If you run a small or midsize business, you have three real ways to handle IT. You can call someone only when something breaks (break-fix), hire your own staff to run it (in-house), or pay a managed IT provider a flat monthly fee to run and protect everything for you (managed IT). For most businesses past a handful of computers, managed IT wins on the things that actually cost money: less downtime, predictable spending, and someone watching your systems before they fail instead of after.
Break-fix still fits a very small shop with little technology. A full in-house team makes sense once you are large enough to keep one busy. Plenty of businesses land in the middle, with a setup called co-managed IT, where an outside team backs up the person you already have.
Key Takeaways
- Break-fix means you only pay when something breaks, but you also eat the downtime, and the bill is whatever the emergency turns out to be.
- In-house IT gives you a dedicated person who knows your business, but one hire cannot cover nights, weekends, vacations, and every specialty at once.
- Managed IT is a flat monthly fee for proactive monitoring, help desk, patching, and security, so most problems get caught and fixed before they reach you.
- Co-managed IT pairs your internal person with an outside team, filling the gaps without replacing anyone.
- The decision comes down to four things: how predictable you need costs to be, how much downtime you can tolerate, your security risk, and how fast you need help when something goes wrong.
Why “we’ll fix it when it breaks” quietly costs you
Think about how you treat a work truck. You can drive it until something lets go on the highway and then call a tow, or you can keep up the oil changes and watch the warning lights so it does not strand you in the first place. Business IT is the same choice, and most owners are running it the first way without ever really deciding to.
Here is what the tow on the highway looks like. The server dies the morning of payroll. The one employee who is good with computers spends the day on the phone with a vendor instead of doing their actual job. Nobody can take an order, pull up a chart, or send an invoice until it comes back, and by the time it does you have lost a day, paid an emergency rate, and you still do not know why it happened or whether it will happen again next week. The real cost was never the repair bill. It was the idle hours, the customers who got told “our system is down,” and the trust that takes a lot longer to rebuild than the server took to fix.
The other half of the problem is security, and here I will be blunt: nearly every owner I talk to believes it will not happen to them. You do not get to choose whether you are a target. Attacks are mostly automated now, scanning the internet for any business with a gap, and a small office in Iowa looks the same to a bot as a company ten times its size. A serious breach is expensive, too. IBM’s 2025 Cost of a Data Breach Report puts the global average at $4.44 million across the organizations it studied. Your business will not see a number like that, and you do not need to. A few days down, files you cannot reach, and a scramble to rebuild is enough to wreck a quarter.
So the question is not who you call when you break down. It is how you keep from breaking down on the day you can least afford it.
What is break-fix IT, and when does it still make sense?
Break-fix is the tow-truck model, and it is the one most businesses start with. Something stops working, you call a local computer shop or a contractor, they bill you for the time and parts, and the relationship ends when the problem is solved. No contract, no monthly fee, and no one watching your systems between calls.
The appeal is obvious. You only pay when you need help, so on a quiet month you pay nothing. For a business with two or three computers, no server, and almost nothing that would stop the day if it failed, that can be plenty.
The catch is everything that happens between calls. Nobody is applying security patches, confirming your backups actually ran, or noticing the drive that is about to fail. You find out about problems the same way your customers do, when they stop you from working. And because a break-fix shop makes its money when things break, there is no built-in reason for it to make your systems more stable. It is a fine way to fix a printer. It is a gamble as a strategy, and the thing you are betting is that nothing important breaks at a bad time.
Should you hire in-house IT instead?
The opposite approach is to bring IT into the building, the way you might put a full-time mechanic on staff: hire your own technician or build a small department. The upside is real. Someone is on staff who knows your people, your software, and your quirks, and they are right there when you walk over to ask.
The limits show up fast for a small business. One person is a single point of failure. They take vacations, get sick, and eventually move on, and your whole IT operation can walk out the door with them. No one person is an expert in everything, either. The skills to run a help desk, secure a network, manage a firewall, and plan a cloud migration rarely live in the same human, so you end up hiring outside help anyway for the parts your person does not cover. And a full-time hire is a salary plus benefits plus ongoing training, whether or not there is a full day of IT work to fill. Plenty of businesses pay for forty hours and get maybe fifteen of real IT work, with nobody covering the nights and weekends when a server actually tends to fail.
In-house starts to pay off when you are big enough, or specialized enough, to keep that person genuinely busy, and can afford a second one so you are not resting everything on one set of shoulders.
What do managed IT services actually cover?
Managed IT flips the model from reactive to proactive, and it looks a lot more like that maintenance plan than like a repair shop. You pay a provider, usually a flat monthly fee, to run and protect your technology on an ongoing basis: watching the systems around the clock, applying patches, managing your firewall and antivirus, running and testing backups, staffing a help desk, and looking after the servers and hardware. The whole point is to catch the failing drive and the missed update the way a good mechanic catches a worn belt, before it leaves you on the shoulder.
