully rather than trying to bridge Outlook to Gmail. The hybrid setup creates calendar invitation issues, contacts sync issues, and frustrating support tickets. Pick one ecosystem.

Is Copilot worth it for a 20-person business?

For ten of those twenty people, yes. For the other ten, probably not. Buy Copilot for the seats where it will see daily use: executive assistants, sales, marketing, finance leads, and anyone whose job involves drafting documents, summarising meetings, or building reports. Do not buy it for field staff, warehouse staff, or part-time admin staff. The per-seat economics only work when the seat is actually used.

How long does a Microsoft to Google or Google to Microsoft migration actually take?

The migration tooling runs over a weekend. The dual-running window is three to five months. The team is at full productivity on the new platform by week eight to twelve. The cleanup of the old tenant takes another month or two. Anyone who tells you it is a one-month project is selling you a migration, not a successful outcome.

What about hybrid: some users on Microsoft and some on Google?

Avoid it unless you have a genuinely good reason, like a recent acquisition you are integrating. Hybrid creates shared calendar friction, email signature inconsistency, document collaboration confusion, and double the admin workload. We have a few clients running hybrid for legitimate transitional reasons. None of them are happy about it.

How do I get an honest scoping conversation?

Talk to us. We will tell you which platform fits your business and which one does not, and we will do that regardless of what you end up choosing. Reach our team via the contact page or call the office. The conversation is free and the recommendation will be straight.

Ready to Make IT Your Competitive Advantage?

Book a free consultation with our team. No pressure, no jargon — just a clear-eyed look at where you stand and what's possible.