Windows 10 End of Life: What Melbourne Businesses Must Do Now

Windows 10 reached windows 10 end of life on 14 October 2025. Microsoft has stopped shipping security updates, bug fixes and technical support for it. Every Windows 10 machine still running in your business is now an unpatched, slowly widening hole in your defences — and the clock has already passed midnight.

This isn’t a future problem to schedule for next quarter. If you’ve been telling yourself “we’ll deal with it later”, later arrived in October 2025. The good news: the path forward is well understood, and you have more options than panic-buying a truckload of new laptops. The bad news: every month you wait, the risk and the cost both climb.

What “end of support” actually means

End of support is not a switch that bricks your machines. Windows 10 still boots, your line-of-business apps still run, and your staff probably won’t notice anything different on the surface. That’s exactly what makes it dangerous. The operating system keeps working while the protection underneath it quietly rots.

From 14 October 2025, Microsoft no longer issues:

  • Security updates for newly discovered vulnerabilities. When a critical flaw is found — and they are found constantly — Windows 11 gets a patch and Windows 10 does not.
  • Reliability and bug fixes, so problems compound over time rather than getting resolved.
  • Technical support from Microsoft, including for Microsoft 365 apps running on Windows 10. Office will keep functioning, but you’re on your own when something breaks.

An unpatched OS is the single softest target in most networks. Attackers don’t need to be clever; they just scan for known vulnerabilities that will never be fixed. Within months of an OS going end of life, exploit kits start treating it as low-hanging fruit.

The real risks of running an unsupported OS

The exposure here goes well beyond “you might get a virus”. For an Australian business, four distinct problems stack on top of each other.

Cyber security

Every month after October 2025 widens the gap between the threats in the wild and the defences on your endpoints. A single unpatched workstation can be the foothold an attacker uses to move laterally, harvest credentials and deploy ransomware across your whole environment. Endpoint detection helps, but it’s compensating for a structural weakness, not fixing it.

Compliance and the Essential Eight

The Australian Cyber Security Centre (ACSC) Essential Eight lists patch operating systems as one of its eight core mitigation strategies. The mitigation explicitly requires using an operating system that is still receiving vendor support. Run Windows 10 past end of life and you fail that control outright — you cannot reach even Maturity Level One. If you’re a government supplier, tendering for work, or contractually bound to Essential Eight alignment, an unsupported OS is a straight non-compliance. Our 90-day Essential Eight guide walks through how the patching controls are actually assessed.

Cyber insurance

Insurers have tightened their proposal forms considerably. Most now ask directly whether you run supported, patched operating systems and apply security updates within defined timeframes. Running an end-of-life OS can breach a policy condition, and if a claim arises from a vulnerability on an unsupported machine, you’re handing the insurer a clean reason to reduce or decline the payout. We cover this trap in detail in our cyber insurance guide for Australian SMEs. The premium you’ve paid for years may be worth far less than you think.

Privacy obligations

If a breach traced to an unsupported system exposes personal information, the Office of the Australian Information Commissioner (OAIC) Notifiable Data Breaches scheme can require you to notify affected individuals and the regulator. “We knew the OS was unsupported and kept using it” is not a position you want to defend to the OAIC, your customers, or your board.

Extended Security Updates — a stopgap, not a strategy

Microsoft offers Extended Security Updates (ESU) to keep critical and important security patches flowing after end of life. It is a deliberate bridge, not a destination, and it’s priced to make sure you treat it that way.

For consumers, Microsoft made a one-year ESU option available, including a free route for individuals who enable certain settings. That consumer path is genuinely a stopgap for a home PC — it is not a business strategy.

For business and enterprise, ESU is sold per device and the price escalates every year — Microsoft’s commercial ESU programme roughly doubles the per-device cost in year two and doubles again in year three. The model is intentional: it buys you breathing room while making procrastination progressively more painful. Pay for three years of ESU across a fleet and you’ll usually have spent more than it would have cost to simply replace or upgrade the machines.

Use ESU when you have a genuine, time-boxed reason — a legacy application that won’t run on Windows 11 yet, or a hardware refresh you can’t physically complete before the deadline. Do not use it as a way to avoid making a decision. Budget for ESU as a one-year bridge with a hard exit date, not a recurring line item.

Is your fleet ready for Windows 11?

Windows 11 is the obvious destination, but it has stricter hardware requirements than Windows 10, and that’s where most businesses get caught. A machine that runs Windows 10 perfectly well may be ineligible for an in-place upgrade.

The two requirements that trip people up most:

  • TPM 2.0 — a Trusted Platform Module security chip. Many machines from the mid-2010s either lack it or have it disabled in the firmware. Sometimes it’s present and just needs enabling in the BIOS; sometimes it isn’t there at all.
  • CPU compatibility — Microsoft only supports a defined list of processors, broadly Intel 8th generation and newer, and equivalent AMD Ryzen chips. Older CPUs are unsupported even if everything else checks out.

You can’t eyeball this across a fleet. A proper readiness assessment inventories every device, checks TPM status, CPU model, RAM and storage, and sorts each machine into one of three buckets: upgrade in place, replace, or bridge with ESU. That inventory is the foundation of every decision that follows. If you don’t have a current picture of what’s actually on people’s desks, that’s step one — and it’s something our managed IT services team handles as standard.

Your four options compared

There’s no single right answer for a whole business. Most Melbourne SMEs end up with a mix, machine by machine. Here’s how the four realistic paths stack up.

OptionBest forUpfront costWatch out for
Upgrade in placeMachines that already meet Windows 11 requirements (TPM 2.0, supported CPU)Low — labour onlyConfirm app compatibility; allow time per device
Replace hardwareOlder machines that fail the CPU or TPM checkHigh — new device per userLead times; staged budget; secure disposal of old units
Cloud PC / Windows 365Shift/hybrid workers, thin-client setups, fast scalingOngoing per-user subscriptionNeeds reliable internet; recurring cost vs one-off
ESU bridgeA small number of machines tied to legacy apps, time-boxedPer-device, escalating yearlyStopgap only; set a hard exit date

Cloud PC and Windows 365 deserve a closer look if you’re already invested in Microsoft 365. They run a full Windows 11 desktop from Microsoft’s cloud, streamed to whatever device the user has — which can extend the useful life of older hardware that’s no longer fit to run Windows 11 locally. It’s not right for everyone, but for the right workforce it sidesteps the hardware problem entirely. We can map this against your existing Microsoft 365 licensing so you’re not paying twice for the same capability.

A Melbourne scenario

A construction firm in Box Hill we work with came to us in early 2025 with about forty workstations, a mix of site-office desktops and project-manager laptops. A readiness scan put roughly half on supported hardware that could upgrade in place, a quarter on machines too old to meet the CPU requirement, and the rest as borderline. Two estimating PCs were locked to an older take-off application the vendor hadn’t yet certified for Windows 11.

The plan wrote itself once we had the data: upgrade the compliant half over a few weekends, replace the oldest quarter in two budgeted waves across two quarters, and put just those two estimating PCs on a one-year ESU bridge with a firm cut-off once the software vendor shipped its update. No big-bang spend, no scramble, and every machine accounted for. The difference between that and a panicked December rush was simply starting with an inventory.

Building the migration plan and budget

A workable migration plan is mostly about sequencing and money, not heroics. The pattern we use across Melbourne metro businesses:

  1. Inventory everything. Every device, its Windows 11 eligibility, and the apps it depends on.
  2. Triage into the three buckets — upgrade, replace, bridge — and flag any legacy-app blockers early.
  3. Stage the spend. Spread hardware replacement across two or three budget periods so it doesn’t land as one brutal capital hit.
  4. Prioritise by risk. Machines handling sensitive data or facing the internet move first; back-office spares can wait.
  5. Set hard dates for any ESU-bridged devices so the stopgap doesn’t quietly become permanent.

This is the kind of forward planning a virtual CIO engagement is built for — turning a looming deadline into a costed, scheduled programme your board can actually sign off. TechAssist has been doing exactly this for Melbourne SMEs since 2014, and our thirteen Australian-based engineers handle the rollout end to end rather than leaving you a spreadsheet and good luck.

Why “we’ll deal with it later” is now overdue

The deadline has passed. Every Windows 10 machine on your network today is unsupported, unpatched against new threats, and counting against your Essential Eight posture, your insurance position and your privacy obligations. None of that is alarmist — it’s just where the calendar sits as of June 2026.

The fix is straightforward once you’ve got an inventory and a plan, and it’s far cheaper to do deliberately over a quarter or two than as an emergency. The businesses that started early are already done. The ones still running Windows 10 are carrying risk every day they wait.

Frequently asked questions

Can I still use Windows 10 after October 2025?

Technically yes — the machines keep working. But they no longer receive security updates, so each one becomes a growing vulnerability. For a business, continuing on Windows 10 without ESU means accepting cyber, compliance and insurance risk that compounds month by month.

How much does business ESU cost?

Microsoft prices commercial ESU per device, and the cost escalates each year — roughly doubling in year two and again in year three. Over three years it typically exceeds the cost of upgrading or replacing the machine, which is by design. Treat ESU as a one-year bridge, not an ongoing plan.

How do I know if my computers can run Windows 11?

The common blockers are TPM 2.0 and CPU compatibility — broadly Intel 8th generation or newer and equivalent AMD chips. A fleet-wide readiness assessment checks every device automatically and sorts them into upgrade, replace or bridge. Guessing device-by-device isn’t reliable at scale.

Is Windows 365 a good alternative to buying new PCs?

For shift, hybrid or thin-client workforces it can be, because it streams a full Windows 11 desktop from the cloud and extends the life of older hardware. It’s a recurring per-user cost rather than a one-off purchase, so it suits some teams and not others. It’s worth modelling against your existing Microsoft 365 licensing.

Get a Windows 11 readiness assessment

If you’re still running Windows 10 anywhere in your business, the first move is an honest inventory: what you have, what can upgrade, what needs replacing, and what genuinely needs a short ESU bridge. Get in touch and we’ll scope it for you, then turn it into a staged, budgeted plan — so this gets sorted properly rather than hanging over you into another quarter.

NDIS IT support means keeping participant records, claiming systems and a distributed support workforce running securely — to the standard the NDIS Quality and Safeguards Commission and the NDIS Practice Standards now expect. Get it wrong and you risk a reportable breach, a failed audit, or support workers locked out of care plans.

Disability service providers sit on some of the most sensitive personal data in the country and run it across phones, tablets and vehicles spread over the whole of Melbourne. That combination — concentrated risk and a mobile workforce — is what makes the IT demanding. Here’s what providers actually need, and where most are exposed.

Registered, unregistered, and the range of services

“NDIS provider” covers a wide spread of organisations, and the IT requirements shift depending on where you sit. A registered provider has been audited against the NDIS Practice Standards and carries explicit obligations around governance, incident management and the handling of participant information. An unregistered provider working with plan-managed or self-managed participants has fewer audit obligations but holds the same sensitive data and the same duty under the Privacy Act — so “we’re not registered” is no reason to run loose IT.

The service types pull in different directions too. A support coordination business is mostly office and laptop work: managing plans, liaising with participants, writing reports. Supported Independent Living (SIL) and community-access services run more like a 24/7 operation across multiple houses, with workers on shift, rosters that change daily, and behaviour-support information needed at the point of care. The software looks similar from outside; the network, device and access design underneath is genuinely different.

The compliance layer: the Commission and the Practice Standards

The NDIS Quality and Safeguards Commission regulates registered providers, and a meaningful slice of its expectations land on IT. The NDIS Practice Standards include governance and operational management requirements, and the Privacy and Information Management requirements expect providers to keep participant information confidential, accurate and secure, and to control who can access it. That is an identity and data-security problem as much as a policy one.

Two points catch providers out. Accountability stays with you — “we outsourced it to an IT company” is not an answer the Commission accepts. And you have to be able to show it: if a verification or certification audit asks how participant records are protected and who can see them, you need documented access controls, an offboarding process, and evidence your backups work. Most providers can describe their intentions; far fewer can produce the evidence.

