Choosing the right managed IT provider (MSP) is one of the most important infrastructure decisions a small business makes. A good MSP keeps your systems running, your data secure, and your team productive. A bad one creates more problems than it solves. This guide covers when you actually need an MSP, what a good one should provide, the right questions to ask during evaluation, and the red flags that should send you looking elsewhere.
When Does a Small Business Need an MSP
Not every business needs managed IT services, but most reach a point where going without one becomes a liability. Here are the common signals.
You have 5 or more employees using computers and email daily, and IT issues are eating into time you should be spending on revenue-generating work. You don't have a full-time IT person on staff, and you don't need one yet, but you need consistent, reliable support when something breaks or a new employee starts.
You have compliance requirements. If your industry requires HIPAA, PCI, or cyber insurance compliance, you need documented security controls, regular assessments, and someone who can prove your IT environment meets the standard. A friend who "knows computers" cannot provide that.
You've experienced a security incident or data loss and want to make sure it doesn't happen again. Or your current IT support, whether it's a part-time contractor, a nephew, or the office manager who happens to be tech-savvy, can't keep up with the growing demands of your business.
If any of these sound familiar, it's time to evaluate MSPs seriously.
What a Good MSP Should Provide
When you're evaluating providers, look for these core capabilities. Any MSP worth considering should include all of these in their base offering.
Proactive monitoring. Your MSP should monitor all of your computers, servers, and network equipment 24/7 for problems before they cause downtime. This means automated alerts when a hard drive starts failing, when a computer stops checking in, or when a security policy isn't applied correctly. You should not be the one discovering problems.
Patch management. Operating system and application updates need to happen regularly and reliably. A good MSP automates this process so your machines stay current with security patches without disrupting your workday. Ask how they handle patch deployment and what happens when a patch causes an issue.
Endpoint protection. Every device in your environment needs managed antivirus and endpoint detection and response (EDR). The best MSPs layer additional protection on top of the baseline. For example, Huntress Managed EDR adds 24/7 human threat hunters and a security operations center on top of Microsoft Defender for Business, catching threats that automated tools miss.
Backup management. Your MSP should configure, monitor, and regularly test your backups. This includes cloud data. Microsoft 365 has limited built-in retention, so a separate backup solution like Dropsuite for your email, OneDrive, and SharePoint data is important. If your business has on-premises servers or data, local backup with a tool like Slide should also be part of the conversation.
Help desk. A responsive support team for day-to-day IT issues. Ask about average response times and get specific numbers: 15 minutes for critical issues, 1 hour for standard requests, same-day for low-priority items. Vague promises like "we respond quickly" tell you nothing.
Security management. This goes beyond antivirus. Your MSP should enforce multi-factor authentication across all accounts, manage email security, configure access controls using tools like Conditional Access in Microsoft Entra ID, and provide security awareness training so your employees know how to spot phishing attempts.
Strategic guidance. Your MSP should function as a technology advisor, not just a help desk. This means regular Technology Business Reviews where they assess your environment, identify risks, and recommend improvements prioritized by business impact. This strategic layer is often called a vCIO (virtual Chief Information Officer) function.
Vendor management. A good MSP coordinates with your internet provider, phone system vendor, and software vendors on your behalf. When your internet goes down, you shouldn't be the one on hold with the ISP.
Questions to Ask During Evaluation
These questions separate serious providers from those who are just selling a contract.
How many clients do you support, and what's the typical company size? You want an MSP experienced with businesses your size. An MSP that primarily manages 500-person enterprises may not be attentive to a 15-person company.
What is your average response time for support requests? Get specific numbers. If they can't answer this, they aren't tracking it, which is a problem.
What does your onboarding process look like? A good MSP audits your entire environment before taking over: network, devices, security posture, software, and licenses. They document everything and build a remediation plan before they start managing. An MSP that just installs their tools and calls it done is setting you up for surprises.
What security tools and practices are included in your base offering? You want to hear specifics: endpoint protection, MFA enforcement, email security, backup, security awareness training, and access controls. If security is an "add-on," that tells you it's not a priority.
How do you handle after-hours and emergency support? Know what happens when something critical breaks at 7 PM on a Friday. Is there an after-hours team, or does it wait until Monday?
What does your reporting look like? You should receive regular reports on your IT health, including device status, security posture, open issues, and completed work. A dashboard like the Athencia One Portal gives you real-time visibility into your environment rather than waiting for a monthly PDF.
Can you provide references from clients in my industry or of a similar size? References are table stakes. If they can't provide them, that's a concern.
What happens if we want to leave? Understand data portability, transition support, and contract terms before you sign. You should always own your Microsoft 365 tenant, your domain, and your admin credentials. The MSP should have delegated access, not ownership.
What is NOT included in your monthly fee? This is where hidden costs live. Project work, after-hours support, hardware procurement, software licensing, and onboarding fees can add up quickly if they're not included.
Pricing: What to Expect
Most MSPs charge per user per month. Some charge per device, but per-user pricing is more common and generally simpler to budget for.
The typical range for fully managed IT services for a small business is $100 to $250 per user per month. What's included at each price point varies significantly.
Look for providers who publish their pricing. Athencia, for example, charges $45 to $55 per user per month for Athencia One (IT visibility, monitoring, and baseline security) and $159 to $199 per user per month for Athencia One Complete (fully managed IT with advanced security, 1Password, and Microsoft 365 Business Premium licensing included). Transparent pricing lets you budget accurately and compare providers on equal terms.
Watch out for hidden costs. Some providers quote a low per-user fee but charge extra for everything: project work, after-hours support, hardware markup, even software licensing that should be included. The cheapest option is rarely the best. You get what you pay for in managed IT, and the cost of a security incident or extended downtime dwarfs the monthly savings from choosing a bargain provider.
Red Flags to Watch For
No onboarding process. An MSP that doesn't audit your environment before starting can't protect what they don't understand. If they skip the assessment, they're guessing.
Reactive only, not proactive. If they only fix things when they break, you're paying for a help desk, not managed services. Proactive monitoring, patching, and security management are what separate an MSP from a break-fix shop.
No documentation. A good MSP documents your network, accounts, licenses, and configurations. If they don't, you're locked in. When you try to leave, you won't know what you have.
Long-term contracts with no exit clause. Avoid 3 to 5 year contracts with steep early termination fees. A 1-year agreement with 30 to 60 day notice is reasonable. An MSP that needs a long contract to keep clients has a retention problem.
No security focus. If they don't mention MFA, endpoint protection, backup, or security awareness training as part of their standard offering, they're behind. Security is not an add-on; it's foundational.
Slow response times. If it takes hours to get a response during business hours while you're evaluating them, it won't get better after you sign.
They own your domain or admin accounts. You should always own and control your domain registration, your Microsoft 365 tenant, and your admin credentials. The MSP should have delegated admin access. If they insist on owning your accounts, walk away. This creates a dependency that makes it extremely difficult and expensive to switch providers.
What to Expect During Onboarding
Once you've chosen an MSP, the onboarding process typically takes 2 to 4 weeks for a small business. Here's what a thorough onboarding looks like.
First, the MSP conducts a full audit of your current IT environment: network layout, device inventory, security posture, software licensing, and user accounts. They document everything, including network diagrams, device serial numbers, account credentials stored in a secure password manager like 1Password, and a list of every tool and license you're paying for.
Next, they install their monitoring and management agents on all devices. If your business uses Microsoft 365 Business Premium with Intune, device management policies, security configurations, and compliance baselines can be deployed across your entire fleet from a central console.
They configure backup, security tools, and automated patching. They migrate you from your previous provider if applicable, and they introduce your team to the help desk and support process so everyone knows how to get help.
Finally, they deliver a roadmap of recommended improvements prioritized by risk and impact. This is your first look at the strategic value your MSP should be providing on an ongoing basis.
Need Help?
Choosing the right MSP is a big decision, and it's worth getting right the first time. If you're evaluating providers and want a straightforward conversation about what your business needs, contact Athencia. No pressure, no pitch, just practical advice.
