New plans, a security floor, and the end of pay-by-the-hour.

Why we hold every client to a security floor, what's in our four new plans, and why we ended pay-by-the-hour managed IT. The May 2025 changes, explained.


We’ve made some big calls about how we work with clients from here on. Three of them, all related: every client now meets a security floor, we’re collapsing the old plan lineup into four clean tiers, and we’re ending pay-by-the-hour work for managed clients. None of these are unilateral. Our team will walk every client through what it means for their account. But here’s the picture, in one place.

Why we’re tightening, and why now

Twenty years in, we’ve watched the threat picture shift from “click on the wrong link” to state-backed campaigns that target Australian SMBs every week. The Australian Signals Directorate’s Annual Cyber Threat Report 2023-24 puts the average cost of a single cybercrime incident for an Australian small business at AUD 49,615, rising to AUD 63,602 for a medium business. IBM’s 2024 Cost of a Data Breach Report puts the global average breach at USD 4.26 million.

We’ve been adding controls in layers as the picture has worsened. DNS filtering. Endpoint detection and response. Identity threat detection. Application control. Password managers. Cybersecurity awareness training. The stack is mature.

The problem isn’t the stack. It’s that we let too many clients pick and choose. À la carte security gives the client a number on an invoice, but it doesn’t give them protection. We’ve watched clients tell their insurer they have controls because we offered them, then discover at claim time that they declined the parts that actually mattered. That’s on us. We should have insisted.

So we’re insisting.

There’s an operational reason too. Running legacy and modern plans side by side splits our focus across four different client groups, and we can’t deliver consistent service that way. Simplifying the lineup is partly about you, partly about us. Both of us benefit when our team isn’t context-switching between four operational models.

The minimum every client must meet

To remain a CCP client, you need to be working toward (or already meeting) the items below. We’ll help you get there. Until you do, anything we could have prevented with these controls falls outside our agreement and we won’t carry the liability.

  • Regular security and operational reviews with your account lead.
  • Phish-resistant multi-factor authentication on every account that touches business data. Not SMS. Authenticator apps or hardware keys.
  • Application control on every endpoint. Only what you need to run runs.
  • Vulnerability management with regular review and remediation.
  • Cybersecurity awareness training for every staff member, refreshed annually.
  • A password manager with single sign-on wired into your day-to-day apps.
  • CCP included in onboarding and offboarding of every staff member, every time.
  • Regular staff and device audits so the directory matches reality.
  • A maintained incident response plan that someone has actually rehearsed.
  • Critical business data backed up, off-site, tested for restore.
  • MFA enforced through every software vendor you use, not just Microsoft 365.

This is the same baseline our Client Security Baseline Obligation covers in our agreements. It’s not novel. It’s what your insurer, your auditor, and your regulator all expect of you. We’re done pretending that’s optional.

The four new plans

We’re collapsing the old lineup into four tiers. The simplest way to think about them: pick the column that matches your size and your risk.

Managed IT. The new floor. Inclusive fixed-price helpdesk, monitoring, patching, managed cyber security, Microsoft 365 management, and our regular security and tech reviews. Suits an organisation under 25 staff that doesn’t handle sensitive or personally identifiable information.

+ Compliance. Everything in Managed IT, plus the controls high-risk and high-staff businesses need: vulnerability scanning, application control, our Technology Success Program, centralised logging, and identity threat detection. The right plan if you’re over 25 staff, in a regulated industry, or handling client data that would hurt to lose.

+ Services. Everything in Managed IT, plus the IT services many SMBs juggle across multiple vendors: cloud phone systems, internet services, email signature management, printer management. The right plan if you’re under 25 staff, low-risk, and tired of buying IT in pieces.

Complete. Managed IT, plus + Compliance, plus + Services. Everything in one bill, one accountable team.

Full feature matrix and per-plan detail on the plans page.

What we’re retiring

Hourly ad-hoc, retainer, and helpdesk-access plans are ending.

There’s a structural reason. We can’t enforce security recommendations, action urgent fixes, or respond to incidents in time if we have to wait for a billable-work approval before we can act. The pay-by-the-hour model puts every defensive action on a stopwatch the client controls. That’s incompatible with how cybersecurity actually works in 2025.

Best-effort, non-committed, liability-exempt ad-hoc support will continue to exist. Anyone engaging with us on ad-hoc only won’t be able to buy individual licences, services, or products from us either: no Microsoft licences, no phone services, no internet, nothing. SLAs are best-effort only.

If you’re an existing customer and switch to one of the new managed plans by the end of 2025, we have introductory pricing and lower minimums for you.

If you’re already a managed client on contract

We’ll honour your existing agreement until renewal. If the new equivalent plan would cost the same or less, we’ll migrate you across automatically within six months. If it would cost more, your plan stays as-is until renewal, and you have the option to upgrade to a new plan early without re-signing.

If you’re a managed client out of contract

Your account manager or tech lead is going to call you. We’ll walk through which new plan fits, what changes, and what it costs. Once we’ve notified you, you have 90 days, or until the end of December 2025 (whichever comes first), to decide. If no decision comes in, your current plan keeps running at a 20% premium on legacy rates from that point. By the end of the financial year on 30 June 2026, you need to be on a new plan, or with another provider. We’ll always give you no less than 30 days’ notice before any change to your account takes effect.

What’s new in the lineup

A few capabilities are now baked into the relevant plans (Managed IT or + Compliance, depending on the item) instead of being optional add-ons.

Security and tech reviews. A standing meeting with your team’s lead technician. Security reporting, licence and usage review, cost optimisation, risk mitigation. Not a sales call.

Identity threat detection and response. Previously available only to managed clients on bigger plans, now standard. We monitor activity in Microsoft 365 and other platforms for anything that suggests an account has been taken over, and we respond before it spreads.

Microsoft 365 Intune management. We design, build, and run your Intune deployment. Consistent device configuration, automatic enrolment for new computers, no more half-day setups when someone joins.

Cloud printer management. No print servers. Print from anywhere, work from anywhere. Built for hybrid teams, cloud-only deployments, and the offshore staff a lot of our clients now rely on.

Application control. Computers run what they need to run, and nothing else. Cuts your exposure to malware that arrives by download, email attachment, or a compromised supplier.

Vulnerability scanning and remediation. We scan your assets against the NVD and CVE databases, tracking 230,000+ known vulnerabilities, and we fix the ones that matter to you.

Centralised logging. SIEM-grade collection from firewalls, servers and endpoints into one place. Useful for audit trails. More useful for spotting threat signals before they become incidents.

Technology Success Program. Regular meetings with a dedicated technology success manager, focused on compliance, growth, automation, and where technology can pay back its own cost.

What we’d like you to do

Read this. Our team will be in touch with what specifically applies to your account. If you’d rather move sooner, ring the helpdesk and we’ll start the conversation. The four new plans, side by side, live on our plans page.

We’ve spent twenty years getting to know our clients. We’re not interested in losing any of them through this transition. There’s a path forward for everyone we want to keep working with.