PRODA and the NDIS portals

Almost every NDIS provider lives in the government portals, and access is an identity issue with real consequences. PRODA (Provider Digital Access) is the Commonwealth identity gateway that gets staff into the myplace provider portal, the NDIS Commission systems, and the claiming and payment functions. Each PRODA account is tied to an individual, secured with two-factor sign-in, and linked to your organisation.

The risk sits in lifecycle management. When a payments officer leaves and their PRODA access isn’t revoked, you have an orphaned door into participant payment data. We treat PRODA and portal access with the same identity discipline as everything else: documented who-has-what, removed the same day someone leaves, and never shared. Shared logins remain the most common control failure we find in this sector.

Participant management and claiming software

The system at the centre of an NDIS provider’s day is its participant management platform — handling records, plans, shift notes, invoicing and the claim file that goes to the agency. That usually means Lumary, ShiftCare, Brevity, SupportAbility or Carelink, often with finance and payroll alongside.

Whether these run in the cloud or on a server in the comms room, the IT job is the same: they must be available, fast, backed up, and reachable wherever support happens. We treat them as the priority for monitoring, patching and uptime.

A SIL provider in Dandenong we work with runs records, rostering and claiming on one cloud platform. The risk was never the software — it was everything underneath: a single shared login, a flat network where one compromised PC could reach everything, unmanaged personal phones, and backups nobody had tested. None of that is the vendor’s responsibility. It’s the MSP’s, and it’s where the real exposure sits.

Protecting highly sensitive participant data

NDIS providers hold a concentration of sensitive information that makes them a deliberate target: disability and health records, behaviour-support plans, medication details, NDIS numbers, bank and plan-management details, guardianship and next-of-kin information, and often data about minors. Under the Privacy Act and the Australian Privacy Principles, much of this is “sensitive information” attracting the highest protection, and a breach likely to cause serious harm is reportable to the Office of the Australian Information Commissioner (OAIC) under the Notifiable Data Breaches scheme.

Attackers know care providers often run lean IT and a workforce that’s easy to phish, and the data is high-value — the cyber insurance market has noticed too, with premiums and required controls reflecting the risk.

The defensive baseline we hold NDIS clients to is the Australian Cyber Security Centre’s (ACSC) Essential Eight: application control, fast patching of applications and operating systems, Microsoft Office macro settings, user application hardening, restricted administrative privileges, multi-factor authentication, and regular tested backups. Most breaches we’re called in after would have been stopped or contained by getting it genuinely in place rather than half-done. If you want the staged version, we’ve written up how to reach Essential Eight maturity in 90 days.

A mobile workforce: devices, rostering and remote access

Rostering and field devices

SIL and community-access providers run on rosters that change constantly, and support workers need to see shifts, log visit notes and read care plans on a phone or tablet wherever they are. Those devices carry participant data out into the world, so they have to be managed centrally. If a tablet is lost between a shift in Footscray and the next in Sunshine, you need to remotely wipe it within minutes — not discover it’s been sitting unencrypted in a glovebox. Mobile device management through Microsoft Intune, enforced encryption, and conditional access tied to a managed device are what make field devices defensible.

Secure remote access for support workers

Workers reaching rosters and care plans from homes, group residences and their cars need access that’s both easy and locked down — not VPNs into a flat network, but identity-based access where each worker signs in as themselves, MFA is enforced, and what they reach is scoped to their role. A support worker should see their participants and shifts, not the organisation’s whole record set. We run conditional access in Microsoft 365 and build around least privilege, so one compromised account can’t expose every participant.

Identity for a high-turnover workforce

Disability services have significant staff churn — casuals, agency workers, people moving between providers. Every starter needs the right access on day one and every leaver needs it gone the same day, including PRODA. Orphaned accounts are how breaches happen months after someone’s left. We run it properly: standardised onboarding and offboarding, role-based access, and MFA everywhere.

Backups and incident readiness

A tested, isolated backup is the difference between a ransomware incident being a bad week and an existential event for a provider that can’t access medication or behaviour-support records. We cover this in our guide to backup and disaster recovery for Melbourne businesses, and it applies double when records relate to vulnerable people. Incident readiness goes further: logging, a rehearsed response plan, and the ability to retrieve records quickly when the Commission, an insurer or a family asks.

What good NDIS IT support actually covers

AreaWhat it looks like done properly
Participant systemsLumary, ShiftCare, Brevity, SupportAbility or Carelink monitored, patched and prioritised for uptime; backups tested
Portal accessPRODA and myplace access tied to individuals, no shared logins, removed same-day on departure
Data protectionEssential Eight aligned, MFA everywhere, tested isolated backups, OAIC breach readiness
Mobile workforceIntune-managed phones and tablets, enforced encryption, remote wipe for lost field devices
Remote accessIdentity-based, least-privilege, conditional access on Microsoft 365 — no flat-network VPNs
Compliance evidenceDocumented access controls and offboarding ready for Practice Standards audits

TechAssist is a Melbourne-based MSP, founded in 2014, with 13 Australian-employed engineers — no offshore helpdesk touching participant data. We price per user on a fixed monthly basis with no hourly billing for in-scope work, which matters in a sector budgeting against plan-funded revenue. Our cybersecurity services and broader managed IT services carry this regulated, always-on workload, and our 24/7 network operations centre in Tecoma means support doesn’t stop when a SIL house needs help overnight.

Frequently asked questions

Do the NDIS Practice Standards require specific IT controls?

They don’t prescribe particular products, but the Privacy and Information Management and governance requirements mean providers must be able to show participant information is kept secure, accurate and access-controlled. In practice that points straight at Essential Eight controls, MFA, managed identity and tested backups — and the accountability stays with the registered provider, not the IT vendor.

We’re an unregistered provider — do these IT requirements still apply?

The audit obligations differ, but the data doesn’t. You hold the same sensitive participant information and the same duty under the Privacy Act, and a breach likely to cause serious harm is still reportable to the OAIC. Running lean IT because you’re unregistered is a risk, not a saving.

How should we handle PRODA access when a staff member leaves?

Revoke it the same day, alongside their email, portal and system access, as part of a standard offboarding process. PRODA accounts are tied to individuals and must never be shared. Orphaned access is a live door into participant payment data and a common audit finding.

Where to start

If you’re unsure whether your IT would stand up to a Practice Standards audit or a breach, the honest first step is an assessment: where participant data lives, how access and PRODA are controlled, whether your backups actually restore, and where the Essential Eight gaps are. Most providers we assess have two or three serious exposures they didn’t know about — usually shared logins, unmanaged devices, or untested backups. Get in touch with TechAssist and we’ll give you a straight read on what to fix first.

Registered Training Organisations live or die on their data. RTO IT support means keeping your Student Management System, AVETMISS reporting, USI checks and online delivery running and secure — because if your records are wrong or breached, ASQA and your students both notice fast.

We work with vocational training providers across Melbourne, and the pattern is consistent: the compliance burden is enormous, the margins are thin, and the IT is usually held together by one overworked admin and a pile of spreadsheets. This post covers what actually matters for an RTO’s IT — the systems, the obligations, and where things break.

Why RTOs are a different beast to most SMEs

A 30-person consultancy in Hawthorn loses email for a morning and it’s annoying. An RTO loses its Student Management System during a reporting deadline and it’s a regulatory problem. The difference is that almost everything an RTO does — enrolments, results, certificates, funding claims — is data that ASQA, NCVER and state training authorities can audit, and that students are legally entitled to.

That changes how you have to think about IT. It’s not just “keep the laptops working”. It’s records integrity, retention, access control and uptime around fixed reporting windows. Get those wrong and you risk funding clawbacks, audit non-compliance, or a notifiable data breach. Our professional services IT support grew out of exactly this kind of compliance-heavy work, and RTOs sit right in that bracket.

The Student Management System is the heart of everything

Your Student Management System (SMS) is where the real risk lives. Whether you run aXcelerate, VETtrak, Wisenet or JobReady, this is the single system that holds enrolments, competencies, results, certificates and the data that feeds your AVETMISS exports. If it’s down, you can’t enrol. If it’s corrupted, you can’t report. If it’s breached, you’ve got a privacy incident.

Most of these are cloud-hosted (aXcelerate and Wisenet in particular), which removes some infrastructure headaches but introduces others. You’re now dependent on identity, internet reliability and integration plumbing instead of a local server. The IT job shifts from “patch the box in the cupboard” to “make sure the right people can get in, the wrong people can’t, and the integrations don’t silently fail”.

What we actually manage around an SMS

  • Access control — who can see and edit student records, and removing access the day a trainer leaves, not three months later.
  • Integrations — the SMS talking to your LMS, your USI checks, your CRM and your accounting system. These break quietly; nobody notices until a sync has been failing for a fortnight.
  • Browser and device health — cloud SMS platforms are only as reliable as the machines and connections your staff use to reach them.
  • Export integrity — making sure AVETMISS files generate cleanly and aren’t being mangled by stale data or duplicate records.

AVETMISS, NCVER and ASQA: the reporting you can’t get wrong

Every RTO has to report training activity in the AVETMISS format — the national standard for VET data, collected by the National Centre for Vocational Education Research (NCVER) and used by ASQA and state authorities. For most providers that means AVETMISS submissions through NCVER’s collection system, with strict validation rules and fixed annual deadlines.

IT’s role here is unglamorous but critical: the export only works if the underlying data is clean. We’ve seen AVETMISS submissions bounce repeatedly because of duplicate student records, mismatched USI data, or a half-finished migration that left two versions of the truth. None of that is a “training” problem — it’s a data hygiene and systems problem, which is squarely IT’s job.

Practical reality: your SMS does most of the AVETMISS heavy lifting, but it can only export what’s in it correctly. The work is keeping the inputs clean — consistent course codes, deduplicated learners, validated USIs — so the file passes NCVER validation the first time instead of eating a week of your compliance manager’s life.

USI integration — small system, big consequences

Every student needs a verified Unique Student Identifier (USI), and you can’t issue a nationally recognised qualification without one. Most SMS platforms integrate directly with the USI Registry to verify identifiers at enrolment. When that integration is configured correctly it’s invisible. When it isn’t, you get a backlog of unverified students and certificates you legally can’t issue.

The integration relies on credentials and certificates that expire. A training provider in Box Hill we work with had USI verification silently stop working for a fortnight because an integration certificate lapsed and nobody owned the renewal. The fix was trivial; the cause was that no one was watching it. That’s the gap managed IT closes — owning the boring renewals and monitoring so they don’t become a crisis.

LMS and online delivery: Moodle, Canvas and uptime that matters

If you deliver online or blended training, your Learning Management System (LMS) is student-facing infrastructure, and outages are immediately visible. Moodle (including hosted Moodle and MoodleCloud) and Canvas are the two we see most. The reliability question depends on how it’s hosted:

SetupWho owns uptimeWhat IT focuses on
Self-hosted Moodle (your server/VPS)YouPatching, backups, performance, security hardening
Hosted Moodle / MoodleCloudProvider + youConfiguration, integrations, user access, data export
Canvas (cloud)InstructureSSO, enrolment sync, access control, content backup

Self-hosted Moodle is where most of the avoidable pain lives. It’s cheap to stand up and expensive to neglect — an unpatched Moodle is a genuine security liability, and a slow one during assessment week generates a flood of student complaints. If you run your own Moodle, it needs the same patching and monitoring discipline as any production server. Our managed IT services cover that so it isn’t left to whoever set it up two years ago.

Protecting student PII and the Privacy Act

RTOs hold a lot of sensitive personal information: full names, dates of birth, USIs, government identity documents used for verification, language and disability data, sometimes payment details. Under the Privacy Act 1988 and the Australian Privacy Principles, you’re responsible for protecting it, and a serious breach is notifiable to the Office of the Australian Information Commissioner (OAIC) and to affected students.

The threats are ordinary, not exotic. Phishing that harvests a trainer’s Microsoft 365 password. A shared admin login that never gets rotated. Student records emailed around as unprotected spreadsheets. The controls that stop most of this are well established and align with the Australian Cyber Security Centre’s (ACSC) Essential Eight:

  • Multi-factor authentication on every account that touches student data — non-negotiable, and the single highest-value control.
  • Conditional access so logins from unexpected locations or unmanaged devices are challenged or blocked. We cover the detail in conditional access policies for Microsoft 365.
  • Least-privilege roles in the SMS and LMS so a marketing coordinator can’t export the entire learner database.
  • Email security and phishing defence, because that’s still how most breaches start.

