Business IT 101
Business IT 101 is your go-to resource for learning the fundamentals of technology every small and mid-sized business needs. From understanding IT support basics and cybersecurity essentials to preventing downtime and protecting your data, these guides are designed to help business owners make smarter technology decisions.
Every growing small business goes through IT struggles eventually. If you don’t have the right people and infrastructure in place, your software and hardware can become a bottleneck for business productivity. For many small businesses, this means it’s time to bring in professionals to evaluate what you have now and determine what you need to scale for the future. Changing infrastructure takes a lot of time and money, so you need professionals who can architect a design that not only supports you today but also scales as your business grows.

If you search for IT support, you’ll find several managed service providers (MSPs) offering all types of bundles, plans, and subscriptions. Small businesses unfamiliar with the IT landscape can quickly be overwhelmed by the options. We put together 10 questions you should ask an MSP before you sign a contract. Some questions are obvious (e.g., “What services do you offer?” or “How much does it cost?”), so we focused on questions you might not have already thought of.

1. What Is Your Service Level Agreement?

A Service Level Agreement (SLA) is a promise to respond to and remediate issues within a set amount of time. Usually, the response time is set by the type of issue, and issues are categorized by severity. For example, an outage of critical infrastructure might be tier 1, with an SLA of 15 minutes response time and a short window for remediation, promising to get your business productive again in the least amount of time. A lower-priority issue might have a longer response time, with several days for the MSP to remediate.

2. Do You Support Patch Maintenance?

Patch maintenance keeps all your software and firmware (the software embedded in your hardware) up to date. Outdated infrastructure leaves you open to known vulnerabilities, and it can be the source of serious data breaches.
For example, the infamous Equifax data breach, in which private information for 148 million Americans was stolen, stemmed from outdated software. Servers were breached after a known vulnerability remained unpatched for only a couple of months after it was made public. You need software updated promptly, especially when the update patches a security vulnerability.

3. Do You Follow Compliance Regulations?

If your business falls under compliance regulations (e.g., HIPAA, FINRA, CCPA, SOX, PCI-DSS), it’s critical that you hire an MSP with a firm grasp of the requirements. Infrastructure must be configured and deployed in specific ways to avoid hefty fines, and your MSP should guide you in the right direction. For example, healthcare data must be stored in encrypted form even on mobile devices, so you need an MSP that can configure your hardware to keep you HIPAA compliant.

4. What Hours Is Tech Support Available?

You might think you won’t need support outside business hours, but what if your website suffers an outage in the middle of the night? What happens if a server fails, and that server is necessary for productivity in the morning? You need a help desk line to call. Ask an MSP what kind of off-hours support they offer, including holidays and weekends.

5. What Kind of Incident Response Do You Offer?

Incident response is the process of detecting, containing, and eradicating a threat. The faster your incident response, the less damage a threat can do to your data. Incident response is a crucial step in dealing with a data breach, so make sure your MSP is educated and experienced in protecting your data. They might also offer evidence collection if you need to report the incident to law enforcement.

6. Do You Offer Disaster Recovery?

Disaster recovery is a step in incident response. It’s the last step, after a threat has been eradicated from your network.
Once a threat is eradicated, you need a professional to restore your data and infrastructure to operational status. MSPs will create a disaster recovery plan and help restore data after an incident. You want an MSP that can ensure the least downtime with as little data loss as possible so that you can return to productivity. Disaster recovery services often include backup, so ask the vendor what types of backups they perform to safeguard your data.

7. Do You Offer Security Awareness Training to Staff?

Phishing and social engineering are primary attack vectors for cyber-criminals, and they’re incredibly effective on unaware employees. Not every MSP offers security awareness training, but you should ask, and take advantage of the offer if they do. Cybersecurity training is one way to lower human error and email-based data breaches, including ransomware.

8. Does Your Service Include Monitoring and Detection?

How do you know your network is compromised if you don’t have monitoring in place? Some compliance regulations require you to have monitoring installed. An MSP should include monitoring with their cybersecurity services to reduce the amount of time a threat can persist in your business environment. Monitoring might also cover the detection of failed hardware or hardware that isn’t configured properly. Ask an MSP what type of monitoring is included with your coverage.

9. Am I Tied to Any Vendor with Your Infrastructure Deployment?

An MSP might set up a cloud-based environment for you. You should know if you’re being tied to any particular vendor. Most corporations are tied to a vendor, but should you take over support for the cloud environment, you need to know if it’s AWS, Azure, Google Cloud, or another vendor. If you want to change vendors, switching can be difficult, especially if you’re integrated with proprietary cloud applications.
Ask the vendor which cloud provider will be set up so that you can become familiar with its applications. Also, a cloud vendor has its own SLAs that you can review.

10. Does Service Include Onsite Management?

Most IT-specific service can be done remotely, but some MSPs offer onsite service too. If you have local hardware, an MSP might offer onsite
If you run a small business, you know that staying lean with expenses leaves you more capital for marketing and growth. IT support and cybersecurity are two areas where many SMBs trim as much “unnecessary” fat as possible, but it often comes at the expense of cybersecurity and business continuity. With 93% of small businesses’ cyber-incidents resulting in a data breach, it’s clear that experienced and competent IT support is crucial for SMBs, especially when the cost to remediate incidents can put them out of business.

Risks of Letting Family Manage IT

It’s tempting to cut costs by hiring family or friends to support a small business. You could cut costs this way and give an up-and-coming IT person their first job. When you have only a few PCs to support, you might also think the job is easy and doesn’t require a professional. For simple support, your family might be a good resource. Trouble comes when infrastructure is configured with vulnerabilities, or when nobody performs the maintenance needed to close them. A common theme in cybersecurity is “you don’t know what you don’t know,” and this issue becomes apparent only after a cyber-incident.

Let’s take an example. Suppose you decide to use Amazon Web Services (AWS) for cloud storage. Cloud storage at AWS is known as S3, organized into S3 buckets, which are similar to the directories you see on your PC. A common issue with S3 buckets is that they are often misconfigured to allow public access to data. The issue is so common that anyone can simply download an S3 scanner to find vulnerable buckets. When an inexperienced person misconfigures an S3 bucket, all your data is exposed to the open internet. You wouldn’t be alone: as recently as December 2024, two large cybercriminal groups, ShinyHunters and Nemesis, stole over 2TB of data, including source code, credentials, and secrets, from misconfigured S3 buckets.
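As an added illustration of the bucket misconfiguration described above (example code written for this page, not code from the page's author or from AWS), the Python below evaluates the three settings that together decide whether an S3 bucket is public: the public access block, the bucket policy, and the bucket ACL. The block settings, policy and ACL are constructed sample inputs in the shapes the S3 API returns (in practice they would come from the GetPublicAccessBlock, GetBucketPolicy and GetBucketAcl calls), and the bucket name is a placeholder.

```python
import json

# ACL grantee groups that make an object readable by anyone (AllUsers) or by
# any AWS account holder at all (AuthenticatedUsers): both count as public.
PUBLIC_GROUPS = ("http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers")
PAB_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")

def principal_is_public(principal):
    """True when a policy Principal is "*" or {"AWS": "*"} (or a list holding "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_policy_statements(policy_json):
    """Sids of Allow statements in a bucket policy that are open to any principal."""
    stmts = json.loads(policy_json).get("Statement", [])
    if isinstance(stmts, dict):          # a single statement may be un-listed
        stmts = [stmts]
    return [s.get("Sid", f"statement-{i}") for i, s in enumerate(stmts)
            if s.get("Effect") == "Allow" and principal_is_public(s.get("Principal"))]

def public_acl_grants(acl):
    """Permissions the bucket ACL grants to one of the public groups."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUPS]

def assess_bucket(pab, policy_json, acl):
    """Findings for one bucket; RestrictPublicBuckets / IgnorePublicAcls neutralise a public policy / ACL."""
    findings = []
    missing = [k for k in PAB_SETTINGS if not pab.get(k, False)]
    if missing:
        findings.append("public access block incomplete: " + ", ".join(missing))
    sids = public_policy_statements(policy_json)
    if sids and not pab.get("RestrictPublicBuckets", False):
        findings.append("bucket policy grants public access: " + ", ".join(sids))
    grants = public_acl_grants(acl)
    if grants and not pab.get("IgnorePublicAcls", False):
        findings.append("ACL grants public access: " + ", ".join(grants))
    return findings

# Constructed sample: public access block fully switched off and a policy that
# lets anyone read every object, which is the classic exposed-bucket setup.
SAMPLE_PAB = {k: False for k in PAB_SETTINGS}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
SAMPLE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"},
                          "Permission": "FULL_CONTROL"}]}
```

Running assess_bucket(SAMPLE_PAB, SAMPLE_POLICY, SAMPLE_ACL) reports the incomplete access block and the public policy; setting all four block settings to True makes the same policy inert and the findings list empty.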
It should be noted that the stolen data could be used in future attacks that these businesses won’t see coming unless they take mitigating measures immediately. As this example shows, the simple act of having family or friends manage your IT can snowball into a larger issue where your small business is fending off cyber-attacks targeted at your vulnerabilities. The savings on IT support can turn into six- or seven-figure costs in remediation, litigation, and reputation loss. Some other risks you might not realize without a professional:

Why Professional IT Support Is Now Essential for SMBs

Poor cybersecurity isn’t the only risk of DIY IT. Scalability, and deploying tools that you can use now and in the future, is also important. Let’s say, for example, that you want to deploy a server for file storage. You need a solution that not only supports the speed and space you use today but also scales. Deploying too many resources wastes your IT budget, but too few can be a bottleneck in your productivity.

Compliance is another issue. An inexperienced IT person would not know how to design infrastructure to meet compliance requirements. As an example, a small doctor’s office might not need many computers configured, but HIPAA has specific requirements for the way the office handles data and the network environment. You must keep office guest Wi-Fi separated from the internal network, employees must never connect to guest Wi-Fi from work computers, and strong encryption must be configured on the Wi-Fi router. Requests for data should be logged, and any protected health information (PHI) must be stored in encrypted form. Just as a data breach can bring long-term costs, having an inexperienced IT person set up a network without taking compliance and scalability into account can be an expensive mistake. The cost of HIPAA violations varies widely, from $141 to $2 million per violation.
More serious consequences include criminal penalties. Professional IT support is more important than ever, as any mistakes come with a high price tag. Ensuring infrastructure is configured correctly, deploying infrastructure that scales with your growing business, staying compliant, and managing infrastructure after it’s deployed are some common ways managed service providers can help. To properly manage resources, you need someone with a professional’s experience, and people who have seen many different issues and can resolve them quickly when you need help. Here are a few other ways IT professionals can help:

Managed IT vs DIY: What’s the Real Cost?

DIY IT support is arguably the most cost-effective, but the real costs come from mismanagement of your infrastructure. Every company has a unique environment, so you can use our managed IT services calculator to estimate your costs. Costs depend on the number of users, computers, servers, compliance concerns, offices, and the services that you want. IBM reports that the average global cost of a data breach is $4.4 million, so the true costs lie in failed IT support. Using a managed service provider might seem like an unnecessary expense, but it can benefit you in the long run. Should your organization see massive growth, professionals at an MSP can still support expansion to new offices, hundreds of new employees and computers, and an increase in data. Do you think your IT is in good shape? Take our free three-minute IT readiness quiz to find out.

FAQs
There comes a time for every small business when you become the target of hackers. Most hacking campaigns are collaborations of cyber-criminals across continents, so they know about vulnerabilities, human nature, and the statistically higher chance that your small business doesn’t have the resources to stop advanced threats. At some point in your business operations, a cyber-criminal will exploit a vulnerability. That vulnerability could be human error, improperly configured cybersecurity infrastructure, bugs in your system, outdated software, or a simple email with a malicious attachment. Whatever the cause, the time it takes you to discover and contain a threat is critical to your business.

IBM’s 2025 Cost of a Data Breach report says that the average global cost of a data breach is $4.4 million. These costs include litigation, incident response, changes to cybersecurity infrastructure, loss of reputation, and reparations. It should be noted that litigation can last for years, making it a stressful time for small business owners. Target’s infamous data breach happened in 2013, and a settlement wasn’t reached until 2017.

Ideally, you have a disaster recovery plan in place when you experience an incident. An “incident” is anything from malware to an employee disclosing their network credentials, and it could involve physical or virtual breaches. The first step in incident response is discovery, and ideally you have a good monitoring solution in place that finds threats fast. Without monitoring, it could take months before you realize you have a threat in your environment, and it could do irreparable damage to your data integrity and customer privacy. The steps we provide here are a good starting point for small business owners who realize they have a threat in their environment. If you have a disaster recovery plan, you should reference it and follow it, usually starting with notifications to a hierarchy of stakeholders and decision makers.
If you don’t have help yet for an incident, here are some steps you can take to limit damage to your small business data.

Isolate the Computer or Device from the Environment

Have you ever accidentally downloaded a malicious executable, and antivirus software stopped you and put it in a special folder? In essence, your antivirus software is isolating the malware to protect your computer and the environment. You need to do the same with any threat. This step can be difficult if you don’t know how to isolate it, so the best immediate strategy is to disconnect the computer from Wi-Fi, the network, and the internet. Disconnect the Ethernet cable and turn off Wi-Fi. This will stop the threat from spreading to other machines. Unfortunately, it’s possible that the threat has already spread, but the sooner you disconnect the affected device, the better. For example, ransomware will scan the network for important files and encrypt them with a cipher you cannot reverse without the attacker’s key. If this happens to you, you’ll need to restore data from a backup, which is a good example of why backups belong in your standard IT procedures.

As a last resort, you might need to remove the entire environment from the internet. This step is like using a sledgehammer for a nail, but it might be necessary in an emergency. You’ll stop most malware from “phoning home” to communicate with a hacker-controlled server, but you destroy your productivity if employees need the internet. If you have the training, you could isolate only the affected network segment and leave the others running to continue productivity. Take this step only if you have no choice and can’t stop the threat on a single device. To summarize:

Disable Affected Accounts

In many data breaches, an attacker obtains sensitive credentials from employees. Attackers use numerous methods to get these credentials, including malicious emails (e.g., phishing), social engineering, or passwords obtained from other hacked accounts.
If your employees use the same passwords for your network as they do on third-party sites, your network could be vulnerable. Cyber-criminals use legitimate network credentials to install malware or steal data from corporate resources. After you isolate the threat, you might find that a specific user account is compromised. First, disable the account. This will give you time to gather information on the severity of the data breach. Don’t delete the account: deletion could interfere with the collection of evidence, which you will need for law enforcement. If the account is tied to sensitive information such as accounting, make sure you change the passwords on those platforms, but only from a machine you know isn’t compromised. Any trojans or keyloggers would capture the new passwords, so change passwords on a machine you know is clean. To summarize:

Determine the Source of the Breach

Now that the threat is contained and can’t spread using network user accounts, you must determine the source of the data breach. This is important to avoid having the same issue happen again. You also need it to determine whether you have fully eradicated the threat. For example, if you restore data after a ransomware attack but the ransomware persists on the network, you will just suffer the same incident again. Verizon reports that 60% of data breaches stem from human error. Employees are often your weakest cybersecurity link, so education is important. You must find out whether human error was involved or your cybersecurity infrastructure failed. This step might take the help of a professional cybersecurity consultant, but most human-error-based incidents can be linked to an account. During your investigation, you should also log all customer accounts affected by the breach. To comply with certain regulatory standards, you might be required to notify users that their data has been disclosed to a third party.
For example, if user credit card data was disclosed in the breach, you might be required to send an email to those customers. To summarize:

Restore Data from Backups

Hopefully, at this point in your incident response, you have backups to restore data from. The faster you get to this point, the less money you lose in downtime. Your backups should also have enough data in