What’s the real difference between managed IT and break-fix support?
Break-fix IT means paying by the incident: something breaks, you call a technician, you get billed for the hours it takes to fix it. Managed IT is a flat-rate subscription covering monitoring, patching, backups, and security as ongoing work, with incident response included rather than billed separately. The core difference is timing — break-fix responds after a problem has already caused downtime, while managed IT is built to catch issues (a failing drive, an expiring certificate, an unpatched vulnerability) before they turn into an outage.
For a 15-20 person Boston firm, that distinction shows up directly in the invoice. A single afternoon outage under a break-fix contract can run several hours at an hourly rate before the root cause is even found, because no one was watching the systems beforehand. Under managed IT, the same failing hardware is usually flagged by monitoring software days or weeks earlier.
How much does IT downtime actually cost a small business?
Downtime costs compound quickly once payroll, lost billable hours, and missed client deadlines are added up, even for firms with fewer than 50 employees. Industry benchmarking from Datto’s State of the MSP research consistently finds that businesses without proactive monitoring experience both more frequent and longer outages than those under managed service agreements, because problems aren’t caught until a system has already failed for end users.
The math matters most for professional services and healthcare-adjacent firms in Massachusetts, where a half-day outage can mean missed filing deadlines, delayed client deliverables, or compliance exposure under state recordkeeping rules — costs that don’t show up on the IT invoice but hit the business anyway.
Why are Massachusetts small businesses a growing ransomware target?
The FBI’s Internet Crime Complaint Center (IC3) reported that business email compromise remains one of the costliest categories of cybercrime nationally, with billions in reported annual losses, and small businesses are disproportionately represented because they typically lack dedicated security staff. Verizon’s Data Breach Investigations Report has repeatedly found that a large share of confirmed breaches hit organizations with fewer than 1,000 employees — the exact size range of most Boston-area SMBs.
Massachusetts adds a specific compliance layer on top of the general threat: under 201 CMR 17.00, any business that owns or licenses personal information about a Massachusetts resident is required to maintain a written information security program (WISP), regardless of the business’s size or industry. A break-fix relationship, where IT only shows up when something is already broken, rarely includes the ongoing documentation and monitoring that a WISP requires.
What should a Boston business look for when evaluating an MSP?
Three things separate a managed IT provider worth paying for from one that isn’t: response time commitments in writing (not verbal promises), a documented backup and disaster recovery test schedule (not just “we run backups”), and a named security framework the provider works from (CIS Controls, NIST CSF, or similar) rather than ad hoc practices. Ask any provider, local or national, to show — not describe — their patch compliance reporting and their most recent backup restore test. If they can’t produce it on request, it likely isn’t happening on a schedule.
Frequently Asked Questions
Is managed IT more expensive than break-fix in the long run? Break-fix often looks cheaper month-to-month because there’s no subscription fee, but it shifts the cost to unpredictable emergency labor rates and the business impact of downtime, which typically exceeds the flat monthly fee of a managed plan once an outage occurs.
Do small businesses actually need a Written Information Security Program (WISP)? Yes — Massachusetts law (201 CMR 17.00) requires any entity handling personal information of a MA resident to have one, regardless of company size.
How often should backups be tested, not just run? A working managed IT practice tests restores on a regular schedule (commonly monthly or quarterly) rather than assuming a completed backup job means the data is recoverable.
What counts as personal information under Massachusetts law? A resident’s first and last name combined with a Social Security number, driver’s license number, or financial account number is covered under 201 CMR 17.00’s definition.
Can a small business switch from break-fix to managed IT mid-contract? Most break-fix arrangements aren’t locked into long terms, so a transition typically starts with an infrastructure assessment before the new provider takes over monitoring and support.