If you want a structured path through this, our cybersecurity services are built around the Essential Eight and the kind of identity controls that genuinely reduce breach risk for an RTO.

The Standards for RTOs 2025

The revised Standards for RTOs took effect from 1 July 2025, replacing the 2015 standards. The headline change is a shift toward outcomes and quality, with clearer expectations around governance, the integrity of records and the experience of learners. They don’t prescribe a particular IT stack, but several obligations land directly on your systems.

Specifically, the standards reinforce that you must keep accurate, secure and accessible records of training and assessment, manage learner information responsibly, and be able to produce evidence on request during an ASQA audit. In practice that means: records that are backed up and retrievable, access that’s controlled and logged, and an SMS you can actually report from. If your IT can’t demonstrate those things, you’ve got a compliance exposure regardless of how good your training is.

Backup and records retention

Records retention is one of the most concrete IT obligations an RTO has. You’re required to retain certain student and assessment records for set periods — AVETMISS and learner records for years, and assessment evidence under your standards obligations — and you must be able to produce them years after a student has left.

That’s a retention problem as much as a backup problem. A 30-day backup cycle protects you from accidental deletion last week; it does nothing for a record you need to produce from four years ago. RTOs need a deliberate retention strategy: where long-term records live, how they’re protected, and how they’re retrieved on demand. We design backup with both recovery and retention in mind — see our approach to data backup and recovery.

The other half is recovery speed. If your SMS or self-hosted LMS goes down mid-semester, how long until students and trainers are working again? That’s the RTO and RPO question — how much data you can afford to lose and how long you can be down — which we unpack in RTO vs RPO explained. (Yes, “RTO” means two different things in this world; the recovery one matters here too.)

Identity and access for trainers and students

RTOs have unusually messy identity needs. Trainers come and go, often part-time or contract. Students arrive in cohorts and leave in cohorts. Both groups need access to different systems, and both create risk when access isn’t cleaned up.

The pattern we put in place for training providers is simple to describe and a discipline to maintain:

  1. Single sign-on through Microsoft 365 where the SMS and LMS support it, so there’s one identity to manage and revoke, not five.
  2. Joiner-mover-leaver processes so a trainer who finishes a contract loses access that day across every system — SMS, LMS, email, shared drives.
  3. Separate student and staff identity boundaries so a student LMS account can never reach administrative or AVETMISS data.
  4. MFA everywhere on staff accounts, with sensible enrolment for students on systems that hold their PII.

Getting Microsoft 365 configured properly underpins most of this. If your tenancy is the typical “set up once, never reviewed” arrangement, our Microsoft 365 support is usually the first thing we tighten.

Reliable delivery infrastructure

None of the above matters if the basics aren’t reliable. A training room in Dandenong full of students who can’t reach the LMS because the internet dropped is a real cost — wasted trainer time, frustrated learners, and complaints that find their way into your quality data.

Reliable delivery infrastructure for an RTO means business-grade internet with sensible failover, classroom Wi-Fi that actually copes with a full cohort connecting at once, and devices that are patched and managed rather than a random fleet of whatever was on sale. It’s not glamorous, but it’s what keeps delivery running. As a Melbourne MSP founded in 2014 with 13 Australian-employed engineers and same-business-day on-site across the metro, this is the part we do quietly in the background so you never have to think about it.

Frequently asked questions

Does our Student Management System provider handle our IT?

No. aXcelerate, VETtrak, Wisenet and JobReady support their own platform — the software, hosting and platform-level issues. They don’t manage your Microsoft 365, your identity and access, your LMS, your devices, your network, or the integrations between systems. Those are your responsibility and are where most RTO IT problems actually occur.

How long do we have to keep student records?

Retention periods vary by record type and funding arrangement — AVETMISS and learner records run to years, and assessment evidence is governed by your standards obligations. The safe position is a deliberate, documented retention strategy with long-term records backed up and retrievable, rather than relying on a short backup window. Check current ASQA and NCVER guidance for the specific periods that apply to you.

Is MFA really mandatory for an RTO?

It’s not written into the Standards for RTOs as a named requirement, but it’s the single most effective control against the account compromise that causes most breaches of student PII. Given your Privacy Act obligations and the sensitivity of the data you hold, treating MFA as mandatory across all staff accounts is the only defensible position.

What happens to our data if we switch SMS providers?

This is where a clean migration matters. Done badly, you end up with duplicate records, broken USI links and AVETMISS exports that fail validation. Done well, your data is mapped, deduplicated and validated before cutover. We treat SMS migrations as a data integrity project, not a copy-paste exercise.

Where TechAssist fits

RTOs need an IT partner who understands that the compliance and the technology are the same conversation. We support training providers and other compliance-heavy organisations across Melbourne with fixed per-user pricing, sub-15-minute response on critical issues, and engineers who actually understand AVETMISS reporting, USI integration and the privacy obligations that come with holding student data.

If your SMS, LMS or Microsoft 365 setup is held together with goodwill and you’d rather it was held together with proper monitoring, backups and access control, get in touch. We’ll start with an honest look at where your real risks are — usually identity, retention and the integrations nobody’s watching — and tell you straight what needs fixing first.

Creative and marketing agencies live or die on whether the work renders, the files open and the deadline holds. Good creative agency IT support keeps Adobe and Figma licensed and fast, large media files moving across shared storage, colour-accurate Macs healthy, and client IP locked down — without the friction designers hate.

Design studios, branding consultancies, digital shops and video production houses run differently from a law firm or an accountant. They run heavy applications, push enormous files around, mix Mac and Windows on one network, and bring in freelancers for a fortnight at a time. The IT that suits a 20-seat professional services office quietly fails an agency.

The software an agency actually runs

The core stack is predictable: Adobe Creative Cloud across Photoshop, Illustrator, InDesign, Premiere Pro and After Effects; Figma for UI and product design; and a long tail of tools depending on the discipline — DaVinci Resolve or Final Cut for video, Cinema 4D or Blender for 3D, and Canva for quick social work.

Creative Cloud licences should be managed through the Adobe Admin Console with named-user licensing, not a shared password that floats around Slack. That gives you per-seat assignment, the ability to reclaim a licence the day a contractor leaves, and a clear view of what you are paying for. Figma seats work the same way through an organisation plan. We routinely find agencies paying for five Creative Cloud licences when three are dormant, or sharing one login across four machines in breach of the agreement — tidy licensing is both a cost saving and a compliance fix.

Large files and shared storage

This is where most agency IT pain lives. A single 4K video project can run to hundreds of gigabytes, and a branding job carries layered PSDs, vector artwork, fonts and exports. Designers will not tolerate slow file opens, and they will route around any system that makes them wait — usually onto a personal drive or a consumer Dropbox, which is exactly where client IP goes to get lost.

There are two sensible patterns, and most studios run a blend of both.

On-premises NAS for heavy media

For video and high-resolution design work, a NAS (network-attached storage) on a 10-gigabit local network is hard to beat. Editing 4K footage directly off shared storage over 10GbE means no copying projects to local disks and no confusion about which cut is current. A Synology or QNAP unit with SSD cache and redundant disks gives a production team fast shared scratch space cloud cannot match for raw throughput. The catch: a NAS is not a backup — it needs its own off-site backup, which studios forget until a RAID rebuild fails.

Cloud storage for collaboration and lighter assets

For documents, smaller design files, brand asset libraries and anything freelancers need from home, cloud storage — SharePoint and OneDrive under Microsoft 365, or Dropbox/Google Drive — handles remote access, client sharing links and version history without you running infrastructure. The trick is deciding deliberately what lives where: active heavy media on the NAS, collaboration and finished deliverables in the cloud, nothing important on a designer’s desktop.

Mixed Mac and Windows fleets

Creative agencies are one of the few business types where Macs dominate, and colour accuracy is the reason — designers want calibrated displays, and many output workflows assume macOS colour management. But the back office — accounts, project management, the occasional Windows-only client tool — often runs Windows. So you end up with a genuinely mixed fleet, and IT that only knows one platform leaves half the office unsupported.

Managing this properly means device management that covers both — Microsoft Intune or a dedicated Apple MDM like Jamf or Mosyle for the Macs — so every machine gets enforced encryption, screen-lock, patching and remote wipe if it is lost. Colour-accurate Macs need their displays calibrated and that calibration maintained; a monitor that has drifted is a reprint or a re-edit waiting to happen. A mixed fleet is fine. An unmanaged mixed fleet is a security gap with a creative director’s logo on it.

Project tools and SaaS sprawl

Agencies run on project and collaboration tools — Asana, Monday.com, Notion, Trello, Slack, plus a marketing layer of Mailchimp, HubSpot, Hootsuite or Later, Google Analytics, ad accounts and a dozen client logins. This is SaaS sprawl, and it is a real risk, not a nuisance — every one of those tools holds client data or controls a client’s marketing presence, and every one is a separate account that can be phished, shared carelessly or left active after someone leaves.

The fix is not to ban tools — creatives will revolt — but to bring them under control:

  • Wherever a platform supports single sign-on, wire it to your Microsoft 365 or Google identity so access is centrally controlled and revoked in one place.
  • Enforce multi-factor authentication on every account that touches client data or client marketing platforms, especially ad accounts and social logins where a takeover can spend real money.
  • Keep a simple register of which SaaS tools the agency uses, who owns each, and who has access — so when someone leaves you have a checklist, not a guessing game.
  • Use a password manager so the genuinely shared logins that cannot do SSO are stored properly, not in a spreadsheet called passwords_final_v2.

Client data, IP and access control

An agency holds other companies’ most sensitive material: unreleased products, campaign strategy, brand assets, customer lists handed over for an email build. Clients increasingly ask about your security posture before they sign, and a serious breach can lose you the account and land you a notifiable data breach assessment under the Privacy Act if personal information is involved. The Office of the Australian Information Commissioner (OAIC) runs that scheme, and “we’re a small studio” is not a defence.

The controls that matter are not exotic. The Australian Cyber Security Centre (ACSC) Essential Eight is a sensible baseline — multi-factor authentication, patching, application control and backups cover most of the real-world risk. On top of that, structure access so each client’s material is segregated and people see only the projects they work on, rather than one shared drive where every freelancer can browse every client. We cover the broader picture in our cybersecurity services, and a layered approach to access in the zero trust security model.

Freelancers and contractors

This is the access-control problem unique to agencies. A studio might bring in three freelance designers for a campaign, give them access to client files, and then never revoke it. Months later those accounts still exist, still hold client IP, and nobody remembers they are there. The discipline is straightforward: time-boxed accounts, access only to the specific project, MFA enforced even on contractors, and an offboarding step that disables access the day the engagement ends. Conditional access policies in Microsoft 365 let you enforce this without making the freelancer’s fortnight a misery.

Backing up creative assets

“It’s on the NAS” and “it’s in Dropbox” are not backup positions. A RAID array protects against a single disk failing; it does nothing against ransomware, an accidental delete, or a sync error that propagates a mistake to every copy. For an agency, the asset library is the business — lose the master files and you cannot reproduce a deliverable.

A sound backup position covers three layers: the NAS or shared storage backed up off-site, Microsoft 365 backed up with a dedicated tool because Microsoft’s retention is not a backup, and a rule that nothing important lives only on a designer’s local drive. Know your recovery targets too — how long you could keep working if storage went down, and how much work you could afford to lose. Our data backup and recovery service handles that, and this guide to RTO and RPO explains how to set the targets.

A Melbourne example

A branding and digital agency in Cremorne we work with — around 18 staff plus a rotating bench of freelancers — came to us with the classic agency mess. Creative Cloud logins were shared, big video projects copied between laptops because the old file server crawled, freelancers still had Dropbox access months after their projects wrapped, and the “backup” was a single external drive someone took home on Fridays.

We put in a 10GbE NAS so editors work directly off shared storage, moved licensing onto the Adobe Admin Console with named seats, brought every Mac and Windows machine under managed device management, wired their key SaaS tools to Microsoft 365 single sign-on with MFA, and set up project-segregated access with a freelancer offboarding checklist. The NAS now backs up off-site nightly and the Microsoft 365 tenant separately. The studio runs faster and can finally answer a client’s security questionnaire honestly.

