Every IT support company in Cyprus will tell you the same things.
Proactive. Responsive. Your trusted technology partner. The proposals arrive with similar layouts, similar promises, and similar pricing tiers.
And on paper, most of them look credible enough.
The problem is that the gap between what is promised during a sales conversation and what is actually delivered once the contract is signed can be enormous.
Most business owners only discover that gap when something has already gone wrong.
This article is for business owners and managers who want a practical way to evaluate their options before signing anything. You don’t need a technical background to use it. You just need to know which questions to ask and what a good answer actually sounds like.
Why the Wrong Decision Is Harder to Undo Than Most People Expect
Switching IT providers is not like switching a phone contract. It takes time, it creates disruption, and if it’s handled poorly, it poses real risk: data that isn’t transferred properly, systems that lose monitoring coverage during the gap, and configurations that the outgoing provider holds and won’t document.
Most business owners know this, which is part of why so many stay with an underperforming provider. Change feels risky. Staying feels safer, even when staying means accepting slow response times, recurring problems that never fully get resolved, and a growing suspicion that nobody is really watching the systems the way they should be.
But the cost of staying with the wrong provider grows over time. Vulnerabilities that should have been addressed months ago haven’t been. The security controls discussed in the initial proposal never materialised. Monitoring tools flagged alerts that sat in a queue nobody looked at. And eventually, one of those unresolved gaps becomes something serious.
The businesses that come to us after a difficult experience with another provider almost always describe one of the same four situations: a ransomware attack, a significant period of downtime, an invoice they didn’t expect and couldn’t justify, or the gradual realisation that their provider had no actual plan for their technology beyond keeping the lights on.
In most cases, the situation was preventable. In most cases, the warning signs were there earlier, but there was no framework for recognising them.
The Thing Most People Don’t Know About the IT Industry
Before you start comparing proposals, there’s something worth understanding about the industry you’re buying from.
IT support is completely unregulated. In Cyprus and most countries worldwide, there is no governing body, no required qualification, and no minimum standard a company must meet before calling itself a managed service provider. Anyone can register a business, write a proposal, and start selling IT support contracts. There’s nothing stopping them.
This isn’t a criticism of individual providers. Most people in the industry are capable and well-intentioned. But it does mean the quality gap between the best providers and the worst is wider than in almost any other professional services sector. And because the gap isn’t visible from the outside, the only reliable way to identify which side you’re dealing with is to ask the right questions and pay close attention to how they’re answered.
The Questions Worth Asking Before You Sign Anything
These seven questions are the ones we recommend putting into any IT provider you’re seriously considering. The content of the answers is important. But so does the confidence and specificity with which they’re given.
What does your onboarding process look like?
This is the single most revealing question you can ask, and it’s the one most businesses forget to ask until it’s too late.
A provider with a real onboarding process will describe a structured process: a discovery audit of your environment, documentation of every device, application, and third-party vendor, an assessment of your current risks, and a written remediation plan before any ongoing work begins.
They’ll typically have a defined 30-60-90 day framework with clear milestones at each stage.
A provider without a real process will give you something that sounds reasonable but contains no substance. “We’ll get to know your systems.” “We hit the ground running.” What that means in practice is that nobody maps your environment properly, nobody identifies your risks systematically, and when something goes wrong 6 months later, there’s no documented baseline to work from.
Onboarding is where IT relationships are made or broken. If a provider can’t describe their process in specific terms, that tells you something important about everything that follows.
How do you handle security, and what does your standard approach include?
The answer to this question will tell you very quickly whether a provider treats cybersecurity as a discipline embedded in everything they do or as an optional extra they tack onto proposals when clients ask for it.
A strong answer is specific. It covers identity-first access controls, multi-factor authentication enforced across all users and applications, endpoint detection and response tools that go beyond basic antivirus, mobile device management, a documented backup strategy with tested recovery, and an ongoing security awareness programme for staff.
A weak answer sounds like: “We have antivirus and a firewall.” Or: “We can look at security options if that’s something you want to add.” The first reflects a level of thinking that belongs to a different decade. The second tells you security is treated as an upsell rather than a baseline.
A useful follow-up question: walk me through exactly what happens if one of my staff clicks a link in a phishing email right now, from the moment of the click through to resolution.
How a provider answers that question tells you more about the maturity of their security approach than any amount of marketing copy.
