IT Support for Melbourne Retailers: POS, Stock and Customer Wi-Fi

Retail IT lives or dies on whether you can take a payment. Good retail IT support keeps your point-of-sale and EFTPOS running through the Saturday rush, separates customer Wi-Fi from the till, syncs stock across stores and your online shop, and meets the card-handling rules — so a busy day stays a good one.

A shop that cannot process a card for an hour is losing sales and queueing customers out the door. The systems are not complex, but they have to be reliable at exactly the moment they are under most load — which is where most retail IT goes wrong.

The systems a retailer actually runs

Most Melbourne retailers run a cloud point-of-sale platform on a tablet or fixed terminal, not a server in the stockroom. The common ones we see are Square, Lightspeed Retail (which absorbed Vend) and Shopify POS. Each pairs with an EFTPOS terminal, a cash drawer, a receipt printer and a barcode scanner, and most talk to an ecommerce store and an accounting package behind the scenes. Because these are SaaS products, the vendor runs the application and the card-processing rails — but you still own the devices, the network, the staff accounts, the Wi-Fi, the internet connection and the integrations between systems. That is the half where outages and security incidents actually happen, and the half a good MSP looks after.

EFTPOS integration is where the pain hides

The single most common retail support call is “the card machine won’t talk to the till”. Integrated EFTPOS — where the terminal pulls the sale amount straight from the POS so staff do not rekey it — is faster and removes mistakes, but it adds a dependency: the POS, the payment terminal and the bank’s gateway all have to agree, and a firmware update, an expired pairing or a flaky link can break that chain. Tyro, Smartpay, the banks’ integrated terminals and Square’s own readers each behave differently, so knowing how to re-pair a setup quickly is the difference between a thirty-second fix and a closed register.

Inventory, stock and ecommerce sync

The moment a retailer sells both in-store and online, stock accuracy becomes an IT problem dressed up as a retail one. If the POS and the online store do not share a single source of truth for inventory, you oversell — taking an online order for the last item a walk-in just bought, then apologising and refunding. That failure traces straight back to a sync setting. Lightspeed Retail and Shopify both handle this natively when configured properly: one product catalogue, one stock count, updated as sales happen across every channel, and Square does the same within its ecosystem. The work is in getting the integration right — matching SKUs, mapping variants, deciding which system is authoritative, and handling edge cases like layby, click-and-collect and supplier returns. When two staff end up keeping rival spreadsheets, that is not a software limit; it is a setup that was never finished.

Customer Wi-Fi and back-of-house separation

Offering customers Wi-Fi is fine. Putting them on the same network as your point-of-sale is not, and that is the most common, most serious mistake we find in retail. Your till, EFTPOS terminals, back-office PC and stock devices belong on a trusted internal network, while customers and anything else untrusted sit on a separate guest network that can reach the internet and nothing else. They share the same physical connection but are logically walled off, usually with a VLAN and a guest SSID. Two details make that separation real rather than cosmetic: the router or firewall between the VLANs has to actually deny traffic from the guest VLAN into the internal one (a VLAN on its own only separates broadcast domains, and plenty of small-business routers allow inter-VLAN traffic by default), and the guest SSID should have client isolation turned on so customers cannot see each other either. A customer's malware-infected phone should never be able to see your payment devices, and done properly this also lets you rate-limit the guest network so a customer streaming video cannot slow card processing during peak trade.

This separation is not just good practice; it is how you keep the guest network out of PCI DSS scope. Under the card-handling rules anything that can reach a payment device is in scope, so one flat network drags the customer Wi-Fi, the CCTV recorder and the back-office PC into your compliance boundary along with the terminals. If your shop runs one flat network with the Wi-Fi password on a chalkboard, that is the first thing to fix, and our cybersecurity services treat segmentation as a baseline for any business that takes cards.
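One check that makes the separation above measurable, added here as an example rather than anything from the page or a network vendor: a small Python script run from a laptop joined to the guest SSID that tries to reach the payment and back-office devices. The addresses, ports and device labels are assumed for the example; substitute the site's own addressing plan.

```python
"""Guest-to-payment-VLAN reachability check (added example, assumed addressing).

Run from a laptop on the guest SSID. Every device this can reach is a device a
customer's phone can reach too, which means the VLAN separation is not being
enforced by the firewall between the VLANs.
"""
import socket
from typing import Callable, List, Tuple

# Assumed addressing: payment and back-office devices on 10.10.20.0/24,
# guest network on 192.168.50.0/24. Constructed for this example.
PAYMENT_TARGETS: List[Tuple[str, int, str]] = [
    ("10.10.20.10", 443, "POS tablet management interface"),
    ("10.10.20.20", 22, "EFTPOS terminal"),
    ("10.10.20.30", 445, "back-office PC (SMB)"),
    ("10.10.20.40", 9100, "receipt printer (raw print port)"),
    ("10.10.20.50", 80, "CCTV recorder web UI"),
]

# A connector takes (host, port, timeout) and returns "open", "closed" or "filtered".
Connector = Callable[[str, int, float], str]


def tcp_probe(host: str, port: int, timeout: float) -> str:
    """Classify a TCP connect attempt the way a port scanner does.

    "closed" matters as much as "open": a RST means the device answered, so the
    guest VLAN can route to it even though that one port is not listening.
    Only "filtered" (no answer at all) shows the firewall is doing its job.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # timeout, no route, host unreachable
        return "filtered"


def probe(targets, connect: Connector = tcp_probe, timeout: float = 1.5):
    """Return (host, port, label, status) for every target that answered."""
    reachable = []
    for host, port, label in targets:
        status = connect(host, port, timeout)
        if status != "filtered":
            reachable.append((host, port, label, status))
    return reachable


def verdict(reachable) -> str:
    """Human-readable pass/fail for the whole VLAN boundary."""
    if not reachable:
        return "PASS: no payment or back-office device answered from the guest network"
    lines = ["FAIL: the guest network can reach payment or back-office devices:"]
    for host, port, label, status in reachable:
        lines.append(f"  {host}:{port:<5} {status:<8} {label}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(verdict(probe(PAYMENT_TARGETS)))
```

Run it from a client on each guest band (2.4 GHz and 5 GHz) after any router or firmware change, and keep the target list in step with the device inventory; a new NVR or a replaced terminal that lands on the wrong VLAN is exactly what this catches. Confirm separately that the same laptop can still reach the internet, so a "PASS" is not simply the guest network being broken.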

PCI DSS basics for card handling

Any business that accepts card payments has to comply with the Payment Card Industry Data Security Standard (PCI DSS). For most small retailers the scope is modest: using a reputable cloud POS and an integrated terminal means you never store card numbers yourself, which keeps you in the simplest compliance tier, usually a self-assessment questionnaire (SAQ) submitted to your acquiring bank once a year. Which questionnaire you get depends on how the terminal connects: a standalone terminal on its own mobile link is the shortest form, while an IP-connected integrated terminal generally means a somewhat longer questionnaire plus quarterly external vulnerability scans of the shop's internet-facing address.

“Modest” does not mean “ignore it”. The basics that apply to nearly every retailer: do not store full card numbers anywhere; keep customer Wi-Fi separated from payment devices; use unique staff logins rather than a shared one, with MFA on the back-office and POS admin accounts; patch POS devices and terminals; and change default passwords. None of that is exotic; it is the same hygiene the Australian Cyber Security Centre (ACSC) Essential Eight is built on. If a payment provider sends you a self-assessment questionnaire and you do not know where to start, that is a normal thing for an MSP to handle.

Uptime at trade and peak-season readiness

Retail has a brutal version of the uptime problem: your busiest weeks are Christmas, Boxing Day, end-of-financial-year and any major sale, and that is exactly when an outage costs the most. A POS failure at 11am on a quiet Tuesday is a nuisance; the same failure at 1pm on the Saturday before Christmas is real lost revenue and a queue of unhappy customers. Peak-season readiness is mostly unglamorous preparation done in advance:

  • Test failover before you need it. Confirm the 4G/5G backup actually carries card processing when the fixed line drops — do not discover it does not on Boxing Day.
  • Check device health. Tablets, terminals and printers patched and charged, with spare hardware on hand for the busy period.
  • Have a number that answers. TechAssist runs a sub-15-minute response on P1/critical issues and a 24/7 NOC in Tecoma, so a register down at peak trade gets attention immediately.

Reliable internet with failover

Every system above depends on a working internet connection — cloud POS, integrated EFTPOS, stock sync and CCTV all stop being useful the moment it drops. The sensible setup is a business-grade primary connection plus automatic failover to a 4G or 5G service, so a wobble on the fixed line never stops the till. A failover that switches in seconds, prioritises payment traffic and alerts your provider turns a trading-stopping outage into something most customers never notice. Our Melbourne IT support covers connectivity and failover as part of a managed arrangement.

CCTV and physical security

Modern IP CCTV runs over your network and often stores footage in the cloud, so it needs bandwidth, it needs securing, and it should not share the network with your payment devices — the same segmentation logic applies. CCTV is also a notorious soft target: cheap recorders with default passwords and an open internet port are routinely hijacked, so cameras belong on their own segment, patched and protected with proper credentials. Footage of customers and staff is personal information, so retention and access matter too.

Multi-site management

One shop is mostly about reliability at trade. Several shops add coordination: consistent stock across locations, central reporting, the same security baseline everywhere, and fixing a problem in one store without driving there. Lightspeed and Shopify both do multi-location inventory and consolidated reporting well; the IT side is making every site identical and remotely manageable — the same network and device standards, central management of POS devices and Microsoft 365 accounts, and monitoring that flags an offline terminal before the staff there ring you. Our managed IT services are built around standardising and monitoring sites like this, so the stores do not drift into their own slightly broken configurations.

A Melbourne example

A homewares retailer in Camberwell we work with runs two shopfronts and a Shopify store. When they came to us each shop had a flat network, with customers, till and EFTPOS terminal all on one Wi-Fi; stock was tracked separately, so they regularly oversold during sales; and their single consumer connection had no backup. We standardised both stores: a business-grade connection with 4G failover, a guest Wi-Fi separated from the payment network by VLAN, one stock position synced across both stores and the online shop, integrated EFTPOS that staff could re-pair themselves, a PCI self-assessment we handled for them, and CCTV on its own segment with the default passwords gone. The following December they traded through the peak without a single payment outage, and the overselling stopped.

Frequently asked questions

Do I need PCI DSS compliance if I use Square or Lightspeed?

Yes, but the burden is small. Using a reputable cloud POS with an integrated terminal means you never store card numbers yourself, which keeps you in the simplest tier — usually a once-a-year self-assessment questionnaire — provided you cover the basics: customer Wi-Fi separated from payment devices, unique staff logins, patched devices and no default passwords.

What happens to my POS if the internet goes down?

Most cloud POS platforms keep selling briefly offline and sync when the connection returns, but integrated card processing usually needs to be online. The right answer is automatic failover to 4G or 5G so the outage barely registers, plus a standalone EFTPOS terminal as a manual fallback. The fallback only helps if that terminal has its own mobile SIM or link rather than riding on the shop Wi-Fi that just went down, so check that before you rely on it.

Can one IT provider manage all my stores?

Yes, and for a multi-store retailer that is the point. A managed arrangement standardises the network, devices and security baseline across every site and monitors them centrally, so a problem in one suburb is visible, and often fixable, without anyone driving there.

Getting retail IT right

None of this is complicated, but it has to be reliable when it counts: a POS and EFTPOS that work through the rush, customer Wi-Fi kept well away from the till, stock that matches across every channel, internet with real failover, and card handling that satisfies PCI without becoming a project. TechAssist is a Melbourne-based MSP, founded in 2014, with 13 Australian-employed engineers and same-business-day on-site across Melbourne metro on per-user fixed monthly pricing. If your shop is running on a flat network and a single connection that drops at the worst moment, get in touch and we will tell you plainly what to fix before the next sale.

Engineering and architecture firms break IT in ways most providers never see: 40GB Revit models, Civil 3D surfaces that choke a slow link, and project archives that have to be readable in ten years. Good engineering IT support starts with the workload, not a generic desktop fleet, and builds the network, storage and access control around it.

If you run a structural, civil or MEP consultancy, or an architecture practice, your IT problems are not the same as a law firm’s down the road. You are pushing large binary files across a network all day, multiple people need the same model open, and a single corrupted file or lost version can cost a fortnight of drafting. This post covers how we approach IT for these firms, what actually matters, and where the money is well spent.

Why design firms are a different IT problem

The defining feature of an engineering or architecture practice is the file. AutoCAD drawings, Revit central models, ArchiCAD teamwork files, Civil 3D corridors, SolidWorks assemblies and 12d projects are large, change constantly, and are worked on by several people at once. A 200-person office sharing Word documents barely registers on a network. A ten-person structural team syncing Revit models will saturate a cheap switch and a consumer NAS by 10am.

Three things follow from that. First, your storage and network have to move big files fast and reliably. Second, your workstations have to be specified for CAD and BIM, not for spreadsheets. Third, your backup and version control have to assume that files will get corrupted, overwritten or deleted, because over a project’s life they will. Get those three right and most of the day-to-day pain disappears.

Workstations: local high-spec vs cloud

The first real decision is where the compute lives. For a Revit or SolidWorks user, that choice drives spend, performance and how flexible your team can be.

High-spec local workstations

For most CAD and BIM work, a properly specified desktop is still the best value. The components that matter, in order, are a high-clock-speed CPU (single-thread performance drives AutoCAD and Revit far more than core count), 64GB of RAM as a sensible floor for heavy Revit and Civil 3D work, a professional GPU (NVIDIA RTX series) for ArchiCAD and rendering, and fast NVMe local storage so the working copy of a model opens quickly.

The mistake we see most often is a firm buying mid-range business desktops because that is what the office down the corridor uses, then wondering why a model takes four minutes to open. CAD workstations are a specialist purchase. We spec them per role, because a drafter, a project engineer running analysis and a director who mostly reviews drawings do not need the same machine.

Cloud workstations (Azure and Frame)

Cloud workstations, such as Azure Virtual Desktop with GPU-backed instances or Frame, run the heavy machine in a data centre and stream the screen to whatever device the user has in front of them. They make sense in specific situations: a fast-growing firm that does not want to keep buying physical hardware, staff who move between sites or work from home on light laptops, contractors who need a machine for three months, or a firm that wants drawings and models to never leave the data centre for security reasons.

The trade-offs are real. GPU cloud instances are not cheap to run all day, every day, so they suit variable or remote workloads better than a drafter sitting in the office eight hours a day. Latency to the data centre matters, so the user’s internet has to be solid. For a Melbourne firm, keeping the workload in an Australian Azure region keeps that latency low and your data onshore.

Factor            | Local high-spec workstation            | Cloud workstation (Azure/Frame)
Upfront cost      | Higher (capital purchase per machine)  | Low (pay monthly)
Ongoing cost      | Low once bought                        | Can be high with all-day GPU use
Best for          | Office-based, full-time CAD/BIM users  | Remote, mobile or short-term staff
Performance       | Excellent, no network dependency       | Good, depends on connection quality
Data location     | On the local machine and NAS           | Stays in the data centre
Hardware refresh  | Every 3 to 4 years                     | Resize the instance, no replacement

Most firms we work with land on a mix: local workstations for full-time drafters in the office, cloud workstations for remote staff, site engineers and overflow. That is usually the right answer rather than going all-in on one model.

Storage, networking and the NAS that can keep up

This is where the largest performance gains hide, and where the cheapest providers cut corners. When several people open and save large models all day, the network and the storage device behind it are the bottleneck, not the workstations.

Fast networking inside the office

For a CAD or BIM office we want at least 10 gigabit between the file server or NAS and the core switch, and gigabit to every desk as a minimum, with 2.5 gigabit or 10 gigabit to the workstations that pull the biggest files. Cabling matters: Cat6A to the desk, properly terminated, not whatever was already in the wall when the firm moved in. A model that opens in 30 seconds instead of three minutes pays for the upgrade in a week of saved drafting time.

A NAS specified for the workload

A business-grade NAS with SSD caching and dual network links handles a design team well, provided it is sized for the data and the number of concurrent users. The trap is a consumer NAS bought to save a few hundred dollars that then can’t keep up once the team and the project archive grow. We size storage for where the firm will be in three years, not where it is today, because design data only ever grows.

Version control that suits BIM

Revit and ArchiCAD have their own collaboration models (Revit central files and worksharing, ArchiCAD Teamwork via BIMcloud) that handle multi-user editing of a single model. Those tools manage who is editing what, but they are not a backup. You still need point-in-time snapshots of the whole project so you can roll back a model to last Tuesday when something goes wrong, and a clear structure for AutoCAD and Civil 3D files where there is no built-in worksharing. We set up versioned storage so an overwritten or corrupted file can be recovered to a known-good state, not just to “the last time it synced”.

Collaboration across sites and with builders

Design work is rarely done in one room any more. A structural team may be split across two offices, the architect is in a different practice entirely, and the builder needs the latest drawings on site. Sharing 40GB models by email is not an option, and dragging them across a slow VPN frustrates everyone.

For multi-site firms, the practical patterns are a properly sized site-to-site link or SD-WAN between offices so the model lives in one place and both sites work against it, or cloud-hosted BIM collaboration (Autodesk Construction Cloud / BIM Collaborate, or BIMcloud for ArchiCAD) so the central model sits in the cloud and everyone syncs to it regardless of location. For sharing finished drawings with builders and clients, a controlled portal beats emailing files around, because you keep one source of truth and an audit trail of who got what.

A civil engineering firm in Box Hill we work with runs exactly this setup: Civil 3D and 12d drafters in the office on local workstations against a fast NAS, two project engineers who split time between the office and client sites on cloud workstations, and a cloud collaboration layer so the surveyor and the builder always pull current drawings. The point is that no single approach covers every user, so the design has to match how each person actually works.

Backup, IP protection and access control

Your drawings and models are the firm’s intellectual property and, in many cases, the deliverable a client has paid for. Losing them, or letting them leak, is a business-ending event. Two things protect against that: real backup and disciplined access control.

Backup that assumes things will go wrong

We build to the 3-2-1 principle: three copies of the data, on two different media, with one off-site. For a design firm that means the live NAS, a local backup appliance for fast restores, and an encrypted off-site or cloud copy for disaster recovery. The off-site copy matters because a NAS failure, a fire at the Box Hill office, or a ransomware hit can take out everything in the building at once. We test restores, because a backup you have never restored from is a hope, not a plan. If you want the detail on how this is built, our data backup and recovery service covers it, and the RTO vs RPO explainer is worth a read for setting realistic recovery targets.
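A way to make the restore test concrete, added here as an example and not the page's or any backup product's code: record SHA-256 hashes of the project share when the backup runs, then after restoring to a scratch location compare the restored tree against that manifest. The project names, file names and contents in the demo are constructed for the example.

```python
"""Restore drill: prove a restored project tree matches what was backed up.

Added example. It assumes a manifest of SHA-256 hashes was recorded from the
live project share when the backup ran; after restoring that backup to a
scratch location, the check walks the restored tree and reports every file
that is missing, changed or extra, so the drill ends with a verdict.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

CHUNK = 1 << 20  # hash in 1 MiB chunks so a 40 GB model never lands in RAM


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each file's path (relative to root, POSIX style) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(manifest: Dict[str, str], restored: Path) -> Dict[str, List[str]]:
    """Diff the restored tree against the manifest taken at backup time."""
    actual = build_manifest(restored)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "changed": sorted(k for k in manifest if k in actual and actual[k] != manifest[k]),
        "extra": sorted(set(actual) - set(manifest)),
    }


def restore_ok(result: Dict[str, List[str]]) -> bool:
    """Extra files (thumbnail caches, lock files) are noise; anything missing
    or corrupted means the backup cannot be trusted."""
    return not result["missing"] and not result["changed"]


def demo() -> Tuple[Dict[str, List[str]], Dict[str, List[str]]]:
    """Constructed drill: a tiny 'project share', one clean restore, and one
    restore with a truncated drawing and a file that never made it in."""
    work = Path(tempfile.mkdtemp(prefix="restore-drill-"))
    try:
        live = work / "live" / "Proj-101"
        (live / "drawings").mkdir(parents=True)
        (live / "Structural.rvt").write_bytes(b"\x00RVT" * 4096)
        (live / "drawings" / "A-101.dwg").write_bytes(b"AC1032" + b"\x01" * 2048)
        (live / "notes.txt").write_text("issued for construction\n")
        manifest = build_manifest(work / "live")  # taken at backup time

        good = work / "restore-good"
        shutil.copytree(work / "live", good)

        bad = work / "restore-bad"
        shutil.copytree(work / "live", bad)
        dwg = bad / "Proj-101" / "drawings" / "A-101.dwg"
        dwg.write_bytes(dwg.read_bytes()[:100])    # silently truncated on restore
        (bad / "Proj-101" / "notes.txt").unlink()  # never made it into the backup
        (bad / "Thumbs.db").write_bytes(b"\x00")   # harmless extra

        return compare(manifest, good), compare(manifest, bad)
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    clean, broken = demo()
    print("clean restore ok:", restore_ok(clean))
    print("broken restore ok:", restore_ok(broken), broken)
```

In practice the manifest is written by the same job that runs the backup and stored alongside the off-site copy, and the drill restores a random project (not always the same small one) to a scratch share on a schedule. A drill that only restores one file by hand tells you the software works; this tells you whether the model you need on a Monday morning will open.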

Protecting IP from leaks and ransomware

Ransomware is the most common way design firms lose access to their own work, and immutable off-site backups are what get you back without paying. On the leak side, the Notifiable Data Breaches scheme under the Privacy Act 1988, overseen by the Office of the Australian Information Commissioner (OAIC), requires an entity covered by the Act to notify the OAIC and the affected individuals when personal information is lost or accessed without authorisation and that is likely to result in serious harm; project data often carries client and contract details that fall under it. Aligning to the Australian Cyber Security Centre's Essential Eight gives you a sensible baseline: application control, patching, multi-factor authentication and restricted admin privileges close off most of the common attack paths. Our cybersecurity services are built around that framework.

Project-based access control

Not everyone should see every project. Confidential tenders, defence work, or simply jobs where a staff member has a conflict all need walls. We structure file permissions by project and by team using security groups (Microsoft Entra groups, or on-premises Active Directory groups synced to Entra where the NAS or file server is domain-joined), so access is granted by role and project rather than file by file. When a contractor finishes, you disable one account and they lose access to everything at once. When a new project starts, you add the team to a group and they have what they need. It also gives you an audit trail of who accessed what, provided file-access auditing is switched on at the NAS or file server; group membership on its own records who could have opened a file, not who did. That trail matters when a client or a dispute asks the question.

Remote access that actually performs

Site engineers, directors working from home and interstate staff all need to reach the models, and this is where a lot of generic IT setups fall over. A plain VPN forcing a 40GB Revit file across a domestic connection is painfully slow and frustrates everyone into emailing copies around, which then breaks version control.

The approaches that work are cloud workstations, where the heavy machine and the file never leave the data centre and only the screen is streamed, so a director on home broadband gets near-office performance; or cloud-hosted BIM collaboration so remote users sync against a central model close to them rather than dragging files across a slow link. A blunt VPN to the office NAS is the option we move firms away from, because the physics of pushing large files over a consumer connection don’t change no matter how good the VPN is.

How TechAssist supports design firms

TechAssist is a Melbourne-based MSP, founded in 2014, with 13 Australian-employed engineers (no offshore helpdesk). We work with construction, manufacturing and professional services firms across Melbourne metro, and the engineering and architecture practices among them have exactly the workloads described here. We run per-user fixed monthly pricing with no hourly billing for in-scope work, so a busy drafting period doesn’t come with a surprise invoice, and we offer same-business-day on-site across Melbourne metro from our Tecoma NOC and CBD office at 575 Bourke Street.

Whether you need workstations specified properly, a NAS and network that keep up with Revit, or backup and access control that protect your IP, the work starts with understanding how your team actually drafts. Our managed IT services and professional services IT support pages cover the broader picture, and if you want to talk specifics, get in touch.

Frequently asked questions

Should drafters use local workstations or cloud workstations?

For full-time, office-based CAD and BIM users, a properly specified local workstation is usually better value and faster, because there is no network dependency. Cloud workstations (Azure or Frame) come into their own for remote staff, site engineers and short-term contractors. Most firms run a mix rather than picking one for everybody.

What spec does a Revit workstation actually need?

Prioritise single-thread CPU performance, then 64GB of RAM as a sensible floor for heavy models, a professional NVIDIA RTX GPU, and fast NVMe local storage. Core count and cheap RAM matter far less than people assume. The right spec depends on the role, so a drafter, an analyst and a reviewer should not all get the same machine.

How do we share large models with builders without emailing files?

Use a cloud BIM collaboration platform such as Autodesk Construction Cloud or BIMcloud for the central model, and a controlled sharing portal for issuing finished drawings. That keeps one source of truth and an audit trail of who received what, instead of multiple stale copies floating around in inboxes.

How do we protect our drawings from ransomware?

Immutable, off-site backups are what get you back without paying a ransom, so build to a 3-2-1 model and test the restores. Pair that with the Essential Eight controls, particularly application control, patching and multi-factor authentication, to reduce the chance of being hit in the first place.

Can we keep our data in Australia?

Yes. Local workstations and an on-premises NAS keep data in your office, and if you use cloud workstations or cloud backup, those can be hosted in an Australian Azure region so your IP and any client information stay onshore.

Insurance brokers hold client money, financial records and personal data, and operate under an AFSL with real ASIC obligations. Good insurance broker IT support keeps your broking platform running, protects the trust account from email fraud, and gets the security controls in place that your own cyber insurer now expects.

General insurance brokers sit in an awkward spot. You are a small business by headcount but you carry the data risk of a financial institution and the payment-fraud exposure of a conveyancer. You handle premium funds in trust, you hold years of client financial and personal information, and you answer to ASIC for how the business is run. The IT underneath all of that is usually a couple of cloud platforms, Microsoft 365 and whatever the last broker set up. That gap is where the trouble starts.

What general insurance brokers actually run

Most Australian broking offices run on a dedicated broking platform rather than a generic CRM. The common ones are WinBEAT, Sunrise (and the SCTP transaction platform behind it), Insight, and the broader ebix stack that several of these sit within. These handle policy administration, quoting, the insurer transaction interface, client records, claims and the all-important trust-account and premium-funding reconciliation.

Some platforms are cloud-hosted; others still run as on-premises or hybrid installs with a database server in the office. Either way, the vendor secures the application, but you own the devices, the accounts, the network, the integrations and the backup of everything outside the platform. The recurring weak spots we find in broking offices: shared logins on reception machines, no multi-factor authentication on Microsoft 365, the broking database backed up to a USB drive that has not been tested in two years, and bank details for premium payments sitting in email threads anyone can read.

Cluster and network group requirements

Most independent brokers belong to a cluster or network group — Steadfast, AUB, Insurance Advisernet and similar. Membership is not just buying power; it increasingly comes with technology and security expectations. Network groups push standardised platforms, single sign-on into their portals, data feeds back to head office, and in some cases minimum cyber-security requirements you have to attest to. If you join or change groups, the IT migration — platform data, mailbox records, document history — needs to be planned, not improvised over a weekend. We treat that as a project with a rollback plan, because losing seven years of client correspondence mid-migration is not recoverable.

AFSL, ASIC and the obligations behind the IT

Holding an Australian Financial Services Licence (AFSL) brings general conduct obligations under section 912A of the Corporations Act 2001, including having adequate resources (financial, technological and human) and adequate risk-management systems. That is deliberately broad, but the practical reading is clear: you need systems that keep accurate records, protect client data, and let the business keep operating when something fails. ASIC's own guidance on cyber resilience and outsourcing makes the point that you cannot contract away responsibility: if your IT or your software vendor has a problem, the obligation to your clients is still yours.

Record-keeping is the concrete part most brokers underestimate. You are expected to retain client files, advice records, policy documentation and trust-account records for years, and to be able to produce them. That makes backup and retention a compliance matter, not just an IT nicety. A broking database you cannot restore is a record-keeping failure waiting to be discovered at the worst time.

Client financial and personal data under the Privacy Act

Brokers hold a dense file on every client: names, addresses, dates of birth, financial details, claims history, sometimes health information for certain covers, and bank account details for premium payments. That is exactly the kind of personal and sensitive information the Privacy Act 1988 and the Australian Privacy Principles are built around.

If your business turns over more than $3 million you are squarely covered, and even smaller brokers are caught where they trade in personal information or provide certain services. Under the Notifiable Data Breaches scheme, a suspected breach involving client data must be assessed within 30 days, and where it is likely to cause serious harm it must be reported to the Office of the Australian Information Commissioner (OAIC) and the affected clients. A compromised mailbox full of client financial records is precisely the scenario that scheme exists for, and for a broker it is also a conversation with your AFSL obligations and your network group.

Business email compromise: the threat aimed straight at brokers

Of every risk on this page, this is the one that takes brokers down. Business email compromise (BEC) is where an attacker gets into a mailbox — usually through a phished password with no MFA — watches the email flow, and then redirects money. For a broker, the targets are obvious: premium payments from clients, refunds, and movements in and out of the trust account.

The classic version: a client emails about paying their premium, the attacker (sitting silently in your mailbox or theirs) replies with “updated” bank details, and the money lands in a mule account. By the time anyone notices, it is gone. The variant aimed at the trust account is worse, because the sums are larger and the reconciliation is monthly, so the theft can sit hidden for weeks.

The defences are unglamorous and they work:

  • MFA on every mailbox, enforced, with no exceptions for the principal who finds it annoying. Most BEC starts with a password that worked because nothing else was in the way. Prefer an authenticator app with number matching, or a hardware security key, over SMS codes; a security key is the only option that holds up against the adversary-in-the-middle phishing kits now in common use, which relay the one-time code along with the password.
  • Conditional access in Microsoft 365 to block sign-ins from countries you never trade with, plus Entra ID Protection risk detections (atypical or impossible travel, anonymous IP) to flag the ones that slip through. Treat the geo-block as a speed bump rather than a wall: attackers routinely route through Australian VPN exits.
  • A verbal verification rule for any change to payment details: phone the client on a known number, never the number in the email. This is policy, not technology, but it is the single most effective control.
  • Email security that catches lookalike domains and external-sender warnings, plus mailbox-rule auditing so an attacker quietly forwarding your mail gets caught. Disable automatic external forwarding at the tenant level in the Exchange Online outbound spam policy as well, so a forwarding rule fails even if nobody spots it.

We go deeper on this in our guide to business email security, phishing and BEC. For a broker handling trust money, it is the first thing to fix.
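The mailbox-rule auditing in the last bullet, as an added example that is not the page's or Microsoft's tooling: a Python script that reads Microsoft 365 unified audit log records and flags inbox rules or mailbox forwarding that send mail outside the tenant or hide payment-related messages. The sample records, the firm's domain (example-broker.com.au) and the keyword list are assumptions for the example; the field names follow the Exchange admin audit schema but should be checked against an export from your own tenant.

```python
"""Flag mailbox rules and forwarding changes that look like BEC persistence.

Added example. Input is the JSON found in the AuditData column returned by
Search-UnifiedAuditLog (or a Purview export). Field names follow the Exchange
admin audit schema; the sample records and domain list are constructed.
"""
import json
import re
from typing import Any, Dict, Iterable, List, Tuple

INTERNAL_DOMAINS = {"example-broker.com.au"}  # assumed: the firm's own mail domains
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
HIDE_PARAMS = ("DeleteMessage", "MarkAsRead", "MoveToFolder")
MONEY_WORDS = ("invoice", "payment", "bank", "remittance", "premium", "account")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def parameters(record: Dict[str, Any]) -> Dict[str, str]:
    """Collapse the record's Parameters array ([{Name, Value}, ...]) into a dict."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def external_addresses(value: str) -> List[str]:
    """Addresses in a parameter value whose domain is not one of ours. Values
    arrive as 'Display Name [SMTP:addr]' or 'smtp:addr', so extract anything
    that parses as an address and keep the foreign ones."""
    return sorted({a for a in EMAIL_RE.findall(value)
                   if a.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS})


def assess(record: Dict[str, Any]) -> List[str]:
    """Reasons this record looks like attacker persistence; empty means clean."""
    reasons: List[str] = []
    op = record.get("Operation", "")
    p = parameters(record)
    if op in RULE_OPS:
        forwarded = False
        for name in FORWARD_PARAMS:
            ext = external_addresses(p.get(name, ""))
            if ext:
                forwarded = True
                reasons.append(f"{name} sends mail outside the tenant: {', '.join(ext)}")
        # Delete/mark-read/move are how the attacker keeps the victim from
        # noticing the conversation being hijacked.
        hides = [n for n in HIDE_PARAMS if p.get(n, "False") not in ("", "False")]
        text = (p.get("SubjectContainsWords", "") + " " + p.get("BodyContainsWords", "")).lower()
        money = [w for w in MONEY_WORDS if w in text]
        if hides and (money or forwarded):
            reasons.append(f"hides matching mail via {hides}" + (f", keyed on {money}" if money else ""))
    elif op == "Set-Mailbox":
        # Mailbox-level forwarding needs no inbox rule at all and is easy to miss.
        for name in ("ForwardingSmtpAddress", "ForwardingAddress"):
            ext = external_addresses(p.get(name, ""))
            if ext:
                reasons.append(f"mailbox-level {name} to outside address: {', '.join(ext)}")
    return reasons


def audit(records: Iterable[Any]) -> List[Tuple[str, str, List[str]]]:
    """Run assess() over dicts or raw AuditData JSON strings; return the hits."""
    hits = []
    for rec in records:
        if isinstance(rec, str):
            rec = json.loads(rec)
        reasons = assess(rec)
        if reasons:
            hits.append((rec.get("UserId", "?"), rec.get("Operation", "?"), reasons))
    return hits


SAMPLE_RECORDS = [  # constructed, in the shape of AuditData JSON; not real log data
    json.dumps({"CreationTime": "2024-03-04T02:11:09", "Operation": "New-InboxRule", "Workload": "Exchange",
                "UserId": "accounts@example-broker.com.au", "ClientIP": "203.0.113.25", "Parameters": [
                    {"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice;payment;bank details"},
                    {"Name": "ForwardTo", "Value": "AP Recon [SMTP:ap.recon@mail-example.net]"},
                    {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"CreationTime": "2024-03-04T03:40:00", "Operation": "Set-InboxRule", "Workload": "Exchange",
                "UserId": "reception@example-broker.com.au", "Parameters": [
                    {"Name": "Identity", "Value": "Renewals"},
                    {"Name": "SubjectContainsWords", "Value": "renewal notice"},
                    {"Name": "MoveToFolder", "Value": "reception@example-broker.com.au:\\Renewals"}]}),
    json.dumps({"CreationTime": "2024-03-05T11:02:33", "Operation": "Set-Mailbox", "Workload": "Exchange",
                "UserId": "admin@example-broker.com.au", "ObjectId": "principal@example-broker.com.au",
                "Parameters": [{"Name": "Identity", "Value": "principal"},
                               {"Name": "ForwardingSmtpAddress", "Value": "smtp:pjones.home@webmail-example.org"},
                               {"Name": "DeliverToMailboxAndForward", "Value": "True"}]}),
    json.dumps({"CreationTime": "2024-03-06T09:15:00", "Operation": "New-InboxRule", "Workload": "Exchange",
                "UserId": "jsmith@example-broker.com.au", "Parameters": [
                    {"Name": "Name", "Value": "Claims to Kim"},
                    {"Name": "SubjectContainsWords", "Value": "claim"},
                    {"Name": "ForwardTo", "Value": "Kim Lee [SMTP:klee@example-broker.com.au]"}]}),
]

if __name__ == "__main__":
    for user, op, reasons in audit(SAMPLE_RECORDS):
        print(f"{user} {op}: " + "; ".join(reasons))
```

To feed it real data, pull the last few days of `New-InboxRule`, `Set-InboxRule` and `Set-Mailbox` operations with `Search-UnifiedAuditLog` in Exchange Online PowerShell and write the `AuditData` strings out one per line. The rule named "." with DeleteMessage set is the textbook BEC signature; the housekeeping rule that merely files renewals and the forward to a colleague inside the tenant both come back clean. Rules built from the Outlook desktop client are logged as the mailbox-audit operation `UpdateInboxRules` with a different parameter layout, which this script does not parse, and it only reads the log: it does not remove anything, which is deliberate, because the follow-up on a hit is an incident response (reset the password, revoke sessions, review what the attacker read), not just deleting the rule.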

Cyber insurance underwriting expectations — yes, for brokers too

There is a particular irony in brokers being underprepared for their own cyber-insurance application. The same underwriting questions you help clients answer now land on your desk, and they have hardened considerably. Insurers will not write a policy — or will price it punitively — without evidence of baseline controls.

The questions you can expect:

Underwriting control         | What insurers expect to see
Multi-factor authentication  | MFA on email, remote access and admin accounts — increasingly a hard precondition
Backups                      | Regular, tested, with at least one copy isolated from the network
Email filtering              | Advanced filtering against phishing and malicious attachments
Endpoint protection          | Modern EDR, not just legacy antivirus
Patching                     | Operating systems and software kept current
Staff awareness              | Phishing training and a documented incident response plan

These map almost exactly onto the Australian Cyber Security Centre (ACSC) Essential Eight. If you implement the meaningful parts of the Essential Eight, you answer most of the underwriting questionnaire honestly and in the affirmative — which both gets you covered and lowers the premium. We cover this overlap for SMEs in our cyber insurance guide for Australian SMEs, and the controls themselves in our Essential Eight compliance work. Answering “yes” to a control you do not actually have is a fast way to have a claim declined, so it pays to make the answers true.

Document management and the renewals workflow

Broking runs on documents — schedules, certificates of currency, closings, endorsements, claims correspondence — and on a renewals cycle that never stops. The renewals workflow is where document management, email and the broking platform all have to work together, and where things fall through when the IT is loose.

A sound setup keeps client documents in the broking platform or a structured SharePoint library, not scattered across personal mailboxes and a Downloads folder. It means a broker who leaves does not take the only copy of a client’s history with them, and a renewal does not get missed because the reminder lived in one person’s inbox. If you run on Microsoft 365, getting Microsoft 365 configured properly — shared mailboxes, sensible SharePoint structure, retention policies — is what turns a pile of email into a system the next person can pick up. It also makes the record-keeping side of your AFSL obligations far easier to satisfy.

A Melbourne example

A general insurance broking firm in Hawthorn we work with — eight staff, member of a national cluster group, running WinBEAT and Microsoft 365 — came to us after a close call. A client emailed about paying a commercial property premium. What none of them knew was that the client’s mailbox had been compromised; the attacker replied from the real address with new bank details. The broker’s accounts person nearly paid it. What stopped her was an old habit of phoning to confirm anything over a few thousand dollars — and the new account did not match.

It rattled them, because the firm had no MFA on Microsoft 365, no conditional access, and a broking database backed up to a single drive plugged into the server. We rolled out MFA across every mailbox, conditional access to block overseas sign-ins, advanced email filtering with external-sender warnings, and proper monitored backups of both Microsoft 365 and the WinBEAT data with an isolated copy. We documented a payment-verification policy so the “phone to confirm” habit became a rule rather than one person’s caution. When their cyber-insurance renewal came round, they could answer the questionnaire truthfully for the first time, and the premium reflected it.

Frequently asked questions

Does the Privacy Act apply to a small insurance broker?

If you turn over more than $3 million a year, yes, directly. Smaller brokers can still be covered depending on what they do with personal information. Given the volume of client financial and personal data a broker holds, and the AFSL and ASIC obligations sitting alongside it, the sensible approach is to operate as though the Australian Privacy Principles apply regardless — the controls are the same ones your cyber insurer and network group already expect.

What is the biggest IT risk for a broking firm?

Business email compromise aimed at premium payments and the trust account. An attacker in a mailbox with no MFA can quietly redirect client money before anyone notices. MFA on every account, conditional access, and a strict phone-to-verify rule for any change of bank details are the controls that stop it.

Will better IT lower our cyber insurance premium?

Usually, yes. Insurers price on the controls you can evidence — MFA, tested backups, email filtering, endpoint protection and patching. Implementing the Essential Eight lets you answer the underwriting questionnaire honestly and in the affirmative, which improves both your ability to get covered and the price.

We’re switching cluster groups — what about the IT?

Treat it as a planned migration, not a weekend job. Platform data, mailbox records, document history and any single sign-on into the group’s portals all need to move cleanly, with a rollback position if something goes wrong. Losing years of client correspondence mid-migration is not recoverable, so it is worth doing methodically.

Getting it right without overspending

None of this is exotic. A broking firm does not need a bank’s security budget — it needs the basics done properly and kept that way: MFA on every account, conditional access, tested and isolated backups of both the broking platform and Microsoft 365, advanced email filtering, and a payment-verification rule that everyone actually follows. TechAssist is a Melbourne-based MSP, founded in 2014, with 13 Australian-employed engineers and a 24/7 NOC in Tecoma. We support professional services firms across Melbourne metro on per-user fixed monthly pricing, with same-business-day on-site when you need hands on the ground. Our IT support for professional services and cybersecurity services are built for exactly this kind of business. If your broking office is running on goodwill and no MFA, get in touch and we will tell you plainly what to fix first.

Financial planning firms sit on a pile of sensitive client data — tax file numbers, super balances, estate details, bank accounts — under an AFSL, the Privacy Act and ASIC’s watch. Good financial planning IT support keeps Xplan and your platforms running, locks down email against payment fraud, and gives you a defensible security position when a licensee audit or a breach lands.

The risk profile is specific. Advisers move money on client instruction, hold years of sensitive records they are legally required to retain, and increasingly run their whole practice through cloud financial-planning software and CRM. That combination — money, sensitive data and email — is exactly what attackers target. Getting the IT right is not a nice-to-have for a planning firm; it is part of meeting your obligations as a licensee.

What sits behind an AFSL

If you provide personal financial advice you operate under an Australian Financial Services Licence, either your own or as an authorised representative of a dealer group. ASIC’s licensing obligations under the Corporations Act require you to have adequate resources and risk-management systems, and ASIC has been explicit that this includes cyber resilience. The RI Advice case made the point clearly — a licensee was found to have breached its obligations by failing to have adequate cyber-security risk management across its authorised representatives. Cyber is not treated as separate from your licence conditions; it is part of them.

For most planning firms that means you need to be able to show, not just assert, that you have controls in place: access management, multi-factor authentication, patching, backups, an incident response plan and oversight of the third parties handling client data. The Australian Cyber Security Centre (ACSC) Essential Eight is the sensible framework to anchor that against, and it maps cleanly onto what ASIC expects a well-run licensee to do. We cover the practical rollout in our guide to Essential Eight compliance in 90 days.

The Privacy Act and sensitive financial data

Planning firms hold some of the most sensitive personal information there is. The Privacy Act 1988 and the Australian Privacy Principles apply to most advice businesses, and the data you hold — tax file numbers, financial position, health information gathered for insurance advice — attracts a high level of protection. TFNs carry their own handling rules on top of the APPs.

Under the Notifiable Data Breaches scheme, a breach involving client financial records that is likely to cause serious harm must be assessed and, where required, reported to the Office of the Australian Information Commissioner (OAIC) and to affected clients. A compromised adviser mailbox full of statements of advice and identity documents is precisely the scenario that scheme exists for. The practical defence is unglamorous: encrypt devices, control access, keep a record of who can see what, and back everything up. We walk through breach obligations in more detail in our overview of our cybersecurity services.

The software stack: Xplan, CRM and platform integrations

Most Melbourne planning practices run on a financial-planning platform plus a CRM plus a stack of integrations into investment platforms. The common tools are Xplan (Iress), AdviserLogic and Midwinter for advice generation, modelling and statements of advice, sitting alongside CRM and document management. Those connect outward to platforms such as HUB24, Netwealth, BT Panorama and the major fund administrators, and inward to your Microsoft 365 environment.

Because the core tools are SaaS, the vendor secures the application. Your obligations do not disappear. You still own the accounts, the devices, the network, the data feeds and the backup of anything outside the platform. The recurring weak spots we find in advice firms:

  • Shared or generic logins to Xplan or the CRM, instead of an individual account per adviser and support staff member.
  • No multi-factor authentication on the practice-management platform or on Microsoft 365, so a single phished password gives an attacker the lot.
  • Platform data feeds and document integrations configured once and never reviewed, with credentials that outlast the staff who set them up.
  • Statements of advice, fact-finds and scanned ID documents sitting in a Downloads folder or a personal OneDrive rather than the managed system.

The IT job is making each of those integrations authenticated, monitored and owned, and making sure access is tied to individuals so it can be revoked the day someone leaves.

Email security and business email compromise

This is the single biggest financial risk a planning firm carries, and it deserves its own section. Business email compromise is where an attacker gets into — or convincingly impersonates — a mailbox and uses it to redirect money. For an advice firm the danger is payment and rollover instructions: a client emails asking to redeem an investment or change their nominated bank account, the adviser actions it, and the instruction was never really from the client. Or the attacker is inside the adviser’s mailbox, watching, and inserts fraudulent account details at the moment a genuine payment is due.

The controls that actually reduce this risk are layered:

  • MFA on every mailbox, enforced through conditional access, so a stolen password alone is not enough. Our piece on conditional access policies in Microsoft 365 covers how to do this without making sign-in painful.
  • Mailbox monitoring and alerting on the inbox rules attackers create to hide their tracks — auto-forwarding and “move to RSS feeds” rules are classic tells.
  • A hard process rule: any change to client bank details or any payment instruction received by email is verified by a phone call to a known number, never to the number in the email.
  • SPF, DKIM and DMARC configured so attackers cannot easily spoof your domain to your clients.

The technology stops most of it. The verbal-verification process catches what gets through. We go deeper on this in our article on business email security, phishing and BEC.
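The mailbox-rule auditing point above, as an added example that is not TechAssist's tooling: it scores inbox-rule events from a Microsoft 365 unified audit log export for the tells named here (auto-forwarding, moving to "RSS Feeds", deleting or marking as read mail about payments). It assumes the record shape that Search-UnifiedAuditLog returns for New-InboxRule and Set-InboxRule events (Operation, UserId, CreationTime and a Parameters list of Name/Value pairs); the four audit lines, the scoring weights and every address are constructed placeholders.

```python
import json

# Exchange audit operations that create or change an inbox rule.
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}
# Parameters that send a copy of mail somewhere else.
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
# Folders commonly used to bury replies so the mailbox owner never sees them.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "deleted items", "junk email", "archive"}
# Words that suggest the rule is aimed at payment or bank-detail threads.
MONEY_KEYWORDS = ("invoice", "payment", "bank", "bsb", "remittance",
                  "premium", "redemption", "account")

# Constructed sample records (one JSON object per line) in the shape of the
# AuditData returned by Search-UnifiedAuditLog. Addresses are placeholders.
SAMPLE_AUDIT_LINES = """\
{"CreationTime": "2025-03-03T08:12:41", "Operation": "New-InboxRule", "UserId": "accounts@example-broker.com.au", "Parameters": [{"Name": "Name", "Value": "Newsletters"}, {"Name": "FromAddressContainsWords", "Value": "noreply"}, {"Name": "MoveToFolder", "Value": "Newsletters"}]}
{"CreationTime": "2025-03-03T08:14:02", "Operation": "New-InboxRule", "UserId": "accounts@example-broker.com.au", "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "SubjectOrBodyContainsWords", "Value": "invoice;payment;bank details"}, {"Name": "MoveToFolder", "Value": "RSS Feeds"}, {"Name": "MarkAsRead", "Value": "True"}]}
{"CreationTime": "2025-03-03T08:15:30", "Operation": "Set-InboxRule", "UserId": "adviser@example-planner.com.au", "Parameters": [{"Name": "Identity", "Value": "Archive old"}, {"Name": "ForwardTo", "Value": "mailbox@attacker-placeholder.example"}, {"Name": "DeleteMessage", "Value": "True"}]}
{"CreationTime": "2025-03-03T08:16:00", "Operation": "MailItemsAccessed", "UserId": "adviser@example-planner.com.au", "Parameters": []}
"""


def parameters(record):
    """Flatten the record's Parameters list into a {name: value} dict of strings."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def score_inbox_rule(record):
    """Score one audit record. Returns (score, reasons); 0 means nothing notable."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return 0, []
    params = parameters(record)
    score, reasons = 0, []
    # Forwarding or redirecting to another mailbox is the strongest tell.
    for name in FORWARDING_PARAMS:
        if params.get(name):
            score += 5
            reasons.append(f"{name} -> {params[name]}")
    # Rules that hide matching mail in a folder nobody reads.
    folder = params.get("MoveToFolder", "")
    if folder.lower() in HIDING_FOLDERS:
        score += 2
        reasons.append(f"moves matching mail to '{folder}'")
    if params.get("DeleteMessage", "").lower() == "true":
        score += 2
        reasons.append("deletes matching mail")
    if params.get("MarkAsRead", "").lower() == "true":
        score += 1
        reasons.append("marks matching mail as read")
    # Conditions that single out payment or bank-detail conversations.
    for name in ("SubjectContainsWords", "BodyContainsWords",
                 "SubjectOrBodyContainsWords"):
        text = params.get(name, "").lower()
        hits = [w for w in MONEY_KEYWORDS if w in text]
        if hits:
            score += 2
            reasons.append(f"{name} targets payment terms {hits}")
    # Attackers often give new rules a blank or punctuation-only name.
    rule_name = params.get("Name", "")
    if record["Operation"] == "New-InboxRule" and not rule_name.strip(" .,-_"):
        score += 1
        reasons.append(f"near-empty rule name {rule_name!r}")
    return score, reasons


def triage(lines, threshold=2):
    """Parse a JSON-lines audit export and return alerts at or above the threshold, highest first."""
    alerts = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        score, reasons = score_inbox_rule(record)
        if score >= threshold:
            alerts.append({"user": record.get("UserId"),
                           "time": record.get("CreationTime"),
                           "operation": record["Operation"],
                           "score": score, "reasons": reasons})
    alerts.sort(key=lambda a: (-a["score"], a["time"]))
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_AUDIT_LINES):
        print(f"[{alert['score']}] {alert['time']} {alert['user']} {alert['operation']}")
        for reason in alert["reasons"]:
            print("    -", reason)
```

The legitimate "Newsletters" rule scores zero, while the two attacker-style rules surface with the specific tells listed, which is the shape of alert a mailbox-rule audit should raise for a person to check.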

MFA, conditional access and identity

Identity is the perimeter for a cloud-based advice firm. Multi-factor authentication on every account that touches client data is the non-negotiable baseline — Microsoft 365, the planning platform, the CRM and the investment platforms. Conditional access then lets you go further: block sign-ins from outside Australia, require a managed and compliant device, and step up verification for risky logins. For a firm where a single mailbox compromise can move client money, this is the control that earns its keep. It also aligns with the zero-trust thinking we explain in our zero-trust security model overview.

Data retention and client portals

Advice firms have to keep records, and keep them a long time. Under the Corporations Act and ASIC’s rules, advice documents — including statements of advice and records of the advice given — must generally be retained for at least seven years, and fee disclosure and ongoing-service records carry their own retention requirements. That is a long time to keep sensitive data safe, searchable and recoverable.

The IT implications are straightforward but easy to neglect. Retained records need to live in managed, backed-up systems, not on a departed adviser’s laptop. Microsoft 365 retention is not a backup — it protects against some accidental deletion but will not save you from a compromised account wiping data or a malicious deletion. A dedicated backup of email, OneDrive and SharePoint is essential, and our data backup and recovery service is built around exactly this. Knowing your recovery targets — how long you could operate without systems (RTO) and how much data you could lose (RPO) — turns “we have backups” into something you can actually rely on.

Client portals are increasingly how firms share statements of advice, fact-finds and annual reviews securely instead of by email attachment. A properly configured portal — whether built into your platform or layered on Microsoft 365 — reduces the BEC risk and gives clients a defined place to upload identity documents. The catch is that a portal is only as secure as the identity controls behind it, which brings us back to MFA.

Where APRA CPS 234 flows down to you

Most standalone advice firms are not APRA-regulated. But the moment you serve, or sit inside the supply chain of, an APRA-regulated entity — a super fund, an insurer, an RSE licensee — their obligations under APRA CPS 234 start to flow down to you. CPS 234 requires regulated entities to manage the information-security capability of third parties that handle their data, which means they will push contractual security requirements onto their advice partners and service providers. In practice that shows up as security questionnaires, evidence requests and clauses requiring you to maintain defined controls and notify them of incidents. If you receive feeds from or share data with a regulated platform, expect this. We unpack the standard in our explainer on information security and CPS 234, and being Essential Eight aligned puts you in a strong position to answer those questionnaires honestly.

A Melbourne example

A boutique financial planning firm in Hawthorn we work with — four advisers and a handful of support staff running Xplan and Microsoft 365 — came to us after a close call. A client emailed asking to redirect a six-figure redemption to a new bank account. The email was genuine-looking and came from the client’s real address, but the client’s own mailbox had been compromised, and the account details were the attacker’s. The adviser nearly actioned it; a junior staff member happened to phone the client about something unrelated and the fraud unravelled by luck.

We rebuilt the foundations: MFA enforced through conditional access on every account, geographic sign-in restrictions, mailbox-rule alerting, SPF, DKIM and DMARC on their domain, and a documented process that every bank-detail change or payment instruction is verbally verified on a known number. We added a real Microsoft 365 backup covering their seven-year retention obligations and moved client documents out of personal OneDrives into a managed, access-controlled portal. The firm now relies on process and controls rather than luck.

Frequently asked questions

Does ASIC require financial planning firms to have cyber security?

Effectively, yes. ASIC’s licensing obligations require an AFSL holder to have adequate risk-management systems and resources, and ASIC has made clear — including through the RI Advice case — that this covers cyber-security risk management. A planning firm that cannot demonstrate basic controls across its advisers is exposed on its licence obligations, not just its data.

How long do we have to keep client advice records?

Advice documents such as statements of advice generally must be kept for at least seven years under the Corporations Act and ASIC’s rules, and fee disclosure and ongoing-service records carry their own retention requirements. Those records need to live in managed, backed-up systems for the full period, not on individual devices.

What is the biggest IT risk for an advice practice?

Business email compromise on payment and rollover instructions. Because advisers move money on client instruction, a compromised or spoofed mailbox can redirect funds before anyone notices. MFA, mailbox monitoring and a strict verbal-verification rule for any bank-detail change are the controls that matter most.

Does APRA CPS 234 apply to us if we are not APRA-regulated?

Not directly, but it flows down. If you handle data for, or sit in the supply chain of, an APRA-regulated entity such as a super fund or insurer, CPS 234 requires them to manage your information security. Expect security questionnaires and contractual control requirements as a condition of working with them.

Getting it right without overspending

A planning firm does not need an enterprise security budget — it needs the right controls done properly and kept that way: MFA and conditional access everywhere, hardened email with a verbal-verification process for payments, individual logins across Xplan and your CRM, a real backup that meets your retention obligations, and the discipline to be able to answer a licensee or CPS 234 questionnaire honestly. TechAssist is a Melbourne-based MSP, founded in 2014, with 13 Australian-employed engineers and a 24/7 NOC in Tecoma — no offshore helpdesk. We support professional services firms across Melbourne metro on per-user fixed monthly pricing, with sub-15-minute response on critical issues and same-business-day on-site when you need hands on the ground. If your practice is running on saved passwords and goodwill, get in touch and we will tell you plainly what to fix first.

Good childcare IT support keeps your sign-in kiosks running, your Child Care Subsidy claims flowing, your CCTV recording, and families’ data locked down — without a centre director becoming the accidental IT person. For long daycare, kindergarten and OSHC providers, the technology now sits at the heart of compliance, funding and safety.

Early learning is one of the most technology-dependent industries that rarely thinks of itself that way. A single morning touches a sign-in kiosk, a management platform, a funding system, room Wi-Fi and a bank of cameras — and when any of it breaks, parents can’t sign children in, subsidy claims stall, and educators are pulled off the floor.

What makes childcare IT different from a normal office

A childcare centre has shifting staff, children who must be accounted for at all times, sensitive records on every family, funding tied to accurate attendance data, and physical-safety systems that can’t fail quietly. The stakes are also regulatory: the Australian Children’s Education and Care Quality Authority (ACECQA) administers the National Quality Framework (NQF), and your technology has to support — not undermine — your obligations around record-keeping, supervision and child safety. Get the IT wrong and you create gaps that show up at assessment and rating.

Whatever your brand of childcare management software — the common platforms in Australian centres include Xplor, Storypark, QikKids, Kidsoft, OWNA and Hubworks — it is the spine of the operation, handling enrolments, attendance, billing, educator observations and the documentation that feeds your Quality Improvement Plan. Most are cloud-based now, which makes your internet connection and Wi-Fi non-negotiable.

Child Care Subsidy and the CCSS gateway

The single most expensive thing that can go wrong is a break in your funding data. The Child Care Subsidy (CCS) subsidises fees for most Australian families, and it flows through the Child Care Subsidy System (CCSS). Your management software connects to the CCSS gateway to submit session reports, confirm enrolments and reconcile payments — a connection that runs over your internet link. When it drops — because the internet went down, a certificate expired, or someone changed a setting — session reports don’t submit on time, which means delayed payments, families chasing why their gap fee jumped, and an administrator manually reconciling weeks of attendance.

The protections that matter here are a business-grade internet service with automatic 4G/5G failover so kiosks and CCSS submissions keep working when the primary line drops, monitoring so we know the line is down before the office does, and documented certificate renewals so nothing silently expires.

Sign-in kiosks and iPads on the floor

Most centres now run sign-in/sign-out on a wall-mounted iPad at the entrance. Parents tap in, the attendance record updates, and that record is what your CCS session reports are built on — so if the kiosk is frozen or on a dead battery at 8:15am, you have a queue of parents and a hole in your attendance data.

iPads on the floor — used for observations and documentation in apps like Storypark and OWNA — are a fleet that needs managing, not a pile of personal devices. Without management, they end up on random iOS versions, signed into someone’s personal Apple ID, with no way to wipe one that goes missing with a child’s photos on it. Proper device management means enrolling every iPad in a mobile device management (MDM) platform so you can push apps, lock devices to kiosk mode, and remotely wipe anything lost or stolen.

Wi-Fi that actually reaches every room

Childcare buildings are hostile to Wi-Fi: thick walls, separate rooms for different age groups, outdoor play areas, and a single modem never designed to cover the whole centre. The result is a strong signal at reception and dead spots in the toddler room where the iPad won’t sync. Because so much now runs over the network, that’s the difference between attendance syncing in real time and an educator writing it on paper to enter later — which is how data gets lost.

The fix is a proper site survey and access points placed for coverage, with separate networks for staff devices, kiosks and families, so a parent’s phone can never reach your management system or cameras. A centre in Box Hill we work with had constant complaints about iPads dropping out in two of their five rooms; the cause was a single consumer router trying to cover the whole building. Three access points and a segmented network later, the dead spots and the paper backups disappeared.

CCTV and physical-IT security

Cameras are now standard at most centres, both for child safety and as a record if an incident is disputed. But CCTV is where physical security and IT security collide, and it is frequently the weakest link. Cheap systems often ship with default passwords, are exposed directly to the internet so staff can “check the cameras from home”, and never receive a firmware update — a combination that has put thousands of cameras worldwide onto the open internet. For a childcare centre, an exposed camera feed is a child-safety incident and a privacy breach at the same time.

Doing it properly means cameras on their own isolated network segment, no direct internet exposure, remote viewing only through a secured connection, default credentials changed, and firmware kept current — part of broader cybersecurity hygiene.

Protecting children’s and families’ sensitive data

A childcare centre holds some of the most sensitive personal information of any small business: children’s names, dates of birth, photos, medical conditions, allergies, custody arrangements, and parents’ financial details. Under the Privacy Act 1988 and the Australian Privacy Principles overseen by the Office of the Australian Information Commissioner (OAIC), you are responsible for protecting it, and a serious breach can trigger obligations under the Notifiable Data Breaches scheme.

The realistic threats aren’t sophisticated: a phished staff email, a lost iPad, a shared password on a sticky note, or a former educator who still has access. The controls that make the difference are multi-factor authentication on every email and management-software login (this alone stops most account takeovers), individual logins for staff rather than a shared “office” account, encrypted devices, and email security to catch the phishing and invoice fraud that targets centre administrators. Much of this aligns with the Essential Eight, the Australian Cyber Security Centre (ACSC) baseline — and you don’t need to be a bank to apply it.

Staff turnover and access

Early learning has high turnover and a lot of casual and relief educators, so every starter and leaver is an access event. The risk isn’t usually malice — it’s accounts that never get switched off. We regularly find centres where three or four former staff still have live logins months after they left. The fix is a documented onboarding and offboarding process: a new educator gets exactly the access they need on day one, and on their last day every login is disabled and any device is collected or remotely wiped. With per-user fixed pricing and no hourly billing for in-scope work, that becomes a quick, repeatable task.

Backups — for the data you can’t recreate

Cloud management platforms are resilient, but “it’s in the cloud” is not a backup strategy. If a staff member deletes a year of observations, an account is compromised, or a vendor has an outage, you need your own line of recovery — and the same applies to email, since Microsoft 365 doesn’t keep your data forever. A proper approach to backup and recovery covers your Microsoft 365 environment, your critical local data, and how your software vendor protects and restores data. The test isn’t whether backups are running — it’s whether you’ve confirmed you can actually restore from them.

What good childcare IT support looks like in practice

Centre directors and educators are not IT people, and shouldn’t have to be. The point of managed IT is that the kiosk works at drop-off, CCSS submissions go through, the Wi-Fi reaches every room, the cameras record, and there’s someone to call when something breaks.

Area | Common DIY situation | Managed approach
Internet / CCSS | Single line, no backup; claims stall when it drops | Business connection with automatic 4G/5G failover, monitored
Sign-in iPads | Personal Apple IDs, random iOS versions, no remote wipe | MDM-enrolled, locked to kiosk mode, wipeable if lost
Wi-Fi | One consumer router, dead spots in rooms | Surveyed access points, segmented staff/kiosk/guest networks
CCTV | Default passwords, exposed to the internet | Isolated network, secured remote viewing, firmware maintained
Staff access | Former staff logins left active for months | Documented onboarding/offboarding, access removed on exit

TechAssist is a Melbourne-based MSP founded in 2014 with 13 Australian-employed engineers — no offshore helpdesk — and a 24/7 NOC in Tecoma. With same-business-day on-site support across the metro area, that matters when a kiosk goes down during the morning rush and you need someone, not a queued ticket.

Frequently asked questions

What happens to our Child Care Subsidy claims if the internet goes down?

Your software can’t reach the CCSS gateway, so session reports don’t submit until the connection is restored, which delays subsidy payments. The fix is a business internet connection with automatic 4G or 5G failover so the line — and your claims — keep running when the primary service drops.

Do you support our specific childcare management software?

We support the IT your platform runs on — internet, Wi-Fi, devices, accounts and security — across Xplor, Storypark, QikKids, Kidsoft, OWNA, Hubworks and others, working alongside your vendor’s support for in-app issues.

How do we keep children’s photos and records secure?

Multi-factor authentication on every login, individual staff accounts rather than shared ones, encrypted devices, managed iPads that can be wiped if lost, and email security to stop phishing. These align with the Australian Cyber Security Centre’s Essential Eight and your obligations under the Privacy Act.

Getting your centre sorted

If you run a long daycare, kindergarten or OSHC service across Melbourne and the technology has become one more thing to worry about, it doesn’t have to be. The right setup quietly does its job and protects the families who trust you with their children. Get in touch for a straight conversation about what your centre needs.

Aged care IT support means keeping clinical systems, resident records and connectivity running across facilities and homes — to a standard the strengthened Aged Care Quality Standards now expect. Get it wrong and you risk a data breach, a downgraded Star Rating, and care staff locked out at handover. Get it right and the technology becomes invisible.

Since 1 July 2025, residential and home care providers have operated under the new Aged Care Act and a strengthened set of Quality Standards. The compliance bar moved, and a lot of it now lands squarely on IT. This is a practical look at what aged care providers in Melbourne actually need from their technology, and where most of them are exposed.

Why aged care is a harder IT problem than it looks

On paper an aged care provider looks like any other mid-sized organisation: staff, devices, email, a few line-of-business systems. In practice it is one of the more demanding environments we support. You have a 24/7 operation where downtime affects vulnerable people, a workforce with high turnover and patchy device literacy, some of the most sensitive personal data in the country, and a regulator that can publish your performance as a Star Rating for families to read.

Residential and home care providers also run differently from each other. A residential facility is a fixed site — nurses’ stations, medication rooms, Wi-Fi that has to reach every wing including the ones with thick brick walls built in 1975. Home care is a distributed workforce: support workers driving between clients across the suburbs, logging visits on a phone or tablet, needing reliable mobile access to care plans without carrying paper. The IT looks similar from the outside and is genuinely different underneath.

The compliance layer: Quality Standards, Star Ratings and the portals

The strengthened Aged Care Quality Standards put more explicit weight on governance, information management and the security of personal information. Standard 2 (the organisation) and the governance expectations around it mean a provider’s board and management are now accountable for how information is handled and protected — and “we outsourced it to an IT company” is not an answer the Aged Care Quality and Safety Commission accepts. The accountability stays with the provider.

Practically, that means your IT arrangements need to be documented, your access controls need to be defensible, and you need to be able to show how resident information is kept secure. If you can’t produce that on request, you have a governance gap, not just a technical one.

Star Ratings raise the stakes again. Compliance, quality measures, staffing and residents’ experience feed into a public rating on My Aged Care. Systems that don’t capture data accurately — or go down during a quality audit period — can quietly drag the numbers that families use to choose a provider. The link between “our IT is reliable” and “our rating holds up” is more direct than most boards realise.

Then there are the portals. My Aged Care, the provider portals, the Government Provider Management System and the data submissions that flow through them all depend on the right people having the right access, secure sign-in, and accurate records at the source. When a staff member leaves and their access isn’t revoked, or when the wrong person can see the wrong client’s record, that is an IT and identity problem with a compliance consequence.

Clinical and care management systems

The system at the centre of an aged care provider’s day is its clinical or care management platform. In the Australian market that usually means one of AlayaCare, Leecare, Manad Plus or Telstra Health’s iCareHealth — plus medication management, rostering and finance systems hanging off the side.

Whether these are cloud-hosted or run on a server in the comms room, the IT job is the same: they must be available, fast, backed up, and reachable from wherever care happens. A nurse at a medication round or a support worker in a client’s lounge room cannot wait for a system to load. We treat these platforms as the priority for monitoring, patching and uptime, and we build the network and connectivity around keeping them responsive.

A residential provider in Box Hill we work with runs its clinical records in the cloud and its rostering separately. The risk wasn’t the software — both vendors run solid platforms — it was everything underneath: a single internet service with no failover, a flat network where a compromised reception PC could reach the medication system, and backups nobody had ever tested. None of that is the clinical vendor’s responsibility. It’s the MSP’s, and it’s where the real exposure sits.

Protecting highly sensitive resident data

Aged care providers hold a concentration of sensitive information that makes them a deliberate target: health records, medication histories, cognitive assessments, next-of-kin details, financial and Centrelink information, and increasingly the data of family members too. Under the Privacy Act and the Australian Privacy Principles, much of this is “sensitive information” attracting the highest level of protection, and a breach is reportable to the Office of the Australian Information Commissioner (OAIC) under the Notifiable Data Breaches scheme.

The sector’s risk profile has worsened. Healthcare and aged care are consistently among the most-breached sectors in OAIC reporting, and attackers know these organisations often run lean IT with older systems and a workforce that’s easy to phish. The cyber insurance market has noticed too — premiums and the controls insurers demand both reflect the elevated risk.

The defensive baseline we hold aged care clients to is the Australian Cyber Security Centre’s (ACSC) Essential Eight: application control, patching applications, patching operating systems, configuring Microsoft Office macro settings, hardening user applications, restricting administrative privileges, multi-factor authentication, and regular tested backups. None of this is exotic. Most of the breaches we’re called in after would have been stopped or contained by getting the Essential Eight genuinely in place rather than half-done. If you want the staged version, we’ve written up how to reach Essential Eight maturity in 90 days.

Backups deserve their own mention. A tested, isolated backup is the difference between a ransomware incident being a bad week and being an existential event for a provider that can’t access medication records. We cover the discipline behind this in our guide to backup and disaster recovery for Melbourne businesses, and it applies double in aged care.

Connectivity, devices and a 24/7 operation

Connectivity that doesn’t drop at handover

A residential facility needs Wi-Fi that actually reaches every resident room, nurses’ station and medication room, and an internet connection that doesn’t take the clinical system offline when the single NBN service has a wobble. Redundant connectivity — a second link that fails over automatically — is not a luxury in a 24/7 care setting. We design facility networks with coverage and failover as the starting point, not an afterthought, and we segment the network so that resident, staff, clinical and guest traffic are properly separated.

Devices for mobile care staff

Home care support workers and roaming clinical staff need phones and tablets that are secured, enrolled and managed centrally. If a device is lost between a client visit in Ringwood and the next in Croydon, you need to remotely wipe the resident data on it within minutes — not discover it’s been sitting in someone’s glovebox unencrypted. Mobile device management through Microsoft Intune, enforced encryption, and conditional access tying sign-in to a managed device are the controls that make a fleet of field devices defensible.

Identity for a high-turnover workforce

Aged care has significant staff churn — agency staff, casuals, people moving between providers. Every starter needs the right access on day one and every leaver needs it gone the same day. Manual, ad-hoc account management is where access creep and orphaned accounts come from, and orphaned accounts are how breaches happen months after someone’s left. We run identity properly: standardised onboarding and offboarding, role-based access so a kitchen hand can’t see clinical notes, and conditional access in Microsoft 365 enforcing MFA and blocking risky sign-ins. Get identity right and a large slice of your risk disappears.

24/7 uptime expectations

Care doesn’t stop at 5pm, so neither can support. A system outage at 2am during a medication round is a clinical problem, not just an IT ticket. TechAssist runs a 24/7 network operations centre from our Tecoma office in Melbourne’s east, with a sub-15-minute response on P1 critical issues and same-business-day on-site across Melbourne metro. For a sector where downtime touches vulnerable people, those response times are the point, not a marketing line.

What good aged care IT support actually covers

Each area, and what it looks like done properly:

  • Clinical systems: AlayaCare, Leecare, Manad Plus or iCareHealth monitored, patched and prioritised for uptime; integrations and backups tested
  • Data protection: Essential Eight aligned, MFA everywhere, tested isolated backups, OAIC breach readiness
  • Connectivity: full-coverage Wi-Fi, redundant internet with failover, segmented networks per facility
  • Devices: Intune-managed phones and tablets, enforced encryption, remote wipe for lost field devices
  • Identity: same-day onboarding/offboarding, role-based access, conditional access on Microsoft 365
  • Support model: 24/7 NOC, defined P1 response times, same-day on-site, documented for governance evidence

TechAssist is a Melbourne-based MSP, founded in 2014, with 13 Australian-employed engineers — no offshore helpdesk handling resident data. We price per user on a fixed monthly basis with no hourly billing for in-scope work, which matters in a sector that has to budget tightly and can’t absorb surprise IT bills. Our cybersecurity services and broader managed IT services are built to carry this kind of regulated, always-on workload.

Frequently asked questions

Do the strengthened Aged Care Quality Standards require specific IT controls?

They don’t prescribe particular products, but the governance and information-management expectations mean providers must be able to show that resident information is kept secure and access is controlled. In practice that points straight at Essential Eight controls, MFA, managed identity and tested backups — and the accountability stays with the provider, not the IT vendor.

Is our clinical software vendor responsible for security and backups?

Only for their platform. AlayaCare, Leecare, Manad Plus and iCareHealth secure and back up their own service, but everything around it — your network, devices, identity, email, and any data you hold outside their system — is yours to protect. That gap is exactly where most incidents happen and where an MSP earns its keep.

What happens if we have a data breach?

If the breach is likely to cause serious harm, it’s notifiable to the OAIC and to affected individuals under the Notifiable Data Breaches scheme, usually within 30 days of becoming aware. Having tested backups, logging and an incident response plan ready is what turns a breach from a crisis into a managed event.

Can you support providers with both residential facilities and home care?

Yes. The two models need different network and device designs but the same underlying disciplines — identity, data protection and uptime. We build for both, including the mobile-device and connectivity needs of a distributed home care workforce.

Where to start

If you’re an aged care provider unsure whether your IT would stand up to a Quality audit or a breach, the honest first step is an assessment: where your sensitive data lives, how access is controlled, whether your backups actually restore, and where the Essential Eight gaps are. Most providers we assess have two or three serious exposures they didn’t know about. Get in touch with TechAssist and we’ll give you a straight read on where you stand and what to fix first.

Allied health clinics carry the same privacy and security obligations as a GP practice, usually with a fraction of the budget and no in-house support. Good allied health IT support keeps your clinical software running, your telehealth stable, and your patient records protected to the standard the Privacy Act and AHPRA expect.

Physiotherapy, psychology, occupational therapy, dietetics, podiatry and speech pathology clinics all sit in the same regulatory bucket. They handle health information, so they are covered by the Privacy Act regardless of turnover — the usual $3 million small-business exemption does not apply to health service providers. A two-room psychology practice in Camberwell has the same baseline obligations as a 40-clinician group. That trips a lot of owners up, so it is worth getting the IT side right from the start.

What allied health clinics actually run

Most allied health practices in Melbourne run on cloud-based practice-management software, not a server in the back room. The common platforms — Cliniko, Halaxy, Nookal, Power Diary and Coreplus — handle appointments, clinical notes, invoicing, Medicare and DVA claiming, and increasingly NDIS billing.

Because these are SaaS products, the vendor secures the application and database. Your obligations do not disappear, though. You still own the devices, accounts, clinic network, integrations and the backup of anything outside the platform — and that half is where most incidents happen. The recurring weak spots we find: unpatched, unencrypted laptops with a saved Cliniko login; shared reception accounts with no multi-factor authentication; booking widgets, payment terminals and SMS reminders that touch patient data without being configured properly; and assessment reports or scanned referrals sitting in a Downloads folder or on a USB stick. That last one is the data that gets lost.

Telehealth that actually holds up

Telehealth went from optional to core during the pandemic and has not gone back. Psychology and speech pathology run a large share of sessions over video, and the problem is almost never the platform — it is the clinic’s internet and the practitioner’s setup.

Reliable telehealth comes down to a few unglamorous things: a business-grade connection with enough upload bandwidth, a 4G or 5G failover so a session does not drop when the NBN has a wobble, Quality of Service on the router so video is prioritised over a background 2 GB update, and a decent headset and webcam. We have seen practitioners blame Coreplus or Halaxy for dropouts when the real fault was a consumer router and a single connection carrying four concurrent sessions. Upload speed is the number that matters and the one most retail plans bury — if you run more than two or three sessions at once, size it deliberately.

My Health Record and secure messaging

My Health Record connectivity

Eligible allied health providers can connect to My Health Record to view shared health summaries, discharge summaries, pathology and imaging. Connecting requires conformant software (most major platforms support it), an HPI-O for the organisation, HPI-I numbers for practitioners, and a NASH PKI certificate to authenticate the connection. The NASH certificate has to be installed and renewed correctly or the connection silently stops working — a task for someone who has done it before, not a practice manager guessing at midnight.

Secure messaging with Argus and Medical-Objects

Secure messaging through Argus or Medical-Objects is how allied health clinics exchange referrals, assessment reports and correspondence with GPs and specialists in an encrypted, point-to-point way. If you accept referrals from GP clinics, they will often expect you to be reachable on one of these networks. Getting the directory listing, software integration and message routing right is a setup job that removes a privacy risk that fax and ordinary email both carry.

Privacy, AHPRA and your legal obligations

Two regimes matter here, and they overlap. The Privacy Act 1988 and the Australian Privacy Principles apply to every health service provider, with no turnover threshold. Health information is sensitive information and attracts the highest level of protection. Under the Notifiable Data Breaches scheme, an eligible breach involving patient records must be assessed and, where it is likely to cause serious harm, reported to the Office of the Australian Information Commissioner (OAIC) and affected individuals. A lost laptop full of psychology case notes is exactly what that scheme exists for.

Separately, AHPRA and the National Boards set professional obligations on registered practitioners — physiotherapists, psychologists, occupational therapists, podiatrists and speech pathologists — including keeping accurate clinical records and protecting confidentiality. The controls that satisfy the Privacy Act are the same ones that meet those obligations: access control, encryption, retention and a record of who accessed what.

None of this requires gold-plating. The Australian Cyber Security Centre (ACSC) Essential Eight is a sensible baseline, and most clinics can implement the meaningful parts — multi-factor authentication, patching, application control and backups — without a large spend. We cover the practical version in our guide to healthcare IT support, the OAIC and My Health Record, and the broader picture in our cybersecurity services.

Multi-practitioner access control

Most allied health clinics grow by adding practitioners, and access control is usually what gets left behind. The principle is simple: each person has their own login, sees only what their role requires, and loses access the day they leave. In practice:

  • Individual accounts in Cliniko, Nookal or whichever platform you run — never a shared “reception” login that three people use.
  • Multi-factor authentication on every account that touches patient data, including the practice-management platform and Microsoft 365 mailboxes.
  • Role-based permissions so a casual admin cannot export the entire client database.
  • A leaver process that disables accounts immediately. Locum and contractor physios who rotate through clinics are a particular risk if access is never revoked.

If your clinic runs on Microsoft 365, conditional access policies let you enforce MFA and block sign-ins from unexpected locations without making life painful for staff. We walk through that in our piece on conditional access policies in Microsoft 365.
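As an added example (not TechAssist’s tooling, and not part of the original page), the following reconciles an HR roster against a directory export and reports the identity gaps described in this list and in the aged care identity section above: orphaned and leaver accounts still enabled, shared logins, accounts without MFA, starters with no account, and role violations such as a kitchen hand who can read clinical notes. The role names, permission labels and sample people are constructed assumptions, not any platform’s real scopes.

```python
"""Joiner/mover/leaver reconciliation for a care provider's user accounts."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical role-to-permission matrix; the labels stand in for a provider's
# clinical, rostering and contact-record scopes (assumption, not a real product's).
ROLE_PERMISSIONS = {
    "registered_nurse": {"clinical_notes:read", "clinical_notes:write",
                         "medication:read", "roster:read"},
    "support_worker": {"clinical_notes:read", "roster:read"},
    "kitchen_hand": {"roster:read"},
    "reception": {"roster:read", "client_contact:read"},
}

@dataclass(frozen=True)
class RosterEntry:
    login: str
    role: str
    start: date
    end: Optional[date] = None       # None means still employed

@dataclass(frozen=True)
class Account:
    login: str
    enabled: bool
    mfa_enrolled: bool
    permissions: frozenset
    owner: Optional[str] = None      # None means a shared, unattributed login

def reconcile(roster, accounts, today):
    """Cross-check the HR roster against a directory export; return findings by type."""
    findings = {"orphaned": [], "leaver_still_enabled": [], "missing_account": [],
                "shared_login": [], "no_mfa": [], "excess_permissions": []}
    roster_by_login = {r.login: r for r in roster}
    account_logins = {a.login for a in accounts}
    for a in accounts:
        if a.owner is None:
            findings["shared_login"].append(a.login)
        if a.enabled and not a.mfa_enrolled:
            findings["no_mfa"].append(a.login)
        entry = roster_by_login.get(a.login)
        if entry is None:
            if a.enabled:                       # nobody on the roster owns this login
                findings["orphaned"].append(a.login)
            continue
        if entry.end is not None and entry.end < today and a.enabled:
            findings["leaver_still_enabled"].append(a.login)   # should have gone on the last day
        if a.permissions - ROLE_PERMISSIONS.get(entry.role, set()):
            findings["excess_permissions"].append(a.login)     # holds more than the role allows
    for r in roster:                            # starters who still have no account
        active = r.start <= today and (r.end is None or r.end >= today)
        if active and r.login not in account_logins:
            findings["missing_account"].append(r.login)
    return {k: sorted(v) for k, v in findings.items()}

# Constructed sample data: a small roster and directory export, not real people.
TODAY = date(2024, 6, 10)
SAMPLE_ROSTER = [
    RosterEntry("j.nguyen", "registered_nurse", date(2021, 3, 1)),
    RosterEntry("a.patel", "kitchen_hand", date(2023, 9, 4)),
    RosterEntry("m.ross", "support_worker", date(2022, 1, 10), end=date(2024, 5, 31)),
    RosterEntry("l.chen", "support_worker", date(2024, 6, 3)),
]
SAMPLE_ACCOUNTS = [
    Account("j.nguyen", True, True, frozenset(ROLE_PERMISSIONS["registered_nurse"]), "j.nguyen"),
    Account("a.patel", True, True, frozenset({"roster:read", "clinical_notes:read"}), "a.patel"),
    Account("m.ross", True, False, frozenset({"clinical_notes:read", "roster:read"}), "m.ross"),
    Account("reception", True, False, frozenset({"roster:read", "client_contact:read"}), None),
    Account("agency.temp", True, True, frozenset({"clinical_notes:read"}), "unknown"),
]

if __name__ == "__main__":
    for kind, logins in reconcile(SAMPLE_ROSTER, SAMPLE_ACCOUNTS, TODAY).items():
        print(f"{kind:22s} {', '.join(logins) or '-'}")
```

Run against real exports, the same checks would take the HR system’s leaver dates and the directory’s account list as inputs in place of the constructed samples.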

NDIS and Medicare billing

Billing is where allied health gets operationally messy, because a single clinic might invoice Medicare, DVA, private health funds, NDIS plan managers, self-managed participants and the agency itself. Cliniko, Halaxy, Nookal, Power Diary and Coreplus all handle Medicare and DVA claiming through integrated channels, and most now support NDIS invoicing. The IT job is making sure those integrations are configured and authenticated correctly, and that the financial data — which is also personal information — is backed up and access-controlled like everything else. Incorrect NDIS claiming is not just an accounting problem; it can become a compliance issue.

Backup of patient data

“It’s in the cloud, so it’s backed up” is the most dangerous assumption in allied health IT. SaaS platforms protect against their own infrastructure failing. They do not protect you from a staff member deleting a client record, a compromised account wiping data, or a billing dispute cutting off your access. A proper backup position covers three things:

  1. Practice-management data. Where the platform allows export or third-party backup, take it. Know how to get your patient and clinical data out if you ever need to.
  2. Microsoft 365. Email, OneDrive and SharePoint need a dedicated backup — Microsoft’s retention is not a backup, and referrals live in mailboxes.
  3. Local files and devices. Anything on the reception PC or a practitioner’s laptop needs to be backed up and, ideally, not stored there at all.

Knowing your recovery targets matters too — how long you could operate if the system went down (RTO) and how much data you could lose (RPO). Our backup and disaster recovery overview covers how to set those.

A Melbourne example

A multidisciplinary allied health clinic in Box Hill we work with — physio, podiatry, dietetics and psychology under one roof — came to us after a near-miss. A practitioner’s laptop was stolen from a car. It had a saved login to their practice-management system and a folder of exported assessment reports on the desktop — none of it encrypted, no MFA on the account. They had no clear way to know what was on the device or whether the OAIC needed notifying.

We rebuilt the basics: full-disk encryption on every device, MFA across the practice-management platform and Microsoft 365, conditional access to block unexpected sign-ins, a real Microsoft 365 backup, and a policy of not storing patient files locally. Their My Health Record and Argus connections were configured and documented so renewals do not get missed. The clinic now has a defensible position if a device goes missing again.

Frequently asked questions

Does the Privacy Act apply to my small allied health clinic?

Yes. Health service providers are covered by the Privacy Act and the Australian Privacy Principles regardless of turnover. The $3 million small-business exemption does not apply to organisations that provide a health service and hold health information, so even a solo psychology or physiotherapy practice is covered.

What does My Health Record connection require?

Conformant practice-management software, an HPI-O for the organisation, HPI-I numbers for practitioners, and a NASH PKI certificate. The NASH certificate must be installed correctly and renewed on time, or the connection stops working without an obvious error.

Do I really need to replace fax for referrals?

Secure messaging through Argus or Medical-Objects is the appropriate way to exchange referrals and reports with GPs and specialists. It is encrypted point-to-point, it is what referring clinics increasingly expect, and it removes the privacy risk that fax and ordinary email both carry.

Getting it right without overspending

None of this is exotic. Allied health clinics do not need an enterprise security budget — they need the basics done properly and kept that way: encrypted devices, MFA everywhere, a real backup, sound access control, and the My Health Record and secure messaging connections maintained by someone who has done it before. TechAssist is a Melbourne-based MSP, founded in 2014, with 13 Australian-employed engineers and a 24/7 NOC in Tecoma. We support healthcare practices across Melbourne metro on per-user fixed monthly pricing, with same-business-day on-site when a clinic needs hands on the ground. If yours is running on goodwill and a consumer router, get in touch and we will tell you plainly what to fix first.
