Are you paying for IT support, or waiting for the breakdown? 

There are two ways to buy IT. You can pay for someone to fix things when they break, or you can pay for someone to make sure they do not. They look like the same contract on a price sheet. In 2026, they are not the same business outcome. 

Most recruitment owners are paying for the first while assuming they have the second. The engineer turns up when called, the invoices are reasonable, nothing on the surface suggests a problem.

Underneath, nobody is watching the patching, testing the backups, or reviewing who still has access. The arrangement only fails on the day it matters – and by then the cost is no longer the monthly retainer. 

The good week is the one with no surprises 

Most owners assume their IT is fine because nothing has gone wrong this week. That feels like a reasonable position. It is not, quite, the same thing as IT being fine. 

The mechanic comparison is the one that lands. You only hear from your garage when something is already broken. By the time the engineer is in the car park, the repair bill is on its way. Nothing about that arrangement tells you whether the brake pads were checked last quarter, or whether the timing belt is overdue. 

Most SME IT contracts are written exactly the same way. Something breaks, you call, an engineer attends, an invoice is generated. Nothing about that model has anything to say about whether your devices were patched last Tuesday, or whether your backups would actually restore. 

The most expensive IT incidents we have seen across recruitment businesses did not start as incidents. They started months earlier, as a missed patch, an MFA gap, a backup nobody had tested. The week the call comes is the week the cost becomes visible. That is the wrong week to find out. 

What proactive IT actually means in 2026 

The National Cyber Security Centre rewrote the rules in 2024 and most owners have not caught up. The new patching expectation is explicit. Internet-facing services within five days. Internal systems within fourteen. Faster when the vulnerability is being actively exploited. 

The line worth taking to your next IT review is the NCSC’s own: 

“It is important that the business owns the risk, not the security team, and that it is visible to senior leaders.” 

That sentence reframes IT from a cost centre to a board accountability. It also dismantles the case for break-fix in a single line. A reactive arrangement cannot meet a five-day patching window because nothing is monitoring. The first time anyone notices a vulnerability is the day it gets exploited. 

The honest framing: the tools of proactive IT now sit inside Microsoft 365 Business Premium. Most recruitment SMEs already pay for them. The variable is not whether your business has access to the tools. It is whether anyone is configuring them, monitoring them, and reporting on them every month. 

The monthly report on the founder’s desk 

This is the artefact that decides the argument. A serious managed service produces it. Break-fix structurally cannot. 

What should be in it. 

Service desk numbers. Tickets opened and closed. How fast somebody answered. How many calls got fixed first time. What customers said when asked. 

Endpoint health. Patch compliance against the five-day and fourteen-day windows. Encryption coverage. Endpoint protection enabled. 

Backup and disaster recovery. Backup success rate, and the date of the last successful restore test. A backup that has never been restored is not, technically, a backup. 

Identity and security. MFA coverage as a percentage. Blocked sign-ins. Conditional access exceptions. Phishing reports. 

Incident posture. Open vulnerabilities by severity. Date the incident response plan was last reviewed. 

The single best number on this list, if you only watch one, is the proportion of issues fixed at first contact. It is the strongest single driver of how your team experiences IT. If it climbs over three months, your service is improving. If it does not move, you are paying for repair, not support. 

The founder test, on Monday morning, is one question: ‘When was our incident response plan last reviewed?’ If nobody owns the answer in your business, that is the gap a managed service exists to close. 

What three named UK incidents looked like 

This stopped being theoretical in 2025. 

Jaguar Land Rover. Production halted at three UK plants for five weeks. Tens of thousands of employees stood down. The entry vector was a social-engineering phone call. 

KNP Logistics. A 158-year-old Northamptonshire haulier entered administration in late 2023. Hundreds of redundancies. The entry vector was a single guessed weak password on one staff account, with no MFA in front of it. The company did not survive. 

Marks and Spencer. Around six weeks of online disruption over Easter 2025. A nine-figure operating-profit hit. The entry vector was a third-party contractor whose credentials were used to access the network. 

The pattern across all three is the same. None of them were exotic. The fix in each case was not more sophisticated technology. It was the routine, monthly, boring work that a managed service produces and a break-fix arrangement does not. 

Why this bites harder in 2026 

The macro picture turns this from a security argument into a survival argument. 

Small business confidence in the UK is at its lowest reading since the pandemic. A meaningful share of owners now expect to contract, sell up or close within twelve months. In a market where one in three small business owners thinks their business will not be here in a year, an avoidable IT incident is not an inconvenience. It is a contributor to the closure rate. 

What to do with this on Monday morning 

Three things, in order. 

  • Ask your current provider for last month’s report. The actual document. Patching percentages, first-contact resolution, backup-test date, incident response plan review date. If you do not get one, you have your answer about what you are paying for. 
  • Ask when your incident response plan was last reviewed. If nobody owns the answer, fix that this week. 
  • Pick one number off the report and watch it for three months. Start with first-contact resolution. If the number does not move, you are paying for repair, not support. 

The good week is the one where nothing broke. The good year is the one where you can prove, on paper, why nothing broke. Break-fix cannot produce that paper. That is the difference. 

If a serious incident hit your business this week, what would your last monthly IT report tell you about why? 

Let’s talk

Complete this quick form, and we'll be in touch to schedule a call at a time that suits you.
Our diverse team brings the knowledge and perspectives to provide IT solutions that are reflective of and responsive to the unique needs of your business.

CONTACT US

+44 20 7947 0345 hello@avensystech.com
Office 7
35 – 37 Ludgate Hill
London
EC4M 7JN
© Copyright 2025 Avensystech
Sitemap Privacy Policy Cookie Policy