Updated February 2026 · 10 min read · Valont Technology Hub

How to Choose a Managed IT Provider for Small Business

For small business owners, choosing a managed IT provider is one of the most consequential decisions you'll make — and one of the hardest to evaluate. IT is the one area where most business owners don't have the expertise to assess whether a provider is genuinely good or just confident. The terminology is opaque, the service descriptions sound identical across providers, and it's difficult to benchmark what "good" looks like until something goes wrong.

This guide cuts through the jargon. Here's what managed IT should actually include for an SME, how to evaluate providers on criteria that matter, what the pricing landscape looks like, and the questions that separate good providers from glossy websites.

What Managed IT Should Include at Minimum

For an SME with 10–30 users, a managed IT provider should deliver, at minimum:

  • Helpdesk support for day-to-day issues — a phone number or ticketing system your staff can contact when something isn't working, with defined response time commitments
  • Proactive monitoring of your devices, network, and cloud services — automated systems that detect and alert on issues before they cause downtime
  • Patch management — ensuring operating system and application security updates are applied systematically across all devices, not when someone happens to click "update"
  • Endpoint protection — enterprise-grade antivirus, anti-malware, and threat detection on every device, centrally managed and monitored
  • Backup management — daily backups of critical data with regular restoration testing (untested backups are not backups)
  • User administration — onboarding new employees onto your systems, offboarding departed employees (critically, revoking access promptly), and managing access permissions

These are the basics. They should be included in any managed IT plan, not sold as add-ons.

What Good Providers Add Beyond the Basics

Above the baseline, look for providers who offer:

Cybersecurity aligned to the Essential Eight. The Australian Cyber Security Centre's Essential Eight framework is the recommended cybersecurity baseline for all Australian organisations. It covers eight specific mitigation strategies — application control, patching applications, configuring Microsoft Office macros, user application hardening, restricting admin privileges, patching operating systems, multi-factor authentication, and regular backups. A good MSP should be able to tell you your current maturity level against each of these eight controls and have a plan to improve them.

Strategic technology planning. Sometimes called virtual CIO (vCIO) services, this means the provider helps you plan your technology roadmap — not just keep today's systems running, but advise on what you should be investing in, what you should be retiring, and how technology can support your business growth over the next 12–24 months.

Vendor management. Your MSP should deal with your software and hardware vendors on your behalf — liaising with Microsoft, Telstra, your internet provider, your accounting software vendor, and your printer company so you don't have to. This alone can save hours of frustration per month.

Regular reporting. Monthly or quarterly reports on system health, security posture, helpdesk metrics, and recommendations. If you're paying for managed IT and you're not receiving regular reports, you're trusting but not verifying.

Pricing Structures Explained

Per user per month ($80–200): The standard model for SME managed IT. Covers the user regardless of how many devices they use. Predictable, scales with headcount. Most providers offer tiered plans — a basic tier at $80–120 covering essentials, a standard tier at $120–160 adding cybersecurity and strategic advisory, and a premium tier at $160–200+ for comprehensive coverage including after-hours support.

Per device per month ($30–80): Covers each device rather than each user. Can be cheaper for businesses where each person uses only one device, but more expensive when people use laptops plus monitors plus mobile devices plus shared equipment. Servers are usually priced separately and significantly higher ($200–500/month per server).

Break-fix / ad hoc ($100–200 per hour): Pay only when something breaks. No monthly commitment, no proactive monitoring, no cybersecurity management. This is not managed IT — it's reactive IT support. It's the cheapest option when everything works and the most expensive option when something doesn't. There's no incentive for the provider to prevent problems because problems generate revenue.

For most SMEs, per-user-per-month pricing at the standard tier ($120–160) represents the best balance of coverage and cost.

Questions That Separate Good Providers from Glossy Websites

  1. What's your average response time for critical issues? (Good answer: under 30 minutes. Red flag: "as soon as possible.")
  2. How do you handle after-hours emergencies? (Good answer: defined process with on-call team. Red flag: "leave a message and we'll get back to you.")
  3. What cybersecurity framework do you align to? (Good answer: "Essential Eight" or "NIST" with specifics. Red flag: "we take security seriously" without specifics.)
  4. How often do you test our backups? (Good answer: monthly, with documented results. Red flag: "the backup runs every night" — running is not the same as working.)
  5. What happens if we have a data breach — what's your incident response process? (Good answer: documented runbook with specific steps. Red flag: "we'd investigate.")
  6. Can you provide references from businesses our size in our industry?
  7. What's the minimum contract term, and what's the exit process? (Avoid providers who lock you in for more than 12 months without clear exit provisions.)
  8. What metrics do you track and report on? (Good answer: specific KPIs — ticket resolution time, system uptime, patch compliance rate. Red flag: "we can send you reports if you want.")

The Integration Advantage

Here's something most standalone IT providers won't tell you: your IT security is inseparable from your financial and people data. Your accounting software contains banking details, client financials, and revenue data. Your payroll system holds employee tax file numbers, bank accounts, and salary information. Your HR records may include medical information, background checks, and sensitive personal details.

When your IT provider operates in isolation — when they don't know what financial data you're storing, which payroll system you're using, or where your employee records live — they can't design security controls around your actual data landscape. They're protecting your hardware and network in a vacuum, without understanding what they're really protecting.

An integrated back-office provider — one that manages your finance, people, AND technology — designs security around your actual risk profile. Your cyber controls are informed by your data landscape. User access management reflects real employee roles. Backup strategies prioritise your most critical business data. The result is more effective security at lower cost.

Onboarding and offboarding process. Ask specifically how the provider handles new employee technology setup and departed employee access revocation. Good providers have a documented onboarding checklist that provisions email, software access, device deployment, and security configuration within a defined timeframe (ideally same day or next business day). More critically, they have an offboarding process that revokes all access within hours of departure notification — because a departed employee with active credentials represents a significant security and data risk that grows with every hour of delay.

Assess Your IT Security

Start with a free Cyber Security Health Check — a 3-minute assessment that gives you an immediate risk score aligned to the Essential Eight framework.

Then talk to Valont's Technology Hub about managed IT as part of an integrated back-office service.