A few of the pieces are worth knowing in plain terms, because they are where the money is well spent. Patching and monitoring are the oil changes and the dashboard lights, unglamorous and automatic, and the reason small problems stay small. Real security today means endpoint detection and response, which watches each device for suspicious behavior, rather than old-style antivirus that only recognizes the threats already on its list. It means multi-factor authentication and least-privilege access, so one stolen password does not hand over the whole network.
And it means backups you have actually tested, with a defined recovery point and recovery time: how much data you can afford to lose, and how fast you need to be running again. This is the one I will plant a flag on. When we run our first audit with a new client, the single most common thing we find is that they have no proper, recoverable backups. They believe they are covered, but if they walked in tomorrow to find their data gone, they would have no real way to get it back. An untested backup is not a safety net. It is a guess.
One honest note. Managed IT lowers your risk a great deal, but nothing removes it entirely. Anyone who promises to stop every attack is selling you something. The job is to shrink the damage when something does slip through, and to get you back fast, not to pretend the risk is gone.
What if you already have an IT person?
This is the option most owners do not know exists, and it is often the best fit. Co-managed IT is not “fire your person and outsource everything.” It is keeping the internal staff you have and adding an outside team alongside them.
Your person keeps doing what they are good at and what only an insider can do: knowing the business, helping coworkers, handling the day-to-day. The provider covers what is hard for one person to do alone: round-the-clock monitoring, security tooling, patching at scale, after-hours coverage, and the specialties a single hire cannot keep up with. Your person also stops being the single point of failure, because someone has their back when they are out or buried.
If your internal IT person is drowning, or you quietly worry about what happens the week they are on vacation, co-managed is usually a better answer than either replacing them or hiring a second full-timer.
How do you choose the right model for your business?
Skip the feature lists and weigh four things honestly. The first is cost predictability. Break-fix is cheapest in a calm month and brutal in a bad one, while managed IT is a known number you can budget around, and if a surprise four-figure repair bill would actually hurt, that predictability is worth real money. The second is how much downtime you can absorb. Be honest about what an hour, or a day, of being down costs you in lost work, lost sales, and the customer who heard “our system is down.” The less you can take, the less break-fix makes sense. The third is security risk. If you hold customer data, take payments, or have to meet rules like HIPAA, PCI, or your state’s privacy law, “we patch when we remember” is not a position you can defend, and the proactive model stops being optional. The fourth is response speed, which is really the highway question again: when you break down, can you sit in a queue until tomorrow, or do you need someone who answers nights and weekends with a commitment in writing?
A rough rule of thumb from doing this a while: under a handful of computers with little to lose, break-fix can carry you. Past that, the real choice for most small and midsize businesses is managed or co-managed, not whether to be proactive at all. Big enough to keep two IT people busy, and a full in-house team starts to earn its place. Whatever you are leaning toward, start with an honest technology audit of what you actually have and where it is exposed, because you cannot choose well if you do not know the real state of your systems.
Where ANP fits
Advanced Network Professionals is a Spencer-based managed IT provider, and this is the model ANP is built around. We are a local team of 17, Microsoft- and Fortinet-certified, and a member of the Spencer Chamber of Commerce, not a far-off call center. Every engagement starts with an audit of what you have, which is usually where those missing backups come to light. We document what we find, fix the most important problems first, then keep everything monitored and maintained so issues get caught before they turn into outages. ANP runs fully managed IT services for businesses without internal staff and co-managed IT for those who have a person they want to keep, and backs both with 24x7x365 support. If you are weighing your options, the page above lays out what we cover, and a short technology consulting conversation can help you figure out which model fits before you commit to anything.
Frequently Asked Questions
How much do managed IT services cost?
Most managed IT is priced as a flat monthly fee, usually per user or per device, so the number is predictable. What you pay depends on how many people and devices you have, what is included, and how much security and compliance you need. The honest way to get a real figure is a short look at your environment rather than a number pulled off a web page.
Is managed IT worth it for a small business?
For most businesses past a few computers, yes, because the cost of one bad outage or breach usually dwarfs the monthly fee. The value is less in any single repair and more in the problems that never happen because someone caught them early. Very small setups with little technology may still do fine on break-fix.
Can I keep my current IT person and still use a managed provider?
Yes, and that is exactly what co-managed IT is for. Your internal person keeps the work that benefits from an insider, and the provider adds monitoring, security, after-hours coverage, and specialized help. It also means your business is not stuck the week your person is out.
What is the difference between break-fix and managed IT?
Break-fix is reactive: you call when something breaks and pay per incident. Managed IT is proactive: a flat fee for ongoing monitoring, maintenance, and security designed to prevent the break in the first place. The short version is that break-fix fixes problems and managed IT works to keep you from having them.
Talk it through with a local team
You do not have to sort this out alone, and you do not have to commit to anything to get a straight answer. If you want help figuring out which model fits your business, request a quote or contact ANP, and we will start with a look at what you have today. No pressure, no jargon.
John Hass is the Managing Partner of Advanced Network Professionals in Spencer, Iowa, and has spent nearly three decades in IT helping northwest Iowa businesses run and protect their technology.