Frequently asked questions

Can you support a Mac-heavy agency, or are you a Windows shop?

Both. Creative agencies are typically Mac-led for design and Windows for the back office, and we manage mixed fleets routinely — enforced encryption, patching, MFA and device management across macOS and Windows alike, with the Macs handled through proper Apple management.

Is a NAS or cloud storage better for large media files?

For active 4K video and heavy design work, a NAS on a 10-gigabit local network gives throughput cloud cannot match, so editors work straight off shared storage. Cloud storage suits collaboration, remote freelancers and finished deliverables. Most agencies run both — and back up the NAS off-site, because it is not a backup.

How do we stop freelancers keeping access after a project ends?

Time-box their accounts, grant access only to the specific project, enforce MFA even on contractors, and make offboarding a checklist that disables access the day the engagement ends. Conditional access in Microsoft 365 makes this enforceable.

Getting it right without slowing the studio down

The goal is IT that disappears into the background so creatives can work — fast storage, licensed software, protected client assets, and access that tightens up without anyone noticing. TechAssist is a Melbourne-based MSP, founded in 2014, with 13 Australian-employed engineers — not an offshore call centre — and same-business-day on-site across Melbourne metro. We support agencies on per-user fixed monthly pricing through our managed IT services. If your studio is held together by shared logins and a Friday-afternoon external drive, get in touch and we will tell you what to fix first.

Wholesale and distribution businesses live or die by dispatch. If your warehouse management system, scanners or EDI link to a major retailer go down, orders stop and trucks sit idle. Good wholesale IT support keeps your ERP and inventory running, your warehouse connected, and your retailer integrations flowing so stock keeps moving.

Wholesalers, importers and distributors all share a problem most generic IT providers miss: the office is the small part. The real operation is a warehouse full of stock, scanners, label printers, forklifts and people who need the system to respond in real time. When the network drops in the racking, pick-and-pack stops and the day’s dispatch is at risk. That is a different support job to keeping a few accountants’ laptops patched, and it needs a provider who understands both halves.

The systems that run a distribution business

Most wholesalers and distributors in Melbourne run their entire operation through one core platform — the ERP or inventory system — and everything else hangs off it. Get that wrong and nothing else matters.

The common platforms we see across importers and distributors are MYOB Advanced, NetSuite, Cin7 (and the former DEAR, now Cin7 Core), Unleashed, Pronto Xi and SAP Business One. Some are full cloud SaaS; others run on a server you still own, or a hybrid. The distinction matters for support. With cloud ERP, the vendor runs the application, but you still own the accounts, the integrations, the warehouse network and the backup of anything outside the platform. With an on-premises Pronto or SAP Business One install, you own the server, the database, the patching and the disaster recovery as well — and that is a meaningful ongoing responsibility, not a set-and-forget box in a comms cupboard.

Whichever platform you run, the IT job is the same shape: keep it available, keep the integrations authenticated and flowing, keep the data backed up, and keep the warehouse able to talk to it without dropouts.

Warehouse scanning, barcoding and handheld devices

Barcode scanning is the heartbeat of a distribution warehouse. Goods in, putaway, pick, pack, dispatch and stocktake all run on handheld scanners talking to the inventory system in real time. When that link is slow or drops, the whole floor slows with it, and pickers start writing things on paper — which is where errors creep in.

The hardware matters more than people expect. Consumer tablets and phones do not survive a warehouse. We specify ruggedised handhelds — Zebra and Honeywell are the usual choices — built to be dropped on concrete, used with gloves, and run a full shift on one charge. A cheap device that fails after six months in a cold store is no saving at all. Alongside the scanners sit label printers (Zebra thermal units for cartons and pallets), and those need their own attention: drivers, firmware, label stock and a network path that does not vanish when someone reboots a switch.

The common failure we are called in to fix is not the scanner itself. It is the wireless network underneath it.

Warehouse Wi-Fi that reaches the racking

Office Wi-Fi and warehouse Wi-Fi are different engineering problems. An office is plasterboard and open desks. A warehouse is steel racking ten metres high, packed with stock that absorbs and reflects signal, and the coverage you need is everywhere a picker walks — including the far corner and the loading dock.

Done properly, warehouse coverage means a heat-mapped design, access points mounted and aimed for the racking layout (not just bolted to the ceiling), and enough of them that a scanner never loses its association as someone walks an aisle. It means hardware rated for dust and temperature swings, cabling run to survive a forklift, and seamless roaming so a device hands off between access points without dropping the session mid-pick. Get this wrong and you get the classic symptom: scanners that work fine near the office and die at the back of the shed. We have re-done more than one warehouse where the original installer treated 4,000 square metres of racking like a large lounge room.

This is the same on-site, hands-on work that logistics and transport operators need, and it overlaps heavily with our IT support for logistics and transport clients who run depots and cross-docks.

EDI and retailer integrations

If you supply the major retailers — Woolworths, Coles, Bunnings, Metcash, the big chains — you almost certainly trade with them via EDI (Electronic Data Interchange). Purchase orders, advance shipping notices, invoices and remittances flow as structured electronic documents, and the retailers mandate it. Get onboarded or stay onboarded, or you do not supply them.

EDI is unforgiving. A mismatched document format, an expired certificate or a broken mapping between the retailer’s spec and your ERP, and orders silently fail to arrive or your ASNs get rejected — sometimes with chargebacks attached. The integration usually runs through a VAN or an EDI middleware provider that bridges the retailer and your inventory system, and keeping that link healthy is an ongoing IT responsibility, not a one-off project. When a retailer updates their EDI requirements (and they do), someone has to test and adjust the mapping before the deadline.

The same goes for the other integrations that hang off your ERP: your e-commerce store, payment gateways, freight and carrier systems, and accounting. Every one is a connection that can break, and when it does the symptom shows up downstream — orders not flowing, stock counts wrong, invoices not raised.

3PL and logistics integrations

Plenty of distributors no longer hold all their own stock. They use a third-party logistics (3PL) provider for warehousing and fulfilment, or run a hybrid where fast-movers stay in-house and the long tail sits with a 3PL. That means your ERP has to exchange order, stock and dispatch data with the 3PL’s warehouse system, usually via API or EDI, in near real time.

When that integration is solid, the customer never knows where the stock shipped from. When it breaks, you oversell stock you do not have, or orders sit unfulfilled in a queue nobody is watching. The IT job is making sure those data flows are monitored — so a failed sync raises an alert instead of being discovered three days later by an angry customer. The same discipline applies to carrier and freight integrations that book consignments and print labels straight from the order.

Uptime for dispatch

For a distributor, the cost of downtime is brutally concrete: every hour the system is down is orders not picked and trucks not loaded, and in this business a missed dispatch window often means the order ships tomorrow, not later today. That changes how you think about IT.

Uptime for dispatch is built from boring, deliberate engineering:

  • Redundant internet. A primary business connection plus an automatic 4G or 5G failover so a single NBN fault does not stop dispatch. For a cloud ERP, the internet link is your operation — treat it that way.
  • Resilient core network. Switches and access points that are monitored, with spares on hand and a same-day replacement path, because a dead switch in the warehouse stops the floor.
  • Power protection. UPS on the core network gear and any on-premises servers, so a brief outage does not take down dispatch or corrupt a database mid-write.
  • Fast response when it matters. When the warehouse is down, you need someone answering immediately, not a ticket in a queue. TechAssist holds a sub-15-minute response on P1 critical issues and provides same-business-day on-site across Melbourne metro, run from our 24/7 NOC in Tecoma.

Backup and disaster recovery

“It is in the cloud, so it is backed up” is the assumption that catches distributors out. Cloud ERP vendors protect their own infrastructure. They do not protect you from a staff member deleting the wrong records, a compromised account corrupting data, or a billing dispute that cuts your access. And if you run Pronto or SAP Business One on your own server, the backup is entirely your responsibility.

A sound position covers the ERP and inventory data, your Microsoft 365 (email, SharePoint and OneDrive — Microsoft’s retention is not a backup), and anything sitting on local servers or warehouse PCs. Just as important is knowing your recovery targets: how long you could keep dispatching if the system went down (RTO) and how much data you could afford to lose (RPO). For a distributor those numbers are short, and they should drive the backup design. Our backup and disaster recovery guide covers how to set them, and our data backup and recovery service is built around exactly this.

Cyber security for the supply chain

Wholesalers and distributors are squarely in the firing line for cyber attack, for two reasons. First, you sit in the middle of a supply chain — compromise a distributor and you get a path to its retailers and customers, which is precisely the kind of supply-chain attack defenders worry about. Second, the operational pressure to keep dispatching makes ransomware especially effective: lock up the ERP and the business will feel real pressure to pay because every hour down is money.

The baseline here is the Australian Cyber Security Centre (ACSC) Essential Eight — multi-factor authentication, patching of applications and operating systems, application control, and tested backups. None of it is exotic, and most distributors can implement the meaningful parts without an enterprise budget. Beyond the baseline, the supply-chain angle adds a few specifics: securing the EDI and integration accounts that connect you to retailers and 3PLs, hardening the email channel that purchase orders and remittances flow through, and being able to answer the security questionnaires that larger trading partners increasingly send before they will deal with you. We cover the practical detail in our cybersecurity services, and the manufacturing supply chain faces the same pressures — see our IT support for manufacturers for the overlap.

A Melbourne example

A homewares importer and distributor in Dandenong South we work with runs a 5,000 square metre warehouse on Cin7 Core, supplies two of the major retail chains via EDI, and uses a 3PL for overflow during peak. When they came to us, three things were hurting them. Scanners dropped constantly past the third aisle, so pickers had reverted to paper and stock accuracy had slid. Their EDI ASNs to one retailer kept getting rejected after a spec change nobody had actioned, and chargebacks were stacking up. And there was no real backup of their Microsoft 365 or any failover on the internet — a single NBN outage had already cost them an afternoon of dispatch.

We heat-mapped and rebuilt the warehouse wireless so coverage reached the racking and scanners roamed cleanly, standardised them on ruggedised Zebra handhelds, fixed and then monitored the EDI mapping so format changes get caught before the deadline, and put in redundant internet with 4G failover plus a proper Microsoft 365 backup. Dispatch stopped being a daily gamble.

Frequently asked questions

Do you support our specific ERP or inventory system?

We support the network, devices, integrations, backup and security around platforms like MYOB Advanced, NetSuite, Cin7, Unleashed, Pronto Xi and SAP Business One. The ERP vendor or your implementation partner handles the application’s internal configuration; we make sure it stays available, connected and recoverable, and we coordinate with the vendor when an issue sits on the boundary.

Why do our warehouse scanners keep dropping out?

Almost always the wireless network, not the scanner. Warehouse Wi-Fi needs a heat-mapped design with access points placed for the racking layout and seamless roaming, not office access points bolted to the ceiling. Steel racking and dense stock absorb signal, so coverage that works near the office fails at the back of the shed unless it is engineered for the space.

Can you help us stay compliant with retailer EDI requirements?

Yes. We keep your EDI link to retailers like Woolworths, Coles, Metcash and Bunnings healthy — managing the middleware or VAN connection, watching for rejected documents, and testing mapping changes when a retailer updates their spec, so orders and ASNs keep flowing and you avoid chargebacks.

What is the biggest cyber risk for a distributor?

Ransomware that locks your ERP, because the pressure to keep dispatching makes paying tempting, and supply-chain attacks that use you as a route to your retailers and customers. The Essential Eight baseline — MFA, patching, application control and tested backups — covers most of the exposure, with extra attention on the integration accounts that connect you to trading partners.

Getting it right

Distribution IT is not about gold-plating. It is about getting the warehouse network, the ERP integrations, the dispatch uptime, the backup and the supply-chain security done properly and kept that way. TechAssist is a Melbourne-based MSP, founded in 2014, with 13 Australian-employed engineers — not offshore — and we support warehouses, importers and distributors across Melbourne metro on per-user fixed monthly pricing with no hourly billing for in-scope work. If your scanners are dropping out, your EDI keeps breaking, or dispatch is one NBN outage away from a bad day, get in touch and we will tell you plainly what to fix first.

