What Your IT Provider Will Never Tell You About Your Security.

Your IT provider manages your systems — but that is not the same as managing your security. What Irish SMEs need to know about the gap between IT support and real protection.

A Sligo retail business had been paying its IT provider a monthly managed services fee for four years. Desktops were maintained, printers were connected, and the helpdesk answered quickly when something broke. When ransomware encrypted their file server on a Tuesday morning and brought the business to a standstill, the owner called the IT provider expecting a quick response. What he heard instead was: "We don't cover security incidents — that's outside our scope. You'll need to contact a specialist." It was the first time he had heard the word "scope" applied to his contract, and the first time he understood that managing his IT and securing his business were not the same thing.

That gap — between what IT providers deliver and what businesses assume they are getting — is one of the most common and most costly misunderstandings in Irish SME cybersecurity. This post is about what that gap actually looks like, why most IT providers will not raise it with you, and what you need to do to close it.

WHAT

Managed IT support, at its core, is about keeping your systems running. Your IT provider fixes things that break, manages software updates, maintains user accounts, and ensures your internet connection and hardware are operational. That is a legitimate and valuable service. But it is not a security programme.

The confusion arises because several of the things IT providers do look like security. They install antivirus software. They manage patching. They set up firewalls. These are security-adjacent controls, and they are necessary. But they are not sufficient, and there is a significant category of security work that most managed IT contracts do not cover at all.

Your IT provider almost certainly does not have someone monitoring your systems for signs of compromise around the clock. Security Operations Centre (SOC) monitoring — the continuous analysis of logs, alerts, and traffic patterns that would catch an attacker moving through your network — requires dedicated tools and dedicated people. Most Irish SME IT providers are not staffed or tooled for this. They are reactive: they respond when something breaks. Attackers, by contrast, are patient, moving slowly and deliberately over weeks or months before causing the kind of visible damage that would ever reach a helpdesk.

Your IT provider's SLA is not the same as cyber protection. A service level agreement that promises to respond to a helpdesk ticket within four hours is about uptime and continuity. It says nothing about detecting a business email compromise, identifying a phishing campaign, or isolating a compromised device before malware spreads. These are security functions, and they require a security programme, not an IT contract.

Do you know specifically what your IT provider's contract covers when it comes to a cyber incident — and have you ever asked them directly? Book a free 20-minute strategy call — we help Irish businesses understand exactly what their IT provider covers and where the security gaps are.

WHAT NOW

There are four questions you should put to your IT provider directly, in writing, and ask for a written response.

The first is: "What happens if one of our accounts is compromised?" The answer will tell you whether they have an incident response process or whether they will be learning on the job at your expense during the worst moment of your business year.

The second is: "Are you monitoring our systems for signs of intrusion — not just for hardware failures?" If the answer is yes, ask them to describe the tools they use, how alerts are escalated, and what their response time is for a security alert versus a standard helpdesk ticket.

The third is: "Who is responsible for our security policy and our user access reviews?" In many Irish SME environments, no one is. User accounts are created when someone joins and rarely removed when someone leaves. Former employees may still have active credentials to company systems. That is not an IT failure — it is a security governance failure, and it is the kind of thing that sits in the gap between IT support and a security programme.

The fourth is: "What does your contract exclude in the event of a cyber incident?" Read the answer carefully. Many IT provider contracts explicitly exclude security incidents, data recovery from ransomware, and any costs associated with a breach. That is not necessarily unreasonable — it reflects the limits of what they are contracted to deliver. But you need to know it before the incident, not after.

The NCSC Ireland is clear that organisations should not rely on a single control or a single vendor to manage their cybersecurity risk.[^1] A managed IT provider is one layer in what should be a layered security programme. If it is your only layer, you have a significant exposure.

WHY IT MATTERS

The Garda National Cyber Crime Bureau receives thousands of cybercrime reports from Irish businesses each year, and the most common factor in serious incidents is not sophisticated technical attacks — it is the absence of basic security governance.[^2] Businesses that assumed their IT provider had them covered and never independently verified that assumption. Businesses where no one had reviewed user access in two years. Businesses where backups were running but had never been tested. These are governance failures that no managed IT contract is designed to prevent.

For businesses in Sligo, Donegal, Cork, and across Ireland that handle personal data — which is virtually every business — the Data Protection Commission expects documented evidence of appropriate technical and organisational measures to protect that data.[^3] If a breach occurs and the DPC investigates, "our IT provider managed our systems" is not a satisfactory answer. The question will be: what security programme did you have in place, who was responsible for it, and how was it reviewed?

The difference between IT support and a security programme is not primarily a technology gap — it is a governance gap. Someone needs to own your security policy, review it annually, assess your risks, manage vendor relationships from a security perspective, oversee user access controls, and ensure your incident response capability is real rather than theoretical. In a large organisation, that is a CISO. In an Irish SME, it is increasingly a vCISO — a virtual security officer who provides that governance function without the cost of a full-time hire.

If your IT provider called you tomorrow to say they had detected unusual activity on your network, do you have a written incident response plan that tells your team exactly what to do next? Book a free 20-minute strategy call — we can help you build that plan and ensure your IT provider's role within it is clearly defined.

WHAT NEXT

First, read your IT provider contract today. Specifically, look for what is excluded. Most contracts are clear about exclusions in the small print, and security incidents are commonly listed there. You need to know what you are and are not buying.

Second, have a direct conversation with your IT provider about where the boundary of their responsibility lies. A good IT provider will be honest about this and may recommend security-specific services or partners to address the gaps. If they cannot clearly define where their responsibility ends, that is information you need.

Third, consider appointing a security-specific advisor — separate from your IT provider — to own your security programme. This does not need to be expensive. A fractional vCISO engagement provides the governance function you need at a cost appropriate to an Irish SME. The objective is to ensure that someone, independent of your IT infrastructure provider, is looking at your security posture with fresh eyes and no commercial interest in keeping the status quo.

Your IT provider is likely doing exactly what you are paying them to do. The problem is that what you are paying them to do is not the same as keeping your business secure. Closing that gap starts with understanding it.

[^1]: NCSC Ireland — Advice for Organisations: https://www.ncsc.gov.ie/advice-for-organisations/

[^2]: An Garda Síochána — Cyber Crime: https://www.garda.ie/en/crime/cyber-crime/

[^3]: Data Protection Commission — Ireland: https://www.dataprotection.ie

Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.