Your IT guy said you're covered. Are you?
I'm going to step on some toes with this one. Not because I want to bash other IT providers — I don't. Most of them are decent people doing their best. But I have a conversation with small business owners on a regular basis that goes almost exactly the same way every time, and it's starting to keep me up at night.
It goes like this:
Me: "If you got hit with ransomware tomorrow morning at 9am, what's the plan?"
Them: "Oh, we're good. We have an IT guy."
Me: "Great. What's the recovery time? Where are the backups? Are they tested? Are they immutable — meaning ransomware can't encrypt them too? Who's monitoring your systems at 2am? Do you have an incident response plan written down?"
Them: (long pause)
Me: "Does your IT provider have answers to those questions?"
Them: "I mean... I assume so?"
That assumption is the most dangerous thing in your business right now. Not the hackers. Not the phishing emails. The assumption that because you're paying someone to handle your IT, everything is handled.
What "Managed IT" Usually Means
Here's what most small businesses are actually getting when they pay for managed IT services:
Somebody installed antivirus on your computers. They might update Windows when they remember to, or when you complain that the update popup is annoying. When something breaks, you call them and they fix it — sometimes that day, sometimes a few days later. They probably set up your email at some point. They might have sold you a firewall that's sitting in your closet doing whatever it does.
And that's it. That's what you're paying for. And for a lot of businesses, that was fine ten years ago.
It's not fine anymore.
The Gap Nobody Talks About
There's a gap between what most IT providers deliver and what your business actually needs — especially if you're in a regulated industry. And that gap is where disasters happen.
Let me be specific. When I say "covered," I'm not talking about whether your computer turns on in the morning. I'm talking about whether your business can survive a serious security incident. And "serious" doesn't mean theoretical. It means a phishing email that one of your staff clicks on a Tuesday afternoon.
Here's what "covered" actually looks like in 2026:
Endpoint Detection and Response. Not antivirus — actual EDR. Antivirus matches known threats against a list of signatures. It catches what it recognizes. An AI-powered EDR watches behavior. It catches things it's never seen before because it recognizes when something is acting wrong. It can roll back ransomware encryption. It can isolate a compromised device from your network in seconds. Your antivirus can't do any of that.
Ask your IT provider: "What endpoint protection are we running, and is it EDR or traditional antivirus?" If they say ESET, Norton, Webroot, or "Windows Defender" — you have antivirus. You don't have EDR. That's like having a smoke detector but no fire suppression system.
24/7 Security Monitoring. Not "we check on things during business hours." Not "our software sends alerts to a ticketing system." I mean human analysts watching your environment around the clock, actively hunting for threats, and isolating compromised devices at 2am before you wake up.
Ask your IT provider: "Who is watching our systems at 2am on a Saturday? A person, or a software alert that nobody sees until Monday?" If the answer is anything other than "a human security analyst," your business is unmonitored for roughly 75% of every week. Attackers know this. They don't work banker's hours.
Email Security. Email is the number one attack vector for small businesses. Over 90% of breaches start with a phishing email. And yet most small IT providers offer zero dedicated email security beyond whatever comes baked into your email platform.
Ask your IT provider: "What email security are we running beyond the standard spam filter? Do we have phishing protection? Attachment sandboxing? Business email compromise detection?" If they look at you blankly, your front door is wide open.
Audit Logging. If something happens — a breach, an audit, an insurance claim — you need to be able to show who accessed what, when, and from where. Not "we think we can find that." Not "let me check." Documented, searchable, compliance-ready logs.
Ask your IT provider: "If our cyber insurance company asked us to prove what happened during a security incident, could you produce audit logs?" Most can't. Because most small IT providers don't run a SIEM. Most of them don't even know what a SIEM is.
Multi-Factor Authentication. This is the single most effective control against credential theft. One compromised password without MFA means full access to everything — email, files, client data, financial systems. One compromised password with MFA means nothing, because the attacker doesn't have the second factor.
Ask your IT provider: "Is MFA enforced on every account, every system, and every admin portal?" Not "available." Not "we turned it on for some people." Enforced. Everywhere. If it's not, your business is one phishing email away from a full compromise.
Backup and Disaster Recovery. Not "we back up to a USB drive" or "we back up to a NAS in the closet." I mean encrypted, immutable, air-gapped backups with a defined recovery time objective (RTO) and recovery point objective (RPO). Backups that are tested. Backups that ransomware cannot touch. Backups that can get you back up and running in minutes, not days.
Ask your IT provider: "If ransomware encrypted everything right now, how long until we're back up? And are you sure the backups aren't encrypted too?" If they hesitate, you have a backup problem. And a backup problem during a ransomware attack is a business-ending problem.
The Compliance Question
If you're in healthcare, financial services, bookkeeping, tax preparation, or any industry that handles sensitive client data, there's another layer to this that most IT providers don't touch at all.
HIPAA requires healthcare providers to have a documented security program — risk assessments, written policies, workforce training, audit controls, incident response plans, business associate agreements. The FTC Safeguards Rule requires the same for financial institutions — and that definition is broad enough to include your bookkeeper.
These aren't suggestions. They're federal law. With real penalties. HIPAA fines start at $100 per violation and go up to $50,000 per violation depending on the level of negligence. The FTC can fine you up to $100,000 per violation, and individual officers and directors can be fined personally.
Ask your IT provider: "Are we compliant with HIPAA?" or "Are we compliant with the FTC Safeguards Rule?" If they say "yes" — ask them to show you the documentation. The risk assessment. The written policies. The training records. The incident response plan.
If they can't produce it, you're not compliant. You just have an IT provider who told you what you wanted to hear.
I'm not saying they're lying to you on purpose. Most small IT providers aren't compliance experts. They're good at fixing computers and setting up networks. But compliance isn't optional for regulated businesses, and "my IT guy handles it" isn't an answer that holds up when the auditor or the insurance adjuster is sitting across the table from you.
Why This Isn't About Bashing Your IT Guy
I want to be clear about something. I'm not writing this to make you fire your current provider and hire me. I'm writing this because I've sat across the table from business owners after something went wrong, and the conversation is always the same: "I thought we were covered."
That's the sentence that breaks my heart every time. Because they did think they were covered. They were paying someone. They trusted someone. And that someone either didn't know what was needed or didn't tell them the truth about what was missing.
The business owner isn't the one who failed. The expectation gap failed them.
And here's the hard part — your IT provider might be a great person. They might be responsive. They might fix your printer when it jams and reset your password when you forget it. They might genuinely care about your business. But caring about your business and being equipped to protect your business are two different things.
The Questions That Matter
I'm going to give you a list of questions. Not because I want you to interrogate your IT provider. But because you deserve to know where you stand. These are yes-or-no questions, and every "no" is a gap in your protection.
Do we have AI-powered endpoint detection and response on every device?
Do we have 24/7 security monitoring with human analysts?
Do we have dedicated email security beyond the built-in spam filter?
Do we have a SIEM that provides audit logging and compliance reporting?
Is multi-factor authentication enforced on every account and every system?
Are our backups encrypted, immutable, tested, and air-gapped?
Do we have an enterprise firewall with intrusion detection?
Do we have DNS filtering to block malicious websites?
Do we have a written incident response plan?
If we're in a regulated industry, do we have a documented compliance program?
If your IT provider can answer yes to all of those and show you the evidence, you genuinely are covered. Shake their hand and tell them you appreciate them.
If they can't — that's not a reason to panic. It's a reason to have an honest conversation. Either with them about what needs to change, or with someone else about what's possible.
What "Covered" Actually Feels Like
I'll tell you what it feels like when a business is actually protected, because I think most business owners have never experienced it.
It feels like nothing.
That's the whole point. You don't think about it. You don't worry about the phishing email that Susan in accounting clicked on, because the email security caught it before it landed. You don't worry about the ransomware that tried to execute at 3am, because the SOC analysts isolated the device and killed the process before it spread. You don't worry about the laptop that got stolen from the car, because it was encrypted and the data is unreadable. You don't worry about the auditor, because the compliance documentation is in a binder and the risk assessment was done six months ago.
You just run your business. That's what covered feels like. And that's what every business owner deserves.
The Honest Truth
Here's the part where I'm supposed to pitch you my services. I'm not going to do that.
What I am going to say is this: if you read through those questions and realized you don't know the answers — find out. Ask your current provider. Have the conversation. If they have good answers, that's great. If they don't, that's information you need.
The worst thing you can do is assume. Because assumptions don't hold up on the worst day of your business. Plans do. Documentation does. The right tools in the right hands do.
Don't wait for the worst day to find out whether you're actually covered. Find out now, while it's still a conversation and not a crisis.