What Should Small Business IT Support Include?

A practical checklist for owners comparing IT support, Microsoft 365 security, email protection, backups and reporting.

Good small business IT support should do more than answer tickets. It should protect the systems the business depends on, explain risk in plain English, and make ownership clear for accounts, devices, domains, backups and recovery.

Small business IT support checklist

Support area | What to look for | Why it matters
Microsoft 365 and identity | MFA, admin separation, mailbox rule review, secure sharing and account recovery checks. | Compromised accounts are one of the easiest ways into a small business.
Email security | SPF, DKIM, DMARC, phishing protection, impersonation checks and user guidance. | Email is where invoice fraud, fake login pages and supplier impersonation usually start.
Device protection | Managed endpoint protection, patch oversight and clear handling for lost or risky devices. | Staff devices hold tokens, business files and access to cloud systems.
Backups and recovery | Coverage for important data, restore testing and written recovery expectations. | A backup is only useful if it can be restored when the business needs it.
Documentation | Domains, DNS, hosting, admin access, backup ownership and important supplier details recorded. | Poor documentation makes every outage, staff change or provider switch harder.
Reporting | Plain-English summaries of what changed, what is protected and what still needs approval. | Owners need decisions, not a wall of technical noise.

What should happen in the first month?

The first month should identify the highest-risk gaps and fix the easy wins quickly. For many businesses, that means reviewing Microsoft 365 access, checking email authentication, confirming endpoint protection, documenting domains and admin accounts, and testing at least one important restore.

What should be ongoing?

  • Helpdesk support for staff access, devices and business systems.
  • Security review of accounts, mailbox rules and suspicious sign-in activity.
  • Monitoring and maintenance of endpoint protection and patching.
  • Backup oversight and periodic restore checks.
  • DNS and domain changes documented when mail, hosting or providers change.
  • Owner-level reporting when a decision or risk acceptance is needed.

Red flags when comparing providers

  • No clear answer on who owns Microsoft 365, DNS, backups or administrator access.
  • No process for provider switching or exit handover.
  • Security treated as an optional extra rather than part of normal support.
  • No plain-English reporting for business owners.
  • No evidence that backups have been tested.

Where to start

If you are not sure what is currently exposed, start with the Free Security Check or run the Domain Health Check. If you are actively comparing providers, read How to Choose an IT Support Provider.

Related reading: Managed IT vs Break-Fix Support, Microsoft 365 Security, and 30-Day Security Hardening Process.
