How to compare MSP Offers: Price vs. Value – Making the Right Choice for Your Business

Kris Wilkinson, November 17, 2023

In an era where technology and security are essential, choosing the right Managed IT Services Provider (MSP) is a critical decision. An influx of new MSPs has introduced many offerings, promising a variety of services and outcomes. We believe in empowering businesses to understand the offering, ensuring the partnership is resilient, effective and understood. In this article, we’re going to help you compare MSP offers and make an informed decision.

You’ve heard it a million times: You get what you pay for. The MSP industry is no different and is moving towards commoditization with two predominant streams: Price-Centric and Value-Centric. Not all MSP offers are equal, and you should choose one that aligns with your appetite for risk.

Price-Centric MSPs

Price-centric MSPs offer lower rates, which requires them to logically remove pieces to keep the upfront price low. In most cases, you can add additional licenses or services as required (if they offer them) to align the offering with best practices or your tolerance for risk. Be cautious, though: Price-centric MSPs may have a considerable list of support exclusions, resulting in unexpected charges.

Here are several things to consider:

  • They may charge extra for certain technical or proactive services like:
    • Server Backups
    • Microsoft 365 or Google Workspace Backups
    • Onsite work
    • Specific types of incidents (Helpdesk)
    • PC deployments
    • Adding or removing users
    • vCIO (Virtual Chief Information Officer)
    • Strategic planning
    • Access to training platforms
    • Firmware/BIOS updates for Critical Infrastructure
    • Penetration Testing
  • They may reduce the frequency at which certain services are performed:
    • Applying security updates every year, or not at all, instead of each month
    • Performing phishing testing once per year, instead of every week or two
  • They may remove certain types of security services like:
    • SOC (Security Operations Centre) Protection
    • Phishing Testing
    • Dark Web Monitoring
    • On-going compliance checks (year-round)
  • They may include lower-quality vendors
    (e.g. using a weaker antivirus that detects or stops less)
  • They may charge for onboarding

This isn’t an exhaustive list, and each MSP is unique. When you receive your proposal, a deeper evaluation should be performed to confirm what is and is not included. If you’re focused solely on price, make sure you’re comfortable with the inherent risk. It’s also important to consider how much more it will cost to add certain services back in, and the financial impact the exclusions list could potentially have overall.

Value-Centric MSPs

Value-centric MSPs generally cost more because they include more. Their offerings are less complex and help businesses adhere to best practices by simply including most services, which results in better protection, transparency, and fewer surprises. Value-centric MSPs tend to be proactive in nature, security-focused, process-driven, and offer deeper integration and strategic planning. As an added benefit, they may not have a lengthy list of chargeable exclusions or available add-ons, because they’re simply included. Value-centric MSPs often appear more expensive at face value, but may ultimately be cheaper if the missing pieces are added back into a competing Price-centric MSP offering.

Questions to ask each MSP

To navigate the complexities, we’ve prepared a list of questions to ask MSPs. This will help you determine what is and is not included, allowing for a line-by-line comparison.

Helpdesk

What it is: Every MSP should offer a helpdesk to support your team day-to-day.
Why it’s important: A weak helpdesk team impacts your team in many ways.

Question(s) to ask:

  1. How much helpdesk time is included during business hours per month?
  2. Is there an extra charge for onsite, after-hours or business-hours support?
  3. What types of support or incidents aren’t covered?
  4. Is there a mandatory escalation process including a max duration per technician, to ensure resolution is efficient?

Preventative Maintenance

What it is:  Your network has many devices connected, including computers, servers, networking and more. All systems should be updated regularly for security, performance and stability.
Why it’s important: Many MSPs do not provide regular maintenance beyond Windows Updates. All network-connected systems, inside and outside your sites, should receive updates via maintenance to protect the business.
Question(s) to ask:

  1. How often are Windows Updates applied to Desktops and Servers?
  2. How often are BIOS and Firmware updates applied to server hardware, network switches, wireless equipment, and firewalls? Is there an additional charge to apply these updates?

Asset Management & 24/7 Monitoring

What it is:  Your network has many devices connected, including computers, servers, networking and more. Each device should be tracked and catalogued so that you maintain an accurate inventory of assets.
Why it’s important:  Security, taxation and visibility.
Question(s) to ask:

  1. Do you regularly scan all connected devices including computers, servers and networking equipment in real time for issues and for asset management purposes? If not, how much does it cost?

