
Recently, I sat in on a meeting with a nonprofit organization that had just experienced a ransomware attack.
They were shaken. Not just by the disruption, but by the confusion.
For years, they had worked with an IT provider they genuinely liked.
Whenever something went wrong, they called him. He showed up quickly. He fixed the issue. They were back up and running.
They described him as responsive, knowledgeable, and reliable.
Until the ransomware incident.
The Moment Everything Changed
When the attack happened, the organization naturally turned to their IT provider for answers and reassurance.
They expected he had been monitoring for threats. They assumed someone was reviewing vulnerabilities. They believed backups were being validated regularly.
Instead, he explained something important:
They were operating under a break-fix model.
And he was correct.
What Break-Fix Actually Means
Break-fix is exactly what it sounds like.
When something breaks:
- You call.
- The technician fixes it.
- You pay for the service.
- Everyone moves on.
There is nothing inherently wrong with this model.
It works well for:
- Hardware replacements
- Printer issues
- Network outages
- Immediate troubleshooting
But it is reactive.
It does not include:
- Ongoing security monitoring
- Risk assessments
- Vulnerability management
- Backup testing
- Access reviews
- Security governance
It addresses visible problems.
It does not proactively search for invisible ones.
The Assumption Gap
What struck me in that meeting was the gap between expectation and scope.
The nonprofit believed:
“Our IT person handles our technology.”
But in reality, the agreement was:
“We fix issues when you call.”
Those are very different things.
Their IT provider wasn’t negligent. He was operating within the boundaries of the model they had chosen.
There simply was no structured security oversight.
What an MSP Model Looks Like
A Managed Service Provider (MSP) model is fundamentally different.
Instead of waiting for something to break, the MSP:
- Monitors systems continuously
- Applies patches based on risk
- Reviews access and permissions
- Tests and validates backups
- Tracks vulnerabilities
- Implements and manages security controls
- Aligns technology with compliance expectations
It’s proactive.
The goal is not just fixing problems; it’s reducing the likelihood and impact of them.
Why This Difference Matters Today
Years ago, break-fix was often sufficient.
Technology environments were simpler. Threat actors were less organized. Regulatory pressure was lighter.
Today:
- Ransomware is automated.
- Credential theft is common.
- Threat actors target small and mid-size organizations.
- Nonprofits are not immune.
In this environment, waiting for something to break can be costly.
Because ransomware doesn’t call first.
The Hard Conversation
During that meeting, I told the organization something important:
Their IT provider was correct.
He was doing exactly what he was hired to do: fix issues as they arose.
He had no involvement in ongoing security oversight because that wasn’t part of the model.
That clarity was uncomfortable, but necessary.
The real issue wasn’t poor service.
It was misalignment between expectations and scope.
The Question Every Organization Should Ask
Not:
“Do we have someone we can call?”
But:
“Who is actively managing our risk?”
Who is:
- Monitoring our environment?
- Reviewing vulnerabilities?
- Validating backups?
- Overseeing access controls?
- Updating safeguards as our organization evolves?
If the answer is “no one unless we notice a problem,” then the model is reactive.
And today, reactive IT can leave organizations exposed.
A Practical Perspective
This is not about criticizing break-fix providers.
It’s about understanding the difference between:
- Reactive support
- Structured, proactive risk management
Both have their place.
But they are not interchangeable.
A Practical Next Step
If your organization relies on calling someone when something breaks, that may have worked well for years.
But it’s worth asking a different question now:
Who is actively managing our risk — not just fixing our problems?
At Netready, we work with organizations that want clarity around that difference. We help leadership teams understand:
- What is truly covered
- What isn’t
- Where their exposure may be accumulating
- And what proactive, security-driven IT management actually looks like
This isn’t about criticizing your current provider.
It’s about aligning expectations with reality.
If this story resonates, it may be worth stepping back and evaluating whether your current IT model aligns with today’s risk landscape.

