You’d hire an attorney to draft legal documents and a CPA to help with the books, so why wouldn’t you hire a managed service provider (MSP) to handle IT?

Well, lots of reasons, actually.

Outsourcing any part of the business comes with risk, but an information technology breakdown can bring operations to a screeching halt, costing the company money and harming its reputation. To avoid making expensive mistakes, small businesses must carefully consider their needs and weigh the risks of outsourcing IT services.

Some companies heavily leverage their IT organization to maximize operational efficiency, yet others see it as merely functional. These internal dynamics inform IT priorities and budgets.

And though it’s no surprise that a recent forecast by Gartner (available to clients) shows that overall IT spending by small businesses will increase significantly over the next several years, the question remains whether that money will be better spent on hiring internal IT staff or outsourcing IT services.

Hiring internal IT staff

At most small businesses, a single IT-focused employee might handle tasks such as software installation and device troubleshooting. But as the business grows, more specific IT needs require additional and more highly trained staff.

If money weren’t a consideration, a robust internal IT staff would be the ideal solution: a knowledgeable group of IT professionals who are solely dedicated to your business, know its struggles, and understand its strategic goals; a team that has skin in the game and is driven to bring the company’s vision to fruition.

But alas, money is always a factor, and hiring internal staff includes fixed costs such as salary, benefits, and taxes. And because small businesses have limited budgets, paying an IT Manager $119,000 a year isn’t always realistic.

Furthermore, IT trends and practices are in constant flux, and the skills desired evolve rapidly or change completely. This means that continually training internal IT staff is necessary to stay competitive.

Unfortunately, training IT staff presents a challenge unto itself as many organizations have difficulty finding the appropriate resources. In fact, according to a report by IT training company New Horizons, only 12 percent of companies surveyed felt that their IT training efforts were sufficient.

Outsourcing IT services

To cut costs and keep up with competitors, small businesses often turn to IT service providers.

Small businesses commonly outsource services such as:

  • Help desk
  • Security
  • Data center
  • Backup and disaster recovery
  • Network monitoring and maintenance

When considering outsourcing IT, small businesses have two basic options: hire a break-fix IT technician as problems arise or contract with an MSP on an ongoing basis.

tools iconThe break-fix solution

Functioning exactly as it sounds, break-fix is a strictly reactive solution to IT issues: When something breaks, a technician comes to fix it. This is useful if your business rarely experiences IT challenges or needs sudden IT support.

However, break-fix services are charged by the hour and costs can add up quickly. Additionally, you have to track the hours and services provided to verify accurate billing. While useful in a pinch, break-fix is more of a quick-fix than it is a comprehensive solution for your IT needs.

desktop iconManaged service providers

MSPs remotely manage your IT needs in the capacity that you desire with regular monthly or annual billing. They come in many forms, each offering their own array of services. Yet, considering that the number of software and IT service companies is estimated at around 100,000, finding the right provider can be daunting.

MSPs typically present themselves as a cost-effective alternative to in-house IT management for small businesses. In companies that already have internal IT staff, MSPs are sometimes used as second-layer coverage or to oversee special projects (e.g., software integration).

MSPs offer a wide spectrum of IT resources and the ability keep up with rapidly evolving technology. Furthermore, the ability to scale your business by leveraging an MSP’s network, rather than continually upgrading your own IT infrastructure, can be hugely advantageous.

Managed security service providers (MSSPs) are specialized versions of MSPs that offer an emphasis on security services such as firewall management and threat detection.

Before hiring an MSSP to perform security functions, small businesses should conduct a thorough risk assessment of their own network or have one performed by an independent firm. If you allow a service provider to define your needs, you’ll always require the extra-deluxe supreme package.

Proactively identifying vulnerabilities and knowing the threats that are most likely to put your business at risk will put you in a better position to make informed decisions when outsourcing IT security services.

Concerns when outsourcing IT

While countless concerns come into play when inviting outsiders into your IT organization, the following are some of the most important.

data security iconData security

A key concern when considering any type of IT outsourcing is data security. However, despite widespread attention, a recent study by the Ponemon Institute showed that 58 percent of small businesses do not know if their vendor security policies are sufficient to prevent a data breach.

With ever-increasing data security regulations, businesses must be prudent when providing network access to any third party. For example, the infamous 2013 Target data breach that exposed 40 million customer records was the result of credentials stolen not from an MSP, but from an HVAC contractor.

The retail giant handed over network access to a third-party that didn’t follow proper PCI data security standards regarding the implementation of two-factor authentication for remote network access. Target survived the debacle, whereas a small business might not be so fortunate.

