If your "server" is a simple NAS (network attached storage) that is only accessible through your own clients, and those clients are running FOSS software that is secure in its own right, then the server is secure. The only way it can be accessed is through the clients, and if the clients can't be pwned then neither can the server.
Your IT guy won't be receptive. Odds are he won't have any idea what I'm talking about, and even if he did he probably wouldn't have any idea how to implement it. It's a completely different way of operating, for both him and for you. To begin with, all your desktops would no longer be running Windows or Office.