IT Strategy for Melbourne Not-for-Profits: Doing More With ACNC-Grade Constraints

Melbourne not-for-profits run on volunteer-grade IT until something breaks. This is a practical strategy guide for NFPs with 25 to 150 staff: maximising the Microsoft non-profit licensing offers, the volunteer-vs-staff identity model, ACNC governance basics for donor data, and a realistic three-year roadmap on an NFP budget.

Why NFP IT looks the way it does

The pattern is consistent across the Melbourne NFP sector. A founder built the IT environment 8 to 15 years ago, probably with the help of a tech-savvy volunteer, and it grew organically as the organisation grew. Permissions accumulated, mailboxes were shared, board members got admin access, a couple of well-meaning contractors built things that nobody now understands. The IT spend looks lean on paper because most of it was donated, volunteered, or quietly absorbed into operational lines. The risk position looks fine until you actually audit it.

The Australian Charities and Not-for-profits Commission (ACNC) governance standards do not prescribe specific IT controls, but they do require that responsible persons act with reasonable care and diligence, that the organisation’s assets (including data) are managed properly, and that conflicts of interest are managed. For an NFP holding donor financial data, beneficiary case files, or vulnerable-person information, IT is in scope for that diligence obligation whether or not the board has framed it that way.

And then there is the funding reality. NFPs are running with thin margins, restricted grants, and a board that wants every dollar to go to the mission. Spending $80,000 a year on IT looks indefensible until you compare it to the cost of an incident that takes the organisation offline for a week. The strategy below is built to maximise the impact per dollar in an NFP context, drawing on a decade of work with Melbourne charities, social enterprises, and community organisations since founding TechAssist in 2014.

Maximising Microsoft non-profit licensing

The single largest cost lever for an Australian NFP is the Microsoft non-profit offer, and it is the one most under-claimed. Eligible organisations (registered charities with ACNC, plus some NDIS providers and educational organisations) can access:

| Offer | What you get | Annual saving vs commercial |
|---|---|---|
| Microsoft 365 Business Basic (donated, free) | Web and mobile Office, Exchange, Teams, OneDrive, SharePoint | $110 per user / year |
| Microsoft 365 Business Premium (heavily discounted, ~$8 per user / month) | Full Business Premium including Defender, Intune, Entra ID P1 | $290 per user / year |
| Microsoft 365 E3 (donated up to 10 seats, then discounted) | Enterprise-tier productivity and security | $480 per user / year |
| Microsoft 365 E5 (heavily discounted) | Full enterprise stack including E5 security | $700+ per user / year |
| Power Platform (discounted) | Power Apps, Power Automate, Power BI | Variable |
| Azure credit grant (annual) | $3,500 USD per year in Azure consumption credit | ~$5,500 AUD |

The offers most NFPs underclaim are the Business Premium discount and the Azure credit. We routinely see NFPs running on Business Basic (free) when Business Premium at $8 per user per month would give them dramatically better security at trivial extra cost. We also see NFPs paying for Azure consumption that the annual credit grant would have covered.

A community services NFP in Footscray that we work with had 95 paid staff on Business Basic plus a handful of E3 licences for the leadership team. Migrating the whole organisation to Business Premium (at NFP discounted pricing) cost them an extra $9,500 a year and gave them Defender for Business, Intune device management, conditional access through Entra ID P1, and the foundation for an Essential Eight Maturity Level 1 posture. The same upgrade at commercial pricing would have cost $34,000 a year. The NFP discount made the security upgrade affordable.

The catch with the Microsoft non-profit offers is that they have changed several times over the past three years. The free E1 grant disappeared in 2024; the free Business Basic grant remains but with seat limits; pricing has shifted. The current state at the time of writing is in the Microsoft Tech for Social Impact portal, and we recommend reviewing your entitlements annually. The work to revalidate is small; the saving is large.

Donor data and ACNC governance basics

The IT-relevant parts of ACNC governance for an NFP holding donor or beneficiary data:

Responsible persons and diligence

Governance Standard 5 requires responsible persons (board members, trustees) to act with reasonable care and diligence in the role. In practice, that means the board needs to be able to demonstrate that data assets are being managed properly. The audit trail that satisfies this is documented controls (a basic security policy, evidence of MFA enforcement, a register of vendors processing personal data, an incident response plan). Not enterprise-grade artefacts, but defensible documents that would survive scrutiny.

The Privacy Act position

The Privacy Act small business exemption (under $3 million turnover) used to cover many NFPs. Three important caveats: NFPs providing health services (which is many) do not get the exemption; NFPs that are funded by government contracts may have contractual obligations equivalent to the APPs; and the Privacy Act reforms are narrowing the exemption for everyone. The pragmatic position for an NFP of any size is to operate as if the APPs apply, because the donor base, the grant funders, and the boards increasingly expect that posture. Our piece on the Privacy Act for SMBs and what your IT team must do covers the detail.

Beneficiary case data

For NFPs holding case data on beneficiaries – homelessness services, family violence support, mental health services, refugee support – the data sensitivity is at the highest tier. The controls need to match: encrypted storage, strict access controls, audit logs, MFA enforced for every user, careful management of contractors. Funders for these services often impose explicit data security clauses; the IT posture is contractual as well as ethical.

The volunteer-vs-staff identity model

The identity question is where most NFP IT environments fall apart. A typical mid-sized NFP has paid staff, volunteers, board members, contractors, partner organisations, and donors all interacting with various systems. The traditional approach – everyone gets a full Microsoft 365 licence with full mailbox and tenant access – is expensive, dangerous, and unnecessary.

The model we recommend for Melbourne NFPs:

| User type | Identity model | What they get |
|---|---|---|
| Paid staff | Member user with M365 licence | Full M365, Teams, SharePoint, Outlook, Intune-managed device |
| Regular volunteers (weekly+) | Member user with Business Basic (donated) | Free Business Basic, Teams, OneDrive, scoped SharePoint access |
| Occasional volunteers | Entra ID guest (B2B) | SharePoint and Teams access only, no mailbox, MFA enforced |
| Board members | Member user with Business Basic or Business Premium | Full Teams, scoped board SharePoint site, NO admin role |
| Contractors | Entra ID guest (B2B), time-limited | Scoped access, MFA, automatic expiry on contract end date |
| Partner organisations | Entra ID B2B with conditional access | Shared SharePoint workspace, no email, controlled by access policies |

The Entra ID guest (B2B) model is the unlock. Guests don’t consume Microsoft 365 licences from your tenant; they use their own. You pay for the infrastructure once, and contractors, board members at other organisations, and partner orgs can access scoped resources without licensing cost. For an NFP with 60 paid staff, 20 regular volunteers, 8 board members, 12 contractors, and 4 partner orgs, the licensing footprint is 60 paid licences plus 20 donated Business Basic. The other 24 people are B2B guests at zero licence cost.

The discipline that makes this work is the lifecycle. Guest accounts need to expire when the contract ends; volunteer accounts need to deactivate when the volunteer stops volunteering; board members need their access removed when they leave the board. Without lifecycle hygiene, the tenant fills up with orphaned accounts and the security posture rots. Conditional access policies and access reviews in Entra ID can automate most of this, but somebody needs to set it up and watch it.
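The "MFA enforced" column in the identity table is one conditional access policy. The script below is an added example (not TechAssist's or Microsoft's own code) that creates it through Microsoft Graph PowerShell, starting in report-only mode so the effect can be checked in the sign-in log before it is enforced. It assumes the Microsoft.Graph module is installed, the tenant has Entra ID P1 (included in Business Premium), and the break-glass account id is a placeholder you replace.

```powershell
# Added example (not TechAssist's or Microsoft's own script): create the "MFA for every guest"
# conditional access policy from the identity table via Microsoft Graph PowerShell.
# Assumes: Microsoft.Graph module installed; tenant has Entra ID P1; the signed-in admin can
# write conditional access policies.
param(
    # Placeholder: object id of the emergency-access (break-glass) account that must never be
    # locked out by a conditional access policy. Replace with the real id before running.
    [string]$BreakGlassUserId = "00000000-0000-0000-0000-000000000000",
    # Start in report-only mode; switch to "enabled" after reviewing report-only results for a week.
    [ValidateSet("enabledForReportingButNotEnforced", "enabled", "disabled")]
    [string]$State = "enabledForReportingButNotEnforced"
)

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All" -NoWelcome

$displayName = "NFP - Require MFA for guests and external users"

# Idempotent: do not create a duplicate if a policy with this name already exists.
$existing = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$displayName'"
if ($existing) {
    Write-Host "Policy already exists (id $($existing.Id), state $($existing.State)); nothing to do."
    return
}

$policy = @{
    displayName   = $displayName
    state         = $State
    conditions    = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @("All") }
        users          = @{
            # Built-in selector that covers B2B guests and other external users in the tenant.
            includeUsers = @("GuestsOrExternalUsers")
            excludeUsers = @($BreakGlassUserId)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in state $($created.State)"
```

Run it once in report-only mode, review which guest sign-ins would have been blocked, then re-run with `-State enabled`.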

Grant-funded vs operational IT spend

One of the structural challenges for Melbourne NFPs: most funders restrict grants to direct program costs, and IT is treated as overhead. The result is a chronic shortfall in IT investment because operational funding does not stretch and grant funding will not cover it.

Three practical strategies:

Bundle IT into program costs where it genuinely is

If a program needs a case management system, the licensing, training, and support for that system is a program cost, not overhead. The same logic applies to the laptops the program staff use, the security tooling that protects the beneficiary data, the M365 licences that enable the case workers to collaborate. Many funders accept this when it is explained. The key is to budget the IT for the program at the proposal stage, with the line items broken out.

Apply for dedicated IT capacity grants

Several Australian foundations and government programs fund organisational IT capacity specifically: cyber security uplift grants, digital transformation grants, infrastructure modernisation grants. They are competitive but real money is available. A heritage and arts NFP we work with in Brunswick received a $45,000 cyber security uplift grant in 2025 that funded the full Essential Eight Maturity Level 1 implementation we had been recommending for two years.

Treat the IT investment as risk mitigation in the board narrative

Boards approve risk mitigation spend when they understand the risk. The ‘this is the security stack’ conversation rarely lands; the ‘a successful cyber attack on this organisation would cost X dollars, take Y weeks to recover from, and trigger Z mandatory disclosures’ conversation usually does. The IT spend becomes risk insurance, which boards understand better than infrastructure.

The realistic 3-year roadmap (25 to 150 staff NFP)

What does a sensible IT modernisation roadmap look like for a mid-sized Melbourne NFP that is starting from a typical legacy posture?

Year 1: Foundation and triage

| Quarter | Priorities |
|---|---|
| Q1 | Validate Microsoft NFP eligibility and entitlements; tenant security audit; document current state |
| Q2 | Migrate paid staff to Business Premium; enforce MFA on every account; remove orphaned admin roles |
| Q3 | Implement Intune device management for staff laptops; baseline security policies; M365 backup deployed |
| Q4 | Volunteer and contractor identity rework using Entra ID B2B; board SharePoint site rebuild; first DR test |

Year 1 focus: the controls that most reduce risk for the least money. By the end of Year 1 the NFP should have a defensible Essential Eight Maturity Level 1 posture, a documented identity model, and a working DR position. Approximate cost for a 60-staff NFP: $40,000 to $60,000 above the existing baseline, much of which can be partially grant-funded.

Year 2: Optimisation and capability

| Quarter | Priorities |
|---|---|
| Q1 | SharePoint information architecture rebuild; retire founder-era shared mailboxes |
| Q2 | Power Platform pilots for case management or donor management workflows |
| Q3 | Vendor risk register and lite review programme; Privacy Act position documented |
| Q4 | Annual security audit; cyber insurance renewal at improved posture; team training |

Year 2 focus: making the staff genuinely productive and reducing the operational tax of accumulated technical debt. The SharePoint rebuild alone often returns 2 to 4 hours per staff member per week in time saved looking for documents.

Year 3: Strategic and scale

| Quarter | Priorities |
|---|---|
| Q1 | Copilot for M365 pilot with selected leadership and program staff |
| Q2 | Workflow automation for high-volume manual processes (intake forms, reporting) |
| Q3 | Mature DR posture with quarterly tests; Essential Eight Maturity Level 2 stretch goal where applicable |
| Q4 | Annual strategic review; multi-year planning for the next cycle |

Year 3 focus: capability that lifts the mission, not just the operational base. By the end of Year 3 the NFP should be at a mature state where the IT investment is producing visible program impact – more case workers serving more beneficiaries, more donor reach per fundraising dollar, better impact measurement for funders.

The two NFP-specific traps

Two patterns we see repeatedly in Melbourne NFPs that deserve specific attention.

Trap 1: Founder-era shared mailboxes

Almost every long-running NFP has a set of shared mailboxes that date to the founder era: info@, admin@, donations@, volunteers@, plus a clutch of program-specific ones. They were set up with shared passwords, often without MFA, often with everyone who has ever worked there still having access. The risk is enormous and the cleanup is awkward because important communications are routed through them.

The fix is a structured project: identify every shared mailbox, identify the legitimate access list, convert to proper Microsoft 365 shared mailboxes with delegated access (which means access is tied to individual identities, MFA-protected, and auditable), and migrate the workflows that depended on shared passwords to proper licensed accounts. Not glamorous, but it removes a real attack surface. Expect 60 to 100 hours of work for a typical mid-sized NFP.

Trap 2: Board members with full SharePoint access from 2018

Board membership turns over, but historical access often does not. A typical mid-sized NFP has 4 to 8 former board members whose accounts are still active in the tenant with the access they had when they left. Some of them may also be working at competing or partner organisations now. The conditional access policies they fell under in 2018 are not the policies in force today.

The fix is an Entra ID access review, run annually, against the board membership records held by the company secretary. Every former member’s access is removed cleanly. Future board members are onboarded with a clear lifecycle (account provisioned at appointment, access removed within 7 days of departure, conditional access policy enforced).

This sounds like basic hygiene because it is. The fact that it is missing in 80% of the NFPs we have audited is the point.

Security posture: aligning to Essential Eight on an NFP budget

The Australian Signals Directorate’s Essential Eight is the de facto baseline for organisational cyber security in Australia. Maturity Level 1 is achievable for a mid-sized NFP at modest cost when the Microsoft non-profit licensing covers the underlying infrastructure. The strategies that map to NFP-relevant controls:

| Essential Eight strategy | NFP-friendly implementation |
|---|---|
| Application control | Intune-managed devices with Defender for Business application control policies. See our guide to application control for the detail. |
| Patch applications | Intune update rings; Defender Vulnerability Management |
| Configure Microsoft Office macro settings | Intune policy; macros from the internet disabled |
| User application hardening | Intune policy on browser security, attack surface reduction rules |
| Restrict administrative privileges | Entra ID PIM for admin roles; named admin accounts only; remove standing admin from regular users |
| Patch operating systems | Intune update rings |
| Multi-factor authentication | Entra ID conditional access; phishing-resistant MFA for admins |
| Regular backups | M365 backup (third party) + on-prem if applicable; tested quarterly |

Maturity Level 1 across all eight strategies, for a 60-staff NFP, is achievable at around $25,000 to $40,000 in tooling and project costs above the existing licensing. Maturity Level 2 adds another $30,000 to $50,000 and is appropriate for NFPs with sensitive beneficiary data or government contracts that require it. For the broader context on aligning to the Essential Eight, our zero trust security model piece covers the complementary thinking.

The MSP question for NFPs

Most Melbourne NFPs that engage an MSP fall into one of three models:

  1. Pro-bono or heavily discounted MSP – the MSP donates time, often through their own community engagement program. Variable quality; the MSP’s paying clients always come first.
  2. Volunteer-led with MSP escalation – a tech-skilled volunteer manages day-to-day and engages an MSP for specific projects. Works well if the volunteer is genuinely skilled and committed; falls apart when they move on.
  3. Standard per-user managed services engagement – the NFP pays standard rates for the engagement, sometimes with a sector discount.

The honest assessment after a decade of NFP work: the third model produces the best long-term outcome. Pro-bono engagements are inconsistent and don’t survive the MSP changing strategy; volunteer-led models work until they don’t, and the transition cost is high. A standard managed engagement at a sector-appropriate rate gives the NFP the same response model as a paying commercial client, which matters when something is on fire at 3 a.m.

For TechAssist, our NFP engagements run on the same model as our commercial managed clients: per-user fixed monthly pricing, sub-15-minute P1 response from our 24/7 NOC at Tecoma, same-business-day on-site response across Melbourne metro from our two offices (Tecoma and 575 Bourke Street CBD), and the same 13 Australian engineers across helpdesk, projects and security. We typically offer a sector-appropriate rate that reflects the NFP budget reality, but the service is the same. The discipline of running it as a real engagement is what makes it work for both parties. To talk through an NFP engagement, our team is reachable through the contact page, or our Melbourne managed IT services page covers the broader engagement model.

Frequently Asked Questions

We are a very small NFP (under 25 staff). Does this strategy still apply?

Most of it does, scaled down. The Microsoft non-profit licensing maximisation is still the biggest lever. The identity model still matters even at smaller scale. The Essential Eight Maturity Level 1 alignment is still achievable. The MSP engagement is the piece that scales differently; for very small NFPs, a co-managed model or a sector-shared service can be more affordable than a per-user managed engagement. Our co-managed IT support page covers that model.

How do we get board buy-in for an IT investment that competes with program funding?

Frame it as risk mitigation and capacity-building, not infrastructure. The board cares about the mission and about not having a catastrophic incident; they typically do not care about Entra ID conditional access policies. Show the worst-case scenarios with realistic numbers, show what an Essential Eight Maturity Level 1 posture costs to put in place, and frame the spend as protecting program continuity. Most boards approve when the trade-off is framed honestly.

What is the single most impactful change for an NFP starting from a typical legacy posture?

Enforcing multi-factor authentication on every account, with no exceptions for the founder, the board, or ‘the person who has been here forever.’ It costs nothing beyond the Microsoft licensing you already have. It prevents the most common attack pattern. It is the change most NFPs delay because it is annoying for users in the first week, and the change that most NFPs regret delaying after the first incident.

Can we just rely on the donated free Microsoft 365 Business Basic?

For very small NFPs with low risk profiles, possibly. For most mid-sized Melbourne NFPs holding donor or beneficiary data, no. Business Basic does not include Defender for Business, does not include Intune device management, and does not include the conditional access capabilities that an Essential Eight posture requires. The Business Premium upgrade at NFP-discounted pricing is one of the highest-ROI spending decisions an NFP can make.

How do we handle the long tail of historical accounts in our tenant?

Run an Entra ID access review, focused on accounts that have not signed in for 90 days. Most are former staff, former volunteers, former board members, or test accounts that were never cleaned up. Disable them (do not delete immediately; the licence cost is zero and the audit trail is valuable). After 90 days of being disabled without complaint, delete. The cleanup typically removes 20 to 40% of the tenant accounts in a long-running NFP.
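The 90-day review above, as an added example (not TechAssist's own tooling) using Microsoft Graph PowerShell: it reports every enabled account with no sign-in in the window, optionally disables them, and on a later pass deletes those that have sat disabled for another 90 days. It assumes the Microsoft.Graph module is installed, the signed-in admin holds User.ReadWrite.All and AuditLog.Read.All, and the tenant has Entra ID P1 (required for the signInActivity property).

```powershell
# Added example (not TechAssist's script): stale-account review with Microsoft Graph PowerShell.
# Assumes: Microsoft.Graph module installed; admin has User.ReadWrite.All and AuditLog.Read.All;
# tenant has Entra ID P1 (signInActivity is not returned without it).
param(
    [int]$StaleDays = 90,                         # no sign-in at all in this window
    [switch]$Disable,                             # report only unless this switch is given
    [switch]$Purge,                               # second pass: delete accounts disabled >= StaleDays ago
    [string]$ReportPath = ".\stale-accounts.csv"  # written on review, read back on purge
)

Connect-MgGraph -Scopes "User.ReadWrite.All", "AuditLog.Read.All" -NoWelcome
$cutoff = (Get-Date).ToUniversalTime().AddDays(-$StaleDays)
$me     = (Get-MgContext).Account                 # never touch the account running the review

if ($Purge) {
    # Pass two: accounts recorded as disabled at least StaleDays ago and still disabled are deleted.
    $rows = Import-Csv -Path $ReportPath | Where-Object { [datetime]$_.DisabledOn -lt $cutoff }
    foreach ($r in $rows) {
        $u = Get-MgUser -UserId $r.UserPrincipalName -Property "id,accountEnabled" -ErrorAction SilentlyContinue
        if ($u -and -not $u.AccountEnabled) {
            Remove-MgUser -UserId $u.Id
            Write-Host "Deleted $($r.UserPrincipalName) (disabled since $($r.DisabledOn))"
        }
    }
    return
}

# Pass one: signInActivity must be requested explicitly via -Property.
$users = Get-MgUser -All -Property "id,userPrincipalName,displayName,userType,accountEnabled,createdDateTime,signInActivity"

$stale = foreach ($u in $users) {
    if (-not $u.AccountEnabled -or $u.UserPrincipalName -eq $me) { continue }

    # Take the most recent of interactive and non-interactive sign-in; both may be null.
    $last = @($u.SignInActivity.LastSignInDateTime, $u.SignInActivity.LastNonInteractiveSignInDateTime) |
        Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1
    # An account that has never signed in is judged on its creation date instead,
    # so a guest invited last week is not flagged.
    $reference = if ($last) { $last } else { $u.CreatedDateTime }

    if ($reference -lt $cutoff) {
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            DisplayName       = $u.DisplayName
            UserType          = $u.UserType        # Member or Guest
            LastSignIn        = $last
            Created           = $u.CreatedDateTime
            DisabledOn        = if ($Disable) { (Get-Date).ToUniversalTime().ToString("o") } else { "" }
        }
    }
}

Write-Host "$(@($stale).Count) of $(@($users).Count) accounts have no sign-in in the last $StaleDays days."
if ($stale) {
    $stale | Export-Csv -Path $ReportPath -NoTypeInformation
    if ($Disable) {
        foreach ($s in $stale) {
            # Disable, never delete, on the first pass: the account and its audit trail stay intact.
            Update-MgUser -UserId $s.UserPrincipalName -AccountEnabled:$false
            Write-Host "Disabled $($s.UserPrincipalName) ($($s.UserType))"
        }
    }
}
```

Run it without switches first and reconcile the CSV against HR, volunteer and board records; then `-Disable`, and after a further 90 days `-Purge`.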

Where do we start if we have no IT documentation at all?

Start with three documents: a tenant configuration baseline (what is currently configured, by whom, for what reason), an asset list (devices, accounts, key vendors), and a basic incident response plan (who calls whom when something happens). These three documents are 80% of the audit-readiness conversation and form the foundation that everything else builds on. The work is typically 20 to 30 hours of MSP time and is some of the highest-value spending in the first year of a managed engagement.

A FY27 IT budget template for a specific persona: a 50-person Melbourne professional services firm, $12 million revenue. Numbered line items, real dollar ranges, IT-spend-as-percentage-of-revenue benchmarks, and the four lines most SMEs forget. Built for CFOs who want defensible numbers, not vendor guesswork.

The persona this budget is built for

Specifics matter; a generic IT budget is useless. The numbers below are sized for:

  • 50 staff total (45 desk-based knowledge workers, 5 partners or executives)
  • Melbourne-based, single office plus remote work, typical CBD or inner-suburb location
  • Professional services (consulting, legal, accounting, architecture, engineering consultancy) – knowledge-worker firm with no manufacturing, no point-of-sale, no production line
  • Approximately $12 million annual revenue
  • Microsoft 365 stack, hybrid cloud (light on-prem footprint, most workloads in Azure or SaaS)
  • Standard cyber insurance requirements; aligned to Essential Eight Maturity Level 1 minimum
  • No internal IT staff; engagement with an MSP on per-user fixed monthly pricing

If your business is materially different – 50 staff with a manufacturing plant in Dandenong, or a 50-staff healthcare practice with clinical software, or a 50-staff retailer with 12 store locations – the totals will move significantly. Use this as a baseline to adjust from. Our sector-specific guidance for Melbourne manufacturers, healthcare, and law firms covers the variations.

The benchmark: IT spend as a percentage of revenue

Industry benchmarks vary by sector, but for Australian professional services firms in the 30 to 100 staff band, IT spend as a percentage of revenue typically lands between 1.5% and 3.5%. The drivers of where you sit in that range:

| Position in range | Profile |
|---|---|
| 1.5% – 2.0% | Mature firm, stable headcount, established systems, no major projects, light security stack |
| 2.0% – 2.5% | Typical steady-state for a well-run firm with appropriate security and a 3-year hardware refresh |
| 2.5% – 3.0% | Growth phase, projects in flight, security uplift, M&A or office relocation |
| 3.0% – 3.5% | Major transformation – platform migration, post-incident rebuild, compliance project, AI rollout |
| 3.5%+ | Either temporary spike or something is wrong; investigate |

For our persona ($12 million revenue), the FY27 budget should land between $240,000 and $360,000 in steady state, or up to $420,000 in a project-heavy year. The template below targets the middle of that range and produces a defensible $295,000 to $345,000 total. If your number is above this, look first at the projects line; if it is well below, look first at security and backup.

The line-itemed FY27 template

All numbers are in AUD, annual, for the persona above. Ranges reflect actual variance across our managed book in Melbourne; the midpoint is what we would budget for a typical firm in this segment.

1. Microsoft 365 licensing

The single largest recurring line for most professional services firms.

| Item | Per user / month | Annual (50 users) |
|---|---|---|
| Microsoft 365 Business Premium (recommended baseline) | $32.10 | $19,260 |
| OR Microsoft 365 E3 + Entra ID P2 + Defender for Office P2 | $54 – $62 | $32,400 – $37,200 |
| Copilot for M365 (selected users, typically 30-50%) | $45 | $8,100 – $13,500 (for 15-25 users) |
| Power BI Pro (for analyst users) | $15 | $1,800 (for 10 users) |

Subtotal for M365: $29,000 – $52,000. For our persona, $35,000 is realistic – Business Premium across the firm, Copilot for 20 selected users, Power BI for the analyst pool. The Business Premium vs E3 conversation hinges on whether you need the deeper compliance and identity protection of E3+P2; for most 50-staff professional services firms, Business Premium is sufficient.

2. Security stack (beyond what is included in M365)

Microsoft 365 Business Premium includes Defender for Business, Intune, and Entra ID P1. That is a strong baseline. Additional security tooling for a 50-staff firm typically covers:

| Item | Annual |
|---|---|
| SIEM / managed detection and response (MDR) service | $18,000 – $36,000 |
| Email security additional layer (Mimecast, Proofpoint, Avanan) | $6,000 – $10,000 |
| DNS filtering (Cisco Umbrella, DNSFilter) | $1,800 – $3,000 |
| Password manager (1Password Business, Bitwarden Enterprise) | $3,000 – $4,500 |
| Vulnerability scanning / external attack surface monitoring | $3,000 – $7,000 |

Subtotal for additional security: $32,000 – $60,000. For our persona, $42,000 is realistic – MDR through the MSP, additional email security, DNS filtering, password manager, light external attack surface monitoring. This line item is where SMEs traditionally underspent and where the post-2023 cyber insurance market has forced the conversation. Our Melbourne cyber security services wrap most of these into a managed stack.

3. Managed IT services retainer (MSP)

For a 50-staff firm engaging an MSP on per-user fixed monthly pricing, the typical Melbourne market rate in 2026 is $110 to $170 per user per month for a comprehensive engagement that covers unlimited support, security operations, vendor management, and proactive maintenance.

| Item | Per user / month | Annual (50 users) |
|---|---|---|
| Comprehensive managed IT (low end) | $110 | $66,000 |
| Comprehensive managed IT (typical) | $140 | $84,000 |
| Comprehensive managed IT (high end / specialist) | $170 | $102,000 |

Subtotal: $66,000 – $102,000. For our persona, $80,000 to $90,000 is realistic. Co-managed models (where you have some internal capability and the MSP fills gaps) typically land 30 to 40% lower; pure break-fix models are cheaper still but rarely advisable at this scale. For the context on what to expect from a Melbourne MSP at this price band, see our guide to choosing an MSP in Melbourne.

4. Hardware refresh sinking fund

The mistake most SMEs make is treating hardware as a lumpy capex purchase every three years. Better: a smooth annual sinking fund that covers the rolling refresh.

| Item | Annual |
|---|---|
| Laptops (50 units on a 4-year cycle, $2,200 each) | $27,500 |
| Docking stations and monitors (refresh on 5-year cycle) | $3,500 |
| Network equipment refresh (5-year cycle on switches, APs, firewall) | $5,000 |
| Server hardware refresh (if any on-prem footprint) | $2,000 – $4,000 |

Subtotal: $38,000 – $40,000. Hold this as a separate fund; do not blend it into operational expense. When the refresh cycle hits, the fund pays for it without a quarterly cost spike. The 4-year laptop cycle assumes mid-range business laptops (Dell Latitude, HP ProBook, Lenovo ThinkPad mid-tier); premium devices (MacBook Pro, ThinkPad X1) push the per-unit number to $3,500 and the line to $44,000.

5. Projects budget

The line item that gets cut first when revenue softens and then has to be reinstated when something breaks. Better to budget it explicitly:

| Item | Annual |
|---|---|
| Planned projects (system upgrade, office move, integration) | $25,000 – $50,000 |
| Unplanned or reactive projects | $15,000 – $25,000 |

Subtotal: $40,000 – $75,000. For our persona, $50,000 is realistic. A typical FY27 project list might include a SharePoint information architecture rebuild, an Entra ID conditional access refresh, a CRM integration, and the office Wi-Fi upgrade. Whatever the list is, it should be in the budget at the start of the year, not added quarter by quarter.

6. Cyber insurance

Cyber insurance premiums for Australian professional services SMEs in 2026 land around 0.4% to 0.8% of revenue for $5 million to $10 million of cover with reasonable retentions, assuming the security posture meets the underwriter’s requirements (MFA, EDR, backups, training, vendor risk management).

| Item | Annual |
|---|---|
| Cyber insurance premium for $5M cover | $28,000 – $52,000 |
| Broker fee (if applicable) | $1,500 – $3,000 |

Subtotal: $30,000 – $55,000. For our persona, $42,000 is realistic. The premium has stabilised after the sharp increases of 2022-2024 but remains sensitive to your control posture; gaps in your security stack will push the premium up materially or trigger a coverage decline. The conversation with the broker is now half technical (controls), half financial (limits and retentions).

7. Training

Easily skipped, easily justified to skip, and the highest-ROI security spend in the budget.

| Item | Annual |
|---|---|
| Security awareness training platform (KnowBe4, Phriendly Phishing, MetaCompliance) | $3,500 – $6,000 |
| Microsoft 365 / Copilot productivity training | $3,000 – $8,000 |
| Role-specific training (project management, technical skills) | $3,000 – $6,000 |

Subtotal: $9,500 – $20,000. For our persona, $12,000 is realistic. Phriendly Phishing has strong Australian content and is our default recommendation for clients who want locally relevant training.

8. Contingency

10% of the total budget as a contingency reserve, held against unexpected events that the projects line cannot absorb (an early hardware failure outside the refresh cycle, a regulatory change forcing a tooling addition, a vendor that hikes prices unexpectedly).

Subtotal: $25,000 – $35,000.

The four line items most SMEs forget

Across hundreds of budget reviews with Melbourne SMEs, four line items show up in good budgets and are missing from average ones.

1. Vendor risk tooling and process

Either a dedicated platform (rarely justified at SME scale) or the time cost of running the lite vendor risk programme. We typically include this within the MSP retainer for our managed clients, but if you are running it internally, budget for 8 to 16 hours per month of someone’s time. For a 50-staff firm, this is $8,000 to $15,000 a year that often shows up nowhere.

2. AI licences you already pay for

Most firms now have Copilot for M365, ChatGPT Team or Enterprise, Claude.ai for Work or Teams, a specialised AI tool for their sector, and one or two pilots that grew into production. The cumulative AI line is rarely consolidated; it lives in expense claims, in a marketing budget, in a partner’s personal spend. Sum it up. For our persona, total AI tooling is typically $15,000 to $35,000 a year by FY27.

3. M365 backup

As discussed at length in our buyer’s guide on the topic, Microsoft does not back up your M365 data in a way that helps you recover from real incidents. Third-party M365 backup for 50 users is $1,800 to $3,600 a year. Cheap, essential, and missing from most budgets.

4. Exit and transition reserve

The unpleasant truth: at some point in the next 5 to 10 years, you will change MSPs, change your primary cloud platform, or be acquired. The cost of a clean exit is real – typically 4 to 12 weeks of overlap, documentation work, data extraction fees, and project management. Budget 5% of annual IT spend in a reserve, held separately, that exists for this purpose. For our persona, that is $15,000 a year sitting in a reserve account. You may not need it in any given year, but when the day comes, you will be glad it is there.

The CapEx vs OpEx question for FY27

The classic SME CFO question – ‘should we buy the laptops outright or lease them, should we buy the server or rent the cloud workload’ – has shifted meaningfully in the SaaS era. For most line items in this budget, the choice has been made for you: there is no CapEx option. Microsoft 365 is OpEx. The MSP retainer is OpEx. Cyber insurance is OpEx. The MDR service is OpEx.

The remaining CapEx choices are:

  • Laptops: Buying outright is usually cheaper over a 4-year cycle than Device-as-a-Service (DaaS), but DaaS smooths cash flow and includes refresh management. For a 50-staff firm, the financial difference is around $4 to $6 per device per month either way; the operational difference is more meaningful.
  • Network equipment: Almost always CapEx. The lifespan is 5 to 7 years, and the rental models for switches and APs don’t make financial sense at this scale.
  • Server hardware (if any): If you still run on-prem servers, CapEx remains the norm. The question to ask annually is whether the workload should be in Azure rather than on the server at all.

Our default recommendation for FY27 is to keep laptops and network equipment as CapEx with a sinking fund, and treat everything else as OpEx. Don’t over-engineer this.

The FY27 total

Adding the midpoints together for our persona:

| Line item | FY27 budget |
|---|---|
| 1. Microsoft 365 licensing | $35,000 |
| 2. Security stack (beyond M365) | $42,000 |
| 3. MSP retainer | $85,000 |
| 4. Hardware refresh sinking fund | $38,000 |
| 5. Projects | $50,000 |
| 6. Cyber insurance | $42,000 |
| 7. Training | $12,000 |
| 8. Contingency | $30,000 |
| Forgotten items (vendor risk, AI, M365 backup, exit reserve) | $22,000 |
| Total | $356,000 |

$356,000 against $12 million revenue is 2.97% – in the upper half of the steady-state range. If FY27 is genuinely a steady-state year with no major projects, you could pull this back toward $300,000 by trimming the projects line. If FY27 has a major piece of work (M&A integration, platform migration, office relocation), the projects line should grow and the total can reasonably push past $400,000.

A real-world worked example

A 48-staff consulting firm in Collingwood approached us in 2025 with an FY26 IT budget of $185,000 that they suspected was too low. The reality check confirmed it: their security stack was a few years out of date, their MSP retainer was a break-fix arrangement that produced a constant stream of unbudgeted incidents, and there was no projects line.

The rebuild brought them to $310,000 for FY26, then approximately $330,000 for FY27 (this template). The increase landed in three categories: an additional $35,000 in security tooling and MDR, a $40,000 increase in the MSP retainer for a comprehensive managed model, and the previously-invisible projects budget at $50,000. Their cyber insurance premium dropped $9,000 the following year because the upgraded posture qualified them for a better rate. Net true cost increase: about $116,000, or just under 1% of revenue.

The conversation with the partners took two meetings. The first meeting was about why the number was going up; the second was about what they got for it (a defensible security posture, predictable monthly costs, no more invoice surprises, a real DR position, alignment with Essential Eight Maturity Level 1). The decision was unanimous after the second meeting. The lesson: SMEs underspend on IT because the value of the spend is invisible. Make it visible and the budget conversation gets easier.

How TechAssist works with the FY27 budget

For managed clients on our per-user fixed monthly pricing, the MSP retainer line on this template covers our entire engagement: the sub-15-minute P1 response from our 24/7 NOC at Tecoma, the same-business-day on-site response across Melbourne metro from either our Tecoma office or our 575 Bourke Street CBD office, and the work of our 13 Australian engineers across helpdesk, projects, security operations and vendor management. Founded in 2014, we have built the engagement model specifically for SMEs like the persona in this template: 30 to 150 staff, professional services or similar, Microsoft-aligned, Essential Eight focused.

The security tooling line, the M365 licensing, the cyber insurance premium and the hardware are direct vendor relationships that we manage on behalf of the client but bill at vendor cost. The projects line is scoped separately at the start of the financial year. The result is a budget that is predictable to within 5% across the year, which is what makes the CFO conversation work. For the broader picture of how the engagement is structured, see our MSP Melbourne page or reach the team through contact.

Frequently Asked Questions

We are smaller than 50 staff – how do we scale this down?

The fixed costs (cyber insurance, baseline security stack) don’t scale linearly with headcount. A 25-staff firm typically spends 3.0% to 4.0% of revenue on IT – higher than the 50-staff number – because the fixed costs are spread across fewer users. The per-user costs (M365 licensing, MSP retainer per user, hardware sinking fund) scale linearly. Apply the same template, adjust for size, and expect the percentage of revenue to be higher.

What about firms larger than 100 staff?

Past 100 staff, the conversation usually splits: an internal IT manager or director appears in the org chart, the security stack moves toward enterprise tooling, and the MSP relationship becomes co-managed rather than fully outsourced. Total IT spend as a percentage of revenue typically drops to 1.5% to 2.5% as scale efficiencies kick in.

How much of this should be CapEx versus OpEx for tax purposes?

This template lands roughly 90% OpEx and 10% CapEx (the hardware sinking fund). The OpEx-heavy mix is structurally favourable for cash flow but means the depreciation argument for tax is smaller than it was a decade ago. Talk to your accountant; the tax treatment of cloud and SaaS spend changes most years.

Should we budget for AI separately?

Yes. The AI line will grow meaningfully through FY27 and into FY28 as Copilot, agent-based tools, and sector-specific AI products scale up. Separating the AI line makes the growth visible and lets the leadership team make explicit decisions about it rather than discovering it on the credit card statement.

What is the most common budget mistake for a firm this size?

Underspending on security and overspending on premium hardware. We see firms with $3,500 MacBooks for every user but no MDR service and a self-managed Microsoft tenant. Inverting that ratio – mid-tier hardware, comprehensive security – produces a more defensible posture for the same total spend.

How do we benchmark our actual spend against this template?

Pull together your actual line items, map them to the eight categories above, calculate the percentage of revenue, and compare. If you would like an external review, we run IT budget assessments as a discrete piece of work for non-clients, with a one-page summary and a remediation list. Reach the team through the contact page.

Melbourne SMEs buying disaster recovery for the first time get stuck between three product categories, unrealistic RTO numbers, and a Microsoft 365 backup conversation nobody told them about. This is the buyer’s guide: what you are choosing between, the realistic 2026 price brackets, and the eight questions to ask any DR vendor before signing.

What this guide is and is not

This is not a planning guide. It is not ‘how to write a business impact analysis.’ It is the conversation you have once you have decided you need to buy something and you are trying to work out what to buy.

Three product categories cover almost every Melbourne SME DR purchase in 2026:

  1. DRaaS – replicating production workloads to a cloud target so they can be failed over (Azure Site Recovery is the dominant Australian play, with VMware Cloud Disaster Recovery and Zerto in specialised cases)
  2. On-premises BCDR appliances – a local appliance that backs up your servers and can stand them up locally or in the vendor’s cloud (Datto, Axcient, Acronis, Arcserve, Veeam with a hardware partner)
  3. SaaS backup – third-party backup for Microsoft 365 and Google Workspace, which the platform vendors do not back up for you (Keepit, Backupify, CloudAlly, Veeam for M365, AvePoint, Dropsuite)

Most SMEs need pieces of all three, in different combinations. A 60-staff professional services firm in Richmond probably needs Azure Site Recovery for the two on-premises servers, a third-party M365 backup, and not much else. A 90-staff manufacturer in Dandenong with a line-of-business ERP, a SQL database, and a need for fast local recovery probably needs a BCDR appliance plus SaaS backup. A 100% cloud-native software company needs SaaS backup plus a workload-specific backup of their cloud database. The product mix follows the workload.

For the planning side of the conversation – the BIA, the RTO and RPO targets, the runbook – see our backup and disaster recovery 2026 guide, which is the companion piece to this one.

Category 1: DRaaS (Disaster Recovery as a Service)

The model is: your production workload runs where it is (on-prem, in Azure, in AWS), and a replication layer copies it continuously to a standby environment in a cloud target. When something fails, you fail over to the standby and run there until you can return to primary.

Azure Site Recovery (ASR)

The default option for Australian SMEs running on Hyper-V or VMware on-prem, or running production workloads in Azure. Replicates VMs to a secondary Azure region (typically Australia East to Australia Southeast, or vice versa). Failover is orchestrated, and you can test failover into an isolated network without disrupting production.

Strengths:

  • Native Microsoft, integrates with the rest of the Azure estate
  • Australia-sovereign target regions
  • Pricing is genuinely SME-friendly: about $25 to $30 per protected instance per month for ASR itself, plus the storage and (during failover) the compute
  • Failover testing is non-disruptive and well-supported

Weaknesses:

  • RPO is typically 5 to 15 minutes for app-consistent recoveries; not the sub-minute that some marketing claims
  • Complex to configure properly; SMEs often deploy it half-configured
  • The compute cost during a real failover catches CFOs off guard – if you fail over 12 VMs and run them in DR for two weeks while you rebuild, that is a real Azure bill
  • Requires Azure expertise that not every MSP has at the level needed for reliable orchestration

VMware Cloud Disaster Recovery

For SMEs running VMware on-premises with a meaningful estate. Replicates to a VMware Cloud target on AWS or to an alternative pilot-light site. Usually overkill for under-50-VM environments.

Zerto

The premium DRaaS choice. Continuous data protection rather than scheduled replication, RPOs measured in seconds, mature failover orchestration. Priced accordingly. We deploy Zerto for clients who genuinely need sub-minute RPO on critical workloads; it is not the right answer for an average SME.

Category 2: On-premises BCDR appliances

The model is: a physical or virtual appliance lives at your office or data centre, takes regular image-level backups of your servers (and often endpoints), and can either restore locally (fast) or stand the workloads up in the vendor’s cloud (slower, but works if your office is gone).

Datto

The category-defining product. Datto Siris appliances are sold exclusively through MSPs. The local appliance has its own compute, so it can stand up a failed server as a virtual instance on the appliance itself within minutes. Off-site copies replicate to Datto’s cloud (in Australia, hosted in Sydney and Melbourne data centres).

Strengths:

  • Fast local recovery; the on-appliance virtualisation actually works
  • Cloud failover is real, not theoretical, and Datto runs the orchestration
  • Hardware refresh is part of the agreement; the appliance gets replaced on a cycle without a capex spike
  • Good for SMEs that want a single thing to point at when the auditor asks ‘show me your DR’

Weaknesses:

  • Per-protected-server pricing; can become expensive for environments with many small servers
  • Vendor lock-in; getting your backup data out of Datto if you change providers is a project
  • Local appliance is a single point of failure for local recovery; needs the off-site copy to be real
  • The MSP-only sales channel means you cannot evaluate it without going through a partner

Axcient

Similar concept to Datto, with the local appliance and the cloud failover. Often the right answer for slightly smaller environments where Datto’s pricing is over the budget. The cloud failover capability is solid; the on-appliance virtualisation is functional but slightly less polished.

Veeam with hardware

The build-your-own option. Veeam is the backup software, paired with a Dell PowerEdge or HPE ProLiant or a purpose-built backup appliance (Dell PowerProtect, HPE StoreOnce). More flexible and often cheaper at scale than the all-in-one appliances, but requires the MSP or internal team to design, build, and operate the stack rather than buying it as a service.

This is what we recommend for clients who already have Veeam expertise and who want to avoid the vendor lock-in of the all-in-one appliances. It is what we run in our own environment.

Acronis and Arcserve

Adjacent options in this category, both with valid use cases. Acronis Cyber Protect adds a security overlay (anti-malware, anti-ransomware) on top of the backup product, which appeals to SMEs that want fewer products to manage. Arcserve UDP has a strong reputation for hybrid workloads. Both are worth evaluating if Datto and Axcient don’t fit.

Category 3: SaaS backup (the conversation nobody told you about)

The single most common gap we see in Melbourne SME DR posture: Microsoft does not back up your Microsoft 365 data in a way that helps you recover from accidental deletion, ransomware encryption, malicious insider activity, or a SharePoint policy gone wrong. They protect their infrastructure, not your content. This is the Microsoft 365 shared responsibility model, and it is documented in their own service description.

What Microsoft does:

  • Geo-redundant storage so a data centre failure does not lose your data
  • Retention policies you configure (litigation hold, retention labels)
  • Recycle bin and version history for a default period
  • Point-in-time recovery for Exchange Online within a window

What Microsoft does not do:

  • Full long-term backup of your mailboxes, OneDrive, SharePoint, and Teams content
  • Granular recovery to a point earlier than the retention or recycle bin window
  • Recovery of an entire tenant if it is wiped by a compromised admin
  • Export of mailbox data in a portable, restorable format outside of Microsoft’s tooling

The conversation to have with your IT lead: ‘If a user gets compromised and the attacker deletes the contents of their OneDrive and emails, and we do not notice for 45 days, can we recover the data?’ The honest answer from native Microsoft is usually no – the 30-day default retention window has passed.

Third-party M365 backup tools solve this. Pricing is per-user-per-month, typically $3 to $6 in the Australian market, retention is configurable up to ‘forever,’ and recovery is granular (a single email, a single OneDrive file, a single Teams chat). The leaders:

| Vendor | Strengths | Watch-outs |
|---|---|---|
| Keepit | Independent vendor, Australian data residency, strong UI, good retention model | Mid-market pricing |
| Veeam Backup for M365 | Same Veeam platform if you already use it on-prem, flexible storage targets | Storage costs are your problem; not all-in pricing |
| Backupify (Datto) | Polished UI, MSP-friendly, good for Datto customers | Vendor lock-in |
| AvePoint Cloud Backup | Strong on SharePoint and Teams, mature retention policies | Higher learning curve |
| Dropsuite | Per-user pricing, simple to manage | Less granular than the leaders |
| CloudAlly | Lower-cost option, decent retention | Smaller vendor, fewer enterprise features |

For every Melbourne SME we manage that uses Microsoft 365 – which is all of them – a third-party M365 backup is part of the baseline stack. We default to Keepit for new deployments because the Australian data residency, retention model, and recovery experience are the best of the options, and the pricing is defensible for SME budgets.

Realistic price brackets for 2026

The number that comes out of a vendor sales call is rarely the number you end up paying once setup, support, replication storage, failover compute, and the inevitable additions are included. Approximate all-in monthly numbers for a 60-user Melbourne SME with 4 production VMs:

| Solution | Per-month all-in | What you get |
|---|---|---|
| Azure Site Recovery + Keepit M365 | $650 – $950 | Cloud failover for 4 VMs, M365 backup, MSP-managed |
| Datto BCDR + Backupify M365 | $1,400 – $2,200 | Local appliance with cloud failover, M365 backup, MSP-managed |
| Axcient BCDR + Dropsuite M365 | $1,100 – $1,700 | Mid-tier appliance + cloud failover, M365 backup |
| Veeam + Dell PowerProtect + Veeam M365 | $1,200 – $1,800 | Build-your-own appliance approach with M365 backup, requires expertise |
| Zerto + Keepit M365 | $2,200 – $3,500 | Premium sub-minute RPO for critical workloads |

Add the implementation cost (typically $4,000 to $15,000 one-off depending on complexity) and the annual failover test (typically half a day of MSP time, billed at the going rate). For most 60 to 100 staff Melbourne SMEs, total DR spend lands between $14,000 and $30,000 per year all-in.

RTO and RPO: what vendors quote versus what they deliver

Vendor marketing materials quote ‘RTO of 5 minutes’ or ‘RPO of seconds.’ These numbers refer to the absolute best-case mechanical capability of the product under controlled conditions on the vendor’s test bench. They are not what you get in a real disaster.

Realistic numbers for the three categories under SME conditions, based on incidents we have run for clients:

| Scenario | Vendor-quoted RTO | Realistic RTO | Why the gap |
|---|---|---|---|
| Azure Site Recovery, single VM failure | 5-15 minutes | 30-90 minutes | Network reconfiguration, DNS, application validation |
| Azure Site Recovery, full site failover | 30-60 minutes | 4-12 hours | Dependency ordering, user redirection, internal communication |
| Datto local recovery, single server | 5 minutes | 15-45 minutes | Performance on appliance compute, application checks |
| Datto cloud failover, full site | 1-2 hours | 4-10 hours | VPN setup, user routing, app validation |
| Zerto, critical workload | Sub-minute | 10-30 minutes | Closer to spec because the product is designed for it |
| M365 mailbox restore | Minutes | 1-4 hours | Identifying what was lost, scoping the restore |

The gap between vendor-quoted and realistic is not the vendor lying; it is the difference between the mechanical recovery time and the business-readiness time. When you negotiate, make sure the RTO in the contract is the business-readiness time, not just the time for the system to come up. Otherwise you are signing for a number that does not mean what you think it means.

The eight questions to ask any DR vendor before signing

  1. What is your contracted RTO and RPO, and is it measured to system-online or business-ready? If they cannot answer this clearly, walk away.
  2. Where is the off-site copy stored, and is the storage in Australia? Sovereign data residency matters for many SMEs, especially those with health, legal or government-adjacent data.
  3. What is the additional cost during a real failover (compute, egress, storage)? The DR product price is the steady-state cost; the failover cost can be substantial.
  4. How often do you test failover, who tests it, and what is the success rate? Untested DR is a hope, not a plan. Insist on at least an annual test.
  5. What does it cost to extract our data if we leave? Vendor lock-in is real. Get the exit number on the contract.
  6. What is the support model during an incident – phone, ticket, named engineer? When you are actually failing over, the time to get a human matters more than any other metric.
  7. Who else like us are you protecting in Melbourne, and can we speak to them? Reference checks from similar-sized businesses cut through the marketing fast.
  8. What is the upgrade and hardware refresh cycle, and who pays? For appliance-based products, this affects the multi-year total cost.

One client of ours – a 40-staff law firm in Kew – went to contract with a national MSP that quoted a 30-minute RTO. The contract small print clarified that 30 minutes was system-online. When we ran their first DR test under our co-managed arrangement, business-ready was 5 hours. We renegotiated the contract on renewal to specify business-ready RTO with measurable checkpoints. Different number, more honest contract.

Sample DR scope checklist (30 to 100 user SME)

The scope of work conversation with a DR vendor is where mistakes get baked in. Use this as a starting checklist:

| Item | In scope? | Notes |
|---|---|---|
| Production VMs (on-prem) | Yes | List by name, OS, role, criticality |
| Production VMs (Azure / AWS / GCP) | Yes | Cross-cloud DR is a separate conversation |
| SQL or other databases | Yes, with app-consistent backups | Application-consistent, not just crash-consistent |
| Microsoft 365 (Exchange, OneDrive, SharePoint, Teams) | Yes, via third-party SaaS backup | Microsoft does not back this up for you |
| Line-of-business SaaS (Xero, CRM, practice mgmt) | Vendor-specific | Each vendor’s backup policy is different; verify each |
| Endpoint data (laptops) | Optional | OneDrive sync usually covers this; check the policy |
| File shares | Yes | Often the largest data set |
| Active Directory / Entra ID | Yes | AD system state for on-prem; Entra ID via M365 backup |
| Network configurations (firewalls, switches) | Yes, as config exports | Often missed; documented configs accelerate recovery |
| Documentation runbooks | Yes | Stored outside the systems being recovered |
| Annual test | Yes | Specify isolated network test, not a paper exercise |
| Incident response on-call | Yes | Who do you call at 2 a.m. Sunday? |

If a vendor proposal does not cover every row of this table or does not explicitly note items as out of scope with a reason, ask before signing. A DR proposal that omits Microsoft 365 backup is a flag, not because the vendor is dishonest but because the gap will surface during a real incident at the worst possible time.

How TechAssist delivers this

We are vendor-agnostic on DR. Our default stack for a typical Melbourne SME is Azure Site Recovery for IaaS, Keepit for M365 backup, and Veeam for environments that need a richer on-prem appliance story. We also run Datto where it is the right answer and Zerto where the RPO requirement justifies it.

The delivery is what makes the difference. Our 24/7 NOC at Tecoma monitors backup jobs and replication health on every managed client, with sub-15-minute response for P1 events. When a real incident hits, our 13 Australian engineers (no offshore tier-one queue) take the call, and the same-business-day on-site response in Melbourne metro means an engineer can be at your office before lunchtime if hands on the equipment are needed. The per-user fixed monthly pricing model includes the DR management on managed engagements; the DR product cost is a separate, transparent line item passed through at the vendor rate. The two Melbourne offices – Tecoma and 575 Bourke Street CBD – give clients coverage on both sides of the metro area, with the CBD office useful for CBD-based clients who want a quick face-to-face during planning.

Since our founding in 2014, our DR practice has run incidents across professional services, healthcare admin, manufacturing, and not-for-profit clients. The pattern across all of them is the same: the DR posture that works is one that has been tested, documented, owned, and reviewed annually. The product choice matters less than the discipline around it. To talk through your specific environment, our team is reachable through the contact page, or for the broader managed services context the Melbourne managed IT services page covers how DR sits in the overall engagement.

Frequently Asked Questions

Is Microsoft 365 backup really necessary if we have litigation hold?

Litigation hold is a retention control, not a backup. It prevents end users from permanently deleting items, but it does not protect against a compromised admin wiping the tenant, does not give you a portable export, and does not provide point-in-time recovery for arbitrary historical states. For any SME holding meaningful business data in M365 – which is all of them – a third-party backup is a baseline control, not an option.

Can we just rely on the local appliance and skip the cloud failover?

If the disaster is a ransomware attack that encrypts the local appliance, or a fire that takes the office, the local-only configuration is no protection at all. The cloud or off-site copy is what makes the DR posture survive a real disaster. Local appliance plus cloud copy is the minimum; local-only is not DR, it is backup with extra steps.

What is the difference between backup and disaster recovery?

Backup is the data; DR is the ability to operate from that data after a major incident. A nightly backup of your server is backup. The ability to fail that server over to a working environment within a contracted time is DR. Most SMEs need both, in coordinated form, not one or the other.

How often should we test failover?

At least annually for a full test, quarterly for component tests, and continuously for the automated health checks the platform should be running. A DR plan that has not been tested in 18 months is no plan; it is a hope.

Will our cyber insurance cover the cost of a DR failover?

Sometimes yes, sometimes no. Read the policy. Many cyber policies cover business interruption losses but exclude or limit the actual restoration costs. The cleanest approach is to budget for the failover cost as a separate line, and treat any insurance recovery as upside.

Does the same DR product work for our on-premises servers and our Azure workloads?

Mostly no. The categories were designed for different starting points. Azure Site Recovery covers both Azure-native and on-prem to Azure. The appliance-based BCDR products are typically on-prem first, with limited cloud-native coverage. If your workload split is meaningful in both directions, expect to run two products. Our Melbourne cloud services page has more on hybrid architecture.

Azure costs for Melbourne SMEs grow 30 to 50% a year without anyone noticing. Enterprise FinOps assumes a $5 million cloud spend; this is the SME version, sized for the $50k to $500k reality. Eight quick wins, governance guardrails that stick, and the three traps that catch almost every business.

Why SME Azure spend creeps

It is rarely one decision. A pilot tenant becomes a production tenant. A test virtual machine becomes a forgotten orphan with a 1 TB premium SSD attached. Defender for Cloud gets enabled on a free trial, ends up on the Standard tier across every subscription, and nobody can find the off switch by the time the invoice arrives. The dev environment that was ‘just for two weeks’ is still running 18 months later because no one wants to be the person who turned it off.

We see the same pattern across our managed clients. A business signs up for Azure at $3,000 a month. Two years later it is $11,000 a month, the workloads have not materially expanded, and the CFO is asking the right question for the first time. By then the answer is harder than it would have been at $4,000.

FinOps as a published discipline (the FinOps Foundation maintains the framework, Microsoft has published its own opinionated version) assumes you have a cloud platform team, a financial analyst, and an executive sponsor. For a 60-staff Melbourne business with a quarter-million-dollar Azure footprint, that is overkill. The lite version below takes the parts of FinOps that apply at SME scale and ignores the rest. We have run this with clients across professional services in the CBD, manufacturers out around Dandenong, and not-for-profits across the eastern suburbs as part of our Melbourne cloud services work.

What ‘normal’ SME Azure spend looks like

Some benchmarks from our managed book, useful as sanity checks on whether your number is in the right zone.

| Workload profile | Typical monthly Azure spend | Spend per user per month |
|---|---|---|
| 30-staff professional services, M365-heavy, light IaaS | $2,500 – $4,500 | $80 – $150 |
| 60-staff hybrid, file server + 4 to 6 LOB VMs in Azure | $5,500 – $9,500 | $90 – $160 |
| 100-staff with line-of-business SQL workloads in Azure | $11,000 – $19,000 | $110 – $190 |
| 120-staff manufacturer with ERP, AVD, and DR replication | $18,000 – $28,000 | $150 – $230 |

If your number is materially above the band for your profile, there is almost certainly waste. If your number is materially below, either you are doing something genuinely clever or you have under-provisioned somewhere that will cause a production incident later.

The eight quick wins

Most SMEs can take 20 to 35% off their Azure bill in a fortnight of focused work, without changing anything about what the business does. The targets in order of effort-to-saving ratio:

1. Rightsize the virtual machines

The Azure Advisor and the Azure Migrate tools both flag VMs running well below their provisioned capacity. The reality is most SMEs have two or three D8s_v5 instances that were sized off a panicked guess at the start of a migration and have been running at 8% CPU ever since. Moving them down two or three sizes typically saves 60 to 75% of the per-VM cost. Validate with seven days of metrics first; do not just take Advisor’s word for it.

One client of ours – a 55-staff engineering consultancy in South Melbourne – was running their file server VM as a D16s_v5 because the original migration consultant ‘matched the on-prem CPU count.’ Seven days of metrics showed 4% average CPU. Rightsizing to a D2s_v5 saved $720 a month with zero user-visible impact.
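The ‘validate with seven days of metrics first’ step is where rightsizing goes wrong: an average of 4% looks safe, but a month-end batch job that pins the box for an hour does not show up in an average. The check below is an added example (not TechAssist tooling) that applies two sizing rules to a week of hourly CPU samples: size for the 95th percentile with 60% headroom, and never drop below what the observed peak needs at 90% utilisation. The thresholds, the two sample series, and the step-down ladder are assumptions for the example; the D-series v5 size names and their vCPU counts are real Azure SKUs.

```python
"""Rightsizing sanity check over a week of CPU metrics (added example, not TechAssist code)."""
import math
from statistics import fmean

# Real Azure SKU names with their vCPU counts (the number in the name).
SIZE_LADDER = [
    ("Standard_D2s_v5", 2),
    ("Standard_D4s_v5", 4),
    ("Standard_D8s_v5", 8),
    ("Standard_D16s_v5", 16),
    ("Standard_D32s_v5", 32),
]
P95_HEADROOM = 0.60   # assumed: p95 load should use no more than 60% of the new size
PEAK_CEILING = 0.90   # assumed: the worst observed hour must still fit under 90%


def percentile_nearest_rank(samples, pct):
    """Nearest-rank percentile: the value at position ceil(pct * n) in sorted order."""
    ordered = sorted(samples)
    k = max(1, math.ceil(pct * len(ordered)))
    return ordered[k - 1]


def recommend_size(current_size, cpu_percent_samples):
    """Return a recommendation dict for one VM.

    cpu_percent_samples: hourly 'Percentage CPU' values over the validation window
    (the article says at least seven days; 168 hourly samples in the constructed data).
    """
    vcpus = dict(SIZE_LADDER)[current_size]
    avg = fmean(cpu_percent_samples)
    p95 = percentile_nearest_rank(cpu_percent_samples, 0.95)
    peak = max(cpu_percent_samples)
    # Convert observed utilisation on the current core count into cores required.
    needed = max(vcpus * (p95 / 100) / P95_HEADROOM,
                 vcpus * (peak / 100) / PEAK_CEILING)
    needed_cores = max(2, math.ceil(needed))
    # Smallest ladder size that satisfies the requirement; never recommend scaling up here.
    target = current_size
    for name, cores in SIZE_LADDER:
        if cores >= needed_cores:
            target = name if cores < vcpus else current_size
            break
    return {
        "current": current_size,
        "recommended": target,
        "downsize": target != current_size,
        "avg": round(avg, 1),
        "p95": p95,
        "max": peak,
    }


# Constructed sample data: 7 days x 24 hourly samples.
# Series A mimics the South Melbourne file server in the article: flat at ~4% CPU.
FLAT_WEEK = [3 + (i % 3) for i in range(168)]
# Series B is the same box with a 10-hour batch run pegged at 85% CPU.
SPIKY_WEEK = list(FLAT_WEEK)
for i in range(150, 160):
    SPIKY_WEEK[i] = 85


if __name__ == "__main__":
    for label, series in (("flat", FLAT_WEEK), ("spiky", SPIKY_WEEK)):
        print(label, recommend_size("Standard_D16s_v5", series))
```

The flat series comes back as a step down to Standard_D2s_v5, matching the outcome in the article; the spiky series keeps the D16s_v5 because the observed peak would not fit on anything smaller under the 90% ceiling. The dollar saving still comes from the pricing calculator for your region, not from this check.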

2. Kill the orphaned disks

Every time someone deletes a VM through the portal, the OS disk and any data disks survive unless deletion was explicitly chosen. Over a few years, an SME tenant will accumulate 20 to 60 orphaned managed disks, often premium SSDs at $0.15 per GB-month. A 1 TB orphaned premium disk is $150 a month for storing absolutely nothing useful.

Run a quick KQL query in Azure Resource Graph to find disks where ManagedBy is empty. Validate that none of them are being held intentionally (some teams keep a disk for a few months as a ‘soft delete’ before truly removing it), then delete the rest. Easy win, usually $400 to $1,200 a month.

3. Reserved instances or savings plans for the steady-state workloads

Anything that runs 24/7 in steady state – production servers, domain controllers, a SQL VM, a file server – is paying full pay-as-you-go pricing by default. A one-year Reserved Instance is roughly 30% cheaper; three years is closer to 50%. The Azure Savings Plan for compute is more flexible (it covers any VM family in any region for the commitment amount) but offers a slightly lower discount.

The decision rule we use: if the workload is going to run for at least the next 12 months as-is, take the one-year reservation. If it might move, resize, or change family within that window, take the savings plan. Three-year commitments only for genuinely static workloads.

4. Auto-shutdown for dev and test

Dev and test VMs do not need to run on weeknights or weekends. A standard Azure Automation runbook or the built-in Azure DevTest Labs auto-shutdown can cut a non-production VM bill by 65 to 75%. The cost is two hours of configuration and a 30-second wake-up delay when someone needs the box at 7am Monday. We have yet to meet a dev team that genuinely objected once the saving was shown.

5. Azure Hybrid Benefit

If you have Windows Server or SQL Server licences with active Software Assurance, the Azure Hybrid Benefit lets you bring those licences to Azure VMs and stop paying the per-hour Windows or SQL surcharge. The saving on a Windows Server VM is typically 40%; on a SQL VM it can be 60 to 75%. Almost every SME with Software Assurance is leaving this on the table because nobody enabled the toggle at deployment.

Check your existing fleet through Cost Management. Filter by ‘Windows’ or ‘SQL Server’ as a meter category. Anything not marked as Azure Hybrid Benefit is overpaying.

6. Archive cold storage

Storage account blobs default to the Hot tier. Anything older than 30 days that you have not touched should be in Cool ($0.0152 per GB-month versus $0.0184 for Hot) or, for compliance archives, the Archive tier ($0.00099 per GB-month). Lifecycle policies on the storage account do this automatically.

For a healthcare client of ours in Box Hill with a 14 TB compliance archive, moving the long-tail blobs from Hot to Archive saved about $230 a month. A small number per month but a clean, automated saving that compounds as the archive grows.

7. Kill unused public IPs

A standard static public IP is roughly $4.50 a month. Trivial individually, but most SMEs have 15 to 40 of them, half of which are unattached from their original VM or load balancer. Run an Azure Resource Graph query for public IPs with no associated resource, validate, delete.
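The orphan hunt as an added example (not code from the original article): Resource Graph queries for unattached public IPs, extended to the unattached managed disks that the worked example later on this page turns up. Each query runs on its own; the validate-then-delete step stays manual.

```kusto
// Added example (not from the original article). Run each query separately.

// Query 1: public IPs with nothing attached. An attached public IP carries an
// ipConfiguration reference (NIC, load balancer frontend, VPN/application gateway,
// Bastion, firewall). IPs consumed by a NAT gateway or allocated from a public IP
// prefix are referenced through other properties, so exclude those as well.
resources
| where type =~ 'microsoft.network/publicipaddresses'
| where isnull(properties.ipConfiguration)
    and isnull(properties.natGateway)
    and isnull(properties.publicIPPrefix)
| extend skuName = tostring(sku.name),
         allocation = tostring(properties.publicIPAllocationMethod)
| project subscriptionId, resourceGroup, name, skuName, allocation, location, tags
| order by subscriptionId asc, name asc
// Validate before deleting: a static IP can be unattached yet deliberately reserved
// (it is in a partner's allow-list, or in DNS ahead of a cutover). The Owner tag,
// if it exists, is who to ask.

// Query 2: the same pattern for managed disks no VM references. diskState is
// 'Unattached' once the owning VM is deleted or the disk is detached; sort by SKU
// so the Premium_LRS disks, which cost the most per GB, come first.
resources
| where type =~ 'microsoft.compute/disks'
| where properties.diskState =~ 'Unattached'
| extend skuName = tostring(sku.name),
         sizeGB = toint(properties.diskSizeGB)
| project subscriptionId, resourceGroup, name, skuName, sizeGB, location, tags
| order by skuName asc, sizeGB desc
// Snapshot any disk you cannot account for before deleting it; an unattached OS disk
// is sometimes the only copy of a decommissioned server someone still needs.
```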

8. Review egress

Outbound data transfer (egress) from Azure to the internet is roughly $0.087 per GB after the first 100 GB free per month. Backup tools that pull data out of Azure, a misconfigured replication target that goes through public endpoints rather than peering, a video conferencing recording archive that streams out to a local NAS – all of these can quietly produce $400 to $1,500 a month in egress charges that nobody knows about.

The fix is usually a routing change (route the traffic through a private endpoint or service endpoint) or a topology change (move the target into Azure rather than pulling the data out). The win is identifying the source first; Cost Management broken down by Meter Subcategory shows you where the egress lives.

The governance guardrails that actually stick

Quick wins are easy. Stopping the spend from creeping back up over the next 12 months is the hard part. The lightweight controls we recommend for SMEs – the parts of the textbook that work at this scale:

Subscription-level budgets and alerts

One budget per subscription, set to the monthly run rate plus 15%, with alerts at 80%, 100%, and 120%. The alerts should go to a real person (the CFO and the IT lead), not a shared mailbox. The 80% alert is the one that catches the problem before it becomes a quarterly variance discussion.

Do not bother with budgets at the resource group level for an SME; the maintenance overhead is not worth the precision. The subscription is the right granularity.

Tagging that the team will actually do

Enterprise FinOps documents will tell you to enforce 14 mandatory tags. The team will rebel. For SME purposes, three tags are enough: Environment (Prod / Dev / Test), CostCentre (or Department), and Owner (a person, not a generic mailbox). Enforce them with Azure Policy at subscription creation time so any new resource without the three tags is blocked.

Three tags get used. Fourteen tags get ignored, and then nothing gets used.
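An Azure Policy deny only blocks resources that are created or updated after the assignment; everything already deployed stays as it is and merely shows as non-compliant. To size that backlog against the three tag names proposed above, here is an added example (not code from the original article) of a Resource Graph query; the tag names are the article's, everything else is standard Resource Graph.

```kusto
// Added example (not from the original article): resources missing any of the
// three mandatory tags, grouped so the owners of the biggest gaps are obvious.
// Tag keys in dynamic access are case-sensitive: 'environment' and 'Environment'
// are different tags here, which is itself a frequent cause of tags that look
// "ignored". Fix the casing at the Policy level rather than tolerating both.
resources
| extend hasEnvironment = isnotnull(tags['Environment']),
         hasCostCentre  = isnotnull(tags['CostCentre']),
         hasOwner       = isnotnull(tags['Owner'])
| where not(hasEnvironment) or not(hasCostCentre) or not(hasOwner)
// A few resource types cannot carry tags at all; exclude the same types here that
// the Policy assignment excludes, otherwise the count is inflated.
| summarize untagged = count()
    by subscriptionId, resourceGroup, type, hasEnvironment, hasCostCentre, hasOwner
| order by untagged desc
```

Re-run it a month after the Policy goes live: a count that is still growing means something is bypassing the assignment scope (a new subscription, or deployments landing at a scope the Policy does not cover).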

Quarterly cost review

One hour every three months. The IT lead and the CFO sit down with Cost Management, look at the trend, look at the top ten cost drivers, look at the variance against budget, and decide whether to act. That is the entire process. The output is a one-page note for the leadership team and a list of remediation actions for the next quarter.

This is the rhythm we run with our managed clients. It is also the rhythm where most of the savings actually surface, because it forces someone to look at the data on a cadence that catches problems while they are small.

The three traps

Three patterns catch almost every SME on Azure. Worth understanding them before they catch you.

Trap 1: Lift-and-shift over-provisioning

The most expensive single mistake we see. A business migrates 12 servers from VMware to Azure and tells the migration partner to ‘match the existing VM sizes.’ The existing on-premises VMs were sized for peak load that occurs maybe twice a year, on hardware that was bought five years ago. The Azure VMs run hot for two hours a quarter and idle the other 99% of the time, but are billed at peak capacity every hour. Add up across 12 VMs and you are paying three times what the workload needs.

The fix is to size for Azure metrics, not on-prem habits. Migrate first, then watch the metrics for two to four weeks, then rightsize aggressively. We have done this exercise often enough now that we build the rightsizing step into the migration plan from the start. If the migration partner does not include a post-migration optimisation phase, that is a warning sign.

Trap 2: The dev environment that became production

A developer or contractor spins up a dev environment to test a workload. The business comes to rely on it. Three years later it is processing real production data on a ‘temporary’ subscription with no monitoring, no backup, no DR, and no reserved instances. It is also costing twice what it should because no one ever optimised it.

The fix is governance at the subscription creation step. No new subscription without a documented owner and an explicit lifecycle (this is a permanent prod subscription, or this is a 90-day project subscription with an automatic shutdown date). Cleaning up after the fact is harder than preventing it.

Trap 3: Defender for Cloud tier sprawl

Defender for Cloud is genuinely good, and the Standard tier offerings (Defender for Servers, Defender for SQL, Defender for Storage, Defender for Containers, Defender for App Service, and so on) protect real attack surfaces. The trap is that they bill per resource and the tiers are enabled per subscription. Click the wrong toggle and you have Defender for Servers Plan 2 running on every VM across every subscription for $24 each per month.

We have seen SMEs paying $4,000 a month for Defender coverage when their actual security need would be served by $800 of targeted enablement. The fix is to choose the plans deliberately, enable per subscription, and review quarterly. Defender for Servers Plan 2 on the workloads that need it; off everywhere else. Defender for Storage on accounts with sensitive data; off on the public assets bucket. The protections matter; the indiscriminate enablement does not.

For the security-side conversation about what to leave on, our Melbourne cyber security services page outlines the decisions we apply on the managed side. Cost and security are the same conversation in Azure; you cannot optimise one without involving the other.

What the FinOps tooling landscape looks like for SMEs

The third-party FinOps tools (CloudHealth, Cloudability, Apptio Cloudability, Flexera) are excellent but enterprise-priced. For an SME at $50k to $500k annual Azure spend, the native Azure tooling is enough:

| Tool | What it does | SME relevance |
|---|---|---|
| Cost Management + Billing | Cost analysis, budgets, alerts, exports | Essential. Use weekly. |
| Azure Advisor | Rightsizing, reserved instance, idle resource recommendations | Essential. Review monthly. |
| Azure Resource Graph | KQL queries across resources, perfect for orphan hunts | Useful. Quarterly. |
| Microsoft Cost Management Power BI app | Pre-built dashboards over Cost Management exports | Nice to have for the CFO. |
| Microsoft FinOps Toolkit (open source) | Bicep templates, KQL queries, automation runbooks | Useful if you have someone technical to deploy it. |

If your spend grows past $1 million a year, the third-party tools become defensible. Below that, the native tooling is fine and the discipline matters more than the platform.

A small-business worked example

A 65-staff manufacturing business in Bayswater came to us in late 2025 with an Azure bill of $14,800 per month and a CFO who could not get a straight answer about why. Two weeks of focused work:

  • Rightsized seven over-provisioned VMs, saving $2,100 per month
  • Deleted 23 orphaned premium disks, saving $1,400 per month
  • Applied Azure Hybrid Benefit to 12 Windows VMs (they had Software Assurance through their CSP and no one had enabled the toggle), saving $1,800 per month
  • Switched the steady-state production workloads to one-year savings plans, saving $1,200 per month
  • Set up auto-shutdown on the dev and test environments, saving $600 per month
  • Identified and re-routed an egress problem through a private endpoint, saving $400 per month
  • Trimmed Defender for Cloud tier coverage to the workloads that actually needed Plan 2, saving $700 per month

Total monthly saving: $8,200, or about 55% of the original bill. The new run rate of $6,600 per month is a defensible number for the workload, with no production impact and no reduction in security posture (in fact a more deliberate one). Subscription budgets, three-tag enforcement, and quarterly review cadence are now in place. The job took us about 70 hours across two engineers from our 13-strong Melbourne team and was delivered alongside the regular per-user fixed monthly managed IT engagement.

FinOps and the broader cloud strategy

Cost optimisation is one strand of a wider conversation about whether the cloud architecture is right for the business. Sometimes the answer to a high bill is to optimise; sometimes it is to redesign. A 24/7 SQL workload that processes a fixed batch overnight may be better suited to Azure SQL serverless or even a scheduled VM. A file server that nobody touches for three months at a time might belong in Azure Files cool tier with a small AVD presence on demand. These are not quick wins; they are architecture changes. But once the quick wins are taken, the conversation moves to design.

For Melbourne SMEs that want a second opinion on whether the architecture is right before committing to another year of the existing spend, we run cloud architecture reviews as a discrete piece of work, separate from ongoing managed services. They are useful at the 12-month mark of any non-trivial Azure deployment. Reach us through the contact page if that is the conversation you need.

Frequently Asked Questions

Should we move away from Azure to save money?

Almost never the right answer for a workload that is already in Azure. Egress fees on a full re-platform are punishing, the operational disruption is real, and the cost difference between Azure, AWS and GCP for SME-typical workloads is usually under 15% once both are properly optimised. Optimise what you have before considering a move. The exception is a workload that genuinely fits a different platform’s primitives better (a heavy GCP BigQuery analytics workload, for example).

How often should we revisit our reserved instance commitments?

At the renewal point and at any major workload change. The Azure Savings Plan is more flexible than the older Reserved Instances because it does not lock you to a VM family; if your workloads shift, the savings plan keeps applying. We typically recommend a mix: reservations for the most stable workloads (domain controllers, file servers, the SQL VM that has run unchanged for three years), savings plans for the rest.

What does FinOps mean for our cloud backup and DR spend?

Backup storage tends to live outside the day-to-day cost conversation and grows quietly. Same principles apply: tier the storage (most backup data can live in cool or archive after 30 days), review retention against actual recovery needs, and watch the egress when you do a restore. Our companion piece on backup and disaster recovery for Melbourne businesses goes deeper on the design decisions.

Do we need a dedicated FinOps person?

Not at SME scale. The work is two to four hours a month for an experienced engineer plus a quarterly review with the CFO. We run it as part of the managed engagement for clients on our per-user fixed monthly pricing model. Hiring a dedicated FinOps person is a sensible move at around $2 to $3 million annual cloud spend, not before.

Will the optimisation work introduce risk to production?

It can if it is done carelessly. The discipline is: validate against metrics before any resize, take a backup before any storage change, do the work in a maintenance window, and have a rollback path. We have done hundreds of these exercises with our MSP Melbourne clients without a production incident, but the process matters. A weekend cowboy resize of a production SQL VM is how you cause an incident.

What is the role of the CFO in cloud cost management?

The CFO owns the budget and the variance conversation; the IT lead and the MSP own the technical optimisation. The quarterly review is the meeting where those two functions talk to each other. Most SME cost creep we see comes from a lack of that conversation rather than from any technical failure.

Cloud migration is the IT category where buyer disappointment is most common. The phrase covers projects from a five-day SharePoint setup to a two-year replatforming. Partners range from competent boutiques to outfits with junior consultants who will learn on your bill. Picking the wrong one locks in operational pain for five years.

This is a buyer’s guide written from the engineering side of the table. We will define what cloud migration services actually mean for an Australian SME in 2026 (mostly file server to SharePoint and OneDrive, on-prem Active Directory to Entra ID, and on-prem SQL or line-of-business systems to Azure). We will cover the three pricing models you will see and which one fits your situation. We will name the lift-and-shift trap that costs SMEs more in year three than the original project cost. And we will give you the 12 questions to ask a prospective migration partner before you sign anything.

TechAssist has been running migrations for Melbourne SMEs since we were founded in 2014. Our cloud services Melbourne team has migrated firms ranging from 8 to 250 staff, across professional services, manufacturing, healthcare, and not-for-profit. We have 13 Australian engineers, two offices (Tecoma and 575 Bourke St CBD), a 24/7 NOC, and per-user fixed monthly pricing for the run state after the migration. The engineering bias in this guide is real, but the recommendations are the same ones we give clients we end up not working with.

What “Cloud Migration Services” Actually Means in 2026

The term has been used loosely for so long it has lost meaning. Let us define it concretely. For an Australian SME in 2026, “cloud migration” almost always means one or more of the following workstreams.

File server to SharePoint and OneDrive. This is the bread-and-butter SME migration. An on-premise file server (often a Windows Server running 2016 or 2019 that is past end-of-life on hardware) is being retired, and the file shares are being moved to SharePoint Online document libraries plus OneDrive for individual user files. The work is more nuanced than it sounds: permissions need to be modelled cleanly, mapped drive habits need to be transitioned, and the file structure usually needs to be restructured at the same time because the on-prem structure has accumulated 15 years of cruft.

On-premise Active Directory to Entra ID. The identity layer migration. Moving from a Windows Server domain controller to Entra ID as the primary identity provider, with hybrid join or full cloud join for Windows endpoints. This is the foundation for conditional access, device compliance, and most of the modern security controls. It is also the migration that quietly breaks the most legacy line-of-business applications, so the discovery work needs to be thorough.

On-premise SQL or line-of-business system to Azure. The infrastructure-as-a-service or platform-as-a-service migration. Moving a database or LOB application from on-premise servers to Azure SQL, Azure VMs, or App Service. This is where the lift-and-shift trap lives, and we will talk about it shortly.

Email migration. Moving from on-prem Exchange or a third-party mail provider to Exchange Online. This is increasingly a small workstream because most SMEs already moved email to the cloud years ago, but it still comes up for late-mover firms and for post-acquisition consolidation work.

Backup re-platforming. Moving from on-prem backup appliances to cloud-native or hybrid backup services that protect both on-prem and cloud workloads. This often gets bundled into the migration scope because the existing backup tool does not protect the new cloud workloads, and trying to bolt it on later costs more than rebuilding the backup strategy properly. See our backup and disaster recovery Melbourne 2026 guide for the broader picture.

For a typical Melbourne SME migration, two or three of these workstreams are bundled into a single engagement, with the file server and Entra ID work usually being the core, and the SQL or LOB workstream being the optional but heavier component.

The Three Pricing Models

The pricing model a partner offers tells you a lot about how they run projects. There are three common shapes for cloud migration engagements in the Australian SME market.

| Pricing model | How it works | Best fit | Watch for |
|---|---|---|---|
| Fixed-price discovery plus T&M build | Fixed fee for a one-to-three-week discovery and scoping phase. Build phase is time and materials with a budget cap and weekly reporting. | Mid-complexity migrations where scope is genuinely uncertain. | T&M without a cap is open-ended. Insist on a cap and weekly reporting. |
| Hybrid (fixed core, T&M for complex bits) | Fixed price for the standard workstreams (file server, AD, email), T&M for anything custom (LOB integration, data transformation). | Most SME migrations of moderate complexity. | The boundary between fixed and T&M needs to be crystal-clear in the SOW. Vagueness here causes disputes. |
| Full fixed price | One fixed number for the entire engagement, including all workstreams, change requests within a defined envelope. | Well-defined migrations with low ambiguity in scope. | The partner has priced in risk margin. You will pay more than T&M would cost if the project runs smoothly. The upside is predictability. |

The honest take on which to choose: hybrid is the right answer for most Melbourne SMEs in the 30 to 100 staff range. Fixed-price discovery plus T&M build is the right answer when you have a legacy line-of-business application and the discovery phase needs to surface what the migration actually involves before anyone can credibly quote it. Full fixed price is the right answer when you have rigid budget approval processes that cannot tolerate any variance.

The model that should make you nervous: a low fixed price for an aggressive scope, where the partner is hoping to use change orders to recoup margin. This is the most common pattern of buyer disappointment we see. The kick-off feels great, the price feels right, and by week six you have approved $40,000 of change orders and the partner has rebuilt their margin on top of the original quote. The protection against this is a thorough discovery before the contract is signed.

The Lift-and-Shift Trap

This is the trap that costs Melbourne SMEs more in cloud cost over time than the migration itself. The partner takes your on-premise SQL Server, lifts it onto an Azure VM with the same specs, and shifts it to the cloud. The migration is fast, the bill at the end is low, and the project is declared a success.

The problem is what happens in year two and year three. The on-prem server was a one-time hardware capital cost amortised over five years. The Azure VM is a recurring operational cost forever. The specs that made sense on-prem (over-provisioned because hardware was hard to expand) are wasted in Azure because cloud workloads should be sized to actual load and scaled when needed. The result is a perpetual Azure bill that is two to four times what a properly designed cloud architecture would cost, with worse performance characteristics.

The fix is platform-as-a-service or refactoring during the migration, not after. Specifically: SQL Server should usually become Azure SQL Database (with elastic pool, or serverless tier for variable workloads), not an Azure VM running SQL Server. Windows Server file shares should become SharePoint and OneDrive, not Azure Files. Custom applications should be containerised or refactored to App Service where viable, not lifted onto VMs.

The reason partners default to lift-and-shift is that it is fast and low-risk for them. It avoids the architectural conversations that take time and require Azure expertise that not every partner has. It also positions them for a profitable optimisation engagement in year two, when the bill is hurting and you come back asking for help.

If you are evaluating a migration partner, the lift-and-shift conversation is the single best test of their depth. Ask them what they would do with your specific workloads. If the answer is “lift to Azure VMs first, optimise later,” that is a partner who is going to leave you paying the on-prem tax in Azure forever. Walk away. The right answer is “let us look at each workload and design the target architecture before we move, even if it takes longer up front.”

The 12 Questions to Ask Before You Sign

These are the questions we would ask if we were on the buyer side of a migration engagement. The answers will tell you more than any case study.

One. Show me the discovery deliverable from your last three SME migrations. The discovery document is the single best indicator of how seriously a partner takes scoping. If they cannot show you a sanitised example, or if the example is two pages of high-level boxes, they are not doing real discovery.

Two. How will you handle the Azure cost forecast for year one, year two, and year three? You want a projected monthly Azure bill at each milestone, with the assumptions stated. Partners who cannot do this are guessing on the cost side, and guessing means surprises.

Three. What is your specific approach to file permissions during the SharePoint migration? File permissions are where the migration’s hidden complexity lives. The right answer involves a permissions audit, a model for SharePoint sites and Teams, and a plan for the inevitable exceptions. The wrong answer is “we will replicate the existing structure.”

Four. How do you handle the legacy line-of-business application that does not support Entra ID? Every SME has at least one. The right answer involves identifying it during discovery, modelling the options (hybrid join, application proxy, replacement, retirement), and pricing the work accordingly. The wrong answer is “we will figure it out during the build.”

Five. What is your incident response if the migration goes sideways at 8pm on a cutover Saturday? You want to know who is on call, what their response time commitment is, and what the rollback procedure looks like. Cutover weekends are when migrations fail spectacularly, and you need to know there is a human and a plan when it happens.

Six. Who are the named engineers on this project, and what are their certifications? Not “our team has Azure certifications.” You want names, role descriptions, and which specific engineers will be doing the architecture and implementation. Partners who staff projects with rotating cast members give you inconsistent work quality.

Seven. What does your post-migration run state look like, and what is the handover process? Most migration disappointment is not during the migration. It is in the six months after, when something breaks and the partner is no longer engaged. You want clarity on the handover, the run state ownership, and the path to ongoing support.

Eight. Can you share a reference from a Melbourne SME of similar size and complexity, in the last 18 months? You want the reference to be both recent (so the partner is still operating at the same standard) and comparable (so the work has actually relevant similarity to yours). Generic enterprise references are not useful for SME engagements.

Nine. What happens if Azure costs come in higher than your forecast? Specifically: who eats the difference, and what is the process for re-evaluating the architecture? A partner who says “we will work with you to optimise” without committing to any responsibility is offloading the architectural risk onto you.

Ten. How do you handle change requests during the build? You want a written change request process with size thresholds, approval steps, and a commitment that changes below a certain dollar value will be absorbed rather than charged. Without this, change requests become the partner’s margin recovery mechanism.

Eleven. What is your approach to security during and after the migration? The migration is the perfect moment to uplift conditional access, MFA, application control, and Essential Eight alignment. A partner who treats security as out of scope for the migration is leaving the most valuable work on the table.

Twelve. Where will my data live geographically, and what is the data residency commitment? For most SMEs the answer is Azure Australia East or Australia Southeast, but you want this stated explicitly, with the specific workloads named. This matters more than buyers usually realise, especially for clients in government supply chain or regulated sectors.

The partner’s answers to these twelve questions will tell you who you are dealing with. The partner who hedges or generalises is the partner who will surprise you later. The partner who has specific, named, defensible answers is the partner worth talking to in detail.

A Sample Scope-of-Work Skeleton

Here is the structure of a sensible SOW for a Melbourne SME cloud migration. Adapt this for your situation. If the partner’s SOW is shorter or thinner than this, push back.

| SOW section | What it should contain |
|---|---|
| Executive summary | One-page summary of the engagement, the workstreams, the duration, and the price. |
| Discovery deliverables | Detailed inventory of current state, target architecture, migration approach for each workstream, risk register. |
| Workstream breakdown | Named workstream for each major workload, with explicit scope boundaries, deliverables, and acceptance criteria. |
| Target architecture diagram | Visual representation of the post-migration state, including identity, network, data, and security layers. |
| Migration sequence and timeline | Phased plan with named milestones, dependencies, and cutover windows. |
| Roles and responsibilities (RACI) | Who does what on the partner side and the client side, named individuals where possible. |
| Acceptance criteria per workstream | Specific tests that must be passed before each workstream is considered complete and signed off. |
| Change request process | Written process with thresholds for what counts as a change, approval steps, and pricing. |
| Azure cost forecast | Projected monthly Azure spend at three, six, twelve, and twenty-four months with assumptions stated. |
| Risk and mitigation | Named risks, probability/impact assessment, and mitigation plans. |
| Cutover plan and rollback procedure | For each cutover, the procedure, the abort criteria, the rollback steps, and the on-call coverage. |
| Post-migration support and warranty | What support is included for what duration after each workstream completes. |
| Pricing breakdown | Line-by-line breakdown of fixed and T&M elements, with assumptions. |
| Payment milestones | What gets paid when, tied to acceptance criteria not calendar dates. |

The SOW should be 25 to 50 pages for a typical mid-complexity SME migration. Less than that, the partner has not done the thinking. More than 80 pages, the partner is hiding complexity in volume.

A Melbourne Example: 65-Person Engineering Consultancy in Hawthorn

A 65-person mechanical and electrical engineering consultancy in Hawthorn engaged us in late 2024 for what they thought would be a SharePoint migration and turned into a broader cloud migration including identity, file shares, and an on-premise project management database.

The discovery surfaced more complexity than expected. The file server held about 14 TB of project files including CAD models, which needed careful handling for SharePoint sync behaviour. The Active Directory had 11 years of accumulated permissions, roles, and group nesting that needed cleaning before any migration could be clean. The project management database was a SQL Server application with custom integrations to Outlook and to their cost-tracking spreadsheets that no one had documented in seven years.

The decision early in discovery: refactor where it materially reduces ongoing cost, lift-and-shift only where refactoring offered no value. SQL Server moved to Azure SQL Database (single database, with elastic pool option for future growth) instead of a VM. File shares moved to SharePoint with a redesigned site structure mapped to project workstreams rather than the old folder hierarchy. Identity moved to Entra ID with hybrid join during a transitional period, then fully cloud-joined endpoints by month six.

Timeline: 14 weeks from discovery start to final cutover, plus a 12-week post-migration support window. Cost: $148,000 fixed for the standard workstreams plus $34,000 T&M for the SQL refactor, against an internal budget envelope of $200,000. Azure run cost: $1,640 per month at steady state, against a forecast of $1,800. They are now on per-user fixed monthly managed service with us, with 24/7 NOC monitoring out of Tecoma and same-business-day on-site coverage when something needs hands on gear.

The lift-and-shift counterfactual: a partner who had simply lifted the SQL Server to an Azure VM would have charged less for the project (maybe $115,000 total) but the Azure run cost would have been roughly $3,400 per month due to the VM sizing and the SQL Server licensing on Azure. Over five years, the lift-and-shift would have cost the firm about $105,000 more in Azure spend, plus the future optimisation work to fix it. The architectural decision during the migration saved more than the migration cost over the asset lifetime.

Where TechAssist Sits in the Partner Landscape

We are honest about our positioning. We are not a Big Four consulting firm and we do not bid on $5m enterprise transformations. We are not a one-person operation working from a home office. We are a mid-market Melbourne MSP with 13 Australian engineers and the scale to handle SME migrations end-to-end while still being a partner you can call and get the principal engineer on the phone.

Our sweet spot is 30 to 250 staff Melbourne SMEs, professional services and skilled industries, where the migration needs to be done properly the first time, on a budget that is real but not unconstrained, with a transition into a managed service relationship afterwards. Our per-user fixed monthly pricing on the run state means we are not incentivised to leave you with brittle infrastructure that creates ongoing ticket volume.

We are Essential Eight aligned and ISO 27001 capable, which matters for clients moving into regulated sectors or pursuing certifications. We respond to P1 incidents in under 15 minutes and provide same-business-day on-site coverage across Melbourne metro from our Tecoma office and our 575 Bourke St CBD office.

If our positioning does not fit your situation, that is fine. The questions in this guide will still serve you well with another partner. If it does fit, we are happy to run a discovery conversation. See our MSP Melbourne overview for the broader service description, our co-managed IT support page if you have an internal IT lead, and our managed IT services Melbourne page for the full service breakdown.

For vertical-specific context, see our law firms, manufacturers, and healthcare pages. For the broader provider selection framework, our how to choose an MSP Melbourne and top managed service providers Melbourne articles cover the ground.

The Six Red Flags That Should End the Conversation

If you see any of these during the sales process, the conversation should end. We have seen each of these cause migration disasters, and the partner’s behaviour during the sales cycle is the best predictor of how they will behave during the project.

One. They quote without discovery. A partner who gives you a fixed price for a migration without spending real time understanding your environment is either selling you a project they cannot deliver, or has priced in so much risk that you are overpaying.

Two. They cannot name the engineers. The salesperson is great. The case studies are slick. The actual delivery team is a mystery. This is the pattern where you find out, after signing, that the engineers are junior offshore staff or contractors with no continuity.

Three. The Azure cost forecast is “we will optimise after migration.” This is the lift-and-shift trap signalled in advance. Walk away.

Four. The change request process is “we will handle it.” No written process, no thresholds, no commitment. This will turn into endless change orders during the build.

Five. They will not provide a Melbourne SME reference of comparable scale. Generic references and enterprise references are not useful. If they cannot point you to a comparable client in the last 18 months, they have not done the work at your level recently.

Six. They are uncomfortable when you ask about security uplift during the migration. The migration is the moment to fix conditional access, MFA, and application control. A partner who treats this as out of scope is missing the point of why most SMEs are migrating in the first place. Read our zero trust security model explained and cybersecurity services Melbourne resources for the security framing.

Frequently Asked Questions

How long does a typical SME cloud migration take?

For a 50-person business with a moderate-complexity stack (file server, on-prem AD, one or two LOB applications), the engagement runs 12 to 20 weeks from discovery to final cutover, plus 8 to 12 weeks of post-migration support. Smaller and simpler migrations can be done in 6 to 10 weeks. Larger and more complex migrations can run 6 to 9 months. Anyone promising a serious migration in 2 to 4 weeks is selling you a rushed project.

Can we keep our existing IT person and just engage a partner for the migration?

Yes, and this is a common pattern, but it requires clear scope boundaries. The partner runs the project, the internal IT person handles end-user support, change communication, and the on-the-ground coordination during cutover. Our co-managed IT support model is built for exactly this arrangement. The pattern that does not work is the internal person trying to “help” with the technical migration work in parallel, which creates accountability gaps.

What does an Azure bill for a 50-person SME look like at steady state?

Depends entirely on the architecture and what workloads you have moved. For a 50-person business that has migrated file shares to SharePoint, identity to Entra ID, and one moderate SQL workload to Azure SQL, the Azure-side bill is typically $800 to $2,200 per month at steady state. The Microsoft 365 licensing is separate and runs $30 to $50 per user per month depending on tier.

Is hybrid cloud (some workloads on-prem, some in Azure) still a sensible choice?

For some workloads, yes. Specifically: industrial control systems, very large file shares where bandwidth economics matter (some video production and CAD scenarios), and certain LOB applications with vendor support constraints. For most SME workloads, hybrid is a transitional state, not a destination. Plan to be fully in the cloud within three years of starting the migration, or you will end up paying for the worst of both worlds.

What about Microsoft 365 Copilot during the migration?

Deploy after the migration, not during. The Copilot value comes from clean SharePoint structure, properly permissioned document libraries, and a tenant that has been hardened. Trying to roll out Copilot before the migration is finished produces poor user experience because Copilot is searching across the messy interim state.

How do we make sure we are not locked into the partner after the migration?

This is the right question to ask before signing. The protections are documentation (you should own all architecture documentation, including admin credentials and root-of-trust certificates), portable architecture (avoid partner-specific tooling for the run state), and a clean handover process. Our run-state pricing is per-user fixed monthly with no lock-in clause, and the architecture we deploy is standard Microsoft and Azure constructs that any competent partner can take over if you ever decide to move. Reach our team via the contact page for a discovery conversation.

Hospitality IT is a niche of its own. A Friday 7pm POS failure is a revenue event. A dropped EFTPOS during Saturday service costs you walk-outs, comped meals, and angry reviews. Technology decisions venues make casually, based on what the previous chef used, set the operational ceiling for the next five years.

This guide is the practical version for Melbourne hospitality operators. We will walk through the actual POS landscape (Lightspeed, Square for Restaurants, Hub by Now Book It, Impos), the reservations platforms (SevenRooms, OpenTable, Now Book It), the payments stack (Tyro, Mx51, Square), the customer Wi-Fi versus staff Wi-Fi separation that catches almost every venue out, RSA and compliance data storage obligations, and what after-hours support actually costs when you do the maths honestly. Plus the four big hospitality IT traps we see in every second venue we onboard.

TechAssist supports a number of Melbourne hospitality clients across Carlton, Fitzroy, South Yarra, and the CBD. Our managed IT services Melbourne team treats hospo as its own discipline because the failure modes are different. P1 incidents are responded to in under 15 minutes from our 24/7 NOC at Tecoma, and same-business-day on-site coverage across Melbourne metro is standard. For Friday and Saturday service, that is the only response window that matters.

The Melbourne Hospitality Stack: What Actually Gets Used

Let us start with the realistic landscape. We are not going to list 47 vendors. We are going to list the platforms that we genuinely see deployed in Melbourne venues, the size of operation each fits, and where each one shines or struggles.

POS Platforms

Lightspeed Restaurant remains the dominant cloud POS for Melbourne mid-tier venues. Sit-down restaurants, gastropubs, mid-sized cafes. Strong reservations integration, decent inventory, solid reporting, and a maturing payments stack. Where it struggles: large multi-venue operators with central kitchen workflows, and any venue that needs deep table management with floor plan complexity beyond moderate.

Square for Restaurants is the price leader and is genuinely good for cafes, casual dining, and bar-led venues under about $1.5 million revenue per year. The hardware ecosystem is clean, the back-of-house is intuitive, and payments are baked in (which is a feature for some operators and a constraint for others). Where it struggles: high-volume Friday-Saturday service in venues that need granular table management or complex menu modifiers.

Hub by Now Book It is the Australian hospitality platform that has been quietly winning the multi-venue mid-market. Especially strong in venues that prioritise reservations as a strategic capability. Reservations and POS are in one ecosystem, the Australian support is genuinely responsive, and the reporting is built for owner-operators. Where it struggles: venues that have already committed to a different reservations platform and do not want to consolidate.

Impos remains a serious option for venues that need on-premise resilience and deeper customisation. It is the option we see most often in established Melbourne CBD restaurants that have been running for ten-plus years and want offline-capable hardware. The Australian provenance is real and the support is local. Where it struggles: greenfield deployments where the operator wants a cloud-first stack with minimal hardware on premises.

| POS | Best fit | Typical venue size | Approximate monthly cost |
| --- | --- | --- | --- |
| Lightspeed Restaurant | Mid-tier sit-down, gastropubs | $1m – $5m revenue | $140 – $400 per terminal |
| Square for Restaurants | Cafes, casual dining, bar-led | Up to $1.5m revenue | $80 – $180 per terminal |
| Hub by Now Book It | Multi-venue, reservations-led | $1.5m+ revenue, often multi-site | $200 – $500 per terminal plus reservations |
| Impos | Established sit-down, on-prem priority | $1m+ revenue, often legacy | $150 – $350 per terminal plus maintenance |

Reservations Platforms

SevenRooms is the platform of choice for venues that treat guest data as a strategic asset. The CRM, the marketing automation, and the guest profiling are deeper than the alternatives. Used by most of the higher-end Melbourne dining group operators. The cost reflects the depth, and the platform is overkill for cafes or casual venues.

OpenTable is the global brand with the broadest discovery reach, especially for international visitors. The booking funnel converts well and the diner-facing experience is polished. The downside is the cover fee model, which adds up quickly for high-volume venues, and the integration depth is shallower than SevenRooms.

Now Book It (the reservations product, separately from Hub POS) is the Australian-grown option with strong local support and a fee model that suits high-volume operators better than OpenTable for many configurations. Good ecosystem integration including with Hub POS.

The reservations decision is less binary than POS because most venues run one reservations platform integrated to whichever POS they chose for other reasons. The integration quality between your POS and your reservations platform matters more than which reservations brand you choose.

Payments

Tyro is the dominant Australian merchant for hospitality. Integrates cleanly with Lightspeed, Hub, Impos, and several others. Reliability has improved significantly since the 2023 outage that affected a chunk of Australian hospo overnight, and the surcharge and fee structure is reasonable. The integration with Xero for end-of-day reconciliation is good.

Mx51 is the increasingly serious challenger, particularly for venues that want flexibility on the back-end acquirer relationship. Better suited to multi-venue operators with banking arrangements they want to preserve.

Square’s integrated payments work well for Square POS users and not at all for everyone else. If you are on Square POS, this is the natural answer. If you are not, it is irrelevant.

The honest take on payments: the difference between the major providers on rate is a few basis points. The difference on reliability and the failover story for when the integrated terminal stops working is huge. Always have a backup terminal that is not on the same network and not on the same provider. We will come back to this in the traps section.

Customer Wi-Fi vs Staff Wi-Fi: The Separation Almost Every Venue Misses

This is the most common Melbourne hospitality IT failure mode we see. The previous IT person or the NBN installer set up one Wi-Fi network. Staff use it, guests use it, the POS uses it, the EFTPOS uses it, the music streaming box uses it, the kitchen printer uses it, and the smart fridge thermometer uses it. Everything sits on the same flat network, and one compromised guest device can poke at everything else.

The correct configuration is three logically separated networks. Each on its own VLAN, with firewall rules between them.

| Network | What it carries | Why it is separate |
| --- | --- | --- |
| Customer Wi-Fi | Guest phones, tablets, social check-ins | Untrusted, unmanaged. Internet egress only. Must not see POS or EFTPOS. |
| Staff and operational | POS terminals, EFTPOS, kitchen printers, KDS, manager laptop | Trusted, managed. Restricted egress, no exposure to guest devices. |
| IoT and AV | Music streaming, smart fridges, CCTV, AV controllers | Untrusted firmware, never patched. Egress to vendor cloud only. |

That is the baseline. A venue with this structure has, in one configuration change, removed the most common Melbourne hospo network risk: an attacker pivoting from customer Wi-Fi to the POS network and capturing card data, or to the EFTPOS terminal and capturing transaction streams.
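The three-zone policy in the table, written out as a small model that decides whether a new connection between zones is permitted and then audits connection records against it. This is an added example, not code from the page or from TechAssist; the VLAN subnets, the vendor-cloud range, the staff egress ports and the sample flow records are all constructed.

```python
"""Model of the three-VLAN venue network policy (customer / staff-operational / IoT-AV)
and an audit of connection records against it.

Added example, not code from the page or from TechAssist. VLAN subnets, vendor-cloud
ranges, allowed staff egress ports and the sample flow records are all constructed.
"""
from ipaddress import ip_address, ip_network

# Constructed zone subnets: one VLAN per zone, as the table describes.
ZONES = {
    "customer": ip_network("10.10.0.0/24"),  # guest phones and tablets, untrusted
    "staff": ip_network("10.20.0.0/24"),     # POS, EFTPOS, printers, KDS, manager laptop
    "iot": ip_network("10.30.0.0/24"),       # music, smart fridges, CCTV, AV controllers
}

# Constructed placeholder for the IoT vendors' cloud endpoints (TEST-NET-3 range).
IOT_VENDOR_CLOUD = [ip_network("203.0.113.0/24")]

# Constructed "restricted egress" for the staff zone: HTTPS, DNS and NTP only.
STAFF_EGRESS_PORTS = {443, 53, 123}


def zone_of(ip):
    """Return the zone name for an address, or 'internet' if it is in no venue VLAN."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def is_allowed(src, dst, dst_port):
    """Decide whether a NEW connection src -> dst:dst_port is permitted.

    Models the gateway's forward policy between VLANs; return traffic for
    established connections is assumed to be handled by connection tracking.
    Returns (allowed, rule) so an audit can explain each decision.
    """
    s, d = zone_of(src), zone_of(dst)
    if s == "internet":
        return False, "inbound-from-internet-default-drop"
    if s == d:
        return True, "same-vlan"  # switched locally, not firewalled here
    if d != "internet":
        # Any connection initiated from one venue VLAN into another is dropped:
        # guests must not see POS/EFTPOS, IoT must not reach staff or guests.
        return False, f"inter-vlan-deny-{s}-to-{d}"
    if s == "customer":
        return True, "customer-internet-egress"
    if s == "staff":
        if dst_port in STAFF_EGRESS_PORTS:
            return True, "staff-restricted-egress"
        return False, "staff-egress-port-not-allowed"
    if s == "iot":
        if any(ip_address(dst) in net for net in IOT_VENDOR_CLOUD):
            return True, "iot-vendor-cloud-egress"
        return False, "iot-egress-not-vendor-cloud"
    return False, "default-drop"


def audit_flows(records):
    """Check connection records ('src dst port' per line, a constructed format)
    and return the ones the policy denies, with the rule that denied them.
    Run over a real flow export this flags guest or IoT devices reaching for the POS VLAN."""
    violations = []
    for line in records.strip().splitlines():
        src, dst, port = line.split()
        allowed, rule = is_allowed(src, dst, int(port))
        if not allowed:
            violations.append((src, dst, int(port), rule))
    return violations


# Constructed sample flow records: source, destination, destination port.
SAMPLE_FLOWS = """
10.10.0.23 8.8.8.8 443
10.10.0.23 10.20.0.5 443
10.30.0.9 203.0.113.10 443
10.30.0.9 198.51.100.7 443
10.20.0.5 203.0.113.50 443
10.20.0.5 10.10.0.23 80
10.20.0.41 198.51.100.9 25
"""

if __name__ == "__main__":
    for violation in audit_flows(SAMPLE_FLOWS):
        print("DENY", *violation)
```

If management access from the staff VLAN to a CCTV NVR or AV controller is needed, add it as a named exception rather than opening the whole IoT zone.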

The cost to deploy this for a typical 80-seat Melbourne venue is roughly $3,500 to $5,500 in UniFi hardware plus six to ten engineer hours. The cost of not deploying it is, eventually, a card data incident, an insurance claim, and a regulator conversation. We covered the realistic cost of an incident in another article: for a venue, the productivity and revenue loss from a multi-day outage of POS or EFTPOS during peak service is brutal.

Our cybersecurity services Melbourne team treats network segmentation as table stakes for any hospitality client. Read our zero trust security model explained guide for the broader framework view.

RSA and Compliance Data Storage

Hospitality venues store more regulated data than they realise. RSA compliance records, ID verification records (especially for late-night venues), staff working hours under Fair Work, guest data including reservations preferences and dietary requirements, and CCTV footage of both staff areas and customer areas.

Each category has its own retention rules and access controls. The traps we see most often:

One. CCTV footage stored on a DVR with a default password, with no retention policy, and with access for anyone who knows the office PIN. The Australian Privacy Act applies to the CCTV footage in most venue configurations because the venue is collecting personal information about identifiable individuals. The retention should be defined (typically 28 to 90 days), access should be controlled, and there should be a process for handling subject access requests if they come up. They do come up, especially after incidents involving staff or patrons.

Two. Staff records stored on the kitchen office PC, with a shared password, and never backed up. This is a multi-failure scenario. The records are required for Fair Work compliance. If the PC dies (and the kitchen office PC always dies eventually because of the kitchen environment), the records are gone. The fix is moving staff records to a cloud HR platform like KeyPay, Tanda, or Deputy, which gives you backup, access control, and audit trails for free.

Three. Guest data being treated as the property of whichever staff member set up the reservations platform. When that staff member leaves, the data either goes with them or becomes inaccessible. The fix is treating the reservations platform as a business system with ownership clarity, admin access controlled by the operator, and exported backups on a regular cadence.

Four. Tip records, payroll exports, and EFT batch files stored on shared drives without access control. Anyone with the office Wi-Fi password can read or modify them. The fix is moving these to a properly permissioned cloud storage location with audit logging, and ensuring only operations and finance staff have access.

For the broader privacy framework, see our Australian Privacy Act for SMBs guide. Most hospitality venues fall under the Privacy Act because they collect personal information about identifiable individuals at scale, and the data handling expectations are not different from other industries even though the venue context feels different.

The Four Hospitality IT Traps

These are the four traps we see in roughly every second Melbourne hospo venue we onboard. None is exotic. All are preventable.

Trap One: Shared Admin Passwords

The POS admin password is “Manager01” or the year the venue opened. Every manager has it. The departing dishwasher had it. The casual who worked one shift in 2022 had it. There is no audit trail of who used it for what, and changing it is a multi-week project because no one is sure where it has been written down.

The fix is structural. POS admin access should be per-user, with named manager accounts and a clean offboarding process when staff leave. Most modern POS platforms support this; the venue just has not configured it. Add MFA on the POS admin login wherever the platform supports it. Change the back-of-house Wi-Fi password every time a manager-tier staff member leaves, or move to certificate-based device authentication so passwords are not the trust anchor.

Trap Two: The Cousin Who Set It Up

The venue’s IT was set up by the owner’s cousin, who is good with computers, did it as a favour during the fit-out, and is now uncontactable on a Saturday night when the POS server has stopped responding. There is no documentation, the admin credentials are in the cousin’s head, and the network diagram is on a sticky note that came off the wall in the kitchen renovation.

The fix is engaging an MSP for the structural work and accepting that the cousin saved the venue some money during fit-out but is not a sustainable operational answer. The fit-out IT is about 5 to 10 percent of overall fit-out cost in most Melbourne venues. The ongoing IT is the part that determines whether Friday service runs smoothly for the next decade.

Trap Three: No Failover EFTPOS

The venue has one integrated EFTPOS terminal per POS. When the integrated terminal stops talking to the POS (due to a software bug, a network issue, or a bank-side problem), the venue has no way to take payments. Saturday night service becomes a queue of customers who cannot pay, walking out, or paying via tap-to-phone on the manager’s personal Square reader, which then creates reconciliation headaches.

The fix is having at least one non-integrated, non-network-connected terminal as a failover. A mobile EFTPOS that connects via 4G, not via the venue Wi-Fi. Test it monthly. Have a written procedure for the duty manager to switch to manual mode and reconcile at end of day. Cost: roughly $30 per month for a standby Tyro mobile terminal. Cost of not having it: half a Friday night’s revenue, easily $8,000 to $25,000 depending on the venue size.

Trap Four: Wi-Fi From the Modem the NBN Guy Left

The venue is running on the NBN-provided modem-router with its single Wi-Fi network, default admin password, no VLANs, and no QoS. Every device in the venue shares one collision domain. The POS, the EFTPOS, the kitchen printer, the music streaming, the manager laptop, the guest phones. When 60 patrons all join guest Wi-Fi at 8pm, the POS terminals start dropping payments.

The fix is replacing the NBN modem-router with a proper small-business gateway and access point setup. UniFi is the most common choice for SME hospo: a Cloud Gateway, one or two access points sized for the venue, and a managed switch if there are wired devices. Total hardware cost typically $3,000 to $5,500 for a single-site venue. The performance and reliability difference on Saturday night is immediate.

The After-Hours Support Cost: The Realistic Maths

Hospitality operates outside of business hours, and any IT support model that does not is dangerous. Here is the realistic maths on the three common after-hours support arrangements we see.

| Model | Typical cost | Reality check |
| --- | --- | --- |
| The cousin / friend of the chef | $0 in theory | Unreliable when most needed. No accountability when Friday goes wrong. |
| Break-fix at after-hours rates | $220 – $320/hour after-hours, plus call-out | Two incidents a year and you have spent more than a proper service. |
| Managed service with 24/7 NOC | $60 – $90 per terminal per month, all-inclusive | Predictable. Sub-15-minute P1 response. Same-business-day on-site Melbourne metro. |

The honest economics: for any venue with three or more POS terminals and an integrated payments setup, the managed service maths beats break-fix the first time a Friday or Saturday incident occurs that gets resolved in 15 minutes instead of 90. The peace of mind for the venue owner is worth more than the dollar value.

TechAssist provides this for Melbourne hospitality clients out of our 24/7 NOC at Tecoma. We have 13 Australian engineers and operate two offices (Tecoma and 575 Bourke St CBD), which gives us the response window that actually matters for a 7pm POS incident at a Smith Street venue. Our pricing is per-user fixed monthly, so the venue knows what it costs.

A Real Melbourne Example: 110-Seat Venue in Carlton

A 110-seat Italian restaurant in Carlton engaged us in mid-2024 after the third Friday-night POS outage in six months. The previous IT person was a friend of the head chef, was reachable about 30 percent of the time outside business hours, and had set up the venue with a flat network running on the NBN-provided modem.

The discovery surfaced the typical issues. One Wi-Fi network for everything. POS admin password was “Carlton2018” and known to every current and former manager. Integrated EFTPOS on the same network as guest Wi-Fi. CCTV DVR with the manufacturer’s default password and footage retained indefinitely. Staff records on the kitchen office PC, which had not been backed up since the bookkeeper changed in 2021.

The remediation took three weeks of evenings and one full Sunday installation. We deployed a UniFi stack with three VLANs (corporate, customer, AV/IoT), moved staff records to Tanda, rebuilt POS user accounts with named manager logins and MFA, added a 4G failover EFTPOS terminal, replaced the CCTV system with a network camera setup behind authentication, and put the venue on our managed service with 24/7 NOC monitoring.

Project cost: $14,800 one-off plus per-user fixed monthly managed service. Saturday-night incidents in the eighteen months since: two, both resolved remotely in under 25 minutes. Friday-night POS outages: zero. The owner has the maths in the venue’s annual review pack and brings it up at every fit-out conversation he has with other operators.

The Fit-Out Decision: Get It Right Before Service Day One

The single highest-leverage moment in venue IT is during fit-out, when the cabling, the network gear, the POS, the EFTPOS, and the CCTV are being installed at the same time. Decisions made (or not made) during this window are baked in for the next three to five years.

The fit-out checklist that we recommend for any new Melbourne venue:

Cat6A cabling to every POS terminal location, every CCTV camera location, every wireless access point location, the office, and the bar. Wi-Fi is the operational backbone but POS terminals on hard-wired connections are dramatically more reliable than Wi-Fi-only terminals. The cost of running an extra few cables during fit-out is trivial. The cost of running them after fit-out is enormous.

Two power points at every POS location, on different circuits where possible. POS failures during service are often power failures, not software failures, and dual circuits buy you resilience.

A dedicated comms cabinet with cooling, in a location that is not the kitchen and not the cellar. We see comms cabinets in walk-in cool rooms (humidity kills gear) and over the stove (heat kills gear). A small wall-mount cabinet in the office is fine.

A proper small-business gateway and managed switch, not the NBN modem-router. Specify this in the fit-out scope so it gets installed by the network installer alongside the other gear, not bolted on three months later.

CCTV running over IP through the same managed switch infrastructure, not on a parallel coax system. The cost difference is small, the maintainability difference is large.

4G backup for the gateway. A USB 4G dongle attached to the gateway is enough. When the NBN goes down (and it will), the POS and EFTPOS keep working on the 4G backup until the NBN comes back.

For multi-site operators, talk to us about managed IT services Melbourne as a programme rather than a per-venue arrangement. The economics improve significantly once you have three or more venues in the portfolio. For venue owners who want an internal manager handling the day-to-day and our team covering the structural and after-hours work, our co-managed IT support model works well.

What This Costs for a New Melbourne Venue

A realistic IT budget for a new Melbourne hospo fit-out, separated into capital and operational.

| Item | Cost (AUD) | Type |
| --- | --- | --- |
| Structured cabling (80-seat venue) | $8,000 – $14,000 | Capital, fit-out |
| Network hardware (UniFi gateway, switch, 2 APs) | $4,500 – $6,500 | Capital, fit-out |
| POS hardware (4 terminals plus printers) | $8,000 – $16,000 | Capital, depends on POS |
| CCTV (8 IP cameras, NVR) | $4,500 – $7,500 | Capital |
| Comms cabinet, UPS, cooling | $2,500 – $4,000 | Capital |
| POS monthly subscription (4 terminals) | $400 – $1,200/month | Operational |
| Reservations platform | $200 – $600/month | Operational |
| Payments processing fees | 0.8% – 1.6% of card revenue | Operational |
| Managed IT (per terminal/user, 24/7 NOC) | $60 – $90 per user/month | Operational |
| Internet (NBN business plus 4G backup) | $160 – $260/month | Operational |

Total capital IT investment for an 80-seat venue: typically $30,000 to $48,000 including cabling and CCTV. Total operational IT cost: typically $1,200 to $2,800 per month before payments fees. These numbers scale roughly linearly with seat count up to about 200 seats, where the economics start to shift slightly in favour of larger systems.

Frequently Asked Questions

Can we just use Square for everything?

For a cafe or casual dining venue under about $1.5m revenue, yes, and it is a sensible choice. For mid-tier and higher venues, Square POS becomes constraining once you need deeper reservations integration, multi-venue reporting, or complex table management. The economics shift around the $1.5m revenue mark.

How important is 4G failover really?

Very, and the cost is negligible. About $30 to $60 per month for a 4G data plan that sits on the gateway as a backup path. When NBN goes down during peak service (and it does, every venue eventually), the POS and EFTPOS continue working on the 4G fallback for the 90 minutes or so it takes for NBN to recover. The first time it saves a Saturday night, it has paid for years.

Do we need PCI compliance?

If you process card payments through an integrated POS, you have PCI obligations, but most modern integrated payments setups (Tyro, Mx51, Square) push most of the technical compliance burden onto the payments provider through tokenisation and point-to-point encryption. The venue’s obligations are operational: not storing card data, controlling who has access to the POS, and following the payment provider’s compliance attestation process. A managed IT provider should handle the attestation work as part of the relationship.

What about CCTV in the kitchen?

Kitchen CCTV is legal under Victorian law with appropriate signage and a documented purpose (usually safety and incident review). The Fair Work and privacy obligations apply: staff should be aware, the footage retention should be defined, and access should be controlled. We recommend kitchen CCTV for venues that handle insurance claims involving slips, burns, or workplace incidents, because the footage is often determinative.

How do we handle staff using the office PC for personal browsing?

Either accept it and treat the office PC as a low-trust device (cloud HR system, cloud accounting, no sensitive data on the local drive), or lock it down and provide a separate staff break area device. The middle ground (a shared office PC with sensitive data on it) is the worst option because it eventually leaks data either deliberately or accidentally.

How do we find a hospitality-experienced IT provider?

Ask the question directly. How many Melbourne hospo clients do they support? What is their response time for a Friday 8pm POS incident? Have they integrated each of the major POS platforms? Do they understand the fit-out window? Most general MSPs do not have hospo experience and will treat your venue like an office, which is the wrong mental model. Reach our team via the contact page and we will arrange a venue walk-through. For broader provider selection, our how to choose an MSP Melbourne and top managed service providers Melbourne guides cover the framework.

Most cost-of-breach articles quote the IBM global average of 4.45 million US dollars. That number is useless if you run a 40-person professional services firm in Melbourne. It is calculated across global enterprises and tells you almost nothing about what a real incident costs an Australian SME.

This article does the opposite. It walks through a composite case study, anonymised but with real numbers from incidents we have helped respond to in late 2025, of a Melbourne professional services SME hit by a phishing-led business email compromise that escalated into a partial ransomware event. Line by line. Every number traceable to a real invoice, productivity calculation, or insurance excess. By the end you will have a defensible cost-of-incident model you can take to your board.

TechAssist has been responding to incidents like this since we were founded in 2014. Our cybersecurity services Melbourne team has worked on enough breaches across the Melbourne metro to know that the line-by-line numbers are remarkably consistent across firms of similar size. The variability is in the tail (insurance, customer churn, vendor questionnaires), and the tail is bigger than people expect.

The Case: A Hawthorn Professional Services Firm

The composite firm is 42 staff. Professional services, business advisory. Office in Hawthorn. Average revenue per consultant is $380,000 per year. Average gross margin around 55 percent. They had Microsoft 365 Business Standard (note: not Premium), a basic backup tool, MFA enabled but not enforced through conditional access, and a flat network with no segmentation. They had no formal incident response retainer, no tabletop exercises, and no cyber insurance until six months before the incident, when their bank required it as a condition of a working capital facility.

This is a deliberately realistic baseline. It is the security posture we see in roughly 30 to 40 percent of mid-market Melbourne firms when we first engage. Not abysmal, not great. Compliance with the obvious basics, gaps in the less-obvious depth.

The incident timeline: a senior consultant clicked a phishing link on a Wednesday afternoon, entered Microsoft 365 credentials into a credential-harvesting page, and the attacker logged into her mailbox at 4:47pm Melbourne time. By the time the consultant noticed something was off (Thursday morning), the attacker had set up inbox forwarding rules, created an OAuth app with mailbox-read permissions for persistence, and identified a finance team payment workflow they could exploit. Over the next four days, the attacker conducted classic business email compromise activities while also deploying ransomware on a file server the consultant had access to via mapped network drive.

The ransomware did not encrypt the entire estate. It encrypted approximately 40 percent of the file server contents, which included the active client engagement directory. The Microsoft 365 mailboxes and SharePoint were not encrypted but were exfiltrated, with evidence of approximately 12GB of data taken to an external server before the attacker was kicked out.

Line-by-Line: The Direct Costs

These are the invoices that hit the firm’s accounts payable system in the 90 days following the incident.

| Line item | Amount (AUD) | Notes |
| --- | --- | --- |
| Incident response retainer activation | $28,000 | External IR firm, week-one engagement. Includes after-hours rates. |
| Forensics and scoping | $45,000 | Full mailbox forensics, endpoint forensics on 18 devices, SharePoint audit log review, exfiltration scoping. |
| Ransomware containment and recovery | $18,500 | Server rebuild from backup, mailbox cleanup, OAuth app removal, credential rotation across the tenant. |
| Legal counsel (privacy and notification) | $22,000 | Privacy Act advice, Notifiable Data Breach assessment, customer notification language drafting. |
| Notification production and dispatch | $4,800 | Letters to affected individuals, customer email programme, regulator submission. |
| External communications support | $6,500 | Holding statement, FAQ document, two staff comms sessions, board briefing pack. |
| Additional security tooling (post-incident) | $14,000 | Upgrade to Microsoft 365 Business Premium for the whole tenant, Defender for Business deployment, conditional access policies. |
| Cyber insurance excess | $25,000 | Policy excess for first-party costs. Below total claim value. |
| Direct costs subtotal | $163,800 | |

These are the invoices. They are the part most articles cover. They are also, in our experience, only about 35 to 45 percent of the actual total cost of the incident. The bigger numbers are the indirect costs, which we will get to next.

Line-by-Line: The Productivity and Revenue Losses

The firm was substantially offline for nine business days. Full operations did not resume for fourteen business days. Email was down for four days during the cleanup. The shared file environment was down or partially down for seven days. The active client engagement directory took the longest to fully restore because some of the data required reconstruction from local copies, email attachments, and supplier records.

Here is what the productivity loss looked like.

Line item | Amount (AUD) | Calculation
Consultant productivity loss (9 days) | $110,000 | 40 consultants x $380k revenue / 220 days x 55% margin x 9 days x 40% efficiency loss.
Admin and support staff productivity loss | $8,500 | 6 staff x $85k salary / 220 days x 9 days x 100% loss for first 3 days, 50% for next 6.
Partner time on incident response | $32,000 | 2 partners at full opportunity cost over two weeks coordinating response.
Deferred client work | $26,000 | Two engagements pushed by three weeks; revenue recognition delayed, project margin compressed.
Productivity subtotal | $176,500 |

This is where the cost actually lives. The productivity loss is bigger than every invoice combined. And the only way to avoid this number is to maintain operations during the incident, which requires segmentation (so the incident does not take everything), backups that actually work (not just exist), and an incident response plan that has been rehearsed so the firm can keep working in a degraded mode while specialists clean up.

Note the calculation method. We are not double-counting. The 40 percent efficiency loss accounts for the fact that some work could continue on local copies, mobile devices, and via personal email. It is not a full revenue loss; it is the proportion of consultant time that was actually unproductive during the disruption period. For a fully air-gapped firm with no degraded-mode capability, this number would have been closer to $200,000.

The Indirect Costs: Where the Tail Really Hurts

The direct and productivity costs are large. The indirect costs are where the real long-term damage shows up, and these are the numbers boards consistently underestimate.

Customer churn. Two of the firm’s clients ended their engagement within four months of the incident. One cited the incident directly. The other did not, but the timing was clear. Combined annual revenue from those two clients: $340,000. Even attributing only 50 percent of the loss to the incident (because both clients had other contributing factors), the cost is $170,000 in lost annual revenue, or roughly $93,500 in gross margin in the first year. The two-year tail is materially worse.

Cyber insurance premium uplift. The firm’s cyber insurance premium at renewal increased from $11,400 per year to $34,800 per year, with a higher excess, more exclusions, and a requirement to demonstrate ongoing security controls (a quarterly attestation). Across a five-year window before they can credibly negotiate back down, that is roughly $117,000 in additional insurance cost.

Vendor security questionnaires. This is the cost that surprises most firms. Every existing enterprise client (and they had four) requested a detailed security questionnaire within three months of the incident becoming known. Each questionnaire required 8 to 14 hours of senior engineering time to complete, plus partner review and signoff. New business pursuits were paused for four months while they rebuilt their security posture sufficiently to credibly respond to procurement processes. We estimated the 14-month tail of vendor questionnaires and rebuilt pursuit activity at roughly $48,000 of internal time and $35,000 of opportunity cost from delayed new business.

Brand and recruitment impact. Harder to quantify. The firm reported two senior consultant hires falling through after the candidates raised the incident in second-round conversations. The estimated cost of the delayed hires and the additional recruitment spend was around $22,000.

Line item | Amount (AUD) | Notes
Customer churn (year 1 margin) | $93,500 | Conservative 50% attribution.
Cyber insurance premium uplift (5 years) | $117,000 | Premium increase plus higher excess.
Vendor security questionnaires (internal cost) | $48,000 | 14-month tail.
Lost new business (procurement gating) | $35,000 | Pursuits delayed or paused.
Recruitment impact | $22,000 | Hires falling through, additional recruitment spend.
Indirect cost subtotal | $315,500 |

The Total: A Real Number

Direct costs: $163,800. Productivity and revenue losses: $176,500. Indirect costs: $315,500. Total cost of the incident over the 14-month tail: $655,800.

That number, $655,800, is the realistic cost of a phishing-led BEC and partial ransomware incident for a 42-person Melbourne professional services SME with the security posture we described. Not 4.45 million dollars. Not 100,000 dollars. Somewhere between half a million and a million Australian dollars, depending on customer churn and how cleanly the insurance claim is handled.

If you scale this for a smaller firm (say 20 staff with $5m revenue), the number scales down roughly proportionally, but not linearly because the fixed costs (legal, IR, forensics) compress less. A similar incident at a 20-person firm typically lands between $300,000 and $500,000. For a 100-person firm, similar incidents land between $1.2 million and $2.5 million.

What Cyber Insurance Did and Did Not Cover

Cyber insurance is genuinely useful but is not a substitute for prevention. The Hawthorn firm’s policy covered most of the incident response retainer, forensics, legal counsel, and notification costs (about $99,000 of the first-party costs above the $25,000 excess). It did not cover the productivity loss, the customer churn, the premium uplift, or the indirect business impact.

The lesson: cyber insurance covers the bill from external responders. It does not cover the cost of being offline. It does not pay your consultants while they cannot work. It does not retain clients who have lost confidence. Insurance is a backstop for the invoiced costs. The productivity and tail costs are yours either way.

A second lesson: the insurer required, as part of claim acceptance, evidence of the controls the firm had attested to at policy inception. Their attestation said MFA was enforced on all users. In reality MFA was enabled but not enforced through conditional access, and the specific consultant whose credentials were compromised had MFA disabled via a legacy authentication grandfather clause. The claim was paid, but the next year’s renewal was tougher because the discrepancy was visible. Be careful what you attest to. Insurers will check.

What Would Have Prevented This Incident

Almost all of it was preventable, and almost none of the preventative controls were expensive relative to the incident cost. Here are the specific controls that would have prevented or substantially mitigated each phase.

The credential phishing would have been mitigated by phishing-resistant MFA (a hardware token or platform authenticator) instead of SMS or push notification MFA. Hardware tokens cost about $80 each. Platform authenticators (Windows Hello, Face ID) are free.

The credential theft, if MFA had been bypassed via a session-token phishing attack, would have been further mitigated by conditional access policies requiring a compliant device. The attacker’s session would have failed the device compliance check.

The OAuth app persistence would have been blocked by Microsoft 365’s Defender for Office 365 default policies (which block unverified app consent for users) and by an admin policy disabling user consent to apps without admin approval.

The lateral movement to the file server would have been mitigated by network segmentation (the consultant’s laptop should not have had unfiltered SMB access to the file server) and by application control (the ransomware payload should not have executed on the file server).

The ransomware impact would have been minimised by immutable backups with shorter recovery time objectives. The firm’s backup tool was working but the recovery process took four days because they had never tested it under realistic load.

The data exfiltration would have been detectable, and potentially preventable, by SharePoint download volume alerting and by data loss prevention policies on sensitive document libraries.

None of those controls is expensive. Microsoft 365 Business Premium (which includes most of them) costs about $36 per user per month, roughly $18,000 per year for the 42-person firm. The incident cost was $655,800. The math does not require a spreadsheet.

For the framework view, our zero trust security model explained guide covers how these controls fit together. For the backup and recovery side specifically, see our backup and disaster recovery Melbourne 2026 guide.

What Got Done in the Six Months After

The firm engaged us for remediation about three weeks into the incident response (their existing IT provider was not equipped to run incident response). Over the six months following the incident, the security posture was substantially rebuilt. Here is the rough sequence and cost.

Workstream | Cost (AUD) | Duration
Microsoft 365 uplift to Business Premium | $18,000 / year ongoing | Week 1
Conditional access and Intune deployment | $24,000 one-off | Weeks 2-5
Network segmentation (UniFi, four VLANs) | $28,000 one-off | Weeks 6-9
Backup overhaul with immutable copies | $22,000 one-off + $14,000/year | Weeks 10-13
Application control deployment (corporate VLAN) | $32,000 one-off | Weeks 14-22
Privileged access management | $18,000 one-off + $9,600/year | Weeks 16-20
Staff phishing training programme | $8,400/year | Week 8 onwards, quarterly
Quarterly tabletop exercises | $12,000/year | Started week 18
Six-month remediation total | $124,000 one-off + $62,000/year ongoing |

The remediation cost less than the incident cost by a factor of five. If the same investment had been made before the incident, the incident would either not have happened, or would have been contained at a cost roughly an order of magnitude smaller.

The firm is now aligned with Essential Eight Maturity Level Two on most controls and is targeting Maturity Level Three for the controls that matter most to their client base. They moved to managed IT services Melbourne with us under per-user fixed monthly pricing, which gave them predictable costs and 24/7 NOC coverage out of our Tecoma office. P1 incidents are responded to in under 15 minutes, and same-business-day on-site coverage across Melbourne metro is the standard SLA.

Lessons for Boards and Owners

If you read nothing else from this article, read this section. These are the takeaways for non-technical decision-makers.

The IBM global average is irrelevant. Your number is between three and ten times your annual cybersecurity budget, and the multiplier is higher the worse your starting posture is. Calculate your number based on your headcount, your revenue per head, your billable model, and your client base.

The invoice is the smallest part. Productivity loss and indirect cost are 60 to 70 percent of the real total. Reducing the incident cost means reducing time-to-recovery and reducing customer impact, not just having someone to call when it happens.

Cyber insurance is necessary but not sufficient. It pays the bills from external responders. It does not pay your staff while they cannot work, and it does not prevent customer churn.

The controls that matter most are not expensive. Microsoft 365 Business Premium, conditional access, MFA enforcement, network segmentation, immutable backups, and application control collectively cost less than 5 percent of the realistic incident cost for an SME of this size.

Your client base will assess your security posture after an incident, and possibly before. If you serve enterprise clients, expect vendor questionnaires. If you serve government, expect IRAP-adjacent assessments. The post-incident scramble to answer questionnaires you should have answered years ago is one of the bigger hidden costs.

For the broader buyer’s guide on getting the right partner in place, see how to choose an MSP Melbourne and our top managed service providers Melbourne review. Privacy obligations are covered in our Australian Privacy Act for SMBs guide.

Frequently Asked Questions

How long does an incident response engagement typically take?

The intense phase is two to three weeks. Containment is days one to three. Forensics and scoping is the first ten days. Remediation continues for one to three months depending on the depth of the cleanup required. The notification and regulatory tail can run six to nine months. The vendor questionnaire and customer trust tail runs twelve to eighteen months.

Does paying the ransom make sense?

Almost never. In this case the firm did not pay because backups, while slow to restore, were intact. In cases where backups are not viable, paying the ransom is a partial gamble even with reputable negotiation specialists, and the legal and reputational ramifications are significant. The Australian Government discourages ransom payment and is moving toward mandatory reporting of payments. Our advice is to invest in recovery capability so paying is not on the table.

What is the single highest-leverage control to deploy first?

MFA enforcement with conditional access for every user. It is the single control that would have prevented the largest proportion of the incidents we have responded to over the last three years. Specifically: MFA enforced at the conditional access layer (not just enabled), with phishing-resistant methods (passkeys, platform authenticators, or hardware tokens) for at least admin accounts and high-value users.

Do I need a 24/7 SOC?

For most SMEs, no. A managed service provider with 24/7 NOC monitoring and a documented escalation path to an incident response specialist covers the same risk at a fraction of the cost of a dedicated SOC. We provide this as part of our managed service from our Tecoma NOC. Once you exceed 200 staff or move into highly regulated industries, the calculus changes.

How often should we run tabletop exercises?

Quarterly for the first year after starting a security programme. Twice yearly thereafter. The first tabletop usually exposes more gaps than the actual control review did, because it surfaces decision-making issues that controls do not address (who calls the lawyer, who briefs the board, who talks to clients).

Where do I start if my security posture is similar to the case study firm?

Start with an assessment. Not a vendor pitch. An honest evaluation of where your gaps are, what they would cost to remediate, and what they would cost if exploited. We do this for Melbourne SMEs out of our Tecoma office and our 575 Bourke St CBD office. Reach the team via the contact page and we will run the assessment with you.

Network segmentation gets explained as a zero-trust enterprise project with microsegmentation and identity-aware proxies. That framing scares SMEs off, which is a shame. A 30-person Melbourne business can segment its network usefully in a weekend with a UniFi stack and four VLANs. The hard part is sequencing the work so each step reduces real risk.

This guide is the practical version. We will walk through the minimum-viable segmentation that actually reduces lateral movement risk for an Australian SME, the priority order (guest Wi-Fi first, because it is the cheapest win and stops half the dumb risks), where SMEs over-engineer and waste budget, a sample VLAN and firewall rule pack you can adapt, and the trap of segmenting your network without doing the identity work alongside it.

TechAssist has been deploying these stacks for Melbourne SMEs since we were founded in 2014. Our cybersecurity services Melbourne team treats segmentation as one of the highest-leverage controls available to a small business. It is not the most exciting work, but it is the work that means a phished receptionist credential does not become a domain-wide ransomware incident.

What Network Segmentation Actually Is

Segmentation is the practice of dividing your network into separate zones so that a device or user in one zone cannot freely communicate with devices in another zone. Each zone is governed by firewall rules that say what traffic is permitted between it and other zones.

The simplest example: your guest Wi-Fi should not be able to talk to your office laptops. Your office laptops should not be able to talk to your CCTV cameras. Your CCTV cameras should not be able to talk to your phone system. Your phone system should not be able to talk to anything except the SIP provider. If you implement those four rules, you have already done most of the segmentation work that meaningfully reduces risk.

The reason segmentation matters is lateral movement. Modern ransomware does not just encrypt the machine it lands on. It enumerates the local network, finds open shares, weak credentials, and unpatched services on other devices, and spreads. A flat network gives the attacker the entire estate. A segmented network gives them one VLAN.

This is not zero trust, despite what some vendors will tell you. It is the perimeter approach with internal perimeters added. Zero trust is the next step beyond segmentation, where every connection is authenticated and authorised regardless of zone. Read our zero trust security model explained guide for that broader picture. For most SMEs, getting segmentation right is the prerequisite, and the right place to stop for now.

The Minimum Four VLANs for a Melbourne SME

If you run a 15-to-100-person business and you want a segmentation design that actually reduces risk without becoming a multi-month project, run four VLANs. We deploy this exact pattern several times a quarter across our client base.

VLAN | Purpose | Devices | Typical IP range
10 – Corporate | Staff workstations, servers, file shares | Laptops, desktops, NAS, on-prem servers, Office 365-connected devices | 10.10.10.0/24
20 – Guest | Visitor internet only | Visitor phones, contractor laptops, guest tablets | 10.10.20.0/24
30 – IoT and AV | Smart devices, AV gear, CCTV, printers | Printers, cameras, smart TVs, AV controllers, Sonos, smart whiteboards | 10.10.30.0/24
40 – Voice | SIP phones and gateways | Desk phones, IP-PBX, SIP gateways | 10.10.40.0/24

Four VLANs sounds trivial. The reason it is enough for most SMEs is that each one represents a meaningfully different risk profile. Guest devices are unmanaged and untrusted. IoT devices are notoriously badly patched and run weird firmware. Voice devices have their own QoS needs and should not be exposed to general office traffic. Corporate is the only zone where managed, patched, and authenticated devices live.

If you have a meaningfully different workload, like a manufacturing floor with PLCs, an OT environment, or a clinical environment with medical devices, add a fifth VLAN for that. Do not collapse it into the IoT VLAN. The blast radius if it gets compromised is too different.

Priority Order: Guest Wi-Fi First

The single highest-leverage step you can take is splitting guest Wi-Fi from corporate Wi-Fi. It is cheap, it is fast, and it removes the most common dumb risk: a visitor’s compromised phone or a contractor’s malware-laden laptop pivoting onto your file server because they got the office Wi-Fi password.

The order we deploy in for a typical Melbourne SME segmentation engagement is as follows.

Week one. Guest Wi-Fi on its own VLAN with a captive portal, time-limited credentials, and a firewall rule that permits internet egress only. No access to internal subnets. This alone removes about 40 percent of the lateral movement risk for a typical SME.

Week two. Voice VLAN. Move the SIP phones onto their own VLAN, lock egress to your SIP provider’s IP range only, and prioritise QoS. This stops a compromised phone from talking to anything except the SIP provider and improves call quality at the same time.

Week three. IoT and AV VLAN. Move printers, cameras, smart TVs, AV gear, and any other unmanaged device onto its own VLAN. Permit only the management traffic the corporate VLAN needs (Bonjour and mDNS reflection for AirPrint, print server traffic, RTSP for camera viewing). Block everything else.

Week four. Corporate VLAN cleanup. Remove anything that should not be on the corporate VLAN, audit static IPs, document the segmentation in a network diagram, and set up monitoring alerts for inter-VLAN traffic that violates the rule set.

That is a four-week project for a typical 30-person Melbourne SME. Most of the cost is engineering time, not hardware. If you are already on UniFi, the hardware is essentially free, and the labour is roughly fifteen to twenty engineer-hours including documentation.

Where SMEs Over-Engineer

Segmentation has a way of attracting over-engineering. Here is what to skip if you are a 30-to-100-person business.

Microsegmentation. This is the practice of giving each workload or application its own segment with policies down to the application port level. It is the right answer for large enterprises with data centres and dozens of regulated workloads. It is not the right answer for a 40-person Melbourne law firm with one practice management system. Microsegmentation tooling costs more than the entire SME’s segmentation budget and adds operational complexity that the IT team cannot maintain.

Per-application firewalls. The pattern where each application has its own next-generation firewall with deep packet inspection rules. Same logic as above. It belongs to the enterprise data centre, not the SME network. For SMEs, a single perimeter firewall with sensible inter-VLAN rules covers the same risk at a fraction of the cost.

Identity-aware proxies for every internal application. Good idea in theory. In practice, deploying ZTNA across every internal app for a 30-person business takes three to six months of integration work, costs tens of thousands in licensing, and leaves the team frustrated. Start with corporate, guest, IoT, and voice segmentation. Then layer identity-aware access onto the two or three highest-value internal applications. Do not try to do all of it at once.

Dedicated SIEM and SOAR. SMEs that try to deploy a SIEM and incident orchestration platform alongside segmentation usually end up with both half-deployed. Use Microsoft Defender for Business or your MSP’s monitoring stack until you genuinely outgrow it. Our managed IT services Melbourne programme includes 24/7 NOC monitoring out of our Tecoma office, which covers what a small SIEM does for a fraction of the cost.

Sample VLAN and Firewall Rule Pack

Here is a sample rule pack that we deploy as a starting point on UniFi, pfSense, or Meraki gear. Adapt the IP ranges to your environment. The rules are written as “from-to: permit/deny.”

Source | Destination | Ports | Action | Reason
Guest VLAN | Any internal VLAN | Any | Deny | Guests must not touch internal anything.
Guest VLAN | Internet | 80, 443, 53 | Permit | Web and DNS only. No SMB, no RDP, no SMTP.
IoT VLAN | Corporate VLAN | Any | Deny | IoT devices initiate nothing into corporate.
Corporate VLAN | IoT VLAN | Print, RTSP, mDNS | Permit | Print to printers, view cameras, AirPrint.
IoT VLAN | Internet | 443, NTP | Permit | Vendor cloud and time sync. Block everything else.
Voice VLAN | SIP provider IPs | 5060, RTP range | Permit | SIP signalling and media to the provider only.
Voice VLAN | Any other VLAN | Any | Deny | Phones do not talk to laptops or printers.
Corporate VLAN | Internet | Any | Permit with filtering | Standard egress with DNS filtering and TLS inspection.
Corporate VLAN | Voice VLAN | HTTPS to PBX | Permit | Admin access to PBX from corporate only.
Any VLAN | Management VLAN | Any | Deny except admin | Network gear management is admin-only.

The thing to notice about this rule pack is how restrictive it is by default. Most SMEs run flat networks where everything can talk to everything. That is the disease. The cure is “deny by default” between VLANs and explicit permits only for the traffic you actually need. If you do not know whether a traffic flow is needed, it is not needed. Add it back if something breaks.
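The four-week priority order above and the rule pack it ends in can be checked on paper before anything is keyed into a gateway. The following is an added example, not TechAssist's configuration or any vendor's export: it models the table as first-match, deny-by-default rules in Python and evaluates constructed flows against them. The 10.10.x.0/24 ranges are the guide's; the management VLAN (10.10.1.0/24), the SIP provider range (203.0.113.0/24), the PBX address, the admin host and the concrete port numbers behind "Print", "RTSP", "mDNS", "NTP" and "RTP range" are assumptions and are marked as such in the code.

```python
"""Deny-by-default checker for the four-VLAN rule pack.

Added example, not TechAssist's deployment config. Zone ranges come from
the VLAN table in the guide; the management VLAN, SIP provider range, PBX
address, admin host and concrete port numbers are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Set

ZONES = {
    "corporate": ip_network("10.10.10.0/24"),
    "guest": ip_network("10.10.20.0/24"),
    "iot": ip_network("10.10.30.0/24"),
    "voice": ip_network("10.10.40.0/24"),
    "management": ip_network("10.10.1.0/24"),   # assumption: not in the guide's table
}
SIP_PROVIDER = ip_network("203.0.113.0/24")     # constructed (TEST-NET-3)
PBX = ip_address("10.10.40.10")                  # constructed PBX address
ADMIN_HOSTS = {ip_address("10.10.10.5")}         # constructed admin jump host

# Concrete ports behind the table's "Print", "RTSP", "mDNS", "NTP", "RTP range".
PRINT = {631, 9100, 515}               # IPP, raw JetDirect, LPD
RTSP = {554}
MDNS = {5353}
NTP = {123}
RTP_RANGE = set(range(10000, 20001))   # assumption: provider's media port range


@dataclass
class Rule:
    src: str                   # zone name, "admin" (ADMIN_HOSTS) or "any"
    dst: str                   # zone name or a selector handled in dst_match()
    ports: Optional[Set[int]]  # None means any port
    action: str                # "permit" or "deny"
    reason: str


def zone_of(ip: str) -> str:
    """Map an address to its VLAN zone; anything outside ZONES is the internet."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def src_match(selector: str, src_ip: str, src_zone: str) -> bool:
    if selector == "any":
        return True
    if selector == "admin":
        return ip_address(src_ip) in ADMIN_HOSTS
    return src_zone == selector


def dst_match(selector: str, src_zone: str, dst_ip: str) -> bool:
    dst_zone = zone_of(dst_ip)
    if selector == "any_internal":
        return dst_zone != "internet"
    if selector == "other_internal":            # "Any other VLAN" in the table
        return dst_zone not in ("internet", src_zone)
    if selector == "sip_provider":
        return ip_address(dst_ip) in SIP_PROVIDER
    if selector == "pbx":
        return ip_address(dst_ip) == PBX
    return dst_zone == selector                 # zone names and "internet"


# The guide's rule pack, in table order. First match wins; nothing else is permitted.
RULES = [
    Rule("guest", "any_internal", None, "deny", "Guests must not touch internal anything."),
    Rule("guest", "internet", {80, 443, 53}, "permit", "Web and DNS only."),
    Rule("iot", "corporate", None, "deny", "IoT devices initiate nothing into corporate."),
    Rule("corporate", "iot", PRINT | RTSP | MDNS, "permit", "Print, view cameras, AirPrint."),
    Rule("iot", "internet", {443} | NTP, "permit", "Vendor cloud and time sync."),
    Rule("voice", "sip_provider", {5060} | RTP_RANGE, "permit", "SIP signalling and media."),
    Rule("voice", "other_internal", None, "deny", "Phones do not talk to laptops or printers."),
    Rule("corporate", "internet", None, "permit", "Filtered egress (filtering lives elsewhere)."),
    Rule("corporate", "pbx", {443}, "permit", "Admin access to PBX from corporate only."),
    Rule("admin", "management", None, "permit", "The 'except admin' carve-out."),
    Rule("any", "management", None, "deny", "Network gear management is admin-only."),
]


def evaluate(src_ip: str, dst_ip: str, port: int):
    """Return (action, reason) for a flow; unmatched flows hit the implicit deny."""
    src_zone = zone_of(src_ip)
    for rule in RULES:
        if not src_match(rule.src, src_ip, src_zone):
            continue
        if not dst_match(rule.dst, src_zone, dst_ip):
            continue
        if rule.ports is not None and port not in rule.ports:
            continue
        return rule.action, rule.reason
    return "deny", "Implicit deny: no rule permits this flow."


# Constructed flows with the outcome the guide's rule pack should produce.
SAMPLE_FLOWS = [
    ("10.10.20.15", "10.10.10.20", 445, "deny"),      # guest -> corporate SMB
    ("10.10.20.15", "198.51.100.7", 443, "permit"),   # guest -> web
    ("10.10.20.15", "198.51.100.7", 25, "deny"),      # guest -> SMTP
    ("10.10.10.23", "10.10.30.40", 631, "permit"),    # corporate -> printer (IPP)
    ("10.10.30.40", "10.10.10.23", 445, "deny"),      # IoT -> corporate
    ("10.10.30.40", "198.51.100.7", 80, "deny"),      # IoT -> plain HTTP out
    ("10.10.40.21", "203.0.113.9", 15000, "permit"),  # phone -> provider RTP
    ("10.10.40.21", "10.10.10.23", 445, "deny"),      # phone -> laptop
    ("10.10.10.23", "10.10.40.21", 443, "deny"),      # corporate -> phone (not PBX)
    ("10.10.10.23", "10.10.1.1", 443, "deny"),        # non-admin -> switch management
    ("10.10.10.5", "10.10.1.1", 443, "permit"),       # admin host -> switch management
]


def audit(flows=SAMPLE_FLOWS):
    """Return flows whose evaluated action differs from the expected one."""
    return [(s, d, p, exp, evaluate(s, d, p)[0])
            for s, d, p, exp in flows if evaluate(s, d, p)[0] != exp]


if __name__ == "__main__":
    for s, d, p, _ in SAMPLE_FLOWS:
        print(f"{s:>12} -> {d:<14} :{p:<5} {evaluate(s, d, p)}")
    print("mismatches:", audit())
```

Replace SAMPLE_FLOWS with the flows your business actually depends on (practice management system, print server, camera NVR) and run audit() before cut-over: a flow that comes back "deny" when the business needs it is exactly the "add it back if something breaks" step, found without the outage.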

One detail that catches people out: print discovery. Modern printers use mDNS and Bonjour for discovery, which is broadcast-based and does not cross VLAN boundaries by default. You need either an mDNS reflector (UniFi calls it mDNS, Meraki calls it Bonjour Forwarding) configured between corporate and IoT VLANs, or you fix the printers in DNS with static A records and add them as IP-based printers. Both work. We usually prefer the static DNS approach because it is more deterministic.

The Trap: Segmenting Without Identity

This is the trap that costs SMEs more than any other in segmentation projects. You spend a weekend deploying four VLANs, you write a clean rule pack, you feel great, and then a phished user credential turns out to be a domain admin because identity hygiene was never done. The attacker authenticates as a privileged user, traverses your VLAN rules using legitimate credentials, and segmentation buys you nothing.

Segmentation is necessary but not sufficient. You also need identity hygiene. The minimum identity work to do alongside segmentation is as follows.

One. No standing domain admin. Domain admin rights are granted just-in-time, ideally through Privileged Identity Management in Entra ID, or at minimum through a separate dedicated admin account that requires MFA and is not used for email or browsing.

Two. MFA on everything. Not just email. RDP gateways, VPN, the firewall admin interface, the switch management interface, the wireless controller, the file server admin. If a credential gives access to something, that access requires MFA.

Three. Conditional access policies on Entra ID. At a minimum, require MFA for all users, block legacy authentication protocols, and require a compliant device for access to admin roles and high-value applications. This is included in Microsoft 365 Business Premium and is one of the highest-leverage controls available.

Four. Local admin password randomisation. Every Windows endpoint should have a unique, randomised local administrator password managed via LAPS or its modern equivalent in Intune. A consistent local admin password is one of the fastest paths to lateral movement, and most SMEs still have it.

Five. Application control allowlisting on at least the corporate VLAN endpoints. This is the hardest of the Essential Eight to deploy well, but it is also one of the most effective. See our deep dive on application control for the practical playbook.

Without those identity controls, segmentation is theatre. With them, segmentation becomes a meaningful second line of defence.

A Melbourne Example: 38-Person Architecture Practice in Richmond

A 38-person architecture practice in Richmond engaged us in early 2025 after a near-miss incident. A user clicked a phishing link, entered credentials into a fake Microsoft login page, and an attacker logged into their mailbox. The mailbox had access to a shared SharePoint library with five years of client documents, and the attacker started downloading files before MFA challenges (delayed by a policy gap) interrupted them.

The post-incident review showed three problems. First, no conditional access policy requiring MFA on every sign-in. Second, no device compliance check, so the attacker authenticated from an unmanaged device with no resistance. Third, flat network with no segmentation, so if the attacker had pivoted from email to internal systems, nothing would have stopped them.

We deployed in three phases. Phase one was identity hardening: conditional access, device compliance, MFA enforcement, LAPS on the Windows fleet. Phase two was segmentation, exactly the four-VLAN pattern above, with the addition of a fifth VLAN for the Revit project file server because it is high-value and warrants its own zone. Phase three was monitoring: alerting on inter-VLAN traffic that violated rules, alerts on impossible-travel sign-ins, and alerts on download volume anomalies in SharePoint.

Total project cost: just under $34,000 across three months. Total engineer time: 58 hours. Hardware: $4,800 of UniFi gear that replaced a single flat-network router and a consumer-grade access point. They have had zero security incidents in the eighteen months since.

The most important detail: the segmentation work would have been worthless without the identity work that came first. We do not deploy VLANs as a standalone project anymore. Segmentation comes packaged with identity hardening, or it does not come at all.

Hardware Choices: UniFi, Meraki Go, or Meraki Proper

Three tiers cover almost all Melbourne SME deployments. Each has trade-offs.

UniFi from Ubiquiti is the SME favourite for good reason. Hardware is one-time-cost, no recurring licences, the controller is good, and the gear is genuinely capable of handling four-to-six VLANs and the rule pack above. The trade-off is that you (or your MSP) own the operational lift. If the controller falls over, no vendor support phone number rescues you. We deploy UniFi for clients with an MSP relationship in place, because the MSP carries the operational responsibility.

Meraki Go is the entry-level cloud-managed option from Cisco. It is easy to set up, has a clean phone app, and is a good fit for businesses under 20 staff who want minimal operational complexity. The trade-off is feature ceiling. Once you want VLAN-aware DHCP scopes, more than basic firewall rules, or advanced visibility, you hit the ceiling. We tend to deploy Meraki Go for businesses we do not co-manage.

Meraki proper (the full Cisco Meraki dashboard) is the right answer for SMEs with serious compliance ambitions or with multi-site setups. The licensing cost is real (typically $80-$200 per device per year), but the cloud management, deep visibility, and reliability are excellent. We deploy this for clients in regulated sectors and for clients with three or more sites where central management saves enough engineer time to pay for itself.

None of these is the wrong answer. The right answer depends on whether you have an MSP, your compliance trajectory, and how much operational lift you want to carry yourself. Our MSP Melbourne team scopes the hardware decision as part of the segmentation engagement so the gear matches the operating model.

Monitoring: How You Know Segmentation Is Working

Deploying segmentation and not monitoring it is half the job. You need to know when a rule is being violated, when a device is in the wrong VLAN, and when traffic patterns indicate something abnormal.

The minimum monitoring set for an SME deployment:

Alert on denied inter-VLAN traffic above a threshold. A few denied packets are normal background noise. A sustained pattern of denied traffic from one IoT device trying to talk to a corporate file share is a signal worth investigating.

Alert on new devices in any VLAN. Especially the corporate VLAN. If an unknown MAC address suddenly appears, you want to know.

Alert on devices moving between VLANs. This should almost never happen during normal operations. If a device hops from IoT to corporate, something is misconfigured or, worse, someone is poking at the network.

Alert on rule changes. The firewall rule pack is now a security control. Changes to it should be logged, ideally reviewed, and definitely not made silently.
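The four alerts above can be expressed as a few dozen lines of detection logic. The following is an added example, not the TechAssist NOC's tooling: it runs the minimum monitoring set over a constructed log extract in Python. The log format (timestamp, source, event kind, key=value fields), the asset inventory and the five-denies-in-sixty-seconds threshold are all assumptions; a real UniFi or Meraki export needs its own parse_line().

```python
"""Minimum monitoring set for a segmented SME network, run over sample logs.

Added example, not the TechAssist NOC's tooling. The log format, the
inventory and the burst threshold are constructed assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: an IoT camera hammers a corporate file share, a
# guest device makes one stray attempt, an unknown MAC leases on the
# corporate VLAN, a known camera moves from VLAN 30 to VLAN 10, and
# someone disables a firewall rule.
SAMPLE_LOG = """\
2026-03-02T09:14:05 fw DENY src=10.10.30.40 dst=10.10.10.20 dport=445
2026-03-02T09:14:09 fw DENY src=10.10.30.40 dst=10.10.10.20 dport=445
2026-03-02T09:14:13 fw DENY src=10.10.30.40 dst=10.10.10.20 dport=445
2026-03-02T09:14:18 fw DENY src=10.10.30.40 dst=10.10.10.20 dport=445
2026-03-02T09:14:22 fw DENY src=10.10.30.40 dst=10.10.10.20 dport=445
2026-03-02T09:14:30 fw DENY src=10.10.20.15 dst=10.10.10.20 dport=445
2026-03-02T09:15:01 dhcp LEASE mac=aa:bb:cc:00:00:01 ip=10.10.10.51 vlan=10
2026-03-02T09:15:40 dhcp LEASE mac=aa:bb:cc:00:00:99 ip=10.10.10.77 vlan=10
2026-03-02T09:16:12 dhcp LEASE mac=aa:bb:cc:00:00:03 ip=10.10.30.40 vlan=30
2026-03-02T09:45:00 dhcp LEASE mac=aa:bb:cc:00:00:03 ip=10.10.10.88 vlan=10
2026-03-02T10:02:00 fw RULE_CHANGE user=helpdesk rule=iot-to-corporate change=disabled
"""

# Constructed asset inventory: MAC -> description. Anything else is unknown.
INVENTORY = {
    "aa:bb:cc:00:00:01": "staff laptop",
    "aa:bb:cc:00:00:03": "lobby camera",
}


def parse_line(line):
    """Split one constructed log line into a dict of fields."""
    ts, source, kind, rest = line.split(" ", 3)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields.update(ts=datetime.fromisoformat(ts), source=source, kind=kind)
    return fields


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def denied_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Alert once per (src, dst) when denies inside a sliding window reach threshold."""
    alerts, recent, fired = [], defaultdict(deque), set()
    for ev in events:
        if ev["kind"] != "DENY":
            continue
        key = (ev["src"], ev["dst"])
        q = recent[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:      # drop denies older than the window
            q.popleft()
        if len(q) >= threshold and key not in fired:
            fired.add(key)
            alerts.append({"type": "denied_burst", "src": ev["src"],
                           "dst": ev["dst"], "count": len(q)})
    return alerts


def new_devices(events, inventory):
    """Alert on MACs not in the inventory; the corporate VLAN (10) is high severity."""
    alerts, seen = [], set()
    for ev in events:
        if ev["kind"] != "LEASE" or ev["mac"] in inventory or ev["mac"] in seen:
            continue
        seen.add(ev["mac"])
        alerts.append({"type": "new_device", "mac": ev["mac"], "vlan": ev["vlan"],
                       "severity": "high" if ev["vlan"] == "10" else "medium"})
    return alerts


def vlan_hops(events):
    """Alert when a MAC leases in a different VLAN from its previous lease."""
    alerts, last_vlan = [], {}
    for ev in events:
        if ev["kind"] != "LEASE":
            continue
        prev = last_vlan.get(ev["mac"])
        if prev is not None and prev != ev["vlan"]:
            alerts.append({"type": "vlan_hop", "mac": ev["mac"],
                           "from": prev, "to": ev["vlan"]})
        last_vlan[ev["mac"]] = ev["vlan"]
    return alerts


def rule_changes(events):
    """Every rule change is an alert: the rule pack is now a security control."""
    return [{"type": "rule_change", "user": ev["user"], "rule": ev["rule"],
             "change": ev["change"]} for ev in events if ev["kind"] == "RULE_CHANGE"]


def triage(text=SAMPLE_LOG, inventory=INVENTORY):
    """Run the full minimum monitoring set and return the alerts in order."""
    events = parse_log(text)
    return (denied_bursts(events) + new_devices(events, inventory)
            + vlan_hops(events) + rule_changes(events))


if __name__ == "__main__":
    for alert in triage():
        print(alert)
```

The single guest deny is deliberately left below threshold: that is the background noise the text describes, and the sliding window is what separates it from the IoT device that keeps trying. The inventory lookup is only as good as the asset register behind it, which is another reason the week-four documentation step is not optional.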

Our 24/7 NOC out of Tecoma handles this monitoring for our managed clients. We respond to P1 incidents in under 15 minutes and are on-site across Melbourne metro within the same business day when something needs hands on gear. For clients running their own ops with our co-managed IT support model, we share the monitoring with the internal team and escalate when thresholds are crossed.

How This Fits With Essential Eight and ISO 27001

Segmentation is not explicitly an Essential Eight strategy, but it is referenced under several of them and is foundational to a Maturity Level Two posture. Restricting administrative privileges, restricting Microsoft Office macros, and application control all become more enforceable when segmentation has limited the blast radius of any single compromised endpoint.

For ISO 27001, segmentation falls under Annex A.13 (Communications Security) and contributes evidence for several other controls. We do not certify clients (we are ISO 27001 capable, not a certifying body), but we have helped a number of Melbourne SMEs pass certification audits, and segmentation always shows up positively in the auditor’s review.

For Privacy Act obligations, segmentation reduces the population of data potentially affected in a breach, which can change the calculus on notifiable data breach decisions. See our Privacy Act for SMBs guide for the data handling context.

What This Costs for a Typical Melbourne SME

The all-in cost for a 30-to-50-person SME segmentation engagement, including identity hardening and ongoing monitoring, breaks down roughly as follows.

| Line item | Cost (AUD) | Notes |
|---|---|---|
| Network hardware (UniFi) | $5,000 – $8,000 | Gateway, switches, access points for one site. |
| Segmentation engineering | $6,000 – $9,000 | 40-60 hours including documentation. |
| Identity hardening (CA policies, MFA, LAPS) | $4,000 – $6,000 | One-off, assumes Microsoft 365 Business Premium in place. |
| Documentation and handover | $1,500 | Network diagrams, rule pack, runbook. |
| Ongoing monitoring (per user per month) | From per-user fixed monthly pricing | Part of TechAssist managed service. |

Total project cost typically lands between 20 and 30 thousand dollars depending on existing hardware, site complexity, and how much identity work is needed alongside the segmentation. The ongoing monitoring sits inside our per-user fixed monthly managed service pricing, so there is no surprise on the operational side.

Compared to the cost of a single ransomware incident (we covered this in another article and the realistic number for an SME is between $150,000 and $400,000 including downtime and customer churn), the segmentation project pays for itself if it prevents one incident. The maths is usually obvious in the boardroom.

Frequently Asked Questions

Can I do segmentation myself with a consumer router?

No. Consumer routers do not support meaningful VLAN tagging, and the firewall capabilities are not granular enough to write the kind of rule pack that makes segmentation worth doing. You need at minimum a small-business gateway like a UniFi Cloud Gateway, a Meraki Go GX, or an equivalent. The hardware costs less than a couple of staff laptops, so the price is not the obstacle.

Will segmentation slow down my network?

On modern gear, no. The gateway processes inter-VLAN routing at line rate, and the firewall rules add microseconds of latency, not milliseconds. The only place we see performance issues is when an SME tries to deploy deep packet inspection and TLS interception on undersized hardware. If you size the gateway correctly for your throughput, segmentation is invisible to users.

Do I need separate physical switches for each VLAN?

No. VLANs are logical, not physical. One managed switch handles all four VLANs at once, tagging traffic on the uplink to the gateway. The only reason to use physically separate switches is for an OT or industrial environment with very strict isolation requirements, and that is not most SMEs.

What about working from home: do segmentation rules apply on the VPN?

This is the part that gets missed. If your remote workers VPN in and land in the corporate VLAN by default, your segmentation has a hole. The fix is either a separate VPN VLAN with its own rule set, or, better, moving away from VPN entirely and using Entra ID conditional access with device compliance checks for application access. The latter is the modern approach and avoids the VPN-as-trust-domain problem entirely.

How often should the rule pack be reviewed?

Quarterly at minimum, and after any significant change to the application stack. We review rule packs as part of our managed client quarterly business reviews, and we use those reviews to remove rules that are no longer needed (which is more common than adding new ones).

What if a vendor needs access to one of my internal systems?

Vendor access should land in a dedicated vendor-access zone with explicit rules to the specific systems they need. Do not give vendors guest Wi-Fi credentials and ask them to VPN. Do not give them corporate Wi-Fi access. A dedicated zone with explicit permissions, ideally with MFA and time-bound credentials, is the right pattern.

How do I get started?

The honest first step is an assessment. We will look at your existing network, your endpoint fleet, your identity setup, and your compliance trajectory, and we will give you a sequenced plan. We do this for Melbourne clients regularly out of both our Tecoma office and our 575 Bourke St CBD office. Reach the team via the contact page and we will sort out a discovery session.

Most Microsoft 365 vs Google Workspace comparisons are written by Microsoft Partners and read like a sales pitch. Here is the straight version. Google wins for sub-15-person startups, design agencies, and web-native teams. Microsoft wins for anything compliance-driven, anything with Windows endpoints, and anything that touches Excel-heavy finance or operations tooling.

That is the headline. The rest of this article shows the working. We will cover the licensing reality in 2026, the Copilot versus Gemini story without the marketing gloss, the security and admin gap that has quietly widened, Australian data residency and Privacy Act considerations, and the genuine cost of switching either direction. Spoiler: it is almost always three to five months of dual-running, and the migration is rarely the expensive part.

TechAssist has been running these conversations with Melbourne SMEs since we were founded in 2014. Our managed IT services Melbourne team has migrated firms in both directions, so the bias here is genuinely thin. If anything, our preference leans Microsoft for clients in regulated sectors and Google for clients whose entire workflow lives in a browser, but the answer depends on what you actually do for a living.

The Honest Summary Up Front

If you want the verdict before the detail, here it is. Pick Google Workspace if you are under 15 staff, your team lives in Chrome, you do not run any line-of-business application that requires Windows, and you do not have meaningful compliance obligations beyond the Australian Privacy Act baseline. Pick Microsoft 365 if you have Windows endpoints, finance staff who live in Excel, ISO 27001, Essential Eight or sector-specific compliance ambitions, or any line-of-business application that integrates with Outlook calendars, SharePoint document libraries, or Power BI.

The grey zone is the 15-to-50-staff Melbourne SME with mixed Mac and Windows endpoints, a handful of legacy Office documents, and a desire to use Gmail because the founder likes it. That is the zone where the decision actually matters, and where most of our consulting time goes.

Licensing and Pricing in 2026

The headline SKUs have not changed dramatically, but the value gap inside each plan has. Microsoft has loaded more security and compliance into the mid-tier Business Premium plan, while Google has shifted more of its AI value into the Gemini Business and Enterprise add-ons. The result is that the apples-to-apples comparison is genuinely harder in 2026 than it was two years ago.

Here is the realistic comparison for a 30-person Melbourne SME at current AUD list pricing, rounded for clarity. Your actual prices via a partner will be slightly lower, but the ratios hold.

| Plan tier | Microsoft 365 | Google Workspace | What you actually get |
|---|---|---|---|
| Entry | Business Basic – approx $11/user/month | Business Starter – approx $12/user/month | Email, web apps, 30GB storage. Limited admin and security. |
| Mid | Business Standard – approx $22/user/month | Business Standard – approx $24/user/month | Desktop apps (M365 only), 1-2TB storage, basic meetings. |
| Security-grade | Business Premium – approx $36/user/month | Business Plus – approx $34/user/month | Intune/MDM, Defender, conditional access (M365). Vault, advanced endpoint (Google). |
| AI add-on | Copilot – approx $46/user/month extra | Gemini Business – approx $34/user/month extra | In-app AI across the suite. |

The numbers look close. They are not. The security-grade tier comparison is the one most decision-makers get wrong. Business Premium on Microsoft includes Intune device management, Defender for Business endpoint protection, conditional access, Azure AD Premium P1 (now Entra ID P1), and Purview data loss prevention. Google Business Plus includes Vault retention, advanced endpoint management, and Drive labels, but it does not include the equivalent of conditional access without stepping up to Enterprise Standard or Plus, which approximately doubles the per-user cost.

For a 30-person firm in Cremorne with Windows laptops, Business Premium replaces three or four separate tools that you would otherwise buy: a mobile device management product, an endpoint security product, a multi-factor enforcement layer, and a data loss prevention tool. That is the bundle value that has widened. It is not visible in the headline SKU price.

Where Google Wins, Honestly

Google Workspace genuinely wins in three scenarios, and we recommend it for all three.

The first is the sub-15-person startup. If you are five to twelve people, you live in a browser, you collaborate constantly in shared documents, and your security threat model is mostly phishing and credential theft, Google Workspace is faster to deploy, easier to administer without an IT team, and the collaboration UX is better. Docs and Sheets real-time editing remains a notch ahead of Word and Excel on the web, and the unified search across Drive, Gmail, and Calendar is excellent.

The second is the design or creative agency. If your team is on Macs, you use Figma, Adobe Creative Cloud, and Slack, and your finance person is the only one who touches a spreadsheet seriously, the Microsoft stack is overkill. Google Workspace plus a third-party MDM like Kandji or Jamf will serve you well. We have a 22-person creative agency client in Fitzroy that runs exactly this stack and has zero appetite to switch.

The third is the genuinely web-first business: SaaS companies, marketing agencies, online publishers, e-commerce operators. Teams whose entire workflow is browser tabs and where Microsoft’s deep desktop integration provides no value. Google is leaner here, and Gemini’s integration with Search and YouTube is genuinely useful for these workflows in ways that Copilot’s Office integration is not.

Where Microsoft Wins, Also Honestly

Microsoft 365 wins in more scenarios than Google fans like to admit, and the gap has widened in 2024 and 2025.

The first and biggest is compliance. If you are pursuing ISO 27001, aligning with the Essential Eight, or operating in a sector with specific data handling requirements (legal, health, financial services, government supply chain), Microsoft Purview, Defender, and Entra ID together give you the audit trail, the controls, and the certifications evidence that auditors expect. Google can technically achieve much of this, but the auditor-readiness gap is real, and we have seen it cost clients during certification.

The second is Windows endpoint reality. Most Australian SMEs run Windows. Intune is now genuinely good. Autopilot deployment for a new laptop is a fifteen-minute experience for the user, and the device arrives at the desk pre-enrolled and pre-configured. Google’s endpoint management story for Windows is workable, but it is not in the same league. If your fleet is Windows, this matters every single week.

The third is finance and operations integration. Power Query, Power Pivot, Power BI, and the broader Power Platform tie into Excel and Outlook in ways that have no Google equivalent. If your finance manager is building cashflow models, your operations team is reconciling job costing across two systems, or your sales lead lives in pipeline spreadsheets, the Microsoft ecosystem is genuinely more productive.

The fourth is line-of-business application integration. Practice management systems in Melbourne law firms, patient management in healthcare practices, ERP and MRP systems in manufacturing, and most Australian accounting and payroll platforms integrate more deeply with Microsoft than Google. The Outlook calendar plug-in, the SharePoint document repository, the Teams meeting integration. These are table stakes for serious vertical software.

Copilot vs Gemini: The Honest Take

Both AI assistants are useful. Both are overhyped by their vendors. Both will be markedly better in twelve months than they are today. Here is what we are seeing in actual SME use in 2026.

Copilot in Microsoft 365 is genuinely useful when it can see across your tenant. Drafting emails from meeting notes, summarising long Teams threads, generating first-draft PowerPoint from a Word brief, and pulling figures from Excel into commentary. The killer use case for SMEs is Teams meeting summaries with action items. Once finance and operations staff have used this for a month, taking it away is painful. The weak spot is reliability on numerical reasoning in complex spreadsheets, and the occasional confident hallucination when pulling data from SharePoint sites it should not be searching.

Gemini in Workspace is strong on text generation in Docs, summarising Gmail threads, and the integration with Google Search for research is genuinely useful. The meeting note-taking in Meet is good. The weak spot is that Gemini in Sheets is not yet at Copilot in Excel parity for serious analytical work, and the Drive search story is less mature than SharePoint plus Copilot for document-heavy organisations.

The honest answer on cost-benefit: at $46 per user per month for Copilot, you need each user to save roughly 45 minutes a week to break even on a $100k salary. We are seeing that achieved in about 60 percent of seats in client deployments, with marketing, sales, and executive assistants getting the highest return, and field-based staff getting the lowest. Gemini at $34 per user per month has a slightly easier payback maths but a slightly narrower set of killer workflows. If you are deciding whether to buy AI for your suite at all, the answer in 2026 is yes for office-based staff and no for field, retail, or shop-floor staff.

The Security and Admin Gap

This is the section where we annoy Google fans. The security and administration gap between Microsoft 365 Business Premium and Google Workspace Business Plus has widened, and pretending otherwise is not helpful to clients.

Conditional access is the clearest example. On Microsoft, you can write a policy that says “users in the finance group can only access the payroll system from a managed device, on a trusted network, with a fresh MFA challenge, between business hours, from Australia.” That policy is enforced at the identity layer for any application using Entra ID for sign-in. On Google, the equivalent context-aware access requires Enterprise tier, and the policy expressiveness is meaningfully thinner.

Endpoint management is the second example. Intune with Defender for Business gives you device compliance evaluation, attack surface reduction rules, controlled folder access, web content filtering, and integration with conditional access in one stack. Google’s endpoint management is fine for Chromebooks, workable for Mac, and basic for Windows.

The third is data loss prevention. Purview DLP can scan content in SharePoint, OneDrive, Exchange, Teams, and increasingly third-party SaaS via Defender for Cloud Apps. Google DLP works well within Drive and Gmail but does not extend as broadly.

None of this means Google is insecure. It is not. It means that if your cybersecurity services Melbourne requirements include detailed conditional access policies, device-based access controls, or aligning to Essential Eight Maturity Level Two, Microsoft gets you there with less bolting-on. Read our zero trust security model explained guide for the framework view.

Australian Data Residency and the Privacy Act

Both Microsoft and Google host Australian customer data in Australian data centres for the core services. Microsoft uses the Australia East and Australia Southeast regions for Exchange Online, SharePoint Online, OneDrive, and Teams. Google uses Australian data centres for Workspace core data at rest. So far, so similar.

The differences appear at the edges. Microsoft publishes detailed data location commitments for each workload, and the Advanced Data Residency add-on lets you pin certain services more strictly. Google’s data residency commitments are good but less granular below the core service level. For most SMEs, this does not matter. For clients we work with in government supply chain or in regulated sectors where data sovereignty questionnaires come up, it matters significantly.

Both vendors comply with the Australian Privacy Act and the Notifiable Data Breaches scheme as data processors. Your obligations as a data controller do not go away by choosing either. If you handle personal information at scale, read our Australian Privacy Act for SMBs guide for the practical checklist.

The Real Cost of Switching

This is where most articles lie to you. They quote the migration tooling cost, which is small, and ignore the dual-running cost, the retraining cost, and the lost-productivity tail, which are large.

Here is the realistic switching cost for a 50-person Melbourne SME moving from Google Workspace to Microsoft 365 or vice versa. We will use a worked example: a 50-person property services firm in Hawthorn we migrated in early 2025 from Google to Microsoft because they had taken on a client who required vendor security questionnaires they could not answer cleanly.

| Cost line | Amount (AUD) | Notes |
|---|---|---|
| Migration project (planning, tooling, execution) | $18,000 | Mail, Drive, calendars, contacts. Fixed fee. |
| Dual-licensing during cutover (4 months) | $13,200 | Both suites paid simultaneously to ensure no data loss. |
| Endpoint reconfiguration | $6,500 | 50 devices re-enrolled, profiles redeployed. |
| Training and change management | $4,800 | Two group sessions plus drop-in clinics. |
| Productivity dip (first 6 weeks) | $28,000 estimated | 10% productivity reduction across the team while learning new tools. |
| Total realistic cost | $70,500 | Roughly $1,400 per user. |

That is the real cost. The migration project line is the only one most quotes show you. The dual-licensing, the productivity dip, and the change management are usually invisible until you are deep in the project. We had this client back to full productivity by week eight, and the ROI is positive within the second year because they retained the client whose questionnaire triggered the move. But if you switch suites without that kind of trigger, the payback is much harder to justify.

The honest test we run with clients: if you cannot articulate a specific business reason for the switch that is worth at least 1,500 dollars per user, do not switch. Stick with what you have and make it better.

Melbourne Examples: When We Recommend Each

A 12-person digital marketing agency in Collingwood. All Macs, Slack, Figma, web analytics tools, two finance staff using Xero. We recommended Google Workspace Business Plus alongside Kandji for Mac MDM. Total stack cost roughly $850 per month. They are happy, audit-clean for their compliance needs, and the founder loves the Gmail UX.

A 35-person mechanical engineering consultancy in Box Hill. Windows fleet, AutoCAD and Revit, project management in a Microsoft-integrated platform, finance team building project costing models in Excel. We recommended Microsoft 365 Business Premium, Intune-managed Windows 11 devices delivered via Autopilot, Defender for Business, and Copilot for the senior engineers and finance team only. Total stack cost roughly $2,800 per month for the M365 layer. They cleared an ISO 27001 surveillance audit cleanly last quarter.

A 28-person allied health practice in Camberwell. Mixed Mac and Windows, patient management system that integrates deeply with Outlook calendars, NDIS and Medicare claiming. We recommended Microsoft 365 Business Premium for the integration reasons, Intune for device management, Defender for endpoint protection, and a structured Purview information protection deployment because patient information requires strict handling. Total cost slightly higher than Google would have been, but the integration requirements ruled Google out at the discovery stage.

For our broader take on choosing partners and platforms, see how to choose an MSP Melbourne and our top managed service providers Melbourne overview.

How TechAssist Approaches the Decision

We are platform-agnostic for genuine reasons. We were founded in 2014, we have 13 Australian engineers between our Tecoma office and our 575 Bourke St CBD office, and we operate a 24/7 NOC out of Tecoma. We migrate clients in both directions every quarter. Our per-user fixed monthly pricing does not change based on which suite you choose, so we have no commercial incentive to push either.

For new clients in our MSP Melbourne programme, we run a one-day platform assessment. We look at your endpoint fleet, your line-of-business applications, your compliance trajectory, your team’s working style, and your current pain points. We recommend Microsoft or Google based on the answer, not based on the margin. We respond to P1 incidents in under 15 minutes, and we run same-business-day on-site visits across Melbourne metro when something needs hands on hardware. The platform under the hood matters less than the discipline around it.

Our cloud services Melbourne team can scope a migration in either direction with a realistic dual-running budget and a change management plan, not just a tooling quote. Our co-managed IT support model also works if you have an internal IT lead who wants to keep the strategic decisions in-house and outsource the operational lift.

Frequently Asked Questions

Can a small business get away with just the entry-level plan?

For a five-to-ten-person business with low compliance requirements, the entry-level plan plus a third-party MFA enforcement layer and a basic backup tool will work. For anything more, the security and management gap between the entry tier and the security-grade tier is large enough that the entry tier is a false economy. We see clients spend more remediating after a security incident than they saved over three years of running on the entry tier.

What about Outlook on Mac with Google Workspace?

It works, but it is not great. If your team is on Mac and your founder wants Gmail, lean into the Google ecosystem fully rather than trying to bridge Outlook to Gmail. The hybrid setup creates calendar invitation issues, contacts sync issues, and frustrating support tickets. Pick one ecosystem.

Is Copilot worth it for a 20-person business?

For ten of those twenty people, yes. For the other ten, probably not. Buy Copilot for the seats where it will see daily use: executive assistants, sales, marketing, finance leads, and anyone whose job involves drafting documents, summarising meetings, or building reports. Do not buy it for field staff, warehouse staff, or part-time admin staff. The per-seat economics only work when actually used.

How long does a Microsoft to Google or Google to Microsoft migration actually take?

The migration tooling runs over a weekend. The dual-running window is three to five months. The team is at full productivity on the new platform by week eight to twelve. The cleanup of the old tenant takes another month or two. Anyone who tells you it is a one-month project is selling you a migration, not a successful outcome.

What about hybrid: some users on Microsoft and some on Google?

Avoid it unless you have a genuinely good reason, like a recent acquisition you are integrating. Hybrid creates shared calendar friction, email signature inconsistency, document collaboration confusion, and double the admin workload. We have a few clients running hybrid for legitimate transitional reasons. None of them are happy about it.

How do I get an honest scoping conversation?

Talk to us. We will tell you which platform fits your business and which one does not, and we will do that regardless of what you end up choosing. Reach our team via the contact page or call the office. The conversation is free and the recommendation will be straight.

For Australian SMEs under 200 seats, the four real cloud phone options in 2026 are Microsoft Teams Phone, 3CX, RingCentral, and Aircall. Each one is the right answer for a specific business profile and the wrong answer for others. This buyer’s guide compares them honestly on cost, fit, number porting, and resilience for Australian conditions.

Why this guide exists

Most Australian buyer’s guides for cloud phone systems read like a vendor brochure with a different cover. The advice is generic, the comparisons are shallow, and the local detail (porting timelines with TPG or Aussie Broadband, ACMA implications, what happens during an outage on the NBN) is missing. We have deployed and supported all four of these platforms inside our managed IT engagements since founding TechAssist in 2014, and the local detail is where most of the cost and risk hides.

This guide is opinionated. We will tell you which platform we recommend by default for which profile, and where we have seen each one go wrong. The goal is not to sell you on a particular vendor; it is to help you make a defensible choice that you will still be happy with in three years.

The four real options

Microsoft Teams Phone

The right answer for businesses that already run Microsoft 365 E3 or E5, want one platform for chat, video, and voice, and have a relatively standard office and remote staff mix without heavy call centre or sales dialler requirements.

Strengths:

  • Single identity, single client, single admin centre with the rest of your Microsoft estate
  • Native Teams app on every device people already have
  • Tight integration with calendar, presence, and meeting recording
  • Operator Connect or Direct Routing options give flexibility on the carrier side
  • Compliance and call recording aligned to the broader Microsoft 365 compliance stack

Weaknesses:

  • Native call queueing and IVR are basic compared to a dedicated UCaaS or contact centre platform
  • Real call centre features (skill-based routing, advanced wallboards, supervisor monitoring) require add-ons or a third-party contact centre integration
  • Sales-dialler workflows are clunky; no native power dialler
  • Voice quality depends heavily on the network and the device; soft phones on personal Wi-Fi can be unreliable

Best fit: professional services, accounting, legal, healthcare admin, and any organisation where the phone is a normal-volume business tool rather than the primary production system. For a 38-staff South Yarra law firm we recently deployed, Teams Phone with Operator Connect through an Australian carrier was the obvious answer because the firm already had M365 Business Premium and the call volume was about 40 inbound calls per partner per day.

3CX

The right answer for businesses that want maximum control, are comfortable with a more technical platform, and either want to self-host or run on a tightly managed instance. Also the right answer for businesses migrating from a legacy on-premises PBX who want a familiar feature set.

Strengths:

  • Strong feature parity with traditional PBX systems (call queues, ring groups, advanced IVR, hot desking)
  • Can be self-hosted in Azure, AWS, or on-premises; or run on a 3CX-hosted instance
  • Per-system pricing rather than per-user pricing, which can be significantly cheaper at scale
  • Strong third-party SIP trunk support, so you can choose your Australian carrier
  • Good softphone and mobile apps; reasonable Teams integration if needed

Weaknesses:

  • Requires technical administration; not a ‘set and forget’ platform
  • Self-hosted instances need patching, monitoring, and backup (real infrastructure work)
  • UI is functional rather than polished; staff onboarding is harder than Teams
  • 3CX itself has had security incidents in recent years (the 2023 supply chain compromise) which raised concerns; subsequent response has been adequate but worth noting

Best fit: businesses that already have IT capacity (internal or co-managed), value control over the platform, and have specific feature requirements that consumer-grade UCaaS platforms do not meet. We run 3CX in our own environment and for a number of clients where the cost model and the feature set are right. For a 65-staff manufacturing business in Dandenong South, 3CX with SIP trunks from an Australian carrier and a redundant pair of instances in Azure was the right call because the on-premises requirement (a few hundred handsets across two sites with paging integration) ruled out the pure-cloud UCaaS options.

RingCentral

The right answer for businesses that want a full unified communications-as-a-service experience with a polished UI, strong analytics, and built-in contact centre options for when the business grows into them.

Strengths:

  • Polished, consumer-grade user experience across mobile, desktop, and web
  • Built-in video, messaging, fax, SMS, and voice in one platform
  • Strong analytics and reporting out of the box
  • Contact centre add-on (RingCX) is mature and integrates natively when needed
  • Strong CRM integrations (Salesforce, HubSpot, Zoho) without third-party connectors

Weaknesses:

  • Per-user pricing is at the higher end of the market
  • Australian carrier and number porting flexibility is more limited than 3CX
  • Bundle includes features many SMEs do not use, which inflates the per-seat cost
  • Account management can be inconsistent; SMEs sometimes feel underserved

Best fit: customer-facing businesses with 30 to 150 staff that have outgrown a basic phone system, want a single platform across all communication channels, and have a clear customer service or sales operation. For a 72-staff e-commerce business in Cremorne we work with, RingCentral with the contact centre module was the right call because the customer service team needed proper queueing, wallboards, and supervisor monitoring that Teams Phone could not match.

Aircall

The right answer when sales or customer experience is the dominant phone use case, when CRM integration is the highest priority, and when you are willing to add another tool to your stack to get a sales-optimised experience.

Strengths:

  • Built specifically for sales and CX teams; the workflows reflect that
  • Excellent CRM integration (Salesforce, HubSpot, Pipedrive, Zendesk) with screen pops and automatic logging
  • Power dialler, click-to-call, and call coaching features are native
  • Fast to deploy; user onboarding is friendly
  • Good analytics for call outcomes and rep performance

Weaknesses:

  • Not designed as a general business phone system; not the right tool for receptionist or main-line scenarios
  • Australian number availability and porting can be slower; mostly serves international and metropolitan use cases
  • Per-user pricing is competitive but stacks with whatever else you use for general office calling
  • Voice quality is heavily dependent on the user’s network

Best fit: dedicated sales or customer success teams within a larger business that already has a general phone system. We have deployed Aircall for the sales team at a Hawthorn SaaS business while leaving Teams Phone as the general business platform. The two run side by side, the sales team gets the dialler experience they need, and the cost is contained to the 12 sales seats.

Side-by-side cost comparison

The table below assumes a 50-user Australian SME with a standard mix of office calling. Prices are 2026 Australian list, GST exclusive, and assume an annual commitment. Real negotiated prices for SMEs are often 10% to 20% below list.

| Platform | Per-user monthly | Carrier costs | Implementation cost | Annual cost (50 users) | Notable inclusions |
|---|---|---|---|---|---|
| Teams Phone (with M365 BP) | $12-$18 | $5-$10 per DID + call costs | $3,000-$8,000 | $11,000-$17,000 | Bundled with Microsoft 365 estate |
| 3CX (Pro, 4 simultaneous calls per 4 users) | $3-$6 effective | $5-$10 per DID + call costs | $5,000-$12,000 | $6,000-$11,000 | Strong control, lower opex |
| RingCentral (Advanced) | $45-$55 | Included up to fair use | $4,000-$10,000 | $28,000-$36,000 | All-in-one UCaaS |
| Aircall (Professional) | $70-$85 | Included up to fair use | $2,000-$5,000 | $43,000-$52,000 | Sales-optimised; usually only sales team |

The cost comparison hides important differences. Teams Phone looks cheap on this view because much of the platform cost is already paid for in your Microsoft 365 licence. 3CX looks cheaper still on a pure platform basis, but the operational cost of running and maintaining the platform is real and not captured in the per-user price. Aircall is the most expensive per seat, but in practice you only deploy it to a sales team subset, not the whole business.

Number porting timelines and carriers

Number porting in Australia is the most underestimated risk in a phone system change. Promised porting timelines and actual porting timelines often diverge by weeks. The factors that matter:

Carrier of the losing number

Porting away from Telstra is typically 4 to 8 weeks for a complex port (multiple numbers on a hunt group) and 1 to 3 weeks for a simple port (single number). Porting away from Optus or TPG is similar. Smaller wholesale carriers can be faster (1 to 2 weeks) but the process is also more dependent on the human being on the other side.

Carrier of the gaining number

For Teams Phone, you can use Operator Connect carriers (multiple Australian options including TPG, Vonage, and several smaller providers) or Direct Routing through your own carrier. Operator Connect is faster to provision, but you trade away flexibility in carrier choice. Direct Routing requires a session border controller setup but gives you your choice of carrier.

For 3CX, you choose your SIP trunk carrier independently. Aussie Broadband, Maxotel, and TPG Wholesale are common choices for Australian SMEs. Maxotel in particular has a reputation for responsive porting support among smaller deployments.

For RingCentral and Aircall, the carrier is bundled. You do not choose; you accept the carrier the platform uses. This simplifies the buying decision but reduces flexibility.

The porting risk plan

Whichever platform you choose, plan the port itself as a discrete project with its own risk management. Recommended practice:

  • Submit port requests at least 30 days before go-live
  • Keep the old service active and paid until 7 days after port completion
  • Test inbound calls from at least three external networks (mobile, landline from a different carrier, international if relevant) before decommissioning the old service
  • Plan a fallback path: divert old numbers to mobile during the cutover window in case of disputed port
  • Have a written escalation path with both carriers; know who to call when something stalls

For complex multi-site deployments, factor in 6 to 8 weeks of porting lead time. Trying to compress this is a frequent source of go-live failures.

ACMA and ATO implications

ACMA

The Australian Communications and Media Authority regulates how Australian businesses can use phone numbers and what carriers must do. The relevant points for a cloud phone deployment:

  • You must use Australian-registered numbers for Australian business operations (you cannot just use a US-issued RingCentral or Aircall number for your Australian customers)
  • Emergency calling (Triple Zero) must work and must report a usable location. Many cloud phone systems require explicit configuration of E000 location data per device or per user
  • Lawful intercept obligations apply to carriers, not to you directly, but your carrier must be compliant

The E000 location requirement is the one most often missed. If your staff are working from home with a softphone, the system needs to know their location at sufficient detail that emergency services can be dispatched correctly. RingCentral and Teams Phone both handle this; 3CX requires explicit configuration; Aircall is more limited.

ATO and record keeping

The ATO requires businesses to maintain records of business transactions, which can include call records for sales and customer service interactions. Cloud phone systems typically retain call records and recordings for a default period (30 to 90 days), which is shorter than the typical ATO retention requirement of 5 years.

If you record calls, you need to store the recordings somewhere durable for the retention period. Most platforms offer extended retention as an add-on or via export to your own storage. Build this into the deployment design.
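The retention gap described above (a 30 to 90 day platform default against a 5-year record-keeping period) is easy to state and easy to lose track of once recordings accumulate. The script below is an added example, not code from the guide or from any phone platform: it takes recording metadata (constructed inline) and sorts each recording into what must happen next, so the "export before the platform purges it" step becomes a routine check rather than a design note. The 90-day platform default is the top of the range the guide quotes and the 5-year period is the guide's figure; the 14-day export lead time and the sample dates are assumptions.

```python
"""Reconciling platform call-recording retention against the record-keeping period.

Added example, not from the guide or any platform vendor. Buckets each
recording as: disposable (past the retention period), safe (already
exported to durable storage), gap (purged by the platform before it was
exported), export_due (platform purge imminent), or pending.
"""
from datetime import date, timedelta

PLATFORM_RETENTION_DAYS = 90   # assumption: top of the guide's 30 to 90 day default range
RECORD_KEEPING_YEARS = 5       # retention period quoted in the guide
EXPORT_LEAD_DAYS = 14          # assumption: export this long before the platform purges


def platform_purge_date(recorded_on: date) -> date:
    """Day the platform's default retention deletes the recording."""
    return recorded_on + timedelta(days=PLATFORM_RETENTION_DAYS)


def retention_end(recorded_on: date) -> date:
    """Day the record-keeping obligation ends; a 29 Feb recording falls back to 28 Feb."""
    target_year = recorded_on.year + RECORD_KEEPING_YEARS
    try:
        return recorded_on.replace(year=target_year)
    except ValueError:
        return recorded_on.replace(year=target_year, day=28)


def classify(recordings, today: date) -> dict:
    """Bucket (recording_id, recorded_on, exported) tuples by what must happen next."""
    buckets = {"disposable": [], "safe": [], "gap": [], "export_due": [], "pending": []}
    for rec_id, recorded_on, exported in recordings:
        purge = platform_purge_date(recorded_on)
        if today >= retention_end(recorded_on):
            buckets["disposable"].append(rec_id)
        elif exported:
            buckets["safe"].append(rec_id)
        elif today >= purge:
            buckets["gap"].append(rec_id)          # no longer recoverable from the platform
        elif today >= purge - timedelta(days=EXPORT_LEAD_DAYS):
            buckets["export_due"].append(rec_id)
        else:
            buckets["pending"].append(rec_id)
    return buckets


# Constructed sample metadata: (recording_id, recorded_on, already_exported)
SAMPLE_RECORDINGS = [
    ("rec-0001", date(2026, 1, 5), False),   # platform purge 2026-04-05: export now
    ("rec-0002", date(2026, 2, 20), True),   # already in durable storage
    ("rec-0003", date(2026, 3, 1), False),   # platform purge 2026-05-30: not due yet
    ("rec-0004", date(2020, 12, 31), True),  # retention period ended 2025-12-31
    ("rec-0005", date(2025, 12, 1), False),  # purged 2026-03-01 and never exported: a gap
]
SAMPLE_TODAY = date(2026, 4, 1)   # constructed reference date

if __name__ == "__main__":
    for bucket, ids in classify(SAMPLE_RECORDINGS, SAMPLE_TODAY).items():
        print(f"{bucket:>10}: {ids}")
```

The "gap" bucket is the one to watch in a real deployment: once the platform has purged an unexported recording there is nothing left to export, so the check needs to run often enough that recordings are caught in "export_due" first.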

Fallback plans for outages

Cloud phone systems fail. They fail less often than on-premises PBXs, but when they fail they fail completely. Your fallback plan needs to be:

  • Documented in writing and tested at least annually
  • Triggerable by a non-IT staff member if needed
  • Capable of routing inbound calls to mobiles within 5 minutes

The standard fallback is a carrier-level call forwarding rule that activates when the cloud platform becomes unreachable. Most Australian carriers support this for inbound DID numbers. The rule sends all inbound calls to a designated mobile (usually the reception manager) when the cloud platform stops responding. When the platform recovers, the rule deactivates.
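The divert-on-unreachable rule is only as good as the decision that triggers it: divert on a single missed probe and the main line flaps during every brief hiccup; wait too long and the 5-minute target is missed. The script below is an added example, not code from the guide or from any carrier or platform, that models that decision as a small state machine over a probe stream (constructed inline). It diverts after a run of failed probes and reverts only after a run of clean ones, and it checks that the worst-case detection time fits the guide's 5-minute target. The probe interval and both thresholds are assumptions.

```python
"""Failover decision logic for the 'divert on unreachable' fallback.

Added example, not from the guide or any vendor. Replays (timestamp_s,
reachable) probe results through a monitor that records when a divert to
the designated mobile would be triggered and when it would be lifted.
"""
from dataclasses import dataclass, field

PROBE_INTERVAL_S = 60     # assumption: one reachability probe per minute
FAIL_THRESHOLD = 3        # assumption: three misses in a row means the platform is down
RECOVER_THRESHOLD = 5     # assumption: five clean probes before the divert is lifted
TARGET_S = 300            # the guide's target: inbound calls on mobiles within 5 minutes


@dataclass
class FailoverMonitor:
    """Tracks consecutive probe outcomes and records divert/revert decisions."""
    diverted: bool = False
    failures: int = 0
    successes: int = 0
    events: list = field(default_factory=list)   # (timestamp_s, "divert" | "revert")

    def observe(self, t: int, reachable: bool) -> None:
        if reachable:
            self.failures = 0
            self.successes += 1
            if self.diverted and self.successes >= RECOVER_THRESHOLD:
                self.diverted = False
                self.events.append((t, "revert"))
        else:
            self.successes = 0
            self.failures += 1
            if not self.diverted and self.failures >= FAIL_THRESHOLD:
                self.diverted = True
                self.events.append((t, "divert"))


def run_monitor(probes):
    """Replay probe results in order and return the final monitor state."""
    monitor = FailoverMonitor()
    for t, reachable in probes:
        monitor.observe(t, reachable)
    return monitor


def time_to_divert(probes):
    """Seconds between the first failed probe and the divert decision, or None."""
    first_fail = next((t for t, ok in probes if not ok), None)
    divert = next((t for t, event in run_monitor(probes).events if event == "divert"), None)
    if first_fail is None or divert is None:
        return None
    return divert - first_fail


def worst_case_detection_s():
    """Longest gap from outage onset to divert: the outage starts just after a
    clean probe, so FAIL_THRESHOLD full intervals elapse before the decision."""
    return PROBE_INTERVAL_S * FAIL_THRESHOLD


def meets_target():
    """True if the worst-case detection time fits inside the 5-minute target."""
    return worst_case_detection_s() <= TARGET_S


# Constructed probe stream: a four-minute outage followed by recovery.
OUTAGE_PROBES = [
    (0, True), (60, True),
    (120, False), (180, False), (240, False), (300, False),
    (360, True), (420, True), (480, True), (540, True), (600, True), (660, True),
]

# Constructed stream with one dropped probe: must not trigger a divert.
FLAP_PROBES = [(0, True), (60, False), (120, True), (180, True)]

if __name__ == "__main__":
    print("events:", run_monitor(OUTAGE_PROBES).events)          # [(240, 'divert'), (600, 'revert')]
    print("seconds to divert:", time_to_divert(OUTAGE_PROBES))    # 120
    print("worst-case detection:", worst_case_detection_s(), "s, within target:", meets_target())
```

The asymmetry between the two thresholds is deliberate: reverting is the more disruptive direction for callers mid-conversation, so the monitor demands more evidence that the platform is back than it did that the platform was gone. Whatever thresholds are chosen, the worst-case figure is what belongs in the written fallback plan, and the annual test should confirm the real carrier rule meets it.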

For businesses where the phone is mission-critical (medical practices, professional services with tight client SLAs, customer service operations), consider running two carriers in active-passive configuration. The cost is meaningful but the resilience is the highest you can achieve outside of a dedicated contact centre platform.

For a Camberwell healthcare practice we manage, the phone system runs Teams Phone with Operator Connect through one carrier and a secondary direct route through a different carrier as failover. The cost premium is about $400 a month for the secondary path. They have used it twice in 18 months and both times the failover saved the day.

How to decide

The decision tree we use with clients is:

  1. Do you already have Microsoft 365 E3 or E5, or Business Premium with Teams Phone add-on? If yes, start with Teams Phone unless there is a specific reason not to.
  2. Is your call volume primarily sales-driven, with CRM integration as a top requirement? If yes, evaluate Aircall as a sales-team overlay on top of a general phone system.
  3. Do you have a customer service team of 5 or more that needs proper queueing, wallboards, and supervisor features? If yes, evaluate RingCentral or RingCX.
  4. Do you have specific feature requirements (paging integration, dense IVR, hot desking) that consumer-grade platforms do not meet, and do you have or want technical control over the phone platform? If yes, evaluate 3CX.
  5. If none of the above clearly dominates, default to Teams Phone for the Microsoft 365 integration alone.

Implementation realities

Cloud phone deployments fail more often than they should, almost always for the same reasons. The four to plan against:

  • Underestimating the porting timeline. Already covered above. Treat it as the critical path.
  • Underestimating user training. Phone behaviour is muscle memory. Switching staff to a new system without dedicated training results in two months of awkward calls and lost business.
  • Underestimating the network impact. Voice traffic competes with Teams meetings, file syncs, and everything else on the network. QoS is essential; on a typical NBN connection, prioritising voice traffic prevents call quality degradation during peak hours.
  • Underestimating the headset standard. A $35 headset is not the same as a $180 business headset. Voice quality complaints are 50% headset and 50% network in our experience. Standardise on a known-good business headset and budget for it.

This kind of deployment work sits naturally inside a managed IT services arrangement with per-user fixed monthly pricing. Our 13 Australian engineers handle cloud phone deployments out of our 24/7 NOC in Tecoma and our 575 Bourke Street CBD office, with sub-15-minute P1 response when something goes wrong post-go-live. The same-business-day on-site capability for Melbourne metro matters when you have 40 desk phones to physically replace.

If you want a sharper conversation about which of the four platforms is the right fit for your specific business, get in touch. The right answer depends on context that a buyer’s guide cannot fully cover.

Frequently Asked Questions

Can we keep our existing PBX and just add cloud features?

Yes, with hybrid models. 3CX in particular supports a hybrid mode where some users are on the cloud client and others remain on legacy SIP handsets. This is a sensible transition path for businesses with significant existing handset investment. Teams Phone also supports a hybrid model through Direct Routing, where your existing PBX can serve as the gateway during migration. The hybrid period typically lasts 3 to 6 months.

What about Zoom Phone?

Zoom Phone is a legitimate fifth option that we deliberately excluded from the main comparison because in our experience it sits awkwardly between Teams Phone and RingCentral without clearly winning on either dimension for Australian SMEs. If your business is Zoom-first for meetings (which is unusual in Australian SMEs but happens), Zoom Phone is worth evaluating. For most Australian SMEs already on Microsoft 365, the simpler answer is Teams Phone.

How do we handle remote and hybrid staff with the chosen platform?

All four platforms support remote work natively through softphone clients. The practical issues are home network reliability, headset quality, and emergency calling location data. The home network reliability question often pushes businesses toward providing a mobile data backup option for staff who do customer-facing calls from home.

What is the typical implementation timeline?

For a 50-seat deployment, expect 6 to 10 weeks end to end. Two weeks for design and procurement, two weeks for tenant configuration and pilot user testing, four to six weeks for porting (often the long pole), and one week for cutover and immediate post-cutover support. Rushed implementations are the single largest source of go-live failures.

How does the choice of cloud phone system intersect with cybersecurity?

Cloud phone systems are an identity surface and a data surface. Voicemail recordings, call recordings, and contact lists are all sensitive data subject to the Privacy Act. The platform’s identity model should integrate with your existing identity provider (Microsoft Entra ID in most cases), and the call recording retention and encryption should align with your broader data protection posture. This is why we evaluate cloud phone choices as part of a broader cybersecurity conversation rather than as a standalone procurement.

What is the right number of carriers to use?

For most SMEs, one carrier with carrier-level failover (call divert on unreachable) is sufficient. For mission-critical phone use cases, two carriers in active-passive configuration. Three or more is over-engineered for sub-200-seat businesses. The marginal resilience past two carriers does not justify the cost or complexity.
