Does Boston Managed IT work with companies with 50 to 100 employees?

Yes. Boston Managed IT specializes in companies with 50 to 150 employees — the size where IT complexity outgrows break-fix support but doesn't justify a large internal IT department. We provide a dedicated IT team, structured helpdesk, Microsoft 365 management, cybersecurity, and virtual CIO services designed specifically for mid-sized businesses in Greater Boston.

What is the right size company for a managed IT provider in Boston?

Managed IT services are most valuable for companies with 25 to 200 employees. Boston Managed IT focuses on the 50 to 150 employee range — organizations large enough to have complex IT needs across multiple users, devices, and cloud systems, but without a full internal IT department. At this size, a managed IT provider delivers better coverage at lower cost than hiring in-house.

What is managed IT services?

Managed IT services means a third-party provider like Boston Managed IT proactively manages your technology infrastructure, helpdesk, cybersecurity, and cloud systems for a flat monthly fee. Instead of calling for help after something breaks, you get continuous monitoring, patching, and support that prevents problems before they cause downtime.

How much does managed IT cost for a 50 to 100 person company in Boston?

For a company with 50 to 100 employees in Greater Boston, managed IT typically costs between $100 and $250 per user per month depending on scope. Boston Managed IT uses flat per-user pricing that includes helpdesk support, 24/7 monitoring, security, Microsoft 365 management, and vendor coordination — no surprise hourly charges. A 75-person company can typically expect full managed IT coverage for a predictable monthly budget.

Does Boston Managed IT serve Newton, Cambridge, and other Greater Boston cities?

Yes. Boston Managed IT provides on-site and remote managed IT services throughout Greater Boston including Newton, Waltham, Cambridge, Brookline, Burlington, Needham, Wellesley, Natick, Framingham, and surrounding communities. Our team is based in Waltham, MA and provides same-day on-site support across the region.

What makes Boston Managed IT different from other MSPs in Boston?

Boston Managed IT is a locally owned MSP based in Waltham, MA, focused on companies with 50 to 150 employees across Greater Boston. We offer a dedicated client team, average response times under 15 minutes, transparent per-user pricing, and deep expertise in Microsoft 365, cybersecurity, and compliance. Our Google rating is 5.0 stars across 22 reviews.

May 1, 2026

Business Continuity Planning for Small Businesses: What You Actually Need and How to Build It in a Day

Name: Boston Managed IT
Address: 282 Moody Street, Suite 312, Waltham, MA, 02453, US
Telephone: +16173225155
Rating: 5.0

Business, Business Continuity, Cyber Security

< BACK TO BLOG

The Short Version

A Business Continuity Plan (BCP) is the documented, tested process your organization follows to keep operating — or return to operation — after a disruptive event. You don’t need a hundred-page document to have a functional plan. What you need is clarity on six questions: What are your critical functions? How quickly must they recover? What’s the minimum resource set to do that? Who makes decisions in a crisis? What’s the communication protocol? And have you tested any of this? This guide answers all six and walks you through building a working plan.

What Business Continuity Planning Actually Is

Business continuity planning is not about preparing for the apocalypse. It’s about the realistic scenarios that actually disrupt small businesses: ransomware attacks, key staff becoming unavailable, office inaccessibility, critical vendor failures, and extended power or internet outages. The goal is to have a documented, actionable response — not a theoretical framework that nobody reads.

The discipline emerged from financial services and healthcare compliance requirements, which is why most BCP literature is written for large enterprises. Small businesses don’t need an enterprise BCP — they need a plan that’s proportionate to their size, reviewed annually, and actually tested.

Business planning documents on a desk — An effective BCP doesn’t need to be long — it needs to be accurate, accessible, and tested.

BCP vs. Disaster Recovery

These terms are often used interchangeably, but they address different problems:

A Business Continuity Plan addresses the question: “How does the business keep operating during a disruption?” It covers people, processes, communications, and workarounds. It may not require any technology to execute — it’s the plan for running a business in degraded conditions.

A Disaster Recovery Plan (DRP) addresses the question: “How do we restore our technical systems after a failure?” It covers backup restoration, failover procedures, RTO/RPO targets (covered below), and vendor dependencies for cloud and hosting infrastructure.

Both plans are necessary and complementary. The BCP tells you how to operate while the DRP is executing. The DRP tells you how to get systems back. Small businesses often only document one of the two — usually the DR side, because it’s more tangible — and discover during an incident that they didn’t know how to route customer calls or process orders without their normal systems.

The 6 Core Components of a BCP

1. Business Impact Analysis (BIA)

A Business Impact Analysis identifies your critical business functions and quantifies the cost of their disruption. For each function — customer billing, order fulfillment, client communication, payroll processing — you document what happens if it’s unavailable for 1 hour, 1 day, 1 week. The BIA output is a priority list: which functions must be restored first, and which can wait.

