Frequently Asked Questions about Managed IT Services in NZ

We proactively monitor and manage your systems 24/7 - patching, health checks, security monitoring, and early-warning alerts are all happening in the background. Break-fix IT means you only get help after something has already gone wrong. Managed IT means fewer surprises, less downtime, and a whole lot less stress.

Our focus is professional services firms - particularly healthcare practices, law firms, and insurance and financial services businesses. These sectors share similar IT needs: reliable systems, strong data security, privacy compliance obligations, and the reputational stakes that come with handling sensitive client information. Our engineers have backgrounds in healthcare environments, which shapes how we approach reliability and security. See our healthcare IT support page →

Services typically begin around $700/month for a 5-person team, but pricing is always tailored. We take the time to understand how your business runs and what systems you use before quoting - so you're not paying for things you don't need.

All day-to-day support with no sneaky extras. Onboarding is included. We create a strategic IT roadmap tailored to your business. Larger infrastructure projects are quoted separately - we'll always be upfront about those.

Our standard managed services agreements run for three years. If you need to exit before the term is complete, we ask for 90 days' written notice. We believe the quality of our service should be the reason you stay - not punitive lock-in clauses.

We focus on professional services - engineers, project managers, lawyers, insurance and mortgage brokers. These businesses have predictable, people-driven IT needs that we understand well. Outside our speciality, we refer to trusted partners rather than pretend we're the right fit.

Yes. Full systems reviews are available (not free), but if you choose to come onboard with us, we'll credit 50% of the review cost back to you. It's a good way to see what you're actually working with before making any changes.

Our remote monitoring tools handle both platforms - patching, health checks, and early-warning alerts run across Mac and Windows devices. If something starts acting dodgy, we'll usually know before you do.

Yes. MDM (Mobile Device Management) can be configured to your requirements - we'll agree on the policies, then roll them out across all devices so your fleet stays consistent and secure.

Technically yes, but we recommend Managed Apple IDs tied to a business account. If a staff member leaves or loses a device, personal Apple IDs can create access and security headaches. Managed IDs avoid that.

Not a problem. We apply extra security rules for overseas team members and can arrange local on-site partners if needed. Your setup stays consistent regardless of where your people are based.

We try to resolve issues remotely first - it's faster and doesn't require scheduling. When remote isn't sufficient, we come to you. The Security Plus package includes unlimited on-site visits.

We take cyber security seriously and go well beyond what most providers offer. Multiple protective layers stop threats early. We also have clear documented procedures and two recovery layers built in for when things go wrong - because no system is bulletproof.

We use a five-layer approach: Preventative (email filtering, DNS protection, security awareness training), Detection (next-gen EDR monitored 24/7), Identity (real-time login monitoring), Recovery (3 copies, 2 mediums, 1 offsite), and Response (a documented incident plan). Every layer is actively managed - not just switched on and forgotten.

We check backup status daily and run a manual restore test every month - it's part of our standard process. You're not relying on hope that a backup will work; we verify it regularly so you know it will.

Yes - every 3 weeks, staff receive a short training module plus the occasional phishing test. It's designed to be light-touch and helpful, not punishing. It's also usually a requirement for cyber insurance.

For clients on a managed services contract, critical issues are guaranteed within one hour. For security incidents, we do not ask you to log a ticket and wait. We have worked alongside cyber insurance providers, forensic investigation teams, and legal counsel during live incidents. If the worst happens, you are not navigating it alone. On-call cover outside business hours is available for practices that need it.

Yes, with an important distinction. Clinical software platforms like Medtech, Best Practice, and Gensolve have their own support teams and SLAs. ITstuffed is not the software vendor, and we won't pretend to be experts inside those systems. What we do is act as your IT partner in those conversations. Clinics with support agreements get faster resolution when their IT provider can communicate directly with the software vendor on their behalf, translating the technical environment, providing context about the clinic's setup, and making sure the right information gets to the right people quickly. Most practices find that issues get resolved significantly faster when we're in the room, so to speak, than when a practice manager is trying to bridge two technical conversations alone. Think of it as translating between two different languages: yours and theirs. We make sure nothing gets lost.

