10 Questions to Ask Before Hiring an IT Provider
The 10 questions that actually separate competent IT providers from ones that will cost you more in the long run. Plus red flags and green flags so you can decide with confidence.
Why this list exists
Most businesses choose an IT provider the same way they choose any other vendor: get a few proposals, look at price, pick the lowest. That works fine for commodities. It works poorly for IT, because cheap IT often results in dramatic indirect costs (downtime, breaches, data loss) that dwarf the savings.
This list is the 10 questions that actually separate competent IT providers from ones that will cost you more in the long run. It's designed for business owners who don't have a technical background but need to evaluate technical providers.
The 10 questions
1. What's your average response time for critical issues?
Should be under 30 minutes during business hours, under 60 minutes after hours. Anyone quoting "4 hours" or "next business day" for critical issues is not actually managed IT; they're break-fix in disguise.
2. Are your help desk people in the US?
Not because non-US help desk people are bad, but because regulated industries (healthcare, financial, government-adjacent) have data residency requirements. Even outside regulated industries, US-based help desk usually has better familiarity with US software and business workflows.
3. Do you require a long-term contract?
If yes, walk away. Good IT providers retain clients through performance, not contracts. Month-to-month with 30 days notice is the industry standard. Multi-year contracts are usually a sign the provider expects to underperform.
4. What's included in your monthly fee vs. what's billed separately?
The classic gotcha: low monthly fee, high per-ticket charges. Get a written list of what's included (helpdesk, monitoring, backup, security stack, vCIO, etc.) vs. what's billed separately (projects, hardware procurement, after-hours emergencies).
5. Can you provide 3 references from clients similar to my business?
Not testimonials, but references. Actual people you can call to ask about response time, technical competence, billing transparency, and overall experience. Any provider unwilling to provide references is hiding something.
6. What's your incident response plan if we get ransomware?
They should be able to walk through it specifically: isolation procedure, evidence preservation, communication plan, recovery timeline, ransom-payment position. If their answer is "we'll figure it out," walk away.
7. Do you have CISSP, CISA, or other security certifications on staff?
CISSP is the most rigorous cybersecurity certification: 5+ years of experience required, comprehensive exam. CISA is for audit/compliance. For any business in a regulated industry, security expertise on the provider side matters.
8. How do you handle compliance (HIPAA, CMMC, FINRA, etc.)?
If you're in a regulated industry: they should be able to explain the specific framework, deliver the documentation, and have prior experience with audits. Generic "we follow best practices" isn't enough.
9. What's your backup strategy and how do you verify it works?
"Cloud backup" alone isn't a strategy. They should describe: local backup + cloud replication + immutable offline copy, with quarterly recovery testing. Anything less means they haven't actually tested recovery.
10. Will I work with the same engineers consistently, or rotate through a pool?
Better providers have you working with a small, consistent team that learns your environment. Worse providers route every ticket to whoever's available, requiring you to re-explain context every time.
Red flags that should make you walk away
- "Unlimited" managed IT for a suspiciously low price. $79/user/month for everything? Math doesn't work. They're either losing money (won't be in business long), under-delivering, or hiding costs that will appear later.
- Refusal to provide references. Or providing only references from clients you can't actually contact.
- Long-term contracts as a requirement. 3-year contracts with significant cancellation penalties = they expect you to want to leave.
- No written list of what's included. "We handle everything" sounds great until your first emergency reveals significant exclusions.
- Owner unwilling to meet with you. Boutique IT providers should have owner-level engagement available; large providers typically don't.
- Significantly cheaper than 2-3 competitors. The IT services market is reasonably efficient. A provider significantly below market either has hidden costs or is cutting corners.
Green flags that suggest a good fit
- Transparent pricing in writing before you ask.
- Owner-level engagement available for important decisions.
- Willingness to put incident response plans, SLA targets, and inclusions in writing.
- Specific industry expertise (not just "we work with everyone").
- Evidence of long-term client relationships (5+ year clients in their testimonials).
- Certifications on staff (CISSP, Microsoft, Cisco, etc.) and willingness to share names of who has them.
- Local presence: actually able to show up on-site when needed.
Frequently asked questions
Is local always better than a big national MSP?
Not always. Larger MSPs sometimes have specialty expertise smaller local providers lack. But for most small businesses, local is better because response time, relationship continuity, and willingness to engage at the owner level all matter more than scale of operation.
Should I get multiple quotes before choosing an IT provider?
Yes, but evaluate the proposals on the answers to these questions, not on price alone. Three providers with answers to all 10 questions is better than five providers you compared on monthly fee.
What's the cheapest reasonable price for managed IT?
For a 10-person business in Louisiana: realistically $1,200-$2,500/month. Anyone significantly below that range is either hiding costs, under-delivering, or losing money on the engagement. Anyone significantly above needs to justify the premium with specific expertise or scope.
How long does it take to switch IT providers?
Typically 2-4 weeks for the onboarding process: parallel operation while the new provider deploys monitoring, security stack, and gains familiarity with the environment, then a weekend cutover for production-critical systems. Most clients experience zero business-hour downtime during a properly-managed transition.