A gym is one of the few small businesses that has to keep running while nobody is watching it. Gym IT support keeps the door access, cameras, member Wi-Fi and billing all working through the night and on weekends, so a 2am cardio session and a Sunday direct debit run both go ahead without anyone on site.

Fitness has shifted hard toward unattended hours. 24/7 access gyms, boutique pilates and yoga studios with keypad entry, and small group training spaces all run long stretches with no staff in the building. The systems cannot just work during business hours — they have to work, and be monitored, when the place is empty.

What a gym actually runs on

Behind the front desk, a modern fitness business is a stack of connected platforms, and most of them touch member data or money. The core is the membership and booking platform — in Australia usually Mindbody, Glofox, Hapana, Gymmaster, or ABC Fitness (the Clubware lineage). These handle sign-ups, class bookings, memberships, attendance, and the all-important billing run. They are cloud platforms, so the vendor secures the application — but the accounts, the devices that log in, the network they sit on, and every integration hanging off them are your responsibility.

Around that platform sit the systems that make a 24/7 gym possible:

  • Door access control — keypads, fobs, QR or app-based entry, tied back to whether a member’s account is active and paid.
  • Payment and direct debitEzidebit or Debitsuccess running the recurring billing, plus a terminal at the desk for casual visits.
  • CCTV — cameras covering the floor, entry and car park, often the only “staff” present overnight.
  • Member Wi-Fi — for the app, music and member phones, which must stay separate from anything that handles billing.

When one of those falls over at 11pm, there is no one on site to notice. That is the whole problem to solve.

Unattended hours: the uptime problem

The defining requirement for a 24/7 gym is reliable uptime when the building is empty, and knowing about a fault before a member does. At an unattended gym at 1am, the door controller might lock paying members out, or — worse — fail open and let anyone in. CCTV might stop recording exactly when you most need footage. The overnight direct debit run might fail silently. None of these get caught until morning unless something is watching.

This is where remote monitoring earns its keep. The router, the access controller’s connection, the camera recorder and key endpoints are monitored continuously, so an outage raises an alert rather than being discovered. For sites that cannot tolerate a dropout, a 4G or 5G failover keeps the door system and cameras online when the NBN has a wobble. TechAssist runs a 24/7 NOC in Tecoma, so out-of-hours alerts from a fitness site go to engineers, not a voicemail.

Door access control and integration

Access control makes or breaks an unattended gym, and the detail that matters most is how it talks to your membership platform. The ideal is integration: when a member’s payment fails or their membership lapses in Mindbody, Glofox or Gymmaster, their fob or app access is suspended automatically, and restored when they rejoin. Done well, this removes a pile of manual admin and stops lapsed members wandering in at 3am. Done badly — or not at all — staff are exporting lists and manually disabling fobs, which never keeps up.

The integration is rarely plug-and-play. It needs the sync monitored so it does not quietly stop, and a sensible fail-state decided in advance: if the link goes down, does the door default to locked or last-known-good? Make those decisions deliberately, not during an incident. The same applies to staff and contractor access — cleaners and trainers who rotate through need their own credentials, revoked the day they leave.

Payments, direct debit and PCI basics

Membership gyms live on recurring billing, which means cardholder data is part of the business whether you think about it or not. Anyone who stores, processes or transmits card data is subject to the Payment Card Industry Data Security Standard (PCI DSS). Using a dedicated direct debit provider like Ezidebit or Debitsuccess is what shrinks that burden: they hold and process the card and bank-account details, keeping that data out of your systems. Your job is to not undo that protection. The practical basics:

  • Never store card numbers yourself — not in a spreadsheet, an email, or a note on the member’s profile. Let the payment provider hold them.
  • Use the integrated payment flow the booking platform and gateway provide, so card data is tokenised and never lands on your PC or network.
  • Keep the payment terminal and billing PC on a separate network from the member Wi-Fi.
  • Lock down the accounts that can access billing with MFA and individual logins.

For a small studio this is genuinely light-touch — a self-assessment questionnaire rather than a full audit. We cover the detail in our guide to PCI DSS compliance for Australian business.

Member Wi-Fi vs back office

One of the most common — and most easily fixed — mistakes we see in gyms is a single flat network where the member Wi-Fi, front-desk PC, payment terminal, CCTV and door controller all share the same space. The member Wi-Fi is, by design, open to hundreds of strangers’ phones. If a compromised device on that network can see the billing PC or camera recorder, you have handed an attacker a path straight to member data and footage.

The fix is network segmentation: a separate guest VLAN for member and visitor Wi-Fi that reaches the internet and nothing else, an isolated segment for payments and back-office systems, and CCTV and access control on their own segment too. It is a standard piece of managed IT work — a one-off configuration that pays for itself the first time someone’s infected phone connects to your Wi-Fi.

Protecting member personal and payment data

A gym holds a surprising amount of personal information: names, addresses, dates of birth, emergency contacts, health and injury notes, photos, and the bank or card details behind every membership. Under the Privacy Act 1988, a business turning over more than $3 million must comply with the Australian Privacy Principles, and health-related information attracts higher protection. If member data is exposed in a way likely to cause serious harm, the Notifiable Data Breaches scheme requires you to assess it and, where the threshold is met, notify the Office of the Australian Information Commissioner (OAIC) and the affected members.

None of this needs an enterprise budget. The Australian Cyber Security Centre (ACSC) Essential Eight is a sensible baseline, and the meaningful parts for a gym are the cheap ones: multi-factor authentication on every account that touches the membership platform or email, patching, and a real backup. Our cybersecurity services cover the practical version.

Multi-site fitness businesses

Plenty of Melbourne fitness brands run several sites — a few boutique studios, or a 24/7 chain across the suburbs. Multi-site changes the IT job from “fix this gym” to “run a consistent, monitored estate”: every site built to the same standard, centralised visibility so access control, cameras and connectivity at each location report into one place, and identity managed centrally so a staff member’s access works at the right sites and is revoked everywhere at once when they leave. It is the difference between a brand that scales cleanly and one where every new location reinvents its own problems.

A Melbourne example

A boutique pilates and reformer studio in Hawthorn we work with runs 24/7 keypad access off-peak and staffed classes by day, on Glofox with Ezidebit handling the direct debits. They came to us after two near-misses in a month. First, their overnight access control locked paying members out for a weekend because the Glofox sync had quietly stopped and nobody knew. Then a member’s phone on the studio Wi-Fi turned out to be infected — and that Wi-Fi shared a flat network with the reception PC.

We rebuilt it properly: segmented the network so member Wi-Fi, payments and the cameras each sit on their own VLAN; put the Glofox sync under monitoring so a broken link raises an alert instead of locking members out; added 4G failover so the door and cameras stay up overnight; and enforced MFA on the Glofox and email accounts. Out-of-hours faults are now caught by our Tecoma NOC rather than by a member at the keypad.

Frequently asked questions

Do I need PCI compliance if I use Ezidebit or Debitsuccess?

Yes, but it is much lighter than people fear. The provider holds and processes the card and bank details, which keeps that data out of your systems and shrinks your obligations to a self-assessment questionnaire. As long as you never store card numbers yourself and use the integrated payment flow, PCI DSS for a small gym comes down to good basic hygiene.

How do I make sure my 24/7 gym keeps running when no one is there?

Continuous remote monitoring of the internet connection, the door controller, the cameras and the key systems, so a fault raises an alert that gets actioned rather than discovered the next morning. For sites that cannot tolerate any dropout, a 4G or 5G failover keeps door access and CCTV online if the main connection fails.

Can my door access integrate with my membership platform?

Usually, yes. Access systems can integrate with platforms like Mindbody, Glofox and Gymmaster so a lapsed or unpaid membership automatically suspends fob or app access, and rejoining restores it. The integration needs monitoring so the sync does not quietly fail, and a sensible fail-state — locked or last-known-good — decided in advance.

Getting it right without overspending

A fitness business does not need a big security budget — it needs the unattended-hours basics done properly and kept that way: monitored connectivity with failover, access control that talks to your billing platform, a segmented network, payment data left with the provider who handles it, and member information protected to the standard the Privacy Act expects. TechAssist is a Melbourne-based MSP, founded in 2014, with 13 Australian-employed engineers and a 24/7 NOC in Tecoma, on per-user fixed monthly pricing. If your gym is running on a consumer router and a flat network, get in touch and we will tell you plainly what to fix first.

Community pharmacies run on systems that have to be available the moment a customer hands over a script, store sensitive health data the Privacy Act takes seriously, and connect to half a dozen government and supplier networks at once. Good pharmacy IT support keeps the dispensary, the retail front and the claiming all running together, securely.

If you own or manage a retail pharmacy, your IT is not a back-office convenience. A dispensing terminal that freezes, a SafeScript lookup that times out, or a server that goes down on a Saturday morning translates directly into a queue of patients you cannot serve and prescriptions you cannot legally fill. This is operational, clinical and regulatory all at once, and most generic “computer guys” do not understand the stack.

What actually runs in a community pharmacy

A typical suburban pharmacy is running more integrated software than most small businesses twice its size. The dispensing system is the heart of it. Depending on the banner group and the pharmacist’s history, that is usually one of:

  • FRED Dispense or the newer cloud-capable FRED NXT
  • Z Software (ZDispense)
  • Minfos
  • Aquarius
  • Simple Retail or another integrated retail POS platform

That dispensing system does not sit on its own. It has to talk to electronic prescription services, the real-time prescription monitoring database, My Health Record, your wholesaler ordering, your retail point of sale, your label printers and your dose-administration-aid packing. When the underlying network, server or workstation has problems, all of that wobbles at once. The pharmacist usually notices first, at the worst possible moment.

A pharmacy in Box Hill we work with runs FRED NXT in the dispensary and an integrated retail POS at the front counter, with a single on-premise server tying them together and a secondary internet service on standby. That setup is normal now, not gold-plated. The dependencies are real, so the infrastructure underneath them has to be treated as critical, not as something you replace when it finally dies.

Electronic prescriptions, SafeScript and My Health Record

Three external systems sit close to the centre of day-to-day dispensing, and all three depend on a stable internet connection and correctly configured workstations.

Electronic prescriptions (eRx and the token / Active Script List)

Paper scripts have largely given way to electronic prescriptions delivered through the eRx Script Exchange (and, where still in play, MediSecure). A patient presents an SMS or email token, or you pull their Active Script List, and the script flows straight into the dispensing software. When the connection to the prescription exchange drops, dispensing slows to a crawl and staff fall back to manual workarounds that introduce errors. Reliable connectivity and a tested failover path are not optional here.

Real-time prescription monitoring (SafeScript Victoria)

In Victoria, SafeScript is mandatory for supplying monitored medicines. Pharmacists are required to check it, and a slow or broken connection to SafeScript is not just an inconvenience, it sits in the middle of a legal obligation. The integration runs through the dispensing software and a browser, so DNS, certificates and browser configuration all matter. We have seen “it’s just the internet” turn out to be an expired certificate or a security setting blocking the lookup.

My Health Record

Uploading dispense records to My Health Record relies on your NASH PKI certificate, correct HPI-O configuration and a healthy connection to the Healthcare Identifiers service. Certificates expire. When they do, uploads silently fail and nobody notices until there is a problem. Part of competent pharmacy IT is tracking those expiry dates and renewing them before they bite.

Claiming through the Pharmacy Programs Administrator

Beyond dispensing revenue, pharmacies claim for programs administered by the Pharmacy Programs Administrator (PPA) through its portal — MedsCheck, Dose Administration Aids, staged supply, and the various professional programs that come and go. Claiming depends on accurate records out of your dispensing and patient management systems, and on PRODA access for the staff who lodge claims.

The IT angle is unglamorous but real: PRODA accounts tied to individuals who have since left, multi-factor authentication that nobody can reset, and software that has not been updated to the current program rules. When claiming breaks at month-end, it is real money sitting unclaimed. Keeping access, identity and software current is part of the job.

Protecting health and payment data under the Privacy Act

This is where pharmacies are exposed in a way most retailers are not. You hold two categories of data that attract serious obligations: health information and payment card data.

