He was managing IT himself. By the time we arrived, the gaps were significant.

The Situation

A Christchurch insurance brokerage had grown steadily since launch. The owner was sharp, client-focused, and had built the business largely on the strength of his relationships. But as the team grew past five staff and kept hiring, something wasn't keeping up: IT.

The owner had been handling technology himself since day one. It had worked when the firm was small. By the time ITstuffed came in, it wasn't working anymore. He was spending time on IT problems that should never have reached him. New staff were being onboarded inconsistently. And underneath it all, the security foundations simply weren't there.

When we conducted a full audit, the picture was sobering. Equipment had been purchased without a clear strategy - some of it unsuitable, some of it duplicated. Licences were mismatched to actual needs, with money wasted on the wrong products. Security controls were minimal. The firm was holding sensitive client financial data with protections that didn't reflect the obligation that comes with it.

Nobody had done anything wrong deliberately. This is what DIY IT looks like when a business outgrows it.

What ITstuffed Did

We started with a full audit - documenting what was actually in place, what was missing, and what needed to change. From there, we built a staged remediation plan that addressed the most critical gaps first without disrupting the firm's day-to-day operation.

The multi-layered security approach we implement for every client - email filtering, endpoint detection and response, DNS filtering, identity threat monitoring, staff awareness training, password management, and privileged access controls - was rolled out progressively as the firm's foundation was brought up to standard.

Licensing was rationalised. The right equipment was identified. Onboarding processes were standardised so new staff could be brought on consistently, without the owner having to be involved.

What The Audit Found

• Equipment without a clear strategy. Some of it unsuitable for business use, some duplicated - purchased reactively rather than planned.
• Licences mismatched to actual needs. Money was being spent on the wrong products. A licence rationalisation identified savings immediately.
• Minimal security controls. The firm was holding sensitive client financial data with protections that didn't reflect the legal and ethical obligations that come with it.
• Inconsistent staff onboarding. New staff were being set up manually, without a repeatable process - creating gaps in access controls and device management.

This is one of the most common patterns we see in growing businesses. The owner builds the firm - and IT quietly falls behind. By the time there are ten staff, the foundation that worked for two is no longer fit for purpose.

Where They Are Now

The brokerage is an active ITstuffed client. The core security controls are in place and operating. We are now working with the owner toward SMB1001 Gold certification - a recognised cyber security standard that ITstuffed holds itself, and that we can guide clients through.

For an insurance broker, that certification matters beyond internal housekeeping. It is documented, third-party-verified proof of a security posture - the kind of thing a corporate client or referral partner can be shown. In a sector where trust is the product, being able to demonstrate that your own house is in order is a genuine competitive advantage.

The owner now focuses on clients. IT is no longer something that lands on his desk.