2. Risk Assessment

The risk assessment identifies the scenarios most likely to trigger a continuity event. For most small businesses, the top five are: ransomware/cybersecurity incident, critical employee unavailability, office inaccessibility, key software/SaaS platform outage, and primary internet or power failure. The assessment estimates both likelihood and impact, which drives which risks get the most planning attention.

3. Recovery Strategies

For each critical function and each identified risk, you document the specific recovery strategy: What’s the workaround if the primary method is unavailable? Who executes it? What resources are required? Recovery strategies are concrete, not aspirational — “we’ll figure it out” is not a strategy.

4. Plan Documentation and Procedures

The actual written plan includes: activation criteria (what triggers the plan), the decision-making chain (who declares an incident and who has authority to activate recovery procedures), contact lists (staff, vendors, customers, regulators), step-by-step procedures for each recovery scenario, and resource lists (offsite storage locations, backup vendor contacts, alternate facility details).

5. Communication Plan

A communication plan addresses internal coordination (how staff are notified of an incident and given instructions) and external communication (what customers, partners, and regulators are told, and when). Most small business BCPs omit external communication entirely — which means clients discover your outage by calling and getting no answer, rather than from a proactive message from you.

6. Testing and Maintenance

A plan that has never been tested is a document. Testing reveals assumptions, outdated contact information, missing procedures, and process gaps that aren’t visible on paper. Annual testing — even a 2-hour tabletop exercise — is the difference between a plan that works and one that fails at the worst possible time.

RTO and RPO: The Two Numbers That Drive Everything

Recovery Time Objective (RTO) is the maximum acceptable time your critical systems can be down before the impact becomes intolerable. An RTO of 4 hours means your plan must be designed to restore those systems within 4 hours. An RTO of 24 hours gives you more time — but also means you can tolerate a full day of disruption, which may not actually be true when tested.

Recovery Point Objective (RPO) is the maximum acceptable data loss measured in time. An RPO of 4 hours means you can afford to lose up to 4 hours of transactions, which means your backup frequency must be at least every 4 hours. An RPO of 24 hours means daily backups are sufficient.

RTO and RPO are business decisions, not technical decisions. The technical architecture must be built to meet the business requirements, not the other way around. Most small businesses set their RTO/RPO based on what their current backup infrastructure provides, rather than what the business actually needs. The right sequence is: determine what the business requires, then build the infrastructure to support it.

The Most Common BCP Mistakes

The plan is stored only in the systems it’s supposed to recover: If your BCP is a Word doc on your file server, and the file server is offline, you don’t have a BCP. Store it in at least two places outside your primary infrastructure — a printed copy, a personal cloud drive, a shared external document.
Contact lists aren’t maintained: Employee turnover, new vendors, changed phone numbers, and updated escalation paths make contact lists stale within 6–12 months. Quarterly review of contact information is minimal.
Only IT has a copy: The people who need to execute the plan during an incident are often not IT staff. Operations managers, HR, customer-facing staff, and executives all need access to the portions of the plan relevant to their roles.
No backup restoration tests: Stating that backups exist is not the same as knowing they work. Backup restoration testing — actually restoring data from backup and verifying it’s intact — should happen at least quarterly for critical data.

Testing Your Plan

There are three levels of testing, each progressively more rigorous:

Tabletop exercise: A facilitated discussion where key staff walk through a simulated scenario. No actual systems are moved or data restored — it’s a conversation. Takes 2–4 hours. Reveals gaps in the plan and in staff understanding. Minimum recommended frequency: annually.

Functional test: Specific recovery procedures are actually executed — failover to backup systems, restoration from backup, activation of alternate communication channels. Only affects non-production or isolated systems. More disruptive but more revealing.

Full simulation: A comprehensive test that simulates a real incident, including all recovery procedures, communications, and escalations. Rarely performed by small businesses but appropriate before major infrastructure changes or after a significant incident.

Check Business Continuity Plan Generator — Free

Answer a series of questions about your business operations, critical functions, and recovery requirements, and the generator produces a customized BCP document you can download, store, and begin testing. The output includes RTO/RPO recommendations, contact list templates, and a testing calendar.

Nicholas Salem is the CEO of Boston Managed IT, a managed services provider serving professional services firms and small businesses across Greater Boston. BMIT helps clients build and operate security programs that meet Massachusetts compliance requirements.

About the Author

Nicholas Salem

As the CEO of BMIT, a leading managed IT services company, Nick Salem is responsible for providing strategic leadership and direction to the organization. With over 15 years of experience in the IT industry, Nick has a strong track record of driving business growth and improving operational efficiency through the use of technology.

Your IT Partner Is Just a Click Away. Are you ready to stop thinking about IT?

We handle the infrastructure, helpdesk, and security — Boston businesses rely on us so they never have to think about IT again.

Book a consultation