ACC expects contracted providers to meet reasonable standards around the privacy and security of client information. A breach that is mishandled - or where basic security controls were clearly absent - can trigger a review of your provider status. The NZ Privacy Act also requires mandatory notification to the Privacy Commissioner when a breach is likely to cause serious harm, and that notification becomes part of a public record. The best protection for your ACC contract is being able to demonstrate that appropriate controls were in place and that any incident was handled properly. That is exactly what ITstuffed helps you put in place and document.

MFA is an important control, but it is not a complete solution on its own. Attackers now use a technique called session token harvesting: a staff member receives a convincing phishing email, clicks a link, and enters their credentials on a fake login page. That page captures their live session token in real time, bypassing MFA entirely. We have worked with a Christchurch healthcare practice where this happened - they had MFA in place and still experienced a breach that spread across multiple accounts and triggered a Privacy Commissioner notification. Effective protection requires layered security: email filtering to stop the phishing email, DNS filtering to block the malicious site even if clicked, endpoint detection to catch unusual behaviour, and identity threat monitoring to flag anomalous logins. MFA is one layer. It should not be the only one. See our full cybersecurity approach →

Under the Privacy Act 2020, organisations holding personal information - including health information - must take reasonable steps to protect it from unauthorised access or disclosure. Healthcare information is treated as particularly sensitive. If a breach occurs that has caused, or is likely to cause, serious harm, you must notify both the affected individuals and the Privacy Commissioner. Failing to notify when required is itself a breach of the Act. Beyond the legal minimum, good practice means knowing what data you hold, where it lives, who can access it, and what your response plan looks like if something goes wrong. If you are unsure whether your current setup meets these obligations, an IT Fit Check is a good starting point. Book a free IT Fit Check →

Yes. We work with independent healthcare practices across Christchurch and wider NZ - including GP clinics, physiotherapy and allied health practices, specialist medical, and mental health and counselling providers. We focus on independent practices with 5 to 50 staff. We do not work with hospital groups or large health networks. If you are unsure whether your practice fits, the IT Fit Check call is the right place to find out. Learn more about our healthcare IT support →

Yes. If you've already got something in place (like NordPass), we'll review and improve it. Bitwarden is included with our service - it's secure, easy to use, and fully managed by us. Strong, unique passwords for every account without the headache.

ITDR stands for Identity Threat Detection and Response. It monitors login activity across your accounts in real time - flagging anomalous behaviour like a login from an unexpected country, a session active in two locations simultaneously, or access patterns that don't match normal use. For healthcare practices and professional services firms handling sensitive client data, ITDR is now a core control rather than an optional extra. It is the layer that catches an attacker who has already obtained valid credentials - through phishing, credential stuffing, or MFA bypass - before they can do damage. It is included in our Advanced and Security Plus packages.

We handle the whole process. All we need from you is an intro to your current provider. Everything else - documentation, tool deployment, configuration - is managed by us. Simple, stress-free, and fully managed.

We start with a kickoff call to cover your setup and priorities. Then we handle the background work - tool deployment, configuration, documentation. Once ready, we send your staff a device onboarding link to get set up in minutes. For local clients, we can do this in person.

About two weeks to get the basics in place; another couple of weeks for AI filters and monitoring baselines to settle in. No downtime is expected during the process.

No. Staff may need roughly 15 minutes to get their device set up. Beyond that, operations remain uninterrupted - your team can keep working throughout.

We have formal SLAs in place for all managed services clients. Every request is logged and triaged on receipt. Response times are guaranteed by priority: Critical (systems down, active incident) 1 hour; High (significant impact) 2 hours; Normal (single user, workaround available) 4 hours; Low (minor issues, general queries) 8 hours. Most urgent calls are picked up within 15 minutes. Critical issues are flagged immediately and handled first.

We provide four report types: Email and Device Security Reports, Backup Health Reports, Phishing & Training Stats, and Support Ticket Logs. These can be delivered monthly or reviewed together at quarterly check-ins.

Yes - we flag patterns and risks proactively, often before you've noticed anything. Every quarterly review includes a forward-looking roadmap so your technology planning isn't reactive.

Planning is everything. Your business goals become our shared goals - we look for automation opportunities, budget-friendly improvements, and long-term IT strategy that actually supports growth. We're not just a helpdesk.