Regulatory Compliance IconRegulatory compliance

If your business is in a heavily regulated field, such as health care, it is important to verify the extent of the provider’s experience in that industry and ability to be compliant. For example, if the MSP will be accessing data that includes your customers’ protected health information, they must do so in compliance with HIPAA.

This will require that you implement a business associate agreement (BAA) setting forth the conditions under which the MSP should handle protected data in accordance with regulations.

Unfortunately, you might not always know exactly how data will be used or processed by an MSP, which presents a conundrum. Fortunately, some MSSPs specialize in specific industries and are better prepared to assist with regulatory compliance.

It’s worth noting that MSPs and MSSPs commonly engage in their own outsourcing by utilizing a third-party network operations center (NOC), a third-party security operations center (SOC), or both. No doubt some of those NOCs and SOCs outsource layers of their own operations as well.

Any IT service provider under consideration should be up-to-date on all data privacy standards and regulatory issues, especially those relating to your industry. But no matter the assurances given, when data is duplicated or moved from one location to another, there is a dramatically higher chance that it will be compromised.

cyberattacks iconCyberattacks

Cyberattacks are becoming more sophisticated and numerous. Ransomware attacks, for example, increased by 415 percent in 2017, according to a report by IT security firm F-Secure. Adding to the problem, the number of network endpoints has exploded in recent years.

Widespread adoption of cloud technology, the mass proliferation of mobile devices, and more than 20 billion other things suddenly connected to the internet means that IT security can be a colossal effort. While many MSPs and MSSPs are up to the task, many likely are not.

Remember that being completely dependent on a third-party for security does a disservice to your company. All small businesses should defend against cybercriminals by establishing—and enforcing—an acceptable use policy for company internet and email use.

Other measures, such as regulating the use of employee-owned devices, imposing two-factor authentication, and providing periodic cybercrime awareness training, can also sharply reduce your company’s exposure to common cyberattacks.

service expectations iconService expectations

Small businesses often worry that MSPs will make promises that they can’t keep or spread themselves thin by taking on too many clients. These are legitimate concerns. If your small business signs on with a provider that is already servicing several midsize clients, are you going to receive attention equal to that of larger, and thus more profitable, clients?

For these reasons, it’s important to negotiate reasonable service level agreements (SLAs) to ensure that both parties have the same expectations and know the consequences of not meeting them. SLAs should also define the metrics that will be used to measure performance and how they will be reported.

pricing iconPricing

Prior to hiring an MSP, small businesses should thoroughly review pricing to fully understand billing methods and identify any extra charges that might be incurred. Pricing structures vary widely and might be tiered, package-based, per device, or per user.

Ideally, you will agree to a model that includes all of the services you need—and none that you don’t—at a fixed monthly rate.

Mitigating your risk

Small businesses can reduce their risk when outsourcing IT services by following these recommendations:

  • Ensure that all parties know what a successful engagement will look like
  • Review all SLAs in detail and ensure that they meet your needs
  • Ask for the number and size of clients the provider is working with
  • Request references and ask clients about responsiveness during off hours
  • Ask if any of the MSP’s operations are outsourced
  • Determine how the provider intends to maintain data security
  • Consider your regulated data and factors that will complicate compliance efforts

Ask tough questions about data security practices, incident response plans, coverage hours, and concerns specific to your industry. And while having the answers to these questions documented via email is good to have for your records, an impromptu phone conversation with a provider can give better insight into actual depth of knowledge about your particular needs and ensure that you’re not simply receiving boilerplate responses.

Ultimately, outsourcing strategic elements of your IT infrastructure is a bad idea if your company depends on innovation and the agile development of your online business. Additionally, if your business is in a heavily regulated field and a primary focus is on maintaining data security and regulatory compliance, you too should think twice before outsourcing IT. In these and many other situations, employing an internal IT staff might be well worth the cost.

Next steps

The search for IT help can be frustrating. Skilled IT employees are getting harder to find, and MSPs sometimes overpromise and underdeliver. But small businesses don’t always need more internal staff or an MSP.

Easy to learn software-as-a-service applications and cloud-based data storage options have alleviated much of the need many small businesses have had for outsourcing in the past.

It might make more sense for your business simply to invest in software that solves your most immediate concerns, such as engaging online customers or improving internal communication. Research and thorough consideration of your needs can ensure that you make an informed decision for your growing business, regardless of whether you choose to outsource IT services or keep it all in-house.

You can read more at the GetApp Lab, where insights for small businesses are always bubbling up.