If you run a small business in the UK and you pay someone to look after your IT, you probably have no idea whether they are actually any good. You know they answer the phone when something breaks. You know they send you an invoice every month. Beyond that, you are trusting that they know what they are doing — and that trust is not always well placed. This is a straightforward checklist for working out whether your IT company is competent, whether your contract is fair, and whether you are getting what you pay for.
Start With the Basics: Are They Certified?
Certifications are not everything, but they are a minimum threshold. If your IT company cannot show you any of the following, that is your first warning sign.
Cyber Essentials is a UK government-backed scheme run through IASME that covers five basic technical controls: firewalls, secure configuration, user access control, malware protection, and patch management. Any IT company supporting small businesses in the UK should hold Cyber Essentials certification at minimum. From April 2026, the updated Cyber Essentials v3.3 requirements mandate MFA on every cloud service that supports it — if your IT provider has not mentioned this to you, they are not keeping up.
You can check whether a company holds Cyber Essentials certification on the NCSC search page at ncsc.gov.uk/cyberessentials/search. If they are not listed, ask them why.
CompTIA A+ is the baseline technical qualification for IT support staff. It requires passing two exams covering hardware, networking, troubleshooting, and security fundamentals. It has no formal prerequisites, which means there is no excuse for a support technician not to hold it. Ask your IT company what certifications their engineers hold. If the answer is vague or defensive, take note.
Microsoft certifications matter if your business runs on Microsoft 365. Look for Microsoft 365 Certified or Azure certifications among their team. A company that supports Microsoft 365 environments without any Microsoft-certified staff is winging it.
The Contract: What You Should See and What You Should Not
[Chart: What UK Small Business Owners Should Expect From IT Support SLAs. Target response and resolution times for a UK small business IT support contract, by issue priority level. Source: CTC editorial assessment based on UK IT channel benchmarks, February 2026]
Your IT support contract is where the relationship is defined. If you have never actually read yours, now is the time.
Response time SLAs should be spelled out in writing. A reasonable SLA for a UK small business IT provider is a response within one hour for critical issues (server down, email outage, data breach) and four hours for non-critical requests. If your contract says "best endeavours" or "as soon as practicable" without a number attached, you do not have an SLA — you have a promise.
Contract length matters. Monthly rolling contracts or 12-month agreements are standard. If you are locked into a 36-month contract with 90-day notice periods, your provider is prioritising their revenue over your flexibility. Anything longer than 24 months should raise questions.
Exit terms should specify exactly what happens when the contract ends. Your provider should return all your data, hand over admin credentials for every account they manage (Microsoft 365, domain registrar, firewall, backup service), and provide a handover document. If there are no exit terms in your contract, you will discover the hard way that leaving is harder than it should be.
Insurance: Ask for confirmation of Professional Indemnity insurance and Cyber Liability insurance. A minimum of one million pounds cover for each is standard for IT companies working with SMBs. If they cannot produce certificates, they are underinsured.
Security: The Questions They Should Answer Without Hesitating
Your IT company is responsible for your digital security. These are the questions you should be able to ask and get a clear, specific answer.
Where are our backups stored, and when were they last tested? The answer should include a location (ideally off-site or cloud, not just a USB drive in the office), a schedule (daily at minimum), and a date when they last did a test restore. If they have never tested a restore, your backups are theoretical.
Who has admin access to our systems? Your IT company should be able to list every account with administrative privileges across your Microsoft 365 tenant, your network, your firewall, and your backup system. If they do not know, nobody is managing your access controls.
What happens if your company goes bust? This is uncomfortable to ask and essential to know. A well-run IT company has a business continuity plan that includes handing client data and credentials to a nominated third party. If they look offended by the question, that tells you something.
Are you reporting our security posture to us regularly? A good IT provider sends you a monthly or quarterly report covering patch status, backup success rates, security incidents, and any actions they have taken. If you never receive reports, you are paying for reactive support, not managed IT.
The Red Flags That Should Worry You
[Chart: Red Flag Frequency: What UK SMBs Report About Their IT Providers. Based on CTC reader survey and UK IT channel feedback, showing the percentage of small businesses that report each red flag with their current IT provider. Source: CTC editorial assessment based on UK SMB feedback, February 2026]
Some warning signs are obvious once you know what to look for.
They only contact you when the invoice is due. A proactive IT company schedules regular reviews — quarterly at minimum — to discuss your setup, upcoming changes, and security improvements. If the only email you get is the invoice, you have a billing relationship, not a support relationship.
They resist giving you admin credentials. Your Microsoft 365 tenant, your domain name, your firewall — these belong to your business, not your IT provider. If they hold admin access and refuse to share it, they are creating dependency rather than providing a service. You should always have a break-glass admin account that you control.
