For a long time, choosing an MSP was mainly about support.

• Who answers the phone?

• How quickly do tickets get handled?

• Can they fix the laptop, email issue, printer problem, or user request?

Those questions still matter. But for many owner-managed SMEs in Sussex & Kent, they are no longer the main buying criteria.

In 2026, the sharper question is:

Who owns the baseline?

A 10–25 seat business does not usually need a complicated IT strategy. But it does need clear answers about the controls it relies on: Microsoft 365 access, device security, patching, backup, monitoring, malware protection, joiners, leavers, and incident escalation.

More SMEs are changing how they choose an MSP because vague responsibility is becoming harder to defend. Ticket response is only one part of the decision. Owners, finance leads, and operations managers now want to know what is covered, what can be shown, and who takes charge when pressure arrives.

Why MSP selection criteria changed

The change is not being driven by fashion or a new set of tools.

It is being driven by the way SMEs are now assessed by customers, insurers, suppliers, and their own leadership teams.

Three pressures are making the old selection model feel incomplete.

1. Supplier and customer scrutiny is more common

SMEs are increasingly being asked security questions by other organisations.

A customer may want to know whether Cyber Essentials is in place. A larger supplier may ask about MFA. A procurement form may ask about backups, access controls, patching, endpoint protection, or incident response.

These questions are no longer reserved for large companies.

The NCSC’s Cyber Essentials Supply Chain Playbook encourages organisations to embed Cyber Essentials across their supply chains, which means more SMEs should expect baseline security questions to come from customers and partners, not just from IT providers.

This changes the way an SME evaluates an MSP.

The question is no longer just:

“Will they support our users?”

It becomes:

“Can they help us explain our current position clearly when someone asks?”

That matters when an owner is completing a customer questionnaire and realises the answers are scattered across emails, supplier portals, old proposals, and assumptions.

It matters when an office manager has to confirm whether MFA applies to all users.

It matters when a director wants to know whether the business can back up what it says it has in place.

For SMEs reviewing cyber security expectations, our Cyber Security & Cyber Essentials page explains how baseline IT security controls fit into a practical SME environment.

2. Insurer and control scrutiny is more detailed

Insurance conversations are also becoming more specific.

Insurers and brokers may ask about controls such as MFA, patching, endpoint protection, backup, privileged access, and incident readiness. They are not simply asking whether the business has an IT provider. They want to understand whether key controls exist and whether someone is maintaining them.

Marsh reported that UK ransomware claims in the first quarter of 2025 were up by one-third compared with the previous quarter, reinforcing why insurance discussions continue to focus on controls, readiness, and due diligence.

An MSP cannot promise an insurance outcome. That would be the wrong claim.

But an MSP can either make control questions easier to answer or harder to answer.

A finance lead preparing for renewal may need to know:

• What is included in the current agreement?

• Which controls are covered?

• Which items sit outside scope?

• Are we paying for protection, or just assuming it exists?

• Would we need extra services to answer basic insurer questions properly?

This is where selection criteria have changed.

The buyer is not only comparing monthly support cost. They are checking whether the provider gives enough certainty to support commercial decisions.

3. Incident-time decision latency is now a business concern

The third driver is speed of decision-making during disruption.

When everything is working, vague responsibility can stay hidden. During an incident, it becomes obvious.

If there is a compromised account, a suspicious device, a failed backup, or a serious Microsoft 365 issue, an operations lead needs to know who does what.

• Who disables access?

• Who checks the device?

• Who reviews alerts?

• Who confirms whether data can be restored?

• Who coordinates suppliers?

• Who advises the owner on the next step?

If responsibility is split across different providers, tools, invoices, and informal arrangements, decisions take longer.

That delay is not just an IT issue. It affects continuity, customer communication, insurance conversations, and management confidence.

The UK Cyber Governance Code of Practice sets out how boards and directors should govern cyber risk, reflecting the fact that cyber security is now a leadership and governance issue, not just a technical one.

For SMEs, that does not mean turning every IT decision into a board paper.

It means choosing an MSP who can give practical answers before something happens.

What new MSP selection criteria look like

The new selection criteria are not complicated.

They are more commercial.

A business still needs responsive support, but it also needs to know whether the