They were promised a level of service they never received. The gaps we found told the full story.

The Situation

A Christchurch professional services firm with 30 staff had been with one of New Zealand's largest IT providers for some time. On paper, the arrangement looked solid. In practice, it wasn't delivering.

Support was slow. Issues sat in queues. When staff did get through, they were often dealing with someone unfamiliar with their setup. The personal attention that had been promised during the sales process had never materialised.

When ITstuffed came in, we started - as we always do - with a full audit. What we found was concerning. There was no multi-factor authentication across the organisation. There was no security awareness training. The firewall was outdated. Documentation from the previous provider was inaccurate in ways that took time to unpick - we had to work carefully to establish what was actually true about the firm's environment, rather than relying on records that didn't reflect reality.

For a firm handling sensitive client information, the gap between what should have been in place and what actually was is not something that can be left to chance.

What ITstuffed Did

We rebuilt the foundation properly. MFA was deployed across the organisation. Security awareness training was rolled out - giving staff the practical knowledge to recognise threats rather than simply being told to be careful. The firewall was replaced. Documentation was rebuilt from scratch to accurately reflect the actual environment.

From there, we applied ITstuffed's standard multi-layered security approach: email filtering, endpoint detection and response, DNS filtering, identity threat detection and response, password management, and privileged access controls. Each layer addressed a specific attack surface. Together, they closed the gaps that had been invisible under the previous arrangement.

Throughout the process, we worked around the firm's operations. Their team kept working. There was no disruption.

What We Found

• No MFA across the organisation. Staff accounts had no multi-factor authentication, leaving credentials as the only barrier to access.
• No security awareness training. Staff had no structured training to recognise phishing or social engineering attempts.
• Outdated firewall. The network perimeter protection was out of date and no longer fit for purpose.
• Documentation that didn't reflect reality. Records from the previous provider were inaccurate - we had to rebuild an accurate picture of the environment from scratch.

We see this pattern regularly with firms coming off large national providers. The gap between what was promised and what was delivered isn't always visible until someone looks carefully. That's what the onboarding audit is for.

Where They Are Now

The firm is an active ITstuffed client. The core security controls are in place and operating correctly. We are now working with them on the next layer: written policies, specific governance work tailored to their environment, and the longer-term IT roadmap that a firm of their size and ambition deserves.

This is the work that most IT providers never get around to. It is also the work that makes the difference between a firm that has IT, and a firm that has IT working for it.