Computer Deployments

What it is: This refers to setting up and integrating new computer systems within your network.
Why it’s important: Proper computer deployments ensure that new systems are securely and effectively integrated into your existing network. Most MSPs do not include time to deploy or rebuild computers, which means your business will incur extra charges.
Question(s) to ask:

  1. Do you charge extra to deploy, or rebuild, computers? If so, how much?
  2. If deployment is included, do the computers have to be purchased from the MSP to be eligible?
  3. Do you come onsite to set them up? Is onsite deployment an extra charge?
  4. How do you ensure all computers are set up properly and include all software and settings for the particular user?
  5. Do you have an evergreening process that helps us replace computers every 3-5 years proactively? How often do we meet to review the list of PCs and budget for them?
  6. Before reusing and rebuilding a computer for another user, do you securely wipe the drive to ensure existing data cannot be recovered by the next user?

Potential Impact: $250-$800 per PC per deployment

Adding / Removing Users

What it is: Users come and go. When this happens, accounts need to be created or shut down.
Why it’s important: Many MSPs charge extra to add or remove users.
Question(s) to ask:  

  1. Do you charge extra to add or remove users? If so, how much?

Potential Impact: $50-$250 per user add or removal

Microsoft 365 or Google Workspace Backup Service

What it is: This service ensures that your data stored in Microsoft OneDrive, Google Drive, Teams, SharePoint, and Email are continuously backed up and safeguarded.
Why it’s important: It acts as a safety net, protecting your data from loss through accidental deletion, security threats, or unexpected issues typically caused by users (not Microsoft). As on-premise servers become irrelevant, backing up your data with Microsoft is just as important as a server backup.
Question(s) to ask:  

  1. Do you include a Microsoft 365 or Google Workspace backup service that protects all users and shared data? If not, how much is it?
  2. How many times per day does it back up each user’s data?
  3. Does it protect private messaging data between users in Microsoft Teams?
  4. What doesn’t it protect?
  5. Where is the data stored when backed up (e.g. Canada)?

Potential Impact: $5-$10 per user per month.

EDR Protection

What it is: Endpoint Detection and Response (EDR) is a security solution that helps in identifying and responding to suspicious activities on endpoints like computers and servers.
Why it’s important: It enhances the protection of your endpoints from advanced threats, ensuring that risks are quickly identified and mitigated.
Question(s) to ask:

  1. Is EDR Protection included with the service for all computers and servers? If not, how much is it?

Potential Impact: $3-$7 per endpoint per month

SOC Protection

What it is: A Security Operations Center (SOC) is a centralized team that deals with security issues on an organizational and technical level. They provide real-time 24/7 security incident monitoring, containment, and support. A SOC should not be mistaken for regular 24/7 RMM monitoring, which is often designed to identify site outages or general technical issues.
Why it’s important: This ensures continuous surveillance of your systems, promptly identifying and responding to threats.
Question(s) to ask:

  1. Is a SOC (Security Operations Center) service included? If not, how much is it?
  2. Is the SOC service your own, or outsourced to a third party? Which one?
  3. Please clarify how your SOC service differs from standard RMM monitoring in terms of specific tools, processes, and personnel dedicated to real-time cybersecurity threat detection and response.

Potential Impact: $5-$20 per user per month

Penetration Testing

What it is: An annual security exercise where security professionals simulate cyberattacks on your system to identify vulnerabilities. There are numerous levels of Penetration Testing available.
Why it’s important: It helps in proactively identifying and addressing potential weaknesses before they are exploited by attackers. It also holds your MSP or MSSP accountable by having a third party or third-party service analyze your cyber-security posture.
Question(s) to ask:

  1. Is Penetration Testing included? If not, what does it cost?
  2. Is the test performed by your own team or a third-party security partner? Who is it?
  3. Please explain the depth and extent of your penetration testing services, particularly focusing on whether it involves standard automated tool-based testing or advanced penetration testing involving cyber-security experts and more comprehensive testing techniques.

Potential Impact:  $2,500-$50,000 per year, depending on the level of testing

Online University and Training Portal

What it is: Online platforms that provide various training modules related to cybersecurity and office productivity.
Why it’s important: Continuous learning helps keep the team updated with the latest best practices and threat prevention strategies.
Question(s) to ask:

  1. Is an online training portal available with course material that can be used during employee onboarding, or annually, to provide basic cyber-security training? If not, what does it cost?
  2. Does the portal offer additional courses for Microsoft 365 or Google Workspace?

Potential Impact: $5-$15 per user per month

Phishing Testing

What it is: Regular simulated e-mail phishing testing provided by a service provider to educate the team and assess their awareness and responsiveness to emerging phishing threats.
Why it’s important: This exercise helps ensure your team is equipped to recognize and appropriately respond to ongoing phishing attacks.
Question(s) to ask:

  1. Is a Phishing Testing service included? If not, how much is it?
  2. Does the testing service run weekly, bi-weekly, monthly, quarterly, or annually?
  3. What happens when an employee fails a phishing test?

Potential Impact: $1-$5 per user per month

Dark Web Scanning

What it is: Regular scans on the dark web to ascertain if your business data is being traded or is at risk.
Why it’s important: It helps in identifying potential threats and data breaches early, enabling proactive protective measures.
Question(s) to ask:

  1. Is Dark Web Scanning included? If not, how much is it?
  2. How often does the service run its scans?
  3. When content is found, is there a charge to deal with remediation? If so, how much?

Potential Impact: $1-$5 per user per month

Drive Encryption

What it is: Tools like BitLocker are used to encrypt drives in computers, protecting the stored data.
Why it’s important: It adds an extra layer of security, safeguarding sensitive information like PII (Personally Identifiable Information) from unauthorized access and theft. For example, if an HR employee’s computer housing e-mail or documents about employees is lost or stolen, you must be able to prove it was encrypted or report the incident as a privacy breach to the government.

Question(s) to ask:

  1. Is Drive Encryption monitoring included for all computers? If not, how much?

Potential Impact: $2-$7 per device per month

Additional Considerations

Based on experience, we recommend confirming if the following services or fees are covered by the offering:

  • Is After-Hours Support Included? Support outside of regular hours might be more expensive. Some providers charge higher hourly rates for after-hours services, adding to the cost. We recommend working with an MSP that includes after-hours support for emergencies, and emergencies should be defined by both parties ahead of time so that it’s understood.
  • Does the MSP charge extra to support mobile devices (e.g. iPhone, iPad)? Some MSPs may charge an extra fee for each mobile device that needs support. Confirm if additional costs can be expected.
  • Does the MSP charge to build quotes for Projects? Some providers might add extra charges for creating project quotes (we’re not talking about doing the actual project work). These fees can add unexpected costs, ranging from 0.5 to several hours of work. Ideally, you shouldn’t pay to have a quote created. This should be something that is covered as part of the MSP’s Proactive Process.
  • Does the MSP support Third-Party Software? Support for LOB (line-of-business) software used by your team might not be included and could come with hourly charges, making the service more costly in the long run. Confirm if all of your software will be supported under the agreement.
  • Does the MSP include LOB Software Updates? Applying updates to third-party software or fixing related issues might come with extra hourly costs, adding to the overall expense. Confirm if applying updates for applications like QuickBooks, Sage 300, or other applications, is included.
  • Are Unforeseen Incidents from Software Updates covered? Unexpected problems might not be covered when updates are applied, leading to additional hourly charges for fixing issues not included in the standard package. Confirm if this is included.
  • Does the MSP charge an Onboarding Fee? Starting the service might come with an extra fee, adding to the initial cost. This fee could be a flat rate or equivalent to a month of services.
  • Does the MSP charge an Assessment Fee? Initial assessments may also have extra charges, adding another cost at the beginning of the service.

Example Comparison

As you receive proposals, build a comparison table that can be used to confirm what is and is not included, and how each addition or exclusion impacts the overall price. For demonstration purposes, the table below focuses exclusively on price influencers. When you build your own table, ensure you include all of the questions provided above so that you get a broader understanding to compare against.

In this example, after running the numbers against the total number of users, the Price-Centric MSP:

  • Costs more
  • Has less included in the offer
  • Offers more risk because of the number of exclusions

If your business is looking for less risk each month, from both a financial and security perspective, the Value-Centric MSP is the logical choice.

Summary

In conclusion, choosing the right Managed IT Services Provider (MSP) is a critical decision that can significantly impact your business. It’s essential to understand the difference between Price-Centric and Value-Centric MSPs and align your choice with your risk appetite. Remember, not all MSP offerings are equal. Price-centric MSPs may offer lower rates but exclude important services or best practices, which could lead to unexpected charges or incidents. They may also not be cheaper after you account for the missing pieces. On the other hand, Value-centric MSPs may appear more expensive at face value but often provide more comprehensive proactive services and maturity, resulting in better protection, transparency, and fewer surprises.

When evaluating MSPs, ask detailed questions about their offerings and run a full comparison line by line. Consider the potential charges for additional services like computer deployments, adding/removing users, cyber-security, backups, and onboarding. Consider whether you want the MSP to be more integrated, strategic, proactive, or simply a helpdesk.

Ultimately, the goal is to forge a resilient, effective, and understood partnership with your MSP. By making an informed decision, you can ensure that your chosen MSP will meet your business’s needs and help you navigate the complexities of today’s technological landscape.

SIRKit is a Value-Based MSP that believes in transparent, comprehensive services that protect our partners. If you need help comparing MSPs, please don’t hesitate to reach out to us. We’ve helped hundreds of businesses make logical choices, even if it means proceeding with a third party.