Health information is sensitive information under the Privacy Act 1988, and the usual small-business turnover exemption does not apply to it. A pharmacy that turns over well under the $3 million threshold is still an APP entity because it provides a health service and holds health records. In plain terms: there is no turnover threshold that lets a pharmacy off the hook. You are covered by the Australian Privacy Principles and the Notifiable Data Breaches scheme regardless of size, and the Office of the Australian Information Commissioner (OAIC) is the regulator if something goes wrong.

That means a stolen laptop, a ransomware hit that exposes patient records, or a misconfigured backup sitting in a public cloud bucket can each be a notifiable breach. The practical controls are not exotic: encrypted devices, properly segmented networks so the public-facing retail Wi-Fi cannot reach the dispensary server, tight access control, multi-factor authentication on email and remote access, and patched systems. Most of this maps cleanly onto the Essential Eight, which is the framework we use as the baseline for healthcare clients. If you want the wider clinical-records picture, our guide to healthcare IT support, the OAIC and My Health Record goes deeper on the obligations.

On the payment side, taking card payments brings PCI DSS obligations through your bank and payment provider. Integrated EFTPOS and properly maintained terminals do most of the heavy lifting, but the surrounding network still has to be kept clean.

Where the retail POS and the dispensary have to meet

The thing that makes pharmacy IT distinct from a standard shopfront is that the retail and clinical sides are genuinely fused. A customer collecting a prescription often buys front-of-shop items in the same transaction. Stock, pricing, promotions, loyalty and scheduled-medicine handling all flow between the POS and the dispensing system.

When that integration is healthy, the counter is fast and the pharmacist is not retyping anything. When it is not — mismatched product files, a POS that has lost its link to the dispensing database, a pricing update that did not sync — staff start working around the system, and that is where errors and lost margin creep in. Getting this right is a mix of vendor coordination and solid local infrastructure, and it is exactly the kind of thing a generic break-fix provider tends to shrug at.

Uptime, backups and ransomware resilience

A pharmacy cannot trade when its core systems are down. That makes three things non-negotiable: reliable uptime, recoverable backups, and a genuine plan for ransomware.

Uptime

Uptime is about removing single points of failure. A pharmacy that depends on one ageing server, one internet connection and one power outlet is one bad morning away from closing the dispensary. Sensible measures — a properly specified and monitored server, a UPS, a secondary internet service that fails over automatically, and proactive monitoring that flags a failing disk before it dies — keep the doors open. Our managed IT services are built around catching these problems before they become outages, with same-business-day on-site cover across Melbourne metro when something does need hands on it.

Backups

Your dispensing database is the record of every supply you have made. It has to be backed up, the backups have to be tested, and at least one copy has to be off-site and out of reach of anything that compromises the main system. An untested backup is a hope, not a plan. We work to clear recovery objectives so you know how much data you could lose and how long you would be down — the detail is in our piece on RTO versus RPO.

Ransomware resilience

Healthcare is a favourite target for ransomware crews precisely because the data is sensitive and the pressure to pay is high. Resilience means layered defences — email security to stop the phishing that usually starts it, endpoint protection, network segmentation, multi-factor authentication everywhere, and immutable off-site backups so that even if the main systems are encrypted, you can rebuild. Our cybersecurity services and 24/7 NOC at Tecoma are geared to exactly this: catch the intrusion early, contain it, and have a recovery path that does not involve paying criminals.

What good pharmacy IT support looks like in practice

The difference between a provider who understands pharmacies and one who does not shows up in the small things: knowing that a SafeScript timeout might be a certificate, not the NBN; knowing that a failed My Health Record upload usually traces back to NASH PKI; understanding that the dispensing vendor and the IT provider have to coordinate rather than blame each other.

NeedGeneric IT providerPharmacy-aware IT support
Dispensing software issues“Call the vendor”Coordinates with FRED, Minfos, Z, etc. and fixes the infrastructure side
SafeScript / eRx outagesChecks the internet, stops thereChecks certificates, DNS, browser config and failover
Privacy / data breachUnaware health data has no turnover thresholdBuilds to OAIC and Essential Eight from day one
UptimeReactive, fixes it after it breaksMonitored, with failover and same-day on-site
Backups“There’s a backup running”Tested, off-site, immutable, with known recovery objectives

TechAssist is a Melbourne-based MSP founded in 2014, with 13 Australian-employed engineers — no offshore helpdesk — and a sub-15-minute response on critical issues. For a pharmacy, that response time is the difference between a brief hiccup and a closed dispensary. We work with healthcare clients across the metro on per-user fixed monthly pricing, so a busy month does not turn into a surprise IT bill.

Frequently asked questions

Does the Privacy Act apply to a small pharmacy?

Yes. Because a pharmacy provides a health service and holds health records, it is an APP entity under the Privacy Act regardless of turnover. The small-business exemption that applies to many businesses under $3 million does not cover the handling of health information, so the Australian Privacy Principles and the Notifiable Data Breaches scheme apply to you.

Can you support FRED, Minfos, Z Software and Aquarius?

We support the infrastructure, network, workstations, servers and security those systems run on, and we coordinate directly with the dispensing vendor for application-level issues. Most “the dispensing system is slow” calls turn out to be infrastructure or connectivity problems, which is squarely our remit.

What happens to dispensing if our internet goes down?

Electronic prescriptions, SafeScript and My Health Record all need connectivity, so an outage hits dispensing hard. We design pharmacies with a secondary internet service that fails over automatically, so a single ISP fault does not stop you trading. It is one of the first things we check on a new pharmacy site.

How quickly can you get someone on-site?

We offer same-business-day on-site support across Melbourne metro, backed by a sub-15-minute response on critical issues from our Tecoma NOC and CBD office. For a pharmacy with a down dispensary, getting hands on it the same day matters.

Talk to a Melbourne MSP that knows pharmacies

If your current provider treats your dispensary like an ordinary office network, you are carrying more risk than you should — clinically, financially and under the Privacy Act. We build pharmacy IT around the systems you actually run, the regulators you actually answer to, and the uptime your patients depend on. Get in touch and we will walk through your dispensing, claiming, security and backup setup, and tell you straight where the gaps are.

Good veterinary IT support keeps a clinic running when a dog is crashing on the table and the imaging suite, the lab interface and the practice management system all have to work at once. For Melbourne vets, that means fast, redundant infrastructure built around ezyVet or RxWorks, DICOM storage that doesn’t choke, and backups you can actually restore.

Veterinary practices are deceptively IT-heavy. A two-vet clinic in Box Hill runs more clinical systems than most law firms twice its size: practice management, digital radiography, in-house pathology analysers, a payment terminal, a pet-insurance claims workflow and a reminder engine pinging clients about C5 vaccinations. When any one of those stalls, the waiting room backs up and revenue stops. This post walks through what proper IT support for a vet clinic looks like and where most setups fall over.

Practice management software is the spine — treat it that way

Everything in a clinic hangs off the practice management system (PMS). In Australian small-animal practice you’ll typically see ezyVet, RxWorks, VisionVPM, Provet Cloud or ASAP. They split roughly into two camps, and that split decides your whole infrastructure design.

  • Cloud-hosted (ezyVet, Provet Cloud): the application lives in the vendor’s data centre and you reach it through a browser. Your local burden shifts to internet reliability, DNS and endpoint health.
  • Server- or workstation-based (RxWorks, VisionVPM, ASAP): the database sits on a box in your back room or comms cupboard. That server’s health, patching and backups become your single biggest risk.

The mistake we see most often is treating the PMS like ordinary office software. A vet’s database is open and being written to from the moment the first consult starts until the last record is saved at night. If that server has a failing disk, an out-of-date SQL instance or a backup that hasn’t completed in three weeks, the clinic is one bad morning away from losing patient history, drug records and accounts receivable. Knowing which PMS you run, how it stores data and what the vendor is and isn’t responsible for is the first job of any competent managed IT services provider.

Cloud PMS doesn’t mean “not your problem”

Clinics on ezyVet sometimes assume the cloud vendor handles everything. The vendor handles their servers. They do not handle your internet dropping out mid-consult, your Wi-Fi blackspot in the second consult room, or a phishing email that hands over the login to your entire patient database. The boundary matters, and someone needs to own your side of it.

Imaging, DICOM and the large-file problem

Digital radiography is where vet IT gets genuinely demanding. A single digital X-ray series is large, and CT or ultrasound studies are larger again. These come off the modality as DICOM files and need to land somewhere fast, stay accessible for review, and remain retrievable years later for re-presentations and medico-legal reasons.

Two things tend to break:

  1. Network throughput. If your imaging workstation pushes studies across a tired 1Gb switch shared with everything else, the radiographer waits while the image loads. Gigabit cabling to the imaging room, a decent switch and proper segregation of imaging traffic fixes this. Wireless is the wrong place to move DICOM studies — keep the modality and review station on wired connections.
  2. Storage that fills silently. Imaging archives grow relentlessly and don’t shrink. A clinic that bought a server with 2TB three years ago is often surprised to find imaging has quietly eaten it. Storage planning has to account for years of accumulation, not the first six months.

Most Melbourne clinics we work with keep DICOM on local fast storage for immediate access, with a second copy replicated off-site so a dead drive or a flooded comms cupboard doesn’t erase a patient’s imaging history. That overlaps heavily with how we approach data backup and recovery generally — imaging is just backup with bigger files and longer retention.

In-house lab integrations

In-house pathology — IDEXX or Heska haematology and biochemistry analysers, in particular — is one of the most rewarding integrations to get right and one of the most fiddly. When it works, the vet orders a panel in the PMS, runs the sample, and results flow straight back onto the patient record. When it doesn’t, someone is hand-typing results off a printout, which wastes clinical time and introduces transcription errors.

These integrations usually run over a small piece of middleware or a direct network link between the analyser and the PMS. The failure points are dull but real: a changed IP address after a router swap, a Windows update that resets a service, a firewall rule that quietly blocks the analyser. Whoever supports the clinic needs to understand that the analyser is a networked device with its own quirks, not just “the machine in the lab”. Getting it documented — IP, port, service, vendor contact — means a five-minute fix instead of a half-day outage.

Appointments, reminders, payments and insurance claims

The front-of-house systems are what clients actually see, so when they break the clinic looks unprofessional even if the clinical side is fine.

Appointment and reminder systems

Online booking and automated reminders (SMS and email for vaccinations, parasite prevention, dental checks and post-op follow-ups) are usually built into the PMS or bolted on through an integration. The IT job here is keeping the integration authenticated and the messages actually sending — expired API tokens and misconfigured email authentication (SPF, DKIM, DMARC) are the usual reason reminders silently stop going out. A clinic often doesn’t notice for weeks, by which point recall revenue has already been lost.

Payments and pet-insurance claims

Payment terminals need a stable network path and shouldn’t share a flat network with clinical systems — card data and patient records living on the same undivided LAN is poor practice. Pet-insurance claims, increasingly lodged through GapOnly or direct insurer portals, depend on the front desk having reliable connectivity and the PMS integration working. None of it is glamorous, but a frozen terminal at checkout on a Saturday morning is exactly the kind of thing that makes a client never come back.

Protecting client data and payment information

Vet clinics hold more sensitive data than they realise: client names, addresses, phone numbers, payment details and, increasingly, linked finance arrangements. Under the Privacy Act, a business turning over more than $3 million a year is covered by the Australian Privacy Principles, and many established multi-vet practices and animal hospitals sit above that line. Even below it, a clinic taking payment card data has obligations, and a breach of client financial information is a reputational disaster regardless of turnover.

The Office of the Australian Information Commissioner (OAIC) runs the Notifiable Data Breaches scheme. If a clinic suffers a breach likely to cause serious harm — say a ransomware crew exfiltrates the client database — it may be legally required to notify affected clients and the OAIC. The practical defence is the same set of controls we’d put in front of any SME holding sensitive data: multi-factor authentication on the PMS and email, current patching, properly configured backups, network segmentation between clinical, payment and guest Wi-Fi, and staff who can recognise a phishing email. We build these along the Australian Cyber Security Centre’s Essential Eight model, which is the most sensible baseline for a small clinic that can’t justify an enterprise security team. Our broader approach to cybersecurity services applies the same controls without drowning a five-person practice in process.

