
The Good, the Bad, and the Ugly Managed Service Provider

We recently spoke with WMCRC Advisory Group Member Helen Barge, Managing Director of Risk Evolves, about how important it is to work with the right suppliers and partners. In our latest blog, we look at what makes a good service provider and how businesses can ensure they're receiving the service they pay for.

Let’s be honest, running a small business isn’t always a bed of roses. Whether it be a lack of staff, a delay in receiving goods, late payment from customers and clients, not to mention the disruption caused by covid and the departure from the EU, there is always plenty to keep the small business owner occupied.

We all look to ensure that we have the right partners around us to support us; people and companies that we can rely upon for good advice and service. It could be an outsourced payroll service, an external HR Partner, or legal or accountancy services – there is no end to the list of organisations that want to help you continue to be successful.

One such group is the MSP – the Managed Service Provider, the external IT Partner. According to the 2022 government survey on cybercrime, 57% of small businesses and 36% of micro businesses will use an MSP.

The challenge, though, in a world of ever-shifting technology and terminology, is how to find the right one. Should you continue to support your own IT? Or ask your neighbours' 17-year-old son who does IT at college to help? Buy a service from a third party, and if so, which one?

Unlike outsourcing your cleaning, it’s hard to know the good from the bad and, to be frank, from the downright ugly ones. If your cleaner doesn’t do a good job, you know – the bins remain full, the desk is dusty, and the kitchen still has the remnants of yesterday’s lunch. But it’s much harder with the IT provider. And worse still, unlike with other professional services organisations, there is little to no guidance available to support you in finding one.

Over the last 12 months, I have been privileged to work with three other members of the West Mids CRC to tackle this problem. Andy Tasker (Zenzero), Tim Pinnell (NQA), Ian Vickers (MetCloud) and I had grown tired of meeting new clients whose previous or incumbent IT provider was failing to deliver good service to them. In at least one case, the IT provider was jeopardising the security and stability of their client's business.

We were clear on our objective. How could we help our peer business owners assess a potential partner without being subjected to a response to a tender that was littered with TLAs (three-letter acronyms) that the recipient would have little chance of understanding? We wanted something that went beyond the technology, the sale of hardware and software, and looked at what businesses really needed. We wanted to arm decision-makers with some guidance on the type of answer that they should hear. We wanted to highlight a minimum acceptable standard of service which we believe this as yet unregulated industry should be delivering.

We spent a lot of time reviewing the bad. The IT providers who failed to meet the basics. The providers whose service would not meet the minimum criteria outlined by the National Cyber Security Centre as part of the Cyber Essentials scheme. Worryingly, the same government cyber security survey quoted above identified that, for the majority of small businesses, cyber security was not deemed to be an important factor when selecting their IT partner. That said, almost one in three businesses (28%) cite a lack of information from suppliers as something that inhibits their ability to manage cyber security threats.

We looked at behaviour. A well-managed service provider should be delivering more than just a service. Like your outsourced HR / Payroll / Accountant / Legal team, they should be updating you on trends in the industry. They should be explaining to you how you can ensure that your business is resilient to a cyber attack, without you needing to pull out a cheque book every time they email you. They should be able to show you the status of what’s happening within your business. You expect to know which of your customers haven’t paid you, so why shouldn’t you know which of your staff have failed to apply the latest software updates?

We wanted to reassure business owners. This is a complex area and there is no shame in not knowing all the answers. It is your right to ask for clarification. If the response is loaded with jargon, ask again. And again. And again. And if the IT provider still can’t explain, then they aren’t right for you. If your accountant presented you with a set of accounts that didn’t make sense, you’d challenge them. Do the same with the IT provider.

You should also know how they can help if the worst happens and you are a victim of a cyber attack. Do they back up your systems? How do you know if the backup will actually work? How do they prove it? And if something goes wrong, will they answer the phone when you call? Do they have the right skills in place? How many are on the team? What happens if someone leaves? A good partner will be able to reply confidently, to explain (and hopefully show) the processes that they have.

This led to us developing a questionnaire that comprises just 26 questions covering 8 key areas. It has been piloted on a small number of organisations, with the initial results being positive. The questionnaire will shortly be shared via the West Mids CRC to pilot with a wider group of organisations. More details will be made available soon.

In the meantime, take the opportunity to reflect on how your provider supports you. I’ve only been able to share a small selection of the areas that are covered in this questionnaire, but if anything resonates, then I would be interested in your feedback.

Finally, if you are a service provider reading this article, ask yourself – how do you perform against each of the sections mentioned above? If you’re one of the good guys, then thank you – keep doing what you’re doing. However, if there are some gaps, then now is the time to address them. Don’t let your clients down.


The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the West Midlands is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others.  Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the West Midlands provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.


The Cyber Resilience Centre for the West Midlands does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for the West Midlands is not responsible for the content of external internet sites that link to this site or which are linked from it.
