Your sole internal IT person hands in their notice on a Tuesday afternoon. The next 90 days will quietly expose every undocumented decision, shared login, and unwritten vendor relationship they were holding together. Most Melbourne SMEs discover within a fortnight that they have no idea what their IT person actually did, and the cost of that ignorance compounds fast.
The shape of the problem
If you are running a 30 to 150-staff business in Melbourne with a single internal IT person, your operational risk is almost certainly higher than your insurer thinks it is. That person is the firewall, the documentation, the vendor relationship manager, the backup verifier, and the person who knows that the printer on level 2 has its own static IP because someone in 2019 wired it badly and nobody has fixed it since. When they resign, none of that lives anywhere else.
We have walked into this scenario more times than we can count since founding TechAssist in 2014. The pattern is consistent enough that we now treat it as a defined transition project rather than a panic. The 90-day window splits cleanly into three phases, and how you handle each one determines whether the next IT model you adopt is built on knowledge or built on guesswork.
This post walks through that window honestly. We will not pretend the handover is clean, because it almost never is. We will name the mistakes that bite later, lay out a realistic cost comparison for the three paths forward, and tell you what to do in the first 48 hours that will save you the most pain.
Week 1-2: Knowledge dump and credential capture
The clock starts the moment notice is given. Your departing IT person is, depending on the relationship, either genuinely trying to leave things tidy or already mentally checked out. Either way, the goal of the first fortnight is to extract every piece of operational knowledge from their head and every credential from their personal devices before they walk out the door.
The credential audit comes first
Before anything else, you need a complete list of every system the business uses, who owns the admin account, and where that credential is stored. In practice, most SMEs discover their IT person has been the sole holder of admin credentials to:
- The Microsoft 365 global admin account, often tied to their personal mobile for MFA
- The domain registrar (frequently a personal GoDaddy or Crazy Domains account from years ago)
- The DNS provider, which may or may not be the same as the registrar
- The firewall management console, with the vendor portal login on a Post-it note
- The NBN or fibre service account, registered to their personal email
- Backup software portals, antivirus consoles, RMM tools if they ran one
- Line-of-business application admin accounts
The MFA problem is the one that catches people. Personal phone-based MFA is the single most common landmine we find. If your departing IT person’s mobile is the second factor for your Microsoft 365 global admin, and you do not transfer that before they leave, you are one factory reset away from being locked out of your own tenant. Microsoft’s account recovery process for global admin lockouts is slow, painful, and requires documentation most SMEs cannot produce on demand.
Document the undocumented
The other priority for week 1-2 is sitting down with the departing engineer and walking through the actual environment: not what is in the wiki, but what they actually do day to day. The questions that produce the most value:
- What automations or scripts run on a schedule? Where do they live?
- Which vendor support contracts exist, when do they renew, and who is the named contact?
- What is the backup routine, where are backups stored, and when was the last successful restore test?
- Which servers or services are running on hardware that should have been replaced years ago?
- What workarounds exist that nobody else knows about?
- Which staff have local admin rights they should not have, and why?
A Caulfield-based legal practice we onboarded last year had their sole IT manager resign after 11 years. During the knowledge dump, he casually mentioned that the practice management database was being backed up by a PowerShell script he wrote in 2016 that ran on his personal laptop because the server scheduled task had stopped working in 2019 and he had not got around to fixing it. The firm had been one stolen laptop away from losing seven years of matter records without realising it.
Week 3-6: Vendor relationships and the ‘who pays for what’ audit
Once you have credentials and a working operational picture, the second phase is harder and less satisfying. You need to map every vendor relationship, every recurring charge, every Master Services Agreement, and every handshake deal your IT person ever made. This is the phase that tends to drag, because the information is fragmented across accounts payable, the IT person’s email folders, and the memories of long-tenured staff.
The vendor map
Start with the bank statements and the accounting system. Pull 12 months of card transactions and supplier invoices. Categorise every IT-related charge. You will find:
- SaaS subscriptions nobody uses anymore
- Hardware leases that auto-renew next quarter
- Support contracts on equipment that was decommissioned
- Domain renewals you did not know existed
- Monthly retainers to small contractors for specific systems
- Cloud bills (AWS, Azure) that have been growing 8% per quarter without anyone noticing
For each vendor, you want the named contract, the renewal date, the named contact, and the escalation path. Most SMEs find at least 5% of IT spend is going to things that no longer deliver value. For a business with $80,000 annual IT spend, that is $4,000 a year sitting in dead subscriptions.
The MSA discovery
Master Services Agreements with key vendors are often signed once, filed badly, and forgotten. When your IT person leaves, you need to know:
- What service levels are you actually entitled to?
- What are the notice periods if you want to terminate?
- Are there minimum spend commitments?
- Who has authority to raise priority support tickets?
For businesses considering a move to a managed IT services arrangement, this audit is non-negotiable. You cannot transition into a managed model cleanly without a complete picture of existing commitments. We have seen incoming MSPs surprised by 18-month telco contracts that the previous IT person signed without anyone realising.
Week 7-12: Decide the path forward
By week 7, you have credentials, documentation, and a vendor map. Now the actual strategic decision: replace, co-manage, or fully outsource. This is where most SMEs default to ‘replace like-for-like’ because it feels safest, but it is rarely the cheapest or the most resilient option.
Option 1: Replace internally
Hire another internal IT person. This is the path of least change but the highest single-point-of-failure risk. You are rebuilding the same fragile structure you just discovered the cost of. If you go this route, your new hire should inherit not only the credentials but also a contract clause requiring all admin access to use organisational MFA, all credentials to be stored in a business password vault, and all documentation to live in a business-controlled system. That is the bare minimum to avoid repeating this exercise in three years.
Realistic Melbourne salary for a competent internal IT generalist who can cover infrastructure, end-user support, and basic security is $90,000 to $115,000 including super, plus tools, training, and the productivity gap during recruitment (typically 3-4 months).
Option 2: Co-managed IT
Keep an internal person, but layer an MSP underneath them for the heavy lifting: 24/7 monitoring, after-hours coverage, escalation for complex problems, vendor management, and the security stack. The internal person focuses on what they are best at, which is usually being close to the staff and the business. This model works well for businesses with 50 to 250 staff who have a meaningful in-house IT need but not enough work to justify a team of three.
Our co-managed IT support model is designed for exactly this scenario, and it is often where businesses land when they have just lost a sole IT person and want resilience without complete outsourcing. The internal hire is junior to mid-level (so cheaper), the MSP carries the senior expertise and after-hours risk, and the business gets two layers of redundancy.
Option 3: Fully outsource to an MSP
No internal IT person. All support, infrastructure, security, and strategy moves to an MSP under a per-user fixed monthly contract. This is the right answer for most businesses under about 80 staff, and increasingly for businesses up to 150 staff who do not have specialist needs.
The economics are straightforward once you do the maths. A 60-staff Melbourne business paying $105,000 fully-loaded for an internal IT person, plus $25,000 in tools and licences they manage, is spending $130,000 a year for one person who takes leave, gets sick, and cannot cover after-hours. A per-user fixed monthly MSP arrangement for the same business typically lands between $110 and $160 per user per month depending on inclusions, which puts the spend in the $80,000 to $115,000 range with a contracted service level behind it. You also get the security stack, 24/7 monitoring, and a team rather than a person.
TechAssist runs a 24/7 NOC at our Tecoma office, which means when something breaks at 2am, somebody Australian is already looking at it. We also operate a CBD office at 575 Bourke Street, which matters if your staff are in the city and you want same-business-day on-site response across Melbourne metro. Our 13 Australian engineers cover the work that one internal person cannot, and our sub-15-minute P1 response target is contractual, not aspirational. If you want to choose an MSP in Melbourne properly, this is the question to ask: what is the contractual response time, and what happens if it is missed?
Realistic cost comparison: three paths
The numbers below assume a 60-staff Melbourne business with a typical mix of office and field workers, Microsoft 365 Business Premium, a small server footprint, and standard security needs. Adjust for your context, but the relative shape holds.
| Cost category | Replace internal | Co-managed | Fully outsourced MSP |
|---|---|---|---|
| Salary (including super) | $105,000 | $75,000 (junior/mid) | $0 |
| MSP retainer (60 users) | $0 | $48,000 | $95,000 |
| Tools and licences | $25,000 | Included in MSP | Included in MSP |
| Recruitment and onboarding (Y1) | $18,000 | $8,000 | $3,000 |
| After-hours coverage | Not covered | Covered by MSP | Covered by MSP |
| Single-point-of-failure risk | High | Low | Very low |
| Year 1 total cost | $148,000 | $131,000 | $98,000 |
| Year 2 ongoing | $130,000 | $123,000 | $95,000 |
The outsourced option is cheapest on paper, but the right answer depends on the business. A manufacturer in Dandenong South with heavy line-of-business software and a real shop-floor IT footprint might genuinely need an on-site person. A professional services firm in Hawthorn with 40 staff almost certainly does not.
Offboarding mistakes that bite later
These are the recurring patterns we see in the second year after a sole IT person leaves. None of them are dramatic. All of them are expensive.
Shared admin accounts
The departing IT person had a personal admin account they used for everything. When they left, somebody changed the password but did not disable the account. Six months later, an attacker who phished those credentials in 2023 finally gets around to using them. The audit log shows the admin account was used, but nobody knows which human pressed which key. Disable departing admin accounts. Do not just rotate the password.
Personal phone-based MFA
Already covered above, but it bears repeating because it is the single most common failure mode. Every MFA factor needs to be on a business-controlled device or a business-controlled mechanism (such as a security key held by the business, or a service account authenticator app on a business device).
Undocumented automations
Scripts, scheduled tasks, Power Automate flows, Zapier workflows, all running quietly in the background, all created by the departing person, none of them documented. The first failure happens nine months later when something breaks and nobody can find the source. Audit every scheduled task on every server, every Power Automate flow in the tenant, and every connector in any iPaaS tool. Document what each does, who owns the business outcome, and what happens if it stops.
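One way to run the scheduled-task part of that audit on Windows servers, as an added example that is not TechAssist's own tooling. It assumes PowerShell remoting is enabled on the servers; the server names and the departing account below are hypothetical placeholders.

```powershell
# Added example. Hypothetical inputs: replace with your own server list and account.
$servers   = @('SRV-FILE01', 'SRV-APP01')
$departing = 'EXAMPLE\jsmith'
$leaf      = ($departing -split '\\')[-1]      # match with or without the domain prefix

$tasks = Invoke-Command -ComputerName $servers -ScriptBlock {
    # Skip the built-in \Microsoft\ tree; custom automations live outside it.
    Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
        $info = $_ | Get-ScheduledTaskInfo
        [pscustomobject]@{
            Task       = $_.TaskPath + $_.TaskName
            State      = [string]$_.State
            Author     = $_.Author
            RunAs      = $_.Principal.UserId
            # COM-handler actions have no Execute value and show up empty here.
            Action     = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join ' ; '
            LastRun    = $info.LastRunTime
            LastResult = $info.LastTaskResult   # 0 means the last run succeeded
        }
    }
}

$report = $tasks | ForEach-Object {
    $flags = @()
    if ($_.Author -like "*$leaf" -or $_.RunAs -like "*$leaf") { $flags += 'tied to departing account' }
    if ($_.Action -match '\\Users\\')                         { $flags += 'runs from a user profile' }
    if ($_.State -eq 'Disabled')                              { $flags += 'disabled' }
    elseif ($_.LastResult -ne 0)                              { $flags += 'last run did not succeed' }
    $_ | Select-Object @{ n = 'Server'; e = { $_.PSComputerName } },
        Task, State, Author, RunAs, Action, LastRun, LastResult,
        @{ n = 'Flags'; e = { $flags -join '; ' } }
}

$report | Sort-Object Server, Task | Export-Csv -Path .\scheduled-task-audit.csv -NoTypeInformation
$report | Where-Object Flags | Format-Table Server, Task, RunAs, Flags -AutoSize
```

A disabled or failing task is worth a question during the knowledge dump, because the job it used to do may now be running somewhere else entirely. Power Automate flows and iPaaS connectors are not covered by this script and need their own inventory.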
Vendor portals registered to personal emails
The Telstra account, the Microsoft partner relationship, the AWS root account, the domain registrar, all created in 2017 using a personal Gmail address because it was faster than waiting for IT to set up a shared mailbox. Hunt every one of these down before the departing person walks out. Once they are gone and the vendor only accepts identity verification via that personal email, you have a multi-month problem.
Local admin rights on workstations
Many sole-IT-person businesses run with local admin rights distributed liberally. The IT person gave it out as a workaround for software installs and never took it back. This is a security problem that needs fixing during the transition, not after, because incoming MSPs will see this as a red flag and either price it in heavily or refuse the engagement. Restricting local admin is also one of the Essential Eight controls that the ACSC has been pushing for years.
What to do in the first 48 hours
If you are reading this because your IT person just resigned, here is the order of operations for the first two days. Everything else can wait.
- Change the Microsoft 365 global admin password and MFA factor. Today. Use a business-owned phone or hardware token.
- Add a second global admin account belonging to a director, with separate MFA, as an emergency access account.
- Pull a list of all admin role assignments in Microsoft 365 and document which humans hold which roles.
- Identify the domain registrar and DNS provider and confirm the business has account control. If not, start the recovery process immediately.
- Engage a transition partner if you do not have internal capacity for the next 11 weeks of work. This is not a normal-business-week task.
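The role-assignment and MFA items in that list can be pulled in one pass. This is an added example, not code from the original post; it assumes the Microsoft Graph PowerShell SDK (`Microsoft.Graph` module) is installed and that the signed-in account can consent to the read-only scopes shown.

```powershell
# Added example, read-only: who holds which admin role, and what MFA methods they have.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'User.Read.All', 'UserAuthenticationMethod.Read.All'

# Method types that live on a handset. The script cannot tell who owns the phone,
# so these rows are flagged for a human to confirm the device is business-controlled.
$handsetMethods = 'phone', 'microsoftAuthenticator', 'softwareOath'

$report = foreach ($role in Get-MgDirectoryRole -All) {
    # Returns active assignments only; PIM-eligible assignments are not listed here.
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        $type = $member.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.'
        $row = [ordered]@{
            Role       = $role.DisplayName
            MemberType = $type                  # user, group or servicePrincipal
            Name       = $member.AdditionalProperties['displayName']
            UPN        = $null
            Enabled    = $null
            Methods    = $null
            Review     = $null
        }
        if ($type -eq 'user') {
            $user    = Get-MgUser -UserId $member.Id -Property userPrincipalName, accountEnabled
            $methods = @(Get-MgUserAuthenticationMethod -UserId $member.Id | ForEach-Object {
                $_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.' -replace 'AuthenticationMethod$'
            })
            $strong  = @($methods | Where-Object { $_ -ne 'password' })
            $row.UPN     = $user.UserPrincipalName
            $row.Enabled = $user.AccountEnabled
            $row.Methods = $methods -join ','
            $row.Review  = if ($strong.Count -eq 0) {
                'no MFA method registered'
            } elseif ($strong | Where-Object { $_ -in $handsetMethods }) {
                'handset-based MFA: confirm device owner'
            } else {
                'no handset method'
            }
        }
        [pscustomobject]$row
    }
}

$report | Sort-Object Role, UPN | Export-Csv -Path .\m365-admin-roles.csv -NoTypeInformation
$report | Format-Table Role, UPN, Enabled, Methods, Review -AutoSize
```

Keep the CSV with the transition documentation; the `Enabled` column also shows whether a departed person's admin account was actually disabled rather than only having its password changed.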
If you want help running this transition cleanly, that is the bread and butter of our Melbourne MSP practice. We have done it dozens of times. The pattern is repeatable. The mistakes are predictable. The 90 days will pass either way.
Frequently Asked Questions
How long should the notice period be for a sole IT person?
Contractually, whatever your employment agreement says, usually four weeks. Practically, you want to be in a position where you could survive a one-day departure if the relationship turned sour. That means documentation, credential capture, and a transition plan ready to execute. If you only have the standard notice period and no plan, four weeks will not be enough.
Should we let the departing IT person help us choose the replacement?
Generally, no. Their incentives and the business’s incentives are not aligned. They may favour a friend, or push toward a model that protects their professional reputation rather than what fits the business. Use the departing engineer for knowledge transfer, not for vendor selection.
What if the departing person was a contractor, not an employee?
The risk profile is similar but the legal lever is different. Contractors usually have weaker IP and confidentiality protections by default unless the contract was written carefully. Check the contract for credential ownership, work product ownership, and data handling clauses. If the contractor was using their own tooling (their RMM, their backup software, their monitoring), you need to migrate off that tooling before they leave, not after.
Is co-managed IT just outsourcing with extra steps?
No, and this is a common misconception. Co-managed works because the internal person handles the relationships, the business knowledge, and the ground-level support, while the MSP handles the depth, the after-hours, the security stack, and the senior expertise. The internal person is the face. The MSP is the backbone. It works for businesses that have enough IT work to keep one person busy but not enough to justify a team.
How does the Essential Eight fit into all of this?
The Essential Eight is the ACSC’s baseline cybersecurity framework, and it is becoming a de facto expectation for Australian SMEs working with government, financial services, or healthcare clients. A sole IT person rarely has the bandwidth to implement and maintain all eight controls properly. The transition out of a sole-IT model is a natural moment to assess your cybersecurity posture against the Essential Eight and pick a path forward that closes the gaps.
How quickly can an MSP take over from a departing internal IT person?
For a clean transition, six to eight weeks from contract signature to full handover is realistic. We have done faster in emergency scenarios, but the work suffers. The first two weeks are discovery and credential transfer, the next two weeks are tooling deployment and policy alignment, and the final two to four weeks are co-running while the departing person is still available for questions. If you are starting that conversation, do it the week the resignation lands, not the week before the person leaves.