Reliable Wi-Fi across every consult room

A vet on a tablet updating a record at the patient’s side, an imaging cart roaming between rooms, the front desk, the kennels out the back — they all need coverage, and a single consumer router by the reception desk won’t deliver it. Concrete walls, stainless steel cages and the metal-heavy fit-out of a treatment area all eat Wi-Fi signal.

The fix is business-grade access points placed for actual coverage rather than convenience, on separate networks for clinical use, payments and a guest/client SSID. A clinic in Footscray we worked with had constant dropouts on tablets in the back treatment area; the cause was a single overloaded access point trying to cover a building it was never going to reach. Two properly positioned access points and a clean network design ended the complaints. This is the sort of thing that’s hard to fix remotely and is why on-site technical support matters for clinics — someone has to physically walk the building with a signal meter.

After-hours and emergency uptime

A daytime-only general practice and a 24-hour animal hospital are completely different IT problems. An emergency and critical-care hospital cannot have its PMS down at 2am when a critical patient comes through the door — there’s no “we’ll sort it tomorrow”. That demands redundant internet (a primary connection plus a 4G/5G failover), a server or cloud setup designed so a single failure doesn’t stop clinical work, and IT support that answers the phone at 2am rather than a ticket queue opening at nine.

TechAssist is a Melbourne-based MSP with a 24/7 Network Operations Centre in Tecoma in the eastern suburbs, which is the part of our service that matters most to a clinic running overnight. We target a sub-15-minute response on critical (P1) issues and same-business-day on-site across Melbourne metro, and all 13 of our engineers are Australian-employed rather than offshore — so an after-hours emergency reaches someone who knows your clinic, not an overseas script reader. For a clinic running overnight, that responsiveness is the difference between a brief blip and a night spent on paper.

Backups you have actually tested

Backups are where vet IT most often turns out to be quietly broken. The pattern is familiar: a backup was configured years ago, nobody checks it, and the day the server dies everyone discovers it stopped completing months earlier. A backup that has never been test-restored is a guess, not a safeguard.

For a clinic, a sound backup posture means a local copy for fast restores, an off-site or cloud copy that survives fire, theft or ransomware, and immutable backups that an attacker can’t encrypt or delete. It also means knowing your RTO and RPO — how quickly you need to be back up, and how much data you can afford to lose — because those numbers drive the whole design. We test-restore client backups rather than assuming they work, and that single discipline catches more disasters than any firewall.

What this looks like as a managed service

Pulling it together, here’s how the major risks map to what a clinic actually needs from IT support.

Clinic systemMain riskWhat good support provides
Practice management (ezyVet, RxWorks, VisionVPM, Provet Cloud, ASAP)Database loss, server failure, vendor-boundary confusionPatched, monitored infrastructure; tested backups; clear ownership of your side
Digital imaging / DICOMSlow loads, storage filling, lost imaging historyWired gigabit to imaging, capacity planning, off-site replication
In-house lab analysersBroken integration after a change or updateDocumented network config, fast reconnection, vendor coordination
Reminders, payments, insurance claimsSilent failures, frozen terminals, lost recall revenueMonitored integrations, segmented payment network, stable connectivity
Client and payment dataBreach, ransomware, OAIC notificationMFA, Essential Eight controls, segmentation, staff awareness
Wi-Fi and after-hours uptimeBlackspots, single points of failure, 2am outagesBusiness-grade APs, redundant internet, 24/7 response

The clinics that have the least IT drama are the ones that treat it as core infrastructure — funded, monitored and supported properly — rather than something to deal with when it breaks. Per-user fixed monthly pricing, the model we use, makes that predictable: support for the whole clinic for a known monthly figure, with no hourly bill arriving every time a vet calls about a frozen screen.

Frequently asked questions

Do you support both cloud and server-based veterinary practice management systems?

Yes. Cloud platforms like ezyVet and Provet Cloud need solid internet, DNS and endpoint security on your side. Server-based systems like RxWorks, VisionVPM and ASAP need patching, monitoring and tested backups on the server itself. We support both, and the design differs accordingly.

How do you handle the large file sizes from digital X-ray and CT?

DICOM imaging lives on fast local storage on a wired gigabit connection for immediate review, with a second copy replicated off-site for retention and disaster recovery. We plan storage for years of accumulation, because imaging archives only ever grow.

Can poor Wi-Fi in our consult rooms actually be fixed?

Usually, yes — and it almost always needs someone on-site. Consumer routers can’t cover a clinic with concrete walls and metal fit-outs. Business-grade access points placed for real coverage, on segmented networks, resolve nearly every blackspot complaint we’re called about.

What happens if our system goes down after hours?

Our 24/7 NOC in Tecoma means an after-hours emergency reaches an Australian engineer, not a ticket queue. For 24-hour animal hospitals we also design redundancy — failover internet and resilient server or cloud setups — so a single failure doesn’t stop clinical work overnight.

Talk to us about your clinic

If your clinic is in Melbourne and your PMS, imaging or Wi-Fi has been more trouble than it should be, we can help. We work with healthcare and professional-services clients across Melbourne metro and understand the specific demands of a veterinary fit-out. Get in touch and we’ll walk through where your current setup stands and what it would take to make it boringly reliable.

Good hospitality IT support keeps the till open and the kitchen printing through a Friday-night rush. For cafes, restaurants, pubs and function venues, it means POS that doesn’t freeze mid-service, EFTPOS that always settles, guest Wi-Fi that doesn’t drop, and internet that survives a fibre cut. When something breaks at 7pm on a Saturday, you need someone who answers.

Hospitality is unforgiving about IT in a way most industries aren’t. A law firm can limp along for an hour with a slow network. A 90-seat restaurant in full service cannot. If the POS goes down, orders stop flowing to the kitchen, dockets stop printing, and you’re suddenly running a paper-and-shouting operation while a queue builds at the door. The cost of downtime isn’t theoretical — it’s measured in walked customers, comped meals and a stressed floor team. This is why hospitality venues need IT support built around uptime during the exact hours when generic business-hours support has gone home.

The hospitality tech stack, and where it breaks

Most venues run more systems than they realise. A typical Melbourne restaurant or pub is juggling a POS, an EFTPOS network, kitchen printers or screens, a booking platform, two or three delivery integrations, a guest Wi-Fi network, CCTV, and the back-office laptop that runs payroll and ordering. Each one is a potential failure point, and most of them talk to each other.

Point of sale

POS is the heart of the venue. In Melbourne hospitality you’ll see Lightspeed (which absorbed Kounta), Square in smaller cafes, and Impos or Bepoz in larger pubs and multi-venue groups. Cloud-based platforms like Lightspeed and Square are resilient in that your data lives off-site, but they’re only as good as the internet connection and the local hardware. Server-based systems like older Impos installs keep running if the internet drops, but the on-premise server becomes a single point of failure you have to back up and patch.

The practical IT job here is keeping POS terminals patched, the local network clean, and the relationship with the POS vendor’s own support clear — because when something breaks, you need to know fast whether it’s the software, the hardware, the network or the integration. A venue without that clarity loses an hour on hold to the wrong vendor.

Online ordering and delivery integrations

Delivery is where a lot of venues quietly bleed time. Deliveroo exited Australia in 2022, but UberEats, DoorDash and Menulog are everywhere, and at-table ordering tools like me&u are now common in pubs and casual diners. Each platform either feeds orders into a separate tablet on the pass or integrates directly into the POS. The tablet-per-platform approach is a mess — staff miss orders, screens get knocked off Wi-Fi, and nobody owns the chargers. A proper POS integration pulls those orders into one queue, but the integration itself needs monitoring, because when an API changes or a token expires, orders silently stop arriving and you don’t notice until a customer rings asking where their food is.

Booking and reservations

Restaurants and function venues lean on booking systems — SevenRooms, OpenTable, and the very common Aussie option Now Book It. These live in the cloud, so the IT exposure is mostly about reliable internet, the iPad or terminal on the host stand, and making sure the booking platform’s data syncs cleanly with the POS where that integration exists. For function venues taking deposits, there’s also a payment-security angle: card details captured for a booking need to be handled through PCI-compliant channels, not scrawled on a notepad behind the bar.

Kitchen printers and KDS

The link between POS and kitchen is the part that fails most visibly. Thermal dockets printing on a Bluetooth or network printer at the pass, or a Kitchen Display System (KDS) on a screen, depend on the local network holding together. Cheap unmanaged switches, printers on dodgy Wi-Fi, and IP addresses that change overnight are the usual culprits when dockets stop appearing. Putting kitchen printers and KDS screens on cabled connections with fixed addresses, on a network segment that isn’t competing with guest Wi-Fi, removes most of these incidents before they happen.

Wi-Fi: staff and guests are not the same network

This is the single most common thing we fix in venues. Everything — POS terminals, EFTPOS, kitchen printers, the booking iPad, the office PC, and a hundred guest phones — gets dumped onto one flat Wi-Fi network with a password stuck to the wall. Then someone streams video in the beer garden, the POS terminal starts dropping its connection, and the EFTPOS times out mid-transaction.

The fix is network segmentation. Operational devices (POS, EFTPOS, printers, CCTV) go on a private, secured VLAN that guests can never touch. Guest Wi-Fi runs on a separate network with its own bandwidth limits, so a busy Saturday crowd can’t starve the till. Staff devices sit on a third segment. Done properly, a guest’s phone can never see your POS, which also matters for security — a flat network means a compromised guest device is one hop from your payment terminals. We cover the broader principle in our write-up on the zero trust security model, and the logic applies just as much to a pub as a corporate office.

Internet and the 4G/5G failover that saves your service

Here’s the scenario we plan every hospitality network around. A cafe in Richmond we work with had its NBN connection cut by a contractor digging up the footpath two doors down — at 12:30 on a Saturday, mid-lunch rush. With a single connection, that’s the venue dead in the water for however long it takes the carrier to dispatch a truck, which on a weekend can mean Monday.

The answer is automatic failover. A router with a 4G/5G SIM that detects the primary connection dropping and switches over within seconds, keeping cloud POS, EFTPOS and online orders running while the main line is repaired. Most card terminals and cloud POS tolerate a brief blip on failover; guests barely notice. For a venue doing thousands of dollars an hour at peak, the cost of a failover SIM and the data plan behind it is trivial against one lost lunch service. We build this into every hospitality network as standard, because in hospitality a single internet connection is not a connection — it’s a liability waiting for the worst possible moment.

EFTPOS, surcharging and getting paid

Payments are where venues are most exposed to both downtime and compliance. EFTPOS terminals — whether standalone bank terminals or integrated into the POS — need a stable network and a clear failover path. An integrated terminal that loses its link to the POS can leave staff unable to take card payments at all, so we always make sure there’s a fallback (a standalone terminal or a mobile option) for when the integration misbehaves.

On surcharging, the rules matter. Card surcharges in Australia are regulated by the Reserve Bank of Australia, and a business may only pass on its actual cost of acceptance — you can’t surcharge more than it genuinely costs you to accept that card type. The ACCC enforces this and has acted against businesses charging excessive surcharges. If your POS is configured with a flat surcharge that exceeds your real merchant cost, that’s a compliance problem, not just an IT one. We can’t set your surcharge rate — that’s between you and your acquirer — but we can make sure the POS is configured to apply whatever rate you’ve agreed correctly and consistently across every terminal.

CCTV, security and keeping the data safe

Most venues run CCTV for staff and customer safety, stock control and incident evidence. The IT considerations are straightforward but often ignored: cameras on the operational network (never guest Wi-Fi), recordings retained long enough to be useful but managed so storage doesn’t silently fill up, and remote access locked down. A surprising number of venue CCTV systems are reachable from the internet with default passwords — which is how they end up on public camera-streaming sites. Cameras pointing at the till and the cash office also capture footage that, combined with any customer data, brings privacy obligations into play.

On that note, venues handling customer data — booking details, loyalty sign-ups, function deposits, marketing lists — sit under the Privacy Act, and businesses turning over more than $3 million a year must comply with the Australian Privacy Principles. The Office of the Australian Information Commissioner (OAIC) is the regulator. Card data specifically falls under PCI DSS regardless of turnover. None of this is exotic for a venue, but it does mean your POS, booking and CCTV systems need to be patched, access-controlled and backed up — which is the same hygiene that keeps them reliable. Our cybersecurity services cover this end-to-end, aligned to the Essential Eight.

