What Your Previous IT Provider Left Behind
When we onboard new managed IT clients, we often find security gaps the previous provider missed. Here's what we see and how to move forward.

One of the hardest conversations in managed IT has nothing to do with budgets, timelines, or technology choices. It happens in the first few weeks after a new client signs on, when the initial security assessment reveals that the previous provider wasn’t doing what the client thought they were paying for. Unpatched firewalls, admin accounts with default passwords, backup systems that haven’t run a successful test in months. The problems are often serious, and the business owner sitting across the table trusted someone to prevent exactly this.
We’ve had this conversation enough times that we’ve developed a clear approach to it. This post is for business owners who are considering switching IT providers, or who have been with the same one for years and aren’t sure whether they’re actually protected. Even if you never become our client, knowing what to look for could save your business.
What We Actually Find
Every new client engagement starts with a full assessment of the existing environment. We’re not looking for reasons to criticize the previous provider. We’re building a baseline so we know what needs attention first. But what we find is often worse than the client expects.
The most common pattern is an MSP that installed monitoring agents on endpoints and then provided no other meaningful value. No checks to verify that the services they promised were actually running. Broken application updates that went unnoticed. Firmware updates on firewalls and switches that were months or years behind. OS patches that were configured but never verified as successfully applied. The agents were there, the dashboard probably showed green, and nobody looked deeper.
In more extreme cases, we’ve found active malicious software on systems that were supposedly being monitored. We’ve discovered admin accounts from multiple previous MSPs, all still active, with passwords that had never been changed. Phantom IT access from providers the client stopped using years ago, still sitting in Active Directory with full administrative privileges. These aren’t hypothetical scenarios. They come directly from our onboarding assessments.
Why These Gaps Happen
It’s easy to assume the previous provider was negligent or dishonest. Sometimes that’s true, but more often the explanation is less dramatic. Many smaller MSPs are under-resourced. They take on more clients than their team can support, and the work that doesn’t generate immediate tickets gets deferred indefinitely. Firmware updates, backup verification, documentation, compliance reviews: these are all proactive tasks that require discipline and time, and they’re the first things that slip when a provider is stretched thin.
Some providers also operate on outdated practices. They set up the environment once, install their tools, and then move into a reactive mode where they only respond to problems as they arise. There’s no regular cadence of security reviews, no quarterly check against compliance requirements, no periodic audit of who has access to what. The client assumes these things are happening because they’re paying a monthly fee. The provider assumes the client would ask if they wanted more.
Neither side is entirely wrong, but the result is the same: gaps accumulate silently until someone actually looks.
How We Approach the Conversation
When we sit down with a business owner to walk through assessment findings, the goal is never to say “your old provider was terrible.” That doesn’t help anyone, and it puts the client in a defensive position about a decision they already made. Instead, we focus on what needs to happen next.
The conversation follows a straightforward structure:
- Here’s what we found. We present the findings factually, organized by severity. Critical issues first: active threats, exposed admin accounts, failed backups. Then systemic issues: missed patches, outdated firmware, missing documentation.
- Here’s what it means for your business. We connect each finding to a business risk the owner can understand. An unchanged admin password isn’t just a technical oversight; it means anyone who ever had that password still has full access to your systems. A backup that hasn’t been tested means your recovery plan is a guess.
- Here’s what we’re going to do about it. We present a remediation plan with clear priorities and timelines. Critical risks get addressed in the first week. Systemic issues follow a 30-60-90 day schedule. The owner walks away knowing exactly what happens next and when.
The business owner’s reaction is usually a mix of frustration and anxiety. They feel betrayed by someone they trusted, and they’re worried about what else might be wrong. Both of those feelings are valid. The best thing we can do in that moment is be straightforward about the problems while showing a clear path forward.
Red Flags to Watch For Now
You don’t need to wait for a provider transition to find out whether your current IT provider is leaving gaps. There are warning signs you can check today.
They can’t produce documentation on request. Ask your provider for a current network diagram, a list of all admin accounts and who controls them, and your last backup test report. If they can’t deliver these within 48 hours, they probably don’t have them. A well-run managed IT operation maintains this documentation as standard practice.
You’ve never had a security review meeting. If your provider has never sat down with you to discuss your security posture, walk through findings from a vulnerability scan, or review who has access to your critical systems, that review isn’t happening behind the scenes either.
They never bring up compliance. If your business handles healthcare data, financial information, defense contracts, or consumer PII, your provider should be proactively discussing compliance requirements with you. If compliance has never come up in conversation, it probably hasn’t come up in their work either.
You don’t know what they’re patching or when. Patching isn’t just installing Windows updates. It includes firmware on your firewall, updates to your line-of-business applications, and security patches for your networking equipment. If your provider can’t tell you what was patched last month and what’s pending, the answer may be “nothing.”
The same issues keep recurring. Break-fix providers solve the same problem repeatedly without addressing the root cause. If your team keeps hitting the same issue every few months, your provider is treating symptoms instead of fixing the underlying problem.
What a Good Transition Looks Like
Switching providers is stressful, and fear of disruption keeps many businesses with an underperforming provider longer than they should stay. Understanding what the process actually involves can make the decision easier. We’ve written about the real costs and logistics of switching IT providers, and the short version is that a structured transition doesn’t require downtime or chaos.
A responsible transition follows this sequence:
- Assessment and risk triage (Week 1-2). Full environment audit, critical vulnerabilities identified and remediated immediately, all unknown admin accounts disabled or passwords rotated.
- Documentation and baseline (Week 2-4). Network diagrams, asset inventories, license audits, and a compliance gap analysis if applicable. This becomes the foundation for everything that follows.
- Remediation roadmap (30-60-90 days). Systematic work through the issues found during assessment, prioritized by risk. Firmware updates, patching cadence established, backup verification schedule, security stack deployment.
- Ongoing governance. Regular security reviews, quarterly business reviews with leadership, documented change management, and proactive compliance monitoring.
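One way to produce the "every admin account and who controls it" inventory that the assessment step calls for, as an added PowerShell example that is not the post's own tooling. It assumes the RSAT ActiveDirectory module on a domain-joined workstation and a 90-day no-logon threshold as the point where an account deserves a conversation.

```powershell
# Added example (not from the original post): list every user that holds
# membership in the domain's built-in privileged groups and flag the ones
# that look like leftovers from a former provider. Assumes the ActiveDirectory
# module (RSAT) and read access to group membership.
Import-Module ActiveDirectory

# Groups that grant domain-wide administrative rights; extend as needed.
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins')
$staleAfterDays   = 90    # assumption: 90 days without a logon is worth asking about
$now              = Get-Date

$report = foreach ($group in $privilegedGroups) {
    # -Recursive expands nested groups so indirectly granted rights are not missed.
    $members = Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' }
    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.distinguishedName -Properties Enabled, LastLogonDate, PasswordLastSet, whenCreated, Description
        $flags = @()
        # Enabled but never or not recently used: classic phantom provider access.
        if ($u.Enabled -and (-not $u.LastLogonDate -or $u.LastLogonDate -lt $now.AddDays(-$staleAfterDays))) {
            $flags += 'no-recent-logon'
        }
        # Password unchanged for over a year: anyone who ever had it still has it.
        if (-not $u.PasswordLastSet -or $u.PasswordLastSet -lt $now.AddDays(-365)) {
            $flags += 'password-older-than-1y'
        }
        # Description hints that the account belonged to a vendor or MSP (heuristic).
        if ($u.Description -match 'msp|vendor|support|temp') {
            $flags += 'vendor-like-description'
        }
        [pscustomobject]@{
            Group           = $group
            SamAccountName  = $u.SamAccountName
            Enabled         = $u.Enabled
            Created         = $u.whenCreated
            LastLogon       = $u.LastLogonDate
            PasswordLastSet = $u.PasswordLastSet
            Flags           = ($flags -join ',')
        }
    }
}

# Flagged accounts first on screen; the full CSV is the client's inventory of record.
$report | Sort-Object { $_.Flags -eq '' }, Group, SamAccountName | Format-Table -AutoSize
$report | Export-Csv -Path '.\privileged-account-inventory.csv' -NoTypeInformation
```

Every flagged row still needs a human to name its owner before it is disabled or rotated; the script only narrows the list to the accounts nobody can vouch for.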
The difference between a provider who installs agents and disappears and one who operates this way is the difference between paying for a service and actually receiving one.
Asking the Right Questions
If you’re evaluating whether your current provider is doing the work, or you’re vetting a new one, here are five questions that will surface the truth quickly:
- Can you show me the results of our last backup restore test?
- What firmware version is running on our firewall, and when was it last updated?
- How many admin accounts exist in our environment, and who controls each one?
- What compliance frameworks apply to our business, and where do we stand against them?
- When was our last security assessment, and what did it find?
A provider who is doing the work will answer these confidently and with specifics. A provider who isn’t will deflect, delay, or give vague assurances. The answers tell you everything you need to know.
Need Help Assessing Your IT Environment?
Our team can run a full security and infrastructure assessment so you know exactly where you stand.