Small Business IT Support: In-House vs. MSP, Costs, and Cybersecurity Basics

$150–$250 per device per month for managed IT services (MSP) covering monitoring, patching, helpdesk, and security, compared to $150–$300/hr for break-fix IT

60% of small businesses that experience a significant data breach close within 6 months, most because they lacked basic IT security infrastructure

3 models for small business IT support: break-fix (pay per incident), managed services (flat monthly), or internal hire, each appropriate at different company sizes

How Small Businesses Should Think About IT Support

IT support for small businesses falls into two broad failure modes. The first is over-engineering: paying for managed services contracts and enterprise-grade infrastructure that a 5-person business does not need. The second, and far more common, is under-investing: treating IT as something to call only when something breaks, running outdated systems, skipping backups, and having no security posture until the first incident forces the issue. The second failure mode is significantly more costly.

The right IT support model for a small business depends on three factors: how dependent the business is on technology to deliver its product or service, how sensitive the data is that the business handles, and how much internal technical capability exists among the team. A 6-person professional services firm handling client financial data needs a different IT posture than a 10-person retail shop with a basic POS system and shared Wi-Fi.

Warning: “We have not had any problems” is not evidence that your IT posture is adequate

Most small businesses do not discover IT security failures until they have already occurred. Ransomware sits dormant for days before activating. Data breaches go undetected for months. Weak passwords get credential-stuffed without visible symptoms. The absence of a visible incident is not evidence of adequate protection: it is evidence that nothing bad has happened yet. Basic IT hygiene (documented backups, endpoint protection, multi-factor authentication, patch management) prevents the failures that have not occurred yet rather than cleaning up the ones that have.

IT Support Models for Small Business: When to Use Each

| Model | How it works | Best for | Cost signal | Main risk |
|---|---|---|---|---|
| Break-fix | Call a tech when something breaks. Pay hourly | 1–3 employees. Low tech dependency. Very limited budget | $100–$300/hr on demand | No proactive monitoring. Reactive only. Unpredictable cost |
| Managed Services Provider (MSP) | Flat monthly fee covers monitoring, patching, helpdesk, security | 4–50 employees. Moderate to high tech dependency | $100–$250/device/mo | Variable quality by MSP. Some upsell pressure |
| Virtual CIO (vCIO) | Part-time fractional IT director sets strategy. MSP or break-fix handles execution | 10–50 employees. Complex IT needs without budget for full-time IT director | $1,500–$5,000/mo retainer | Execution depends on underlying MSP quality |
| Internal IT hire | Full-time employee manages all IT | 50+ employees OR businesses with proprietary software/complex infrastructure | $55,000–$95,000/yr salary | Single point of failure. Limited specialization breadth |
| Co-managed IT | Internal IT person + MSP for overflow and specialization | 20–100 employees. IT hire in place but needs backup and specialized support | MSP fee + internal salary | Coordination overhead. Responsibility overlap if roles unclear |

“IT is the only business function where the consequences of underinvestment are entirely invisible until they are catastrophic. You never see the breach that didn’t happen because backups were running. You see every breach that happens because they were not.”

Setting Up Small Business IT Support: 5 Steps

  1. Inventory every device and system that touches business data before doing anything else. Before choosing an IT support model or provider, document what you have: every computer, laptop, tablet, phone, server, and cloud service that stores or processes business data. This inventory is the scope of what needs to be supported and secured. Most small businesses have never done this and discover, mid-inventory, that they have unsecured devices, forgotten cloud accounts, and systems that no longer have active vendor support. The inventory is the first output of any IT audit and the foundation for any support engagement.
  2. Implement the four non-negotiable security baselines before anything else. Regardless of your IT support model, four security baselines must be in place: (1) Multi-factor authentication (MFA) on every email account, cloud service, and system; MFA alone blocks over 99% of credential-based attacks. (2) Automated, tested, offsite backups of all critical business data; backups that have not been tested are not backups. (3) Current antivirus/endpoint protection on every device that accesses business data. (4) A documented patch management process, with all operating systems and software updated on a regular schedule. These four items cost less than $50/month per employee and prevent the overwhelming majority of small business IT failures.
  3. Select an IT support model based on your current employee count and data sensitivity. Use the model comparison table above to select the right tier for your current business. The most common mistake is staying on break-fix too long: waiting until the first major incident before moving to managed services. The trigger for moving to an MSP is typically the point where IT failures start costing more than the MSP contract would cost. For a business dependent on email, cloud tools, and customer data (almost all service businesses), that threshold is typically around 5 employees.
  4. If using an MSP, define the contract scope explicitly before signing. MSP contracts vary widely in what they cover. Before signing, get explicit answers on: which devices and systems are included in the flat fee versus billed separately; what the helpdesk response time SLA is; whether cybersecurity (endpoint protection, email filtering, MFA management) is included or an add-on; whether remediation after a major incident (ransomware, data breach) is included or billed hourly; and what the contract exit process looks like. Surprises in MSP contracts almost always appear in these categories. Get them in writing before signing.
  5. Test your backups quarterly and document the recovery procedure. Backups are only valuable if they work when needed. Schedule a quarterly backup test: actually restore a recent backup to a test device or environment and verify that the data is complete and usable. Document the recovery procedure: who has access to the backup system, how long a full recovery takes, what the sequence of steps is. This documentation becomes critical during an incident when the people who know the procedure informally may be the same people who are panicking about the incident. The quarterly test and documented recovery procedure transform backups from a checkbox into a genuine business continuity mechanism.
Tip: Evaluate MSP candidates on their security posture as much as their technical skills

When interviewing MSP candidates, ask three security-specific questions: What is your process for managing patches across client devices? How do you handle a suspected security incident, and what are the first three steps? Can you show me an example incident report from a past client engagement (anonymized)? These questions reveal whether the MSP treats security as a core service or as an afterthought. An MSP with no documented incident response process or no regular patch management cadence will not protect your business, regardless of how responsive their helpdesk is.

SBM Editorial Team
An independent small business publication by the team at World Consulting Group.