Choosing an IT provider feels like it should be straightforward. Someone looks after your computers, your email works, and you call them when something goes wrong. But the gap between a provider who keeps you running and one who leaves you exposed is wide, and you often do not find out which one you have until something breaks.
Most small businesses in Sydney choose their IT provider based on price or a referral. Those are not bad starting points, but they are not enough. The provider who quotes the lowest monthly fee may also be the one who has no idea whether your backups work.
Here are five questions to ask before you sign. They apply whether you are choosing your first managed IT provider or considering a switch from your current one.
1. Do They Monitor Proactively or Just React
This is the most important question and the easiest to test. Ask the provider: “If one of my servers goes down at 2am, how would you know?”
A reactive provider finds out when you call them the next morning. A proactive provider has monitoring in place that alerts their team in real time. They know about problems before you do.
Proactive monitoring covers device health, network performance, disk space, security alerts, and backup status. It means someone is watching your systems around the clock, not waiting for your phone call.
If the provider cannot clearly explain how their monitoring works and what it covers, that tells you something.
2. Do They Test Backups
Almost every IT provider will set up backups. Far fewer actually test them.
A backup that has never been restored is a guess. You are assuming it works. When you need it, after a ransomware attack, a hardware failure, or an accidental deletion, is the worst time to find out it does not.
Ask the provider: “How often do you test restores, and can you show me the results?” A good provider runs test restores on a schedule and documents them. They can tell you exactly how long a full restore would take and what your recovery point is, that is, how much data you would lose in a worst-case scenario.
The answer you are looking for is specific. “We test restores monthly and here’s what the last one showed.” If the answer is vague, “we check the backup logs,” that is not the same thing. Checking that a backup ran is not the same as confirming it can be restored.
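To make that last distinction concrete, here is an added example (not part of the original article and not any provider's actual tooling). It assumes a tar.gz backup and a SHA-256 manifest recorded at backup time. The function names and sample data are constructed for illustration. The archive is damaged after the backup job finishes, so the log-style check still passes while the test restore fails.

```python
import hashlib, tarfile, tempfile, zlib
from pathlib import Path

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def make_backup(src, archive):
    """Archive src and return {relative path: sha256} recorded at backup time."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for f in sorted(p for p in Path(src).rglob("*") if p.is_file()):
            rel = f.relative_to(src).as_posix()
            manifest[rel] = sha256(f)
            tar.add(f, arcname=rel)
    return manifest

def log_check(archive):
    """'We check the backup logs': the job ran and left a non-empty file."""
    return Path(archive).is_file() and Path(archive).stat().st_size > 0

def restore_test(archive, manifest):
    """Restore into a scratch directory, then verify every file against the manifest."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                for m in tar:  # our own archive, so member names are trusted
                    if m.isfile():
                        dest = Path(scratch) / m.name
                        dest.parent.mkdir(parents=True, exist_ok=True)
                        dest.write_bytes(tar.extractfile(m).read())
        except (tarfile.TarError, EOFError, OSError, zlib.error) as exc:
            problems.append(f"restore failed: {type(exc).__name__}")
        for rel, digest in manifest.items():
            restored = Path(scratch) / rel
            if not restored.is_file() or sha256(restored) != digest:
                problems.append(f"failed verification: {rel}")
    return problems

def demo():
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "data"
        src.mkdir()
        rows = "".join(f"{i},{i * 7919 % 10007}\n" for i in range(3000))
        (src / "ledger.csv").write_text(rows)  # constructed sample data
        archive = Path(work) / "backup.tar.gz"
        manifest = make_backup(src, archive)
        healthy = restore_test(archive, manifest)
        archive.write_bytes(archive.read_bytes()[: archive.stat().st_size // 2])  # simulate damage
        return healthy, log_check(archive), restore_test(archive, manifest)
```

Calling demo() returns the problem list for the intact archive, the result of the log-style check on the damaged archive, and the problem list from the test restore of that same damaged archive.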
3. What Security Baseline Do They Implement
Every IT provider will say they take security seriously. The question is what they actually do about it.
Ask for specifics. Do they implement multi-factor authentication (MFA), a second verification step when logging in, across all accounts? Do they manage patching, meaning security updates are applied on a regular schedule? Do they deploy endpoint detection and response (EDR), which monitors devices for suspicious behaviour? Do they follow a recognised framework like the Essential Eight, which is a set of eight security controls published by the Australian Cyber Security Centre?
A provider who cannot clearly list the security controls they implement as standard is a provider who does not have a security baseline. That means your protection depends on whatever was set up when you first started with them, and nothing has been reviewed since.
At CIO Tech, we implement a defined security stack for every client. It is not an add-on. It is part of how we handle IT.
4. Where Are They Based
This matters more than most people think. If your provider is based overseas or uses an offshore helpdesk, you will notice it when you need someone on-site.
A locked-out staff member at 8:30am needs help now, not in a different time zone’s business hours. A server issue that requires physical access to your office cannot be solved remotely from another country. A security incident where someone needs to walk through your office and check devices needs a local team.
Ask where their engineers are located. Ask how quickly they can get someone to your office if needed. Ask whether the person answering the phone is in Sydney or in a call centre overseas.
There is nothing wrong with remote support for routine issues. Most day-to-day IT support can be handled remotely. But when you need someone on-site in Sydney, you need them to actually be in Sydney.
5. Do You Get Reporting
If you are paying a monthly fee for managed IT, you should know what you are getting for it. That means reporting, not just invoices.
A good IT provider sends you a regular report that covers: how many support tickets were raised and resolved, what patching and updates were applied, what security events were detected, whether backups ran successfully, and what the overall health of your environment looks like.
This is not about creating paperwork. It is about accountability. Without reporting, you have no way to know whether your provider is actually doing what they promised.
Ask to see a sample report before you sign. If they do not produce reports, you are paying for a service you cannot verify.
The Question Behind the Questions
All five of these come down to one thing: is your IT provider managing your technology, or are they just available when you call?
The difference matters because IT problems do not announce themselves on a schedule. A ransomware attack does not wait until business hours. A failed backup does not send you a polite notification. A security gap does not show up on your monthly invoice.
You need a provider who is watching, maintaining, and improving your setup as a matter of course, not one who waits for you to notice something is wrong.
Next Step
If you are evaluating providers or just want to understand where your current IT stands, we are happy to have a conversation. No pitch, no pressure, just a straightforward discussion about what you need and whether we are the right fit.