Seasonal peaks and the uptime that matters most

Hospitality demand is spiky. A function venue in Fitzroy might be quiet on a wet Tuesday and slammed across a December of Christmas parties. A beachside pub lives or dies on a few summer weekends. The IT needs to be most reliable exactly when the venue is busiest — which is also when generic IT support is least available.

This is the core reason hospitality venues outgrow a “mate who’s good with computers”. When the POS dies during a 200-cover function, you need a response measured in minutes, after hours, from someone who already knows your setup. TechAssist runs a 24/7 NOC from Tecoma in Melbourne’s east, with a sub-15-minute response on critical issues and same-business-day on-site across the metro. Our 13 engineers are all Australian-employed — no offshore queue, no waiting for an overseas shift to wake up. That coverage is the difference between a five-minute blip and a ruined Saturday.

What managed IT support looks like for a venue

Pulling it together, here’s how the pieces map to what a venue actually needs.

SystemWhat can breakWhat good support does
POS (Lightspeed, Square, Impos, Bepoz)Terminal freezes, server failure, lost ordersPatching, monitoring, vendor coordination, hardware spares
Delivery (UberEats, me&u, DoorDash)Orders silently stop arrivingIntegration monitoring, single-queue setup
Bookings (SevenRooms, OpenTable, Now Book It)iPad offline, sync failures, deposit data exposedReliable network, PCI-safe payment handling
Kitchen printers / KDSDockets stop printing mid-serviceCabled connections, fixed addresses, segmented network
InternetSingle line cut kills the venue4G/5G automatic failover
EFTPOSCan’t take card paymentsStable network, fallback terminal, correct surcharge config
Wi-FiGuests starve the POS, flat network riskSegmented guest / operational / staff networks

The thread running through all of it is that hospitality IT is operational infrastructure, not office IT. It has to be designed for the busiest hour, supported during nights and weekends, and built so that no single failure takes the whole venue down. Our managed IT services wrap monitoring, support and security into a per-user fixed monthly fee, so a small venue isn’t gambling on hourly callout costs every time something goes wrong.

Frequently asked questions

Do you support our existing POS, or do we have to switch?

We support what you’ve got. The POS vendor — Lightspeed, Square, Impos, Bepoz — owns the application itself, but we manage the terminals, network, integrations and everything around it, and we coordinate with the POS vendor’s support when an issue sits with them. There’s no need to rip out a working system.

What happens if our internet goes down during service?

With 4G/5G failover in place, your router switches to a mobile connection within seconds, keeping cloud POS, EFTPOS and online orders running while the main line is repaired. Without failover, a single cut line stops the venue — which is exactly why we build automatic failover into every hospitality network as standard.

Can you help with EFTPOS surcharging compliance?

We make sure your POS applies the surcharge rate you’ve agreed with your acquirer correctly and consistently. The actual rate is between you, your bank and the Reserve Bank’s rules — a surcharge can only recover your genuine cost of acceptance — but we keep the configuration clean so you’re not accidentally over-charging across different terminals.

How fast can you respond if something breaks on a Saturday night?

Our 24/7 NOC in Tecoma covers after-hours and weekends, with a sub-15-minute response target on critical issues and same-business-day on-site across Melbourne metro. For a venue, that response window during peak trade is the whole point.

Get hospitality IT that survives a Friday-night rush

If you run a cafe, restaurant, pub or function venue anywhere across Melbourne and you’re tired of POS that freezes, Wi-Fi that drops and support that clocks off at 5pm, we should talk. TechAssist has supported Melbourne SMEs since 2014, and hospitality is one of the most demanding environments we work in. Get in touch and we’ll start with an honest look at your current setup — the network, the POS, the failover gaps — and tell you straight what needs fixing.

Retail IT lives or dies on whether you can take a payment. Good retail IT support keeps your point-of-sale and EFTPOS running through the Saturday rush, separates customer Wi-Fi from the till, syncs stock across stores and your online shop, and meets the card-handling rules — so a busy day stays a good one.

A shop that cannot process a card for an hour is losing sales and queueing customers out the door. The systems are not complex, but they have to be reliable at exactly the moment they are under most load — which is where most retail IT goes wrong.

The systems a retailer actually runs

Most Melbourne retailers run a cloud point-of-sale platform on a tablet or fixed terminal, not a server in the stockroom. The common ones we see are Square, Lightspeed Retail (which absorbed Vend) and Shopify POS. Each pairs with an EFTPOS terminal, a cash drawer, a receipt printer and a barcode scanner, and most talk to an ecommerce store and an accounting package behind the scenes. Because these are SaaS products, the vendor runs the application and the card-processing rails — but you still own the devices, the network, the staff accounts, the Wi-Fi, the internet connection and the integrations between systems. That is the half where outages and security incidents actually happen, and the half a good MSP looks after.

EFTPOS integration is where the pain hides

The single most common retail support call is “the card machine won’t talk to the till”. Integrated EFTPOS — where the terminal pulls the sale amount straight from the POS so staff do not rekey it — is faster and removes mistakes, but it adds a dependency: the POS, the payment terminal and the bank’s gateway all have to agree, and a firmware update, an expired pairing or a flaky link can break that chain. Tyro, Smartpay, the banks’ integrated terminals and Square’s own readers each behave differently, so knowing how to re-pair a setup quickly is the difference between a thirty-second fix and a closed register.

Inventory, stock and ecommerce sync

The moment a retailer sells both in-store and online, stock accuracy becomes an IT problem dressed up as a retail one. If the POS and the online store do not share a single source of truth for inventory, you oversell — taking an online order for the last item a walk-in just bought, then apologising and refunding. That failure traces straight back to a sync setting. Lightspeed Retail and Shopify both handle this natively when configured properly: one product catalogue, one stock count, updated as sales happen across every channel, and Square does the same within its ecosystem. The work is in getting the integration right — matching SKUs, mapping variants, deciding which system is authoritative, and handling edge cases like layby, click-and-collect and supplier returns. When two staff end up keeping rival spreadsheets, that is not a software limit; it is a setup that was never finished.

Customer Wi-Fi and back-of-house separation

Offering customers Wi-Fi is fine. Putting them on the same network as your point-of-sale is not — and that is the most common, most serious mistake we find in retail. Your till, EFTPOS terminals, back-office PC and stock devices belong on a trusted internal network, while customers and anything else untrusted sit on a separate guest network that can reach the internet and nothing else. They share the same physical connection but are logically walled off, usually with a VLAN and a guest SSID. A customer’s malware-infected phone should never be able to see your payment devices, and done properly this also stops a guest slowing card processing during peak trade.

This separation is not just good practice — it is effectively required by the card-handling rules. If your shop runs one flat network with the Wi-Fi password on a chalkboard, that is the first thing to fix, and our cybersecurity services treat segmentation as a baseline for any business that takes cards.

PCI DSS basics for card handling

Any business that accepts card payments has to comply with the Payment Card Industry Data Security Standard (PCI DSS). For most small retailers the scope is modest: using a reputable cloud POS and an integrated terminal means you never store card numbers yourself, which keeps you in the simplest compliance tier — usually a self-assessment questionnaire from your bank once a year.

“Modest” does not mean “ignore it”. The basics that apply to nearly every retailer: do not store full card numbers anywhere; keep customer Wi-Fi separated from payment devices; use unique staff logins rather than a shared one; patch POS devices and terminals; and change default passwords. None of that is exotic — it is the same hygiene the Australian Cyber Security Centre (ACSC) Essential Eight is built on. If a payment provider sends you a self-assessment questionnaire and you do not know where to start, that is a normal thing for an MSP to handle.

Uptime at trade and peak-season readiness

Retail has a brutal version of the uptime problem: your busiest weeks are Christmas, Boxing Day, end-of-financial-year and any major sale, and that is exactly when an outage costs the most. A POS failure at 11am on a quiet Tuesday is a nuisance; the same failure at 1pm on the Saturday before Christmas is real lost revenue and a queue of unhappy customers. Peak-season readiness is mostly unglamorous preparation done in advance:

  • Test failover before you need it. Confirm the 4G/5G backup actually carries card processing when the fixed line drops — do not discover it does not on Boxing Day.
  • Check device health. Tablets, terminals and printers patched and charged, with spare hardware on hand for the busy period.
  • Have a number that answers. TechAssist runs a sub-15-minute response on P1/critical issues and a 24/7 NOC in Tecoma, so a register down at peak trade gets attention immediately.

Reliable internet with failover

Every system above depends on a working internet connection — cloud POS, integrated EFTPOS, stock sync and CCTV all stop being useful the moment it drops. The sensible setup is a business-grade primary connection plus automatic failover to a 4G or 5G service, so a wobble on the fixed line never stops the till. A failover that switches in seconds, prioritises payment traffic and alerts your provider turns a trading-stopping outage into something most customers never notice. Our Melbourne IT support covers connectivity and failover as part of a managed arrangement.

CCTV and physical security

Modern IP CCTV runs over your network and often stores footage in the cloud, so it needs bandwidth, it needs securing, and it should not share the network with your payment devices — the same segmentation logic applies. CCTV is also a notorious soft target: cheap recorders with default passwords and an open internet port are routinely hijacked, so cameras belong on their own segment, patched and protected with proper credentials. Footage of customers and staff is personal information, so retention and access matter too.

Multi-site management

One shop is mostly about reliability at trade. Several shops add coordination: consistent stock across locations, central reporting, the same security baseline everywhere, and fixing a problem in one store without driving there. Lightspeed and Shopify both do multi-location inventory and consolidated reporting well; the IT side is making every site identical and remotely manageable — the same network and device standards, central management of POS devices and Microsoft 365 accounts, and monitoring that flags an offline terminal before the staff there ring you. Our managed IT services are built around standardising and monitoring sites like this, so the stores do not drift into their own slightly broken configurations.

A Melbourne example

A homewares retailer in Camberwell we work with runs two shopfronts and a Shopify store. When they came to us each shop had a flat network — customers, till and EFTPOS terminal all on one Wi-Fi — stock was tracked separately so they regularly oversold during sales, and their single consumer connection had no backup. We standardised both stores: a business-grade connection with 4G failover, a guest Wi-Fi separated from the payment network by VLAN, one stock position synced across both stores and the online shop, integrated EFTPOS staff could re-pair themselves, a handled PCI self-assessment, and CCTV on its own segment with the default passwords gone. The following December they traded through the peak without a single payment outage, and the overselling stopped.

Frequently asked questions

Do I need PCI DSS compliance if I use Square or Lightspeed?

Yes, but the burden is small. Using a reputable cloud POS with an integrated terminal means you never store card numbers yourself, which keeps you in the simplest tier — usually a once-a-year self-assessment questionnaire — provided you cover the basics: customer Wi-Fi separated from payment devices, unique staff logins, patched devices and no default passwords.

What happens to my POS if the internet goes down?

Most cloud POS platforms keep selling briefly offline and sync when the connection returns, but integrated card processing usually needs to be online. The right answer is automatic failover to 4G or 5G so the outage barely registers, plus a standalone EFTPOS terminal as a manual fallback.

Can one IT provider manage all my stores?

Yes, and for a multi-store retailer that is the point. A managed arrangement standardises the network, devices and security baseline across every site and monitors them centrally, so a problem in one suburb is visible, and often fixable, without anyone driving there.

Getting retail IT right

None of this is complicated, but it has to be reliable when it counts: a POS and EFTPOS that work through the rush, customer Wi-Fi kept well away from the till, stock that matches across every channel, internet with real failover, and card handling that satisfies PCI without becoming a project. TechAssist is a Melbourne-based MSP, founded in 2014, with 13 Australian-employed engineers and same-business-day on-site across Melbourne metro on per-user fixed monthly pricing. If your shop is running on a flat network and a single connection that drops at the worst moment, get in touch and we will tell you plainly what to fix before the next sale.

Ready to Make IT Your
Competitive Advantage?

Book a free consultation with our team. No pressure, no jargon — just a clear-eyed look at where you stand and what's possible.