This blog was originally published by Net at Work Inc.
Why Traditional Managed IT Security Isn’t Enough Anymore, and What SMBs Should Do Instead
The primary reason businesses with fully managed IT still get breached: their agreement covers system management, not modern cybersecurity. Attackers exploit identities, credentials, and access permissions—the things that keep working even as they’re abused. Managed IT keeps systems running. Cybersecurity protects them from being compromised. Most small-to-medium sized business (SMB) contracts only fully cover the first.
Key Takeaways
– Why managed IT and cybersecurity aren’t the same thing
– The structural gaps hidden in most managed services provider contracts
– What a modern, security-first managed services provider can deliver
– The questions to ask your provider this week
The Managed Services Provider Assumption: “We’re Covered”
Equating IT support with security made sense when the main threats were viruses, hardware failures, and network outages. But that world is gone. Attackers now go after credentials, identities, and the relationships between systems and users, not the perimeter.
As Brian Kingsley, Practice Director of IT Managed Services at Net at Work, puts it: “Security protection is a living thing and requires constant communication and adjustments as the landscape changes. If you bought a product and have not been involved since, that is almost a guarantee you have a problem.”
The distinction matters: support keeps your systems running, but security protects them from being compromised. These are different disciplines, and assuming one covers the other creates dangerous blind spots.
How Security Fails Even When IT Is “Working”
Those blind spots become apparent when you examine what traditional IT metrics measure. Excellent help desk response times, 99.9% server uptime, and flawless nightly backups won’t prevent an attacker with valid credentials from accessing your most sensitive data.
Today’s attacks follow predictable patterns that traditional IT support isn’t designed to catch:
– Stolen credentials from phishing or dark web purchases give attackers legitimate access, bypassing perimeter defenses entirely.
– MFA bypass through social engineering and technical exploits defeats the protection many consider their strongest defense.
– Third-party access abuse turns trusted provider connections into attack vectors.
– Permissions sprawl builds up over time—an intern who got admin access two years ago, a contractor whose login never got revoked, a finance app no one remembers approving—creating unmonitored pathways to sensitive data.
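The permissions sprawl in the last bullet is exactly the kind of thing a periodic, mechanical access review catches. What follows is an added example written for this page, not code from the original post or from any Net at Work product: it runs three review rules over a constructed identity inventory (a privileged role idle for more than 90 days, a contractor account past its end date, and a service identity with no accountable owner). The record shape, the role names and the 90-day window are assumptions.

```python
"""Access review over an identity inventory to surface permissions sprawl.

Added illustration; the record shape, role names, 90-day window and rows are assumptions
and constructed data, not any provider's tooling or a real tenant.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Account:
    name: str
    kind: str                    # "employee", "contractor" or "service"
    roles: frozenset
    enabled: bool
    last_login: Optional[date]   # None means the account has never signed in
    end_date: Optional[date]     # contractor engagement end, if any
    owner: Optional[str]         # person accountable for a service/app identity


PRIVILEGED = frozenset({"GlobalAdmin", "DomainAdmin", "BillingAdmin"})  # assumed role names
STALE_AFTER = timedelta(days=90)


def review(accounts, today):
    """Return (account, severity, reason) for every enabled account that fails a review rule."""
    findings = []
    for a in accounts:
        if not a.enabled:
            continue                       # already disabled: nothing to revoke
        priv = a.roles & PRIVILEGED
        idle = a.last_login is None or (today - a.last_login) > STALE_AFTER
        if a.kind == "contractor" and a.end_date is not None and a.end_date < today:
            findings.append((a.name, "high", f"engagement ended {a.end_date} but account is still enabled"))
        if priv and idle:
            findings.append((a.name, "high", f"privileged roles {sorted(priv)} unused for over {STALE_AFTER.days} days"))
        elif idle:
            findings.append((a.name, "low", f"no sign-in for over {STALE_AFTER.days} days; candidate to disable"))
        if a.kind == "service" and not a.owner:
            findings.append((a.name, "medium", "service identity has no accountable owner"))
    return findings


def summarize(findings):
    """Count findings per severity so the review can be tracked from one run to the next."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for _, severity, _ in findings:
        counts[severity] += 1
    return counts


# Constructed sample inventory mirroring the cases in the text: an old intern with admin,
# a contractor whose engagement ended, and an app identity nobody owns.
TODAY = date(2024, 3, 4)
INVENTORY = [
    Account("alice", "employee", frozenset({"User"}), True, TODAY - timedelta(days=3), None, None),
    Account("intern.j", "employee", frozenset({"User", "GlobalAdmin"}), True, TODAY - timedelta(days=400), None, None),
    Account("c.perez", "contractor", frozenset({"User"}), True, TODAY - timedelta(days=10), TODAY - timedelta(days=200), None),
    Account("svc-finance-app", "service", frozenset({"BillingAdmin"}), True, TODAY - timedelta(days=2), None, None),
    Account("svc-legacy-sync", "service", frozenset({"User"}), True, TODAY - timedelta(days=120), None, "ops@example.com"),
    Account("former.emp", "employee", frozenset({"DomainAdmin"}), False, None, None, None),  # already disabled
]

if __name__ == "__main__":
    results = review(INVENTORY, TODAY)
    for name, severity, reason in results:
        print(f"[{severity}] {name}: {reason}")
    print(summarize(results))
```

The rules are deliberately simple; the value is in running them on a schedule against the real directory export and owning the result, which is the "who owns identity risk" question later in the article.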
Consider what happened to Clorox in August 2023. As reported by Cybersecurity Dive, hackers breached the company through a social-engineering attack that targeted their IT help desk. The breach crippled their ability to ship products for months.
Clorox has since filed a $380 million lawsuit against the firm that managed their help desk, alleging credentials were handed to attackers without proper authentication. Tickets were being resolved the whole time. Their IT was “working.” Their security wasn’t.
Why Traditional Managed Services Provider Models Leave Security Gaps
The Clorox breach illustrates a broader pattern. Traditional managed services provider models have structural gaps that leave clients exposed, even when service levels are being met.
The result is that SMBs pay for managed IT and assume security comes with it, when in practice the agreement covers system management while the work of defending against modern attacks goes unowned. The gap is the unexamined assumption that the right tools are in place and that someone is running them.
Here are the gaps that typically sit behind what SMBs assume their managed services provider is handling:
– Reactive ticketing instead of continuous oversight. Problems are addressed after they’re reported, not proactively detected.
– No clear ownership of security tools. Tools get deployed without anyone responsible for monitoring alerts, tuning configurations, or responding to incidents.
– No identity visibility. Organizations are blind to who is accessing what resources and whether that access is appropriate.
– No defined incident responsibility. When something goes wrong, valuable time is lost determining who responds.
Another structural problem is how traditional models separate support and security.
“The traditional model splits support and security into two distinct products,” Kingsley notes. “When a client gets a support agreement, they are often without basic protection unless they then sign up for another agreement they’re not always aware of. It lets the managed services provider compete on price, but the client often doesn’t know what they need and doesn’t have it.”
What SMBs Should Expect Instead
Recognizing these gaps is the first step. The next is knowing what a modern managed IT partnership should deliver to strengthen your security posture and give you confidence in what’s being done:
– Clear security ownership. Someone is explicitly responsible for your security posture, not just your uptime.
– Identity-first visibility. You can see who is accessing your systems, from where, and whether their behavior patterns are normal.
– Always-on monitoring. Threats are detected as they emerge, not after damage is done.
– Measurable maturity. Benchmarks let you track improvement over time.
“Executives and businesses need to keep in mind that a security solution will work, until it doesn’t,” Kingsley emphasizes. “And once it doesn’t, your business will suffer the consequences.”
The framework that delivers these capabilities is Zero Trust, an approach that assumes nothing inside or outside the network should be automatically trusted. Every access request must be verified, every identity must be validated, and every activity must be monitored.
What a Security-First Managed Services Provider Looks Like
Adopting Zero Trust changes how you evaluate IT partnerships. Zero Trust serves as a lens for decision-making, providing clear criteria for evaluating changes: does this increase or decrease our attack surface? Does it improve or degrade our visibility? These questions cut through vendor marketing to focus on security outcomes.
Zero Trust also bridges the traditional gap between IT operations and security, integrating them around one goal: ensuring that the right people have the right access to the right resources at the right time, and nothing more. Whether you’re adding new employees, applications, or locations, the same principles apply.
Putting these principles into practice requires a managed services provider built for modern threats. Net at Work is an example of this model because security is integrated into core service delivery rather than treated as an optional add-on. That means unified managed IT and security agreements, identity-driven service design, governance, and execution working together, and maturity benchmarking against recognized frameworks like NIST and CISA.
Questions SMB Leaders Should Ask Their IT Partner
Whether you’re evaluating a new provider or your current one, the right questions can reveal whether your IT partner is protecting your organization or simply keeping the lights on.
- “Who owns identity risk in our environment?” If the answer is unclear or defaults to “that’s your responsibility,” you have a gap. Someone should be actively managing identity lifecycle, access permissions, and credential security.
- “How would we detect misuse of valid credentials?” Traditional security tools focus on blocking unauthorized access. But what happens when an attacker logs in with stolen but legitimate credentials? Your provider should have an answer.
- “Are we security-mature or just operationally stable?” Uptime and ticket resolution metrics don’t measure security. Ask how your security posture is assessed and whether it’s improving.
- “What happens in the first hour of a real incident?” The answer reveals whether incident response is planned or improvised. Look for specific roles, responsibilities, and communication protocols.
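The second question, how misuse of valid credentials would be detected, deserves a concrete answer, because the login itself succeeds and nothing is "blocked". As an added illustration written for this page (not code from the original post or from any Net at Work tool), the block below builds a per-user baseline from past successful sign-ins and scores each new sign-in for a new country, a new device, an unusual hour and impossible travel, alerting only when the combined score crosses a threshold. The event fields, the weights, the 900 km/h plausibility bound and the threshold are assumptions, and the sign-in records are constructed.

```python
"""Score successful sign-ins against each account's own history to catch valid-credential misuse.
Added illustration; fields, weights, speed bound and threshold are assumptions, records are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class SignIn:
    user: str
    ts: datetime       # timezone-aware, UTC
    country: str
    device_id: str
    lat: float
    lon: float
    success: bool

# Assumed weights: one new device is routine (replaced laptop); impossible travel never is.
WEIGHTS = {"impossible_travel": 3, "new_country": 2, "new_device": 1, "unusual_hour": 1}
ALERT_THRESHOLD = 3
MAX_PLAUSIBLE_KMH = 900.0    # roughly airliner speed; faster than that is not one person

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def build_baselines(history):
    """Per-user countries, devices and hours of day observed in successful past sign-ins."""
    base = defaultdict(lambda: {"countries": set(), "devices": set(), "hours": set()})
    for e in history:
        if e.success:
            base[e.user]["countries"].add(e.country)
            base[e.user]["devices"].add(e.device_id)
            base[e.user]["hours"].add(e.ts.hour)
    return base

def detect(history, stream, threshold=ALERT_THRESHOLD):
    """Return the successful sign-ins in `stream` whose deviation score reaches `threshold`."""
    baselines = build_baselines(history)
    last_seen = {}   # seeded from history so the first streamed event gets a travel check too
    for e in sorted(history, key=lambda x: x.ts):
        if e.success:
            last_seen[e.user] = e
    findings = []
    for e in sorted(stream, key=lambda x: x.ts):
        if not e.success:
            continue     # failures feed a different detection (spraying); this one is about successes
        reasons = []
        b = baselines.get(e.user)
        if b is not None:
            if e.country not in b["countries"]:
                reasons.append("new_country")
            if e.device_id not in b["devices"]:
                reasons.append("new_device")
            # usual hour = within one hour (wrapping at midnight) of any hour seen before
            if not any(min(abs(e.ts.hour - h), 24 - abs(e.ts.hour - h)) <= 1 for h in b["hours"]):
                reasons.append("unusual_hour")
        prev = last_seen.get(e.user)
        if prev is not None:
            hours = (e.ts - prev.ts).total_seconds() / 3600.0
            km = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
            if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
                reasons.append("impossible_travel")
        last_seen[e.user] = e
        score = sum(WEIGHTS[r] for r in reasons)
        if score >= threshold:
            findings.append({"user": e.user, "ts": e.ts, "score": score, "reasons": reasons})
    return findings

def _utc(*args):
    return datetime(*args, tzinfo=timezone.utc)

CHICAGO, LAGOS, NEW_YORK = (41.88, -87.63), (6.45, 3.39), (40.71, -74.01)

# Constructed sample data: a few days of normal activity, then one day of new events.
HISTORY = [
    SignIn("alice", _utc(2024, 3, 1, 13, 5), "US", "L-1", *CHICAGO, True),
    SignIn("alice", _utc(2024, 3, 3, 16, 0), "US", "L-1", *CHICAGO, True),
    SignIn("bob", _utc(2024, 3, 2, 15, 30), "US", "D-2", *NEW_YORK, True),
]
STREAM = [
    SignIn("alice", _utc(2024, 3, 4, 14, 0), "US", "L-1", *CHICAGO, True),   # normal
    SignIn("alice", _utc(2024, 3, 4, 15, 0), "NG", "X-9", *LAGOS, True),     # ~9,600 km one hour later
    SignIn("bob", _utc(2024, 3, 4, 15, 30), "US", "D-7", *NEW_YORK, True),   # replaced laptop: low score
    SignIn("bob", _utc(2024, 3, 4, 2, 0), "US", "D-7", *NEW_YORK, False),    # failed attempt: ignored here
]

if __name__ == "__main__":
    for f in detect(HISTORY, STREAM):
        print(f"{f['ts']:%Y-%m-%d %H:%M} {f['user']}: score {f['score']} {f['reasons']}")
```

In practice the history and stream come from the identity provider's sign-in log, and the scoring matters more than any single rule: a new device on its own stays below the bar so a laptop replacement does not page anyone, while a new device from a new country that is physically unreachable from the previous login is unmistakably a stolen session or password.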
And if you ask whether a product will prevent ransomware, pay close attention to the response. “If someone answers ‘yes’ to that question, then that is a major red flag because they are guaranteeing something that is impossible,” Kingsley notes. “The security landscape is constantly changing, and it’s important to realize security is a layered, multi-faceted approach.”
Key Takeaways: Five Actions You Can Take Now
- Audit your current security agreements. Pull out every contract you have with IT vendors and service providers. Identify exactly what security protections are included in your base agreements versus what’s treated as optional add-ons.
- Ask your providers the evolution question: “How does your approach adapt as the threat landscape changes?” Listen carefully to the answer. If it centers on buying additional products or upgrading to premium tiers, that’s a warning sign. If it describes ongoing assessment, continuous improvement, and framework-based security, you’re likely in better hands.
- Test what’s actually being done, not just what’s in the contract. Ask your provider for specifics: who reviews identity activity, how often, and what triggers a response? Who would call you in the first hour of an incident, and what is their name? If the answers are vague or generic, the work you assumed was happening probably isn’t.
- Request a Zero Trust readiness assessment. An IT maturity or Zero Trust readiness assessment can give you a clear picture of your current risk profile, identify priority gaps, and provide a framework for improvement, without the pressure of a major engagement. Many providers, including Net at Work, offer these assessments for organizations evaluating their security posture.
- Use your cyber insurance requirements as a coverage test. Insurers have tightened what they require over the past two years, which makes their checklists a useful third-party audit of what you have. Anything the insurer requires that your managed services provider isn’t demonstrably doing is a gap between what you assumed was covered and what is.
Want to find out what your current managed services agreement covers? Contact Net at Work for a Zero Trust readiness assessment—a no-pressure review to strengthen what you have, close the gaps, and give you confidence in what your agreement covers.