They cannot explain things in plain language. Technical jargon has its place, but your IT company should be able to explain what they are doing and why in terms you understand. If every conversation feels like a lecture, they are either showing off or hiding behind complexity.
They have no documented process for onboarding or offboarding staff. When you hire someone new, your IT company should have a checklist: create accounts, set permissions, configure devices, enrol in security policies. When someone leaves, the reverse: disable accounts, revoke access, wipe devices. If they wing this every time, your security has gaps.
They push hardware sales over service quality. Some IT companies make their margin on selling you equipment rather than providing good support. If every conversation turns into a pitch for new laptops or servers, check whether the recommendation is driven by your needs or their sales targets.
What IT Support Should Cost: Benchmarking for UK Small Businesses
One of the reasons small business owners struggle to evaluate their IT company is that they have no idea whether they are paying a fair price. IT support pricing in the UK is not standardised, and providers quote in different ways — per user per month, per device, fixed monthly retainer, or ad hoc hourly rates. Without a benchmark, you cannot tell whether you are getting value.
For a UK small business with 5 to 30 users, fully managed IT support — covering helpdesk, monitoring, patching, backups, security, and vendor management — typically costs between £50 and £100 per user per month including VAT. That range depends on complexity. A 10-person office running Microsoft 365 with a single server sits at the lower end. A 25-person firm with multiple sites, on-premises infrastructure, and compliance requirements sits at the upper end.
If your provider charges per device instead of per user, the pricing is less transparent. A user with a laptop, a mobile phone, and a monitor connected to a docking station could be counted as one, two, or three devices depending on how the provider defines it. Per-user pricing is simpler and easier to compare.
Watch out for providers who quote a low monthly retainer but charge separately for projects, out-of-hours support, new user setup, or hardware procurement. The retainer looks affordable until the extras add up. A good IT support contract covers all day-to-day support within the monthly fee and only charges separately for clearly defined project work — a new office setup, a server migration, or a major software deployment.
If you are paying less than £40 per user per month, your provider is either cutting corners or subsidising the support with hardware sales margins. If you are paying more than £120 per user per month for a straightforward small business setup, you are either getting premium service or overpaying. In both cases, ask for a breakdown.
How to Switch IT Providers Without Breaking Things
If your current provider fails the checklist above and you decide to move, the switching process matters as much as the choice of new provider. A badly managed transition can cause more disruption than the problems you are trying to solve.
Start by reading your contract. Check the notice period — 30 days is reasonable, 90 days is common, and anything longer is designed to make leaving difficult. Check whether there are early termination fees and whether they are proportionate. A termination fee that equals the remaining contract value is punitive.
Before you give notice, get your house in order. You need to know — or find out — who owns what: your domain name registration, your Microsoft 365 tenant, your firewall configuration, your backup service, your antivirus licences, and your broadband account. If your IT company registered any of these in their name rather than yours, reclaiming them takes time and sometimes costs money.
Request a full asset and credential handover in writing as part of your notice. This should include global admin access to your Microsoft 365 tenant, DNS management access for your domain, VPN and firewall configuration files, backup account credentials and encryption keys, a list of all software licences and their renewal dates, and documentation of your network setup.
A professional IT company will cooperate with this handover even though they are losing the business. If they obstruct the process, delay handing over credentials, or claim they cannot share configuration details for security reasons, that behaviour confirms you are making the right decision to leave.
Give your new provider at least two weeks to review the handover documentation before the cutover date. The ideal transition happens during a quiet period — avoid month-end, tax deadlines, or any week when your business has a major event. A Friday afternoon cutover gives the weekend as a buffer for problems, but make sure your new provider offers weekend support during the transition.
What Good IT Support Actually Looks Like
For a UK small business with 5 to 30 staff, good IT support means you barely think about IT. Your systems work. Your staff can get help quickly. Your data is backed up and tested. Your security is kept current without you having to chase it.
A good IT company contacts you before problems escalate, explains the options in language you understand, gives you honest advice even when the honest answer is "you do not need to spend money on this," and treats your business data as if it were their own.
The benchmark is not perfection — things break, outages happen, and no IT company can prevent every problem. The benchmark is how they respond when things go wrong and whether they are honest about what happened and what they are doing to prevent it recurring.
The Five-Minute Test
If you want a quick way to evaluate your current IT provider, try this. Call them on a Tuesday afternoon and ask these five questions:
1. When was our last backup test restore?
2. What version of Windows are our machines running?
3. Do you hold Cyber Essentials certification?
4. What is our average ticket response time this quarter?
5. If we wanted to leave, what is the process?
If they can answer all five clearly and without getting defensive, you probably have a decent IT company. If they stumble on more than two, start looking at alternatives. And if they cannot answer any of them, you are not getting managed IT support — you are getting someone to call when things break.

