Why small businesses need real IT support.
"We have a guy" used to be enough. The threat landscape, the regulatory landscape, and the cyber-insurance landscape have all changed underneath that arrangement. Here is the honest case for professional IT — and where the "guy" model still works.
For a long time, "we do not really need IT" was a defensible position for a small business. Computers worked, email worked, the printer mostly worked. When something broke, the IT-savvy person on staff figured it out, or you called someone for the day. Cheap. Pragmatic. Worked.
That world is over. Three things changed.
1. The threat landscape
The 25-person Ottawa law firm or dental clinic is squarely in the ransomware crew's target window. Per the CIRA 2024 Cybersecurity Survey, 28% of Canadian organisations have been victims of a successful ransomware attack — up from 17% in 2021. Per Sophos' 2025 Active Adversary Report, 56% of intrusions involve attackers logging in with valid credentials, and 83% of ransomware payloads are dropped outside business hours.
"We are too small to be a target" stopped being true around 2020. The attackers automate; you do not have to be famous to be reached.
2. The regulatory landscape
Ontario's PHIPA, federal PIPEDA, US-side HIPAA for cross-border patients, PCI-DSS for cards, sector-specific rules for legal and accounting professional bodies. Compliance is not optional, the obligations grew, and the documentation burden grew. The small-business "we just do our thing" model produces no documentation — and no documentation, to a regulator, looks like no controls.
3. The cyber-insurance landscape
82% of Canadian organisations now have cyber insurance (CIRA 2024). The application questionnaire became the policy. MFA, EDR, MDR, immutable backup, written IR plan — the things insurers require are exactly the things informal IT does not produce. Premiums for businesses that cannot answer "yes" go up; coverage tightens; in some cases, renewals get refused.
What professional IT actually does
The good case for an MSP is not "they will fix your printer faster." It is:
- A documented baseline. Inventory, configurations, accounts, backups — all written down. Survives staff turnover. Passes an audit.
- Continuous security operations. Patch management, EDR monitoring, MDR alerting, backup testing. None of these are projects; all of them are disciplines.
- Strategic planning. What needs to be replaced when. What new threats matter to your specific business. Where to spend the next IT dollar.
- Vendor management. Microsoft, your firewall vendor, your phone system, your line-of-business app vendor. One coordinator instead of you handling each.
- Predictable cost. Fixed monthly bill. No "the server died, here is a $9,000 invoice" surprises.
Where the old model still works
Below 5 staff, limited compliance burden, no sensitive data, no online sales — a part-time freelance IT contractor works fine. The math changes around 8–15 employees, when the operational complexity exceeds what part-time attention can sustain.
What it costs
For a Canadian SMB in 2025, fully-managed IT typically lands at $175–$325 CAD per user per month for a complete plan including helpdesk, security stack, backup, M365 administration, and vendor management — security-heavy plans push past $400 (per F12's 2025 Canadian managed-IT pricing guide). Cheaper plans exist; they leave more on you.
The best test: ask your insurance broker what your premium would look like with and without 24/7 SOC, EDR, immutable backup, and a written IR plan. Then add up the net cost. The answer is usually less ambiguous than it feels in the abstract.
Sources: CIRA 2024 Cybersecurity Survey · Sophos 2025 Active Adversary Report.
Frequently asked questions
How small is too small for an MSP?
Below 5 staff and limited tech complexity, a part-time freelance IT contractor often works fine. Above 10 staff, with M365 / cybersecurity / compliance considerations, a managed plan usually wins on both reliability and total cost. The transition point is roughly 8–15 employees in our experience.
Can we just use the IT-savvy person on staff?
It works in the short term. It fails in three predictable ways: that person becomes a single point of failure (vacation, illness, departure), they cannot keep up with the security landscape part-time, and they end up doing IT instead of their actual job — which is what you hired them for.
What does basic IT support actually cover?
Helpdesk for staff issues, Microsoft 365 administration, security tooling deployment and monitoring, backup management, patch management, vendor coordination, strategic planning. Not all providers cover all of it — the scope is a function of the contract.
How much does basic IT support cost?
For a Canadian SMB in 2025, expect $175–$325 CAD per user per month for a fully-managed plan, with security-heavy plans pushing past $400 (per F12's 2025 Canadian pricing guide). Per-device-only plans are cheaper but typically exclude licenses, advanced security, and after-hours support.
What happens if we keep doing IT ourselves?
Sometimes nothing for years. When something does go wrong — ransomware, a failed server, a compliance audit, a key person leaving — the cost of the absence usually exceeds what professional IT would have cost over the entire prior period. The risk is real but unevenly distributed.