What are your SLAs, and how do you track and report against them?
Service level agreements define how quickly a provider will respond to and resolve different types of issues. They are, in theory, the mechanism that holds a provider accountable for their promises.
In practice, they’re only meaningful if there’s a system for tracking and reporting on them.
Ask for tiered response times based on severity: critical issues, such as a full outage or ransomware attack; urgent issues affecting multiple users; and standard day-to-day requests.
Then ask how performance against those SLAs is measured and shared with you. A serious provider will give you access to a reporting portal or a regular summary showing ticket volumes, response times, and resolution rates.
If a provider lists SLA commitments in their proposal but can’t explain how they’re tracked, those numbers are decorative. They are not a commitment.
What does your monitoring actually cover, and what happens when something gets flagged?
Almost every managed IT proposal mentions 24/7 monitoring. What that phrase covers varies significantly between providers.
Ask what tools they use for remote monitoring and management.
Ask what categories of events trigger an alert.
Ask who receives that alert, what the escalation path looks like, and how quickly a flagged issue gets acted on.
Then ask them to give you a recent example of something they’re monitoring caught before a client noticed it.
Providers with genuine monitoring capabilities answer these questions with specifics and examples. Those who don’t tend to speak in generalities and pivot back to marketing language when pressed.
How do you approach IT strategy for your clients?
This question draws a clear line between IT support companies and IT partners.
A support company keeps your existing infrastructure running and responds if something goes wrong. That’s a legitimate service, but it’s limited.
A partner does those things and also builds a technology roadmap aligned with where your business is going, conducts regular strategic reviews, flags risks before they turn into problems, and advises on timing and investment decisions.
Ask whether they assign a named person responsible for your account’s strategic direction.
Ask how often they hold formal business reviews.
Ask what a technology roadmap looks like for a business of your size and what the process is for building one.
If every answer circles back to helpdesk and ticket management, you’re looking at a support company. For some businesses, that’s sufficient.
But if technology plays a meaningful role in how your business operates and grows, you need someone who is thinking further ahead than the next issue in the queue.
What happens when something goes seriously wrong, and can you give me a practical example?
Every IT provider will describe their incident response capability in impressive terms. What you want is a practical example, instead of a hypothetical one.
Ask them to describe the most significant incident they dealt with for a client in the last year. You are not judging the severity of the incident. You are judging how they responded to it.
Did they communicate proactively throughout, or did clients have to chase for updates?
Did they take ownership of the problem or look for ways to attribute it elsewhere?
Did they fix the underlying cause, or just the surface symptom?
And did anything change in their process afterwards to reduce the risk of it happening again?
A provider who handles this question well, honestly and specifically, with no attempt to minimise or deflect, is showing you exactly the kind of accountability you want available when your business is under pressure.
What does the exit process look like if we decide to leave?
Most businesses forget to ask this until they are already trying to leave. Ask it before you sign.
You want to understand the contract term, the required notice period, who owns the documentation for your environment, how data and credentials are transferred when the relationship ends, and whether there are financial penalties for early termination.
A provider who is confident in the quality of their service has no reason to make exit difficult. If this question produces hesitation or evasive answers, that’s information worth having before you commit.
What to Pay Attention to Beyond the Words
The substance of the answers counts. But so does everything around them.
A provider worth working with answers operational questions immediately, in plain English, with specific examples. They don’t need to defer to colleagues. They don’t retreat into technical language when the conversation gets precise.
And they don’t treat detailed questions as an affront to their credibility.
A provider worth being cautious about struggles when specifics are required. They use phrases like “it depends” and “we’re flexible” as answers to questions that have concrete answers. They speak confidently about philosophy and values but go vague when asked about process and accountability. Watch for the difference between a provider who is describing what they actually do and one who is describing what they think you want to hear.
Final Words
Choosing an IT provider is one of those decisions that feels low-stakes until it isn’t. The businesses that come through periods of cyber threat, rapid growth, or operational disruption with minimal damage aren’t lucky. They made a deliberate decision to treat technology as business infrastructure rather than a background cost, and they chose a provider with the discipline and accountability to back that up.
The IT Services Buyer’s Guide, written by CDMA’s CEO Michael Nicolaou, covers 11 strategic decisions that determine whether your IT setup genuinely protects your business or quietly exposes it.
It’s free, written in plain English, and built for people who want to make this decision well.
