Empowering Businesses Through Smarter IT
1860 SW Fountainview Blvd., Suite 100, Port St. Lucie, FL 34986

Is Your Managed IT Provider Actually Handling Security?


A small business owner in Stuart asks his IT provider one question and gets a confident answer: yes, we handle your cybersecurity. The owner relaxes. Six months later there is a ransomware note on the office workstation, the bookkeeper’s email has been quietly forwarding invoices to a fake address for ten days, and the IT provider explains that none of those things were actually in scope. The bill for cleanup is going to be larger than two years of managed IT fees combined.

That gap, between what an owner thinks managed IT covers and what it actually covers, is one of the most common reasons a small business that is paying for coverage still walks into a serious incident. Managed IT and managed security are different scopes. Most providers in the Treasure Coast space sell some of both, rarely all of both, and almost never the entire stack a modern small business actually needs.

Here is what is typically in a managed IT contract, what is usually missing on the security side, and how to figure out whether your provider is closing the gap or quietly leaving it open for someone else to fall into.

What Does Managed IT Usually Cover For Security?

Standard managed IT in a small business contract is operational support. The job is keeping the systems running, the users productive, and the small everyday problems off the owner’s desk. The day-to-day work in a typical contract usually includes:

  • Help desk for password resets, mailbox issues, application errors, and basic device support.
  • Patching the operating system and the major applications on a regular schedule.
  • Endpoint antivirus on every managed workstation and server.
  • Backup of the critical data, usually with a baseline retention policy that may or may not be tuned to your real recovery targets.
  • Monitoring whether the servers, switches, internet circuit, and core cloud services are up.
  • Onboarding and offboarding workflows for new and departing employees.

This is real work and it catches a lot. Consistent patching alone closes most of the easy attack paths against a small business, signature antivirus stops the noisy older malware, and a good user-account lifecycle shuts down a huge class of after-the-fact access problems. None of this is fake security.

Where Most Managed IT Contracts Quietly Stop

The question is what your managed IT service level agreement actually lists in the security section, line by line. If the agreement commits to antivirus on managed endpoints and nightly backups, that is genuine security work. It is also not a complete security program. Most agreements stop at that operational layer. The deeper detection, response, and threat-hunting layer either lives in a separate engagement with the same provider, lives with a different provider, or does not exist at all.

A good test is to read the contract with one question in mind: when an attacker actually gets in, who is named, on what response time, and with what authority to act? If the contract is silent on that, the security half of the engagement probably needs to be defined more carefully than the marketing copy made it sound.

What Is Managed Security And How Is It Different?

Managed security, sometimes called managed security services or an MSSP engagement, is a different kind of work. The job is not keeping the systems running. The job is detecting attackers, stopping them, and figuring out what they touched before, during, and after the moment something fires.

The work behind that scope usually involves several pieces that operational IT does not include by default:

  • A continuously monitored security operations function that watches alerts from endpoints, identity systems, network gear, and cloud services on a real twenty-four-hour schedule.
  • Detection rules tuned for the kinds of attacks small businesses actually face, not generic enterprise patterns built around a Fortune 500 environment.
  • Response actions when something does fire, including isolating a host, killing a suspicious process, disabling a compromised account, and revoking active session tokens.
  • Periodic threat hunts looking for the quiet, slow attacks that did not trigger an alert on day one and would otherwise sit inside the environment for weeks.
  • Reporting that explains what the attacker tried, what got blocked, what the gap was, and what should change in the next thirty days.

Why The Two Scopes Get Confused

Several of these pieces depend on infrastructure most managed IT contracts do not include. A properly configured managed firewall on the perimeter gives the security side visibility into outbound connections, and, once the internal network is segmented so that traffic between segments has to cross it, into lateral movement attempts as well; a perimeter-only firewall sees none of the traffic between workstations on the same flat network. Without that visibility, even a strong response team is missing half the story. Identity logs from Microsoft 365 or Google Workspace, network flow data, and endpoint telemetry all have to be flowing into one place before any of the detection work can happen.

Where managed IT asks "is the system working?", managed security asks "is somebody in here who should not be?" Both are real, both matter, and one is usually not a free upgrade on the other. The pricing for each one is also different. Managed IT is priced per user or per device on the assumption of predictable break-fix volume. Managed security is priced on the assumption of an always-on operations team plus the tooling that team needs to do its job, and the unit economics rarely fit under the same line item.

How Do You Tell If Your MSP Is Falling Short?

A few quick checks expose where most small business managed IT contracts come up short on the security side. Walk through these with whoever holds the contract today, and write the actual answers down rather than the verbal reassurance.

Does The Contract List Specific Security Outcomes?

"Antivirus installed" is a tool. "Detect and respond to malicious activity on all endpoints within fifteen minutes, twenty-four hours a day" is an outcome. Managed IT usually commits to the first. Managed security commits to the second. If the contract only lists tools without measurable outcomes, the provider is not on the hook for actually stopping an attack, only for installing the things that might help.

Is There Real Coverage On Security Alerts After Hours?

A lot of small business contracts say twenty-four by seven in the marketing copy and mean help desk only. Security alerts that fire at two in the morning should have a response path that does not depend on a technician noticing on Monday morning. Ask specifically: when a high-severity alert fires at 2 AM on a Saturday, who is paged, what do they have authority to do, and how long does the contract give them to do it. If the answer is fuzzy, the after-hours coverage is probably fuzzy too.

Is Real Detection Running On Every Laptop?

There is a meaningful difference between traditional antivirus and modern endpoint detection and response on every laptop. Detection-and-response tools see the behavior of an attack, including process injection, lateral movement, credential dumping, and ransomware encryption patterns, and can stop the chain early. Signature antivirus only recognizes files it has already been taught about, and modern attackers are very good at not being those files. If the contract uses the word antivirus without naming a detection-and-response platform, that gap is worth closing before any other change.

Is There A Written Incident Response Plan?

A response plan that lives in somebody’s head is not a plan. The provider should be able to hand you the document, walk you through who owns each role, and show you the date of the last tabletop exercise. Plans that have never been rehearsed tend to fall apart at the worst moment. Plans that have been rehearsed even once a year hold up surprisingly well.

Is Anyone Watching The Identity Logs?

Many modern attacks against small businesses start with a valid credential used from an unfamiliar location or device, not with a malware infection. If nobody is watching the Microsoft 365 or Google Workspace sign-in logs, an attacker who already holds a password walks in unchallenged even when every device is patched and every laptop has working antivirus. Identity monitoring is usually inside managed security, not managed IT, and the lack of it is one of the most common silent gaps in a small business stack.
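What "watching the sign-in logs" means in practice is a handful of rules run over every success and failure. The script below is an added example, not tooling from the page or from any provider; it runs three of the most common rules (success from a country outside the account's baseline, two successes too close together in different countries, and a success that follows a burst of failures) over constructed sample records. The record layout is a simplified, assumed shape rather than a real Microsoft 365 or Google Workspace export, the users and addresses are documentation placeholders, and the country baseline is supplied by hand where a real deployment would learn it from prior weeks of the same log.

```python
"""Review constructed sign-in records for the patterns the section above
describes. Added example, not the page's own tooling; the record layout is a
simplified, assumed shape, not a real Microsoft 365 or Google Workspace export."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def ev(ts, user, ip, country, result, mfa=True):
    return {"ts": ts, "user": user, "ip": ip, "country": country,
            "result": result, "mfa": mfa}


# Constructed sample data (RFC 5737 documentation addresses, example.com users).
SAMPLE_SIGNINS = [
    ev("2024-03-04T08:02:00Z", "bookkeeper@example.com", "203.0.113.10", "US", "Success"),
    ev("2024-03-04T08:40:00Z", "bookkeeper@example.com", "203.0.113.10", "US", "Success"),
    ev("2024-03-04T09:10:00Z", "bookkeeper@example.com", "198.51.100.77", "BR", "Success", mfa=False),
    ev("2024-03-04T17:00:00Z", "owner@example.com", "203.0.113.10", "US", "Success"),
    ev("2024-03-04T23:00:00Z", "owner@example.com", "192.0.2.55", "RU", "Failure"),
    ev("2024-03-04T23:01:00Z", "owner@example.com", "192.0.2.55", "RU", "Failure"),
    ev("2024-03-04T23:02:00Z", "owner@example.com", "192.0.2.55", "RU", "Failure"),
    ev("2024-03-04T23:03:00Z", "owner@example.com", "192.0.2.55", "RU", "Failure"),
    ev("2024-03-04T23:04:00Z", "owner@example.com", "192.0.2.55", "RU", "Failure"),
    ev("2024-03-04T23:05:00Z", "owner@example.com", "192.0.2.55", "RU", "Success", mfa=False),
]

# Assumed baseline: where each account normally signs in from. A real deployment
# learns this from the prior weeks of the same log instead of hard-coding it.
KNOWN_COUNTRIES = {"bookkeeper@example.com": {"US"}, "owner@example.com": {"US"}}


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def by_user(events):
    """Group events per account, oldest first."""
    grouped = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        grouped[e["user"]].append(e)
    return grouped


def finding(rule, e, detail):
    return {"rule": rule, "user": e["user"], "ts": e["ts"], "detail": detail}


def unusual_country(events, known):
    """Successful sign-in from a country outside the account's baseline."""
    return [finding("unusual_country", e,
                    f"success from {e['country']} via {e['ip']}, mfa={e['mfa']}")
            for e in events
            if e["result"] == "Success" and e["country"] not in known.get(e["user"], set())]


def impossible_travel(events, max_gap=timedelta(hours=2)):
    """Two successes for one account from different countries closer together
    than any plausible flight. Only consecutive successes are compared."""
    out = []
    for evs in by_user(events).values():
        last = None
        for e in evs:
            if e["result"] != "Success":
                continue
            if last and last["country"] != e["country"] and \
                    parse_ts(e["ts"]) - parse_ts(last["ts"]) <= max_gap:
                out.append(finding("impossible_travel", e,
                                   f"{last['country']} at {last['ts']} then {e['country']} at {e['ts']}"))
            last = e
    return out


def success_after_failures(events, window=timedelta(minutes=15), threshold=5):
    """A success preceded by a burst of failures: password guessing that worked."""
    out = []
    for evs in by_user(events).values():
        for i, e in enumerate(evs):
            if e["result"] != "Success":
                continue
            t = parse_ts(e["ts"])
            recent = [f for f in evs[:i]
                      if f["result"] == "Failure" and t - parse_ts(f["ts"]) <= window]
            if len(recent) >= threshold:
                minutes = int(window.total_seconds() // 60)
                out.append(finding("success_after_failures", e,
                                   f"{len(recent)} failures in the prior {minutes} min from {e['ip']}"))
    return out


def review_signins(events, known=KNOWN_COUNTRIES):
    """Run all three checks and return findings in time order."""
    found = unusual_country(events, known) + impossible_travel(events) + success_after_failures(events)
    return sorted(found, key=lambda f: (f["ts"], f["rule"]))


if __name__ == "__main__":
    for f in review_signins(SAMPLE_SIGNINS):
        print(f"{f['ts']}  {f['rule']:<23} {f['user']:<24} {f['detail']}")
```

On the sample data this produces four findings: the bookkeeper's mid-morning success from a second country trips both the baseline rule and the travel rule, and the owner's late-night success after five failures in five minutes trips the baseline rule and the brute-force rule. Note that both suspicious successes carry mfa=False, which is exactly the detail a responder needs in order to decide between "revoke the session" and "reset the password and re-enroll MFA".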

If the answers to these checks are mostly an I think so or a let me get back to you, the security half of the engagement is not where it needs to be. That does not mean the current provider is wrong. It usually means the contract was scoped for operational support and was never expanded to the security operations layer that small businesses now need to function.

What Belongs In A Small Business Security Stack?

A complete small business security stack, whether one provider runs all of it or two providers split it, should cover six layers. Walk through which layers already exist in your environment, which are partially covered, and which are missing entirely. A small business does not need every layer at enterprise grade, but it does need every layer to exist, somebody named on each one, and a clear answer to what happens when this fires at three in the morning.

The Six Layers To Map

  1. Identity and access. MFA on every account that touches business data, conditional access policies for risky sign-ins, regular review of who has admin rights, and a documented process for revoking access on the day someone leaves.
  2. Endpoint protection. Patching, modern endpoint detection-and-response (not just signature antivirus), full-disk encryption, and a mobile device management policy for company phones and tablets that touch business email.
  3. Email and web. Inbound filtering for phishing and business email compromise, URL rewriting and attachment sandboxing, DNS-based blocking of known-bad domains, and DMARC, SPF, and DKIM configured correctly on the sending domain.
  4. Network. Managed firewall, segmentation between the guest network and the business network, segmentation for IoT devices, and monitoring of outbound traffic to known command-and-control destinations.
  5. Backup and recovery. Tested restores, immutable backup copies the attacker cannot reach from the production network, and recovery time and recovery point targets that actually fit the business.
  6. Detection and response. A central place where the alerts go, twenty-four-hour monitoring, an on-call responder with the authority to act, and dark-web monitoring that catches leaked credentials before they get used.
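The email and web layer above says SPF, DKIM and DMARC must be "configured correctly", which is the kind of line a contract can tick without anyone checking. The script below is an added example, not tooling from the page or from any provider: it statically audits the three records as TXT strings, with a constructed weak set beside a corrected set for a fictional example.com. It does no DNS lookups, the selector name and DKIM key body are placeholders, and the SPF lookup count is a lower bound because nested includes are not expanded.

```python
"""Static audit of SPF, DMARC and DKIM records. Added example, not the page's
own tooling; the records are constructed strings standing in for DNS TXT
lookups, and nothing here touches the network."""
import re

SPF_LOOKUP_TERMS = re.compile(r"^[+\-~?]?(include:|a$|a[:/]|mx$|mx[:/]|exists:|redirect=)", re.I)
SPF_ALL_TERM = re.compile(r"^[+\-~?]?all$", re.I)


def parse_tags(record):
    """'v=DMARC1; p=none; rua=mailto:x' -> {'v': 'DMARC1', 'p': 'none', 'rua': 'mailto:x'}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record):
    if record is None:
        return ["SPF: no record published, so receivers cannot tell forged mail from real mail"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1 and will be ignored"]
    findings = []
    all_term = next((t for t in terms[1:] if SPF_ALL_TERM.match(t)), None)
    if all_term is None:
        findings.append("SPF: no 'all' mechanism, so unlisted senders get a neutral result")
    elif all_term.lower() in ("all", "+all", "?all"):
        findings.append(f"SPF: '{all_term}' lets any host send as the domain; end with -all (or ~all)")
    # Lower bound only: nested includes are not expanded. RFC 7208 caps DNS-querying terms at 10.
    lookups = sum(1 for t in terms[1:] if SPF_LOOKUP_TERMS.match(t))
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup terms exceed the RFC 7208 limit of 10; receivers return permerror")
    return findings


def check_dmarc(record):
    if record is None:
        return ["DMARC: no record, so SPF/DKIM results are never enforced or reported"]
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: record does not start with v=DMARC1 and will be ignored"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so nobody receives aggregate reports")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail")
    return findings


def check_dkim(record, selector):
    if record is None:
        return [f"DKIM: no key published at selector '{selector}'"]
    if not parse_tags(record).get("p"):
        return [f"DKIM: empty p= at selector '{selector}' means the key is revoked"]
    return []


def audit(domain):
    """domain = {'spf': str|None, 'dmarc': str|None, 'dkim': {selector: str|None}}"""
    findings = check_spf(domain.get("spf")) + check_dmarc(domain.get("dmarc"))
    for selector, record in domain.get("dkim", {}).items():
        findings += check_dkim(record, selector)
    return findings


# Constructed records for a fictional example.com; the DKIM key body is a placeholder, not a real key.
WEAK = {
    "spf": "v=spf1 include:spf.protection.outlook.com ?all",
    "dmarc": "v=DMARC1; p=none",
    "dkim": {"selector1": None},
}
CORRECTED = {
    "spf": "v=spf1 include:spf.protection.outlook.com -all",
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s",
    "dkim": {"selector1": "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAplaceholder"},
}

if __name__ == "__main__":
    for label, records in (("weak", WEAK), ("corrected", CORRECTED)):
        print(f"{label}: {audit(records) or ['no findings']}")
```

The weak set is the shape that most often passes a contract review unnoticed: a record exists for each of SPF and DMARC, so "configured" is technically true, yet ?all lets anyone send as the domain, p=none never rejects anything, no one receives the reports, and outbound mail is not signed at all. The corrected set is what a provider should be able to show on request.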

The reason most managed IT contracts do not include all six layers is straightforward. They were priced for operational support, not for security operations. That does not make the provider wrong. It makes the contract incomplete. The two paths from there are to expand the existing scope with the same provider, or to layer a managed security engagement on top of the existing managed IT relationship and have the two contracts spell out who owns what.

Either path can work. What does not work is leaving the question unresolved, because the assumption that managed IT silently covers all six layers is exactly how a small business pays for security every month and still ends up calling a forensics firm after an incident.

Frequently Asked Questions

What is the difference between an MSP and an MSSP?

An MSP, or managed service provider, keeps the IT environment running and the users productive. An MSSP, or managed security service provider, detects and responds to security incidents inside that environment. Many small business providers do some of both under one roof, but the dividing line is usually the level of dedicated security operations, the round-the-clock alert response, and the certifications the security analysts hold. A provider that mostly runs an MSP business may layer in some managed security work, but it is rarely the full MSSP scope and the contract usually reflects that.

Can one provider really do both managed IT and managed security well?

Yes, but the contract has to explicitly cover both scopes, not assume that one of them implies the other. Ask to see the security operations capability, the alert response process, the after-hours staffing plan, and the certifications on the security side specifically. If those answers come from sales rather than from a security engineer who actually runs the operation, treat that as a yellow flag and ask the same questions again in a more technical conversation.

How much more does managed security typically cost a small business?

The added cost depends on what is already in place. Adding round-the-clock detection and response on top of a baseline managed IT contract often runs in the range of twenty-five to sixty percent of the existing per-user fee, depending on the size of the environment and the risk profile. A small business with ten users and low data sensitivity pays much less than a thirty-user practice with HIPAA exposure. The right way to budget is to size the incident the business cannot afford, then work backward from what coverage actually prevents that incident.

Do small businesses really need managed security, or is solid managed IT enough?

A small business with low data sensitivity, MFA on every account, modern patching, and tested backups is already in better shape than most of its peers. The question is what the failure mode looks like. If a ransomware event or a wire-fraud incident would seriously hurt the business, the math usually favors adding security operations rather than hoping the operational stack catches everything. If the business handles regulated data, the answer is almost always yes.

What should be in writing when you add managed security?

Specific detection scope including endpoints, identity, network, and email. Response time targets for security alerts at each severity level. Defined after-hours coverage. Who has authority to isolate a device or disable an account during an active incident. The communication path during an event, including who calls the business owner and on what timeline. A defined reporting cadence with both monthly and post-incident reports. Avoid vague language like advanced security monitoring with no metrics attached, because that language is impossible to enforce later.

How can a small business test whether managed security is actually working?

Ask the provider to run a simulated phishing campaign, an unauthorized USB device test, and a benign endpoint detection test, such as the EICAR test file or a harmless command pattern the detection platform is expected to flag, on a sample workstation. A working program produces an alert, a documented response, and a follow-up report within the agreed time window. If any of those steps quietly fail, the gap is concrete and the conversation about closing it gets a lot more productive.

Does cyber insurance care about managed security specifically?

Cyber insurance renewal questionnaires increasingly ask about endpoint detection and response, MFA on every account, monitored backups, and twenty-four-hour alert response. A managed IT contract that does not address those items can put a renewal at risk or push the premium up sharply. The questionnaire itself is a useful gap analysis even if the business is not changing carriers, because it tends to list the controls insurers now consider table stakes for any small business they want to cover.

Where Should You Start?

The easiest first step is to map the six-layer stack against what your current provider actually delivers today. Most owners find at least one layer that is quietly missing, one that is named in the contract but never tested, and one that everyone assumed was the other team’s job. From there, the conversation with the provider, whether expanding the existing scope or bringing in a second partner, gets a lot more concrete.

If you would rather not run that map alone, a baseline security risk assessment gives you a layer-by-layer view of what is covered, what is missing, and what would change first. From that point, the question stops being am I really protected and becomes what specifically gets fixed this quarter.