
What "Fully Managed IT" Should Actually Include for a 10-Person Firm

Most managed IT proposals look complete until something goes wrong. Use this checklist to evaluate whether a provider's engagement actually covers your firm — before you sign.

Elevate Solutions
June 27, 2026 · 5 min read

When you manage a 10-person office, evaluating a managed IT proposal is rarely in your job description. But the agreement you sign determines whether a ransomware attack costs two hours of downtime or two weeks — and whether a departing employee's access is revoked on their last day or sits open for months afterward. Most proposals look thorough on the surface. The gaps appear after something goes wrong.

A complete managed IT engagement for a firm your size covers help desk support with defined response windows, automated patching, endpoint detection and response, identity and access management, tested data backups, continuous security monitoring, vendor coordination, and documented processes for staff changes — plus regular strategic reviews. If a proposal is silent on any of these areas, treat that silence as a gap.

Use the checklist below to pressure-test any proposal before you sign.

Help desk and response times

Your provider should specify how quickly a technician responds to each category of issue, not simply that "support is available." A system that is completely down warrants a different window than a forgotten password. Ask for those tiers in writing, and ask for two figures per tier: time to first response and time to resolution. A proposal that quotes only the first can satisfy it with an acknowledgement e-mail while the outage continues. Ask how after-hours calls are handled and whether the same windows apply outside business hours. Confirm that a dedicated team that knows your environment is fielding requests, not an anonymous rotating queue.

Patching and updates

Unpatched software is among the most common entry points for attacks. A complete engagement includes automated patching for operating systems, browsers, and third-party applications on a defined schedule, with a stated maximum time between a vendor releasing a fix and that fix reaching your devices, and with documented exceptions that record the reason, the compensating control, and an expiry date so they are revisited rather than forgotten. Ask specifically whether workstations and remote laptops are included. Many lower-cost proposals cover only servers.

Endpoint protection

Antivirus alone is not sufficient. Current best practice is endpoint detection and response (EDR): software that monitors for behavioral indicators of an attack, not just known malware signatures. Your engagement should include EDR deployment, active monitoring of its alerts by a person (an agent that nobody watches only records the breach), and documented steps for what happens when a threat is detected, including who has authority to isolate a machine from the network and whether that can happen outside business hours. Confirm that coverage extends to remote workers and to every device that handles firm data.

Identity management and multi-factor authentication

Compromised credentials are involved in a significant share of breaches across every regulated industry. Multi-factor authentication on every user account (email, cloud applications, remote access) is a baseline control, not an upgrade, and it must also cover administrator accounts and any shared or vendor accounts, which are the ones attackers value most. Ask whether legacy sign-in methods that bypass MFA, such as basic authentication for older mail clients, have been disabled; enforcing MFA while leaving those open is enforcing it in name only. Your provider should configure and enforce MFA, manage password policies, and conduct periodic access reviews that compare who holds an account on each system with who currently works for you. Where feasible, single sign-on reduces the number of credential sets your staff manages and gives you one place to revoke them.

Backup and recovery

Ask three questions before accepting any backup arrangement: Where are backups stored? How often are they tested? What is the documented recovery time for different failure scenarios? An untested backup is not a backup; it is a file whose usability has never been confirmed, and a "job succeeded" line in a backup log is not a test. A test means restoring real data to a separate location, confirming it opens and matches the original, and timing the restore against the recovery window you were promised. Backups should reside off-site or in a separate cloud environment, isolated from the systems being protected, and at least one copy should be immutable or offline so that an attacker who gains administrative access to your network cannot delete or encrypt it along with everything else. Ask to see written test results, including how long each restore took.
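The restore drill described above, as an added example rather than anything from the original article or from Elevate Solutions: back up a small directory, restore it into a scratch location, verify every file against a SHA-256 manifest recorded at backup time, and check the elapsed time against a recovery time objective. The sample files and the 60-second RTO are constructed for the demonstration; the second drill shows what a test reveals when a file created after the last backup run is missing from the archive.

```python
"""Restore drill: back up a directory, restore it elsewhere, and verify the
restored copy file-by-file against a hash manifest and a recovery time target.
Added example with constructed sample data; not the article's or provider's code."""
from __future__ import annotations

import hashlib
import tarfile
import tempfile
import time
from pathlib import Path


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root, POSIX form) to its SHA-256 digest."""
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def create_backup(source: Path, archive: Path) -> dict[str, str]:
    """Archive every file under source and return the manifest taken at backup time."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(source / rel, arcname=rel)   # relative names only, no absolute paths
    return manifest


def restore_drill(archive: Path, expected: dict[str, str], rto_seconds: float) -> dict:
    """Restore into a fresh directory and compare the result with `expected`.
    Reports missing files, files whose content differs, the restore time, and
    whether that time met the recovery time objective."""
    with tempfile.TemporaryDirectory() as scratch:
        start = time.monotonic()
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(scratch, filter="data")  # refuses path traversal (3.12+/backports)
            except TypeError:                           # older Python without the filter argument
                tar.extractall(scratch)
        elapsed = time.monotonic() - start
        restored = build_manifest(Path(scratch))
    missing = sorted(set(expected) - set(restored))
    corrupted = sorted(f for f in expected if f in restored and restored[f] != expected[f])
    return {
        "intact": not missing and not corrupted,
        "missing": missing,
        "corrupted": corrupted,
        "restore_seconds": round(elapsed, 3),
        "within_rto": elapsed <= rto_seconds,
    }


def demo() -> tuple[dict, dict]:
    """Constructed sample: a tiny 'file share' backed up once and drilled twice."""
    with tempfile.TemporaryDirectory() as work:
        source = Path(work) / "share"
        (source / "clients").mkdir(parents=True)
        (source / "clients" / "acme.txt").write_text("engagement letter\n")
        (source / "policies.txt").write_text("acceptable use policy v3\n")
        archive = Path(work) / "share.tar.gz"

        manifest = create_backup(source, archive)
        good = restore_drill(archive, manifest, rto_seconds=60)

        # A file created after the last backup run is not in the archive. Drilling
        # against today's inventory, rather than the old manifest, exposes the gap.
        (source / "clients" / "new-matter.txt").write_text("intake notes\n")
        stale = restore_drill(archive, build_manifest(source), rto_seconds=60)
    return good, stale


if __name__ == "__main__":
    for label, report in zip(("first drill", "after new file"), demo()):
        print(label, report)
```

The point of comparing against a manifest built from the live data, not only the one stored with the backup, is that the second comparison answers the question the firm actually cares about: can everything we have today be recovered? A provider's written test results should show the same three things this report does: what came back intact, what did not, and how long it took.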

Security monitoring

A 10-person firm is not too small to be targeted. Continuous monitoring of log data from your endpoints, identity provider, email platform, and network edge, through a managed detection and response arrangement or equivalent, means threats are identified before they escalate rather than discovered after the fact. Ask what triggers an alert, who reviews it and during which hours, and how quickly your firm is notified of a confirmed incident. Ask also how long logs are retained; an investigation cannot reconstruct what was never kept.
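"What triggers an alert" is a concrete question, and the following added example (not from the original article or its provider) shows the shape of an answer: two rules run over constructed identity-provider sign-in records. The first fires when a burst of failed logins for one account is followed by a success, the pattern left by password guessing that eventually works; the second fires when a user signs in from a country never seen for that user before. The log format, the five-failure threshold, and the ten-minute window are assumptions for the demonstration.

```python
"""Two alert rules over identity-provider sign-in logs.
Added example using constructed log lines; not real telemetry and not the
article's or any provider's detection content."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: timestamp, user, result, source IP, country of the source IP.
SAMPLE_LOG = """\
2026-06-01T08:02:11Z alice SUCCESS 203.0.113.7 US
2026-06-01T09:14:02Z bob FAIL 198.51.100.23 RU
2026-06-01T09:14:05Z bob FAIL 198.51.100.23 RU
2026-06-01T09:14:09Z bob FAIL 198.51.100.23 RU
2026-06-01T09:14:12Z bob FAIL 198.51.100.23 RU
2026-06-01T09:14:15Z bob FAIL 198.51.100.23 RU
2026-06-01T09:14:40Z bob SUCCESS 198.51.100.23 RU
2026-06-01T10:01:00Z carol FAIL 203.0.113.9 US
2026-06-01T10:03:30Z carol SUCCESS 203.0.113.9 US
2026-06-01T11:30:00Z alice SUCCESS 192.0.2.44 BR
"""

FAIL_THRESHOLD = 5              # assumed: failures inside the window before a success is suspicious
WINDOW = timedelta(minutes=10)  # assumed: how far back failures count


def parse(line: str) -> tuple:
    """Split one constructed log line into (timestamp, user, result, ip, country)."""
    ts, user, result, ip, country = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result, ip, country


def evaluate(log_text: str) -> list[dict]:
    """Return alerts in the order they would fire while the log is replayed."""
    recent_failures = defaultdict(deque)   # user -> timestamps of FAILs inside the window
    seen_countries = defaultdict(set)      # user -> countries already observed for that user
    alerts = []
    for line in log_text.splitlines():
        ts, user, result, ip, country = parse(line)
        fails = recent_failures[user]
        while fails and ts - fails[0] > WINDOW:   # drop failures older than the window
            fails.popleft()
        if result == "FAIL":
            fails.append(ts)
            continue

        # A success following a burst of failures: guessing that eventually worked.
        if len(fails) >= FAIL_THRESHOLD:
            alerts.append({"rule": "failures_then_success", "user": user, "ip": ip,
                           "at": ts, "failures": len(fails)})
        # A success from a country this user has never signed in from before.
        # The first country seen for a user only seeds the baseline.
        if seen_countries[user] and country not in seen_countries[user]:
            alerts.append({"rule": "new_country", "user": user, "ip": ip,
                           "at": ts, "country": country})
        seen_countries[user].add(country)
        fails.clear()
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_LOG):
        print(alert)
```

Two caveats the rules make visible. Carol's single mistyped password never trips the first rule, which is the whole point of a threshold; and bob's sign-in from RU does not trip the second rule because the replay has never seen bob anywhere else, so a baseline built from logs that already contain the compromise will treat it as normal. In practice the baseline is seeded from where staff actually work, and the alert carries a timestamp precisely so the firm can measure the notification delay it asked about.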

Vendor management

Your firm likely depends on a phone system, cloud storage, industry software, and several SaaS subscriptions. Managing renewals, support escalations, and license counts for those vendors takes time and creates risk when it falls through the cracks. A complete engagement includes vendor liaison work so you are not acting as the intermediary between your IT provider and every other technology vendor you rely on.

Onboarding and offboarding

Staff changes are where access control failures happen most often. Your provider should maintain documented checklists for both: onboarding a new employee (device setup, account provisioning, application access granted according to the role rather than copied from a colleague) and offboarding a departing one (credential revocation on the last day, including active sessions, API tokens, and any shared passwords the person knew; device retrieval; mailbox and file transfer). Ask to review those checklists before signing anything, and ask how the provider learns that someone has left. An offboarding process that depends on you remembering to send an e-mail is itself the gap.
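The periodic access review from the identity section and the offboarding checklist above are two views of the same reconciliation: who holds an account on each system, compared with who currently works for the firm. The following added example (not from the original article or from Elevate Solutions) runs that review over a constructed HR roster and a constructed account inventory for three systems, flagging accounts still enabled after someone's last day, sign-ins after that day, accounts with nobody on the roster behind them, enabled accounts without MFA, and accounts unused for longer than 90 days. The roster, inventory, system names, review date, and the 90-day threshold are all assumptions made for the demonstration.

```python
"""Access review: reconcile an HR roster with per-system account inventories
and report what offboarding or MFA enforcement missed.
Added example on constructed data; not a real client's records and not the
article's or any provider's tooling."""
from __future__ import annotations

from collections import Counter
from datetime import date

# Constructed roster from HR: who is current and who has left, with their last day.
ROSTER = {
    "alice": {"status": "active", "end_date": None},
    "bob":   {"status": "departed", "end_date": date(2026, 3, 31)},
    "carol": {"status": "active", "end_date": None},
}

# Constructed inventory exported from each system (email, VPN, CRM).
ACCOUNTS = [
    {"system": "email", "user": "alice",      "enabled": True,  "mfa": True,  "last_login": date(2026, 6, 20)},
    {"system": "email", "user": "bob",        "enabled": False, "mfa": True,  "last_login": date(2026, 3, 30)},
    {"system": "vpn",   "user": "bob",        "enabled": True,  "mfa": False, "last_login": date(2026, 5, 2)},
    {"system": "crm",   "user": "carol",      "enabled": True,  "mfa": False, "last_login": date(2026, 6, 19)},
    {"system": "crm",   "user": "svc-backup", "enabled": True,  "mfa": False, "last_login": date(2026, 1, 15)},
    {"system": "vpn",   "user": "alice",      "enabled": True,  "mfa": True,  "last_login": date(2026, 2, 1)},
]

STALE_DAYS = 90   # assumed threshold for "nobody has used this account"
SEVERITY = {"departed_still_enabled": "critical", "used_after_departure": "critical",
            "no_owner": "high", "mfa_missing": "high", "stale": "medium"}
RANK = {"critical": 0, "high": 1, "medium": 2}


def review(roster: dict, accounts: list[dict], today: date, stale_days: int = STALE_DAYS) -> list[dict]:
    """Return findings sorted by severity; each names the rule, the account, and why."""
    findings = []

    def add(rule: str, acct: dict, detail: str) -> None:
        findings.append({"rule": rule, "severity": SEVERITY[rule],
                         "account": f'{acct["system"]}:{acct["user"]}', "detail": detail})

    for acct in accounts:
        person = roster.get(acct["user"])
        if person is None:
            # Nobody on the roster owns it: an orphan, or a service account with no named owner.
            add("no_owner", acct, "no roster entry; unknown or unowned account")
        elif person["status"] == "departed":
            end = person["end_date"]
            if acct["enabled"]:
                add("departed_still_enabled", acct,
                    f"still enabled {(today - end).days} days after last day {end}")
            if acct["last_login"] > end:
                # The account was actually used after the person left, not merely left open.
                add("used_after_departure", acct, f'signed in {acct["last_login"]} after last day {end}')
        if acct["enabled"] and not acct["mfa"]:
            add("mfa_missing", acct, "enabled without MFA")
        idle = (today - acct["last_login"]).days
        if acct["enabled"] and idle > stale_days:
            add("stale", acct, f"no sign-in for {idle} days")

    findings.sort(key=lambda f: (RANK[f["severity"]], f["account"]))
    return findings


def summary(findings: list[dict]) -> Counter:
    """Count findings per rule; this is the line a quarterly report should carry."""
    return Counter(f["rule"] for f in findings)


if __name__ == "__main__":
    results = review(ROSTER, ACCOUNTS, date(2026, 6, 27))
    print(dict(summary(results)))
    for finding in results:
        print(finding["severity"].upper(), finding["account"], finding["rule"], finding["detail"])
```

The constructed data is arranged so that a clean email offboarding hides a failed VPN one: bob's mailbox was disabled on time, but his VPN account stayed enabled and was used a month after his last day. That is exactly the case a per-system review catches and a single "account disabled" tick box does not. Service accounts will often show up under "mfa_missing"; the review's job is to surface them so someone decides, on the record, whether the exception stands.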

Documentation

Your IT environment should be fully documented: network diagrams, software licenses, account inventories, vendor contacts, and recovery procedures. If your provider cannot produce current documentation at any point during the engagement, you are operationally dependent on institutional knowledge that could disappear when a technician changes roles. Documentation is not a courtesy — it is an asset your firm owns.

Strategic reviews

A managed IT relationship should include scheduled reviews — quarterly is a reasonable standard — where your provider presents what has changed, what risks remain, and how shifts in your business affect your technology posture. These meetings are where budget decisions, compliance updates, and growth-related changes get addressed proactively. If a provider does not include them, those decisions will happen reactively, usually in response to a problem.

How to use this checklist

Request written responses to each category above before signing any engagement. If a provider cannot clearly describe their approach to vendor management, offboarding, or documentation, those functions are not covered — regardless of what the proposal summary says. A 10-person firm cannot absorb the cost of discovering that gap after an incident or a compliance review.

Frequently asked questions

Is fully managed IT cost-effective for a firm with only 10 employees?

Yes. At that size, a single unplanned incident — ransomware, a compliance audit, or a key employee departure with active credentials — can cost far more than a year of managed IT fees. The economics favor prevention over reactive repair.

What is the difference between managed IT and break-fix support?

Break-fix providers respond after something fails and bill by the hour. A managed IT provider takes ongoing responsibility for the health and security of your environment, operating proactively rather than waiting for you to report a problem.

How do I verify my provider is performing the services in the contract?

Ask for monthly or quarterly reports showing patch completion rates broken out by device type, restore test results (not just backup job status), and security alert summaries that say how each alert was resolved. If a provider cannot produce written evidence of work performed, those activities may not be happening consistently.

Should cybersecurity be bundled into my managed IT agreement or handled separately?

For a firm your size, bundled is almost always the better structure. Separating cybersecurity from day-to-day IT management creates coordination gaps — both functions need shared visibility into your environment to be effective.

Elevate Solutions' security and IT advisory team delivers managed cybersecurity (MDR/MXDR), managed IT, and compliance guidance (HIPAA, SOC 2, PCI DSS) for regulated mid-market firms across Los Angeles.

Reviewed by David Faramarzi · Founder, Elevate Solutions