The Questions Every Business Should Ask Before Switching IT Providers (But Most Don’t)

Shopping for managed IT services can feel a lot like buying a car—you know you need one, you have a rough budget in mind, and yet somehow you still leave the lot wondering if you made the right call. The problem isn’t that business leaders aren’t smart. It’s that most have never bought IT services before, and nobody gives you a rulebook.

So, we’ve put together a list of questions that should be considered when you’re evaluating IT services.

Why Do I Have to Pay for an Assessment—and What Am I Even Getting?

Q: Some IT providers charge for an assessment. Others give it away free. What’s the deal?

A: The short answer—you get what you pay for. A free “assessment” is often just a sales call with a laptop. A paid assessment is a structured review of your environment, your risks, and your gaps, with a documented output you can actually use. What should you expect from a real assessment? A clear picture of where you stand, what’s vulnerable, and what it would take to fix it. The value isn’t for the IT provider—it’s for you, so you can make an informed decision regardless of who you hire next.

What Does This Actually Cost—and Why Is Security Always Extra?

Q: How much do managed IT services cost, and why do I keep seeing a separate line item for security?

A: Managed IT pricing typically covers helpdesk, monitoring, and device management. Cybersecurity tools—endpoint protection, email filtering, security awareness training, backup—are usually priced separately because they’re specialized and the licensing costs are real. The better question to ask isn’t “why is security extra?” but “what’s the actual cost of not having it?” Business email compromise, phishing, invoice fraud—these aren’t theoretical. They’re happening to businesses your size right now.

Q: How do I even set an IT budget? Am I spending enough?

A: Most small-to-mid-sized businesses underinvest in IT until something breaks. A useful benchmark: work with your provider (or prospective provider) to build a budget based on your headcount, your industry’s compliance requirements, and your risk tolerance—not just last year’s spend.

We Have an Internal IT Person—How Does This Even Work?

Q: What is Co-managed IT, and who does what?

A: Co-managed IT is a partnership between your internal IT staff and an external provider. Your internal person handles what they’re best at—relationships, institutional knowledge, day-to-day requests. The MSP fills in the gaps: advanced security, after-hours coverage, projects, and strategic guidance. It’s not a takeover—it’s backup.

Q: How do we make our internal IT person comfortable with this change?

A: It’s important to lead with what’s in it for them. They stop being the lone firefighter. They get access to a full team, better tools, and they can focus on higher-value work. Most internal IT people, once they understand co-managed IT, become its biggest advocates.

We’re Stuck in a Contract. What Are Our Options? 

Q: I didn’t realize my MSP contract auto-renewed. What do I do now?

A: This is more common than you’d think. Start by actually reading the contract—look for renewal terms, notice periods, and termination clauses. Some contracts allow exit for cause (documented failure to perform). Others require notice 60–90 days before renewal. If you’re unsure, get a second set of eyes on it before you make any moves.

Q: Do I have to tell my current IT provider I’m shopping around?

A: No—and you’re not alone in wanting to keep it quiet. Many businesses want a confidential assessment without tipping off their current provider or internal IT team. A reputable MSP will respect that. If you do decide to move forward, there’s a right way to give notice and manage the transition so your operations don’t skip a beat.

Do We Actually Need All This Cybersecurity Stuff?

Q: We’re a 50-person professional services firm. Are we really a target?

A: Yes. In fact, professional services firms—law, accounting, finance, engineering—are prime targets precisely because you hold sensitive client data and are often less defended than large enterprises. Attackers know this. 

Q: Why do I need security awareness training?

A: Training matters because most breaches start with a human clicking the wrong link. Mistakes like this can give cybercriminals the keys to your technology or data. Everyone in your organization needs to understand the threats they may face and what they can do to defend against them.

Q: Why back up Microsoft 365 if it’s already in the cloud

A: Microsoft protects their infrastructure, not your data. If someone deletes files or an account gets compromised, you’re in a tight spot to try to recover. Partnering with an IT services team that provides and runs regular backup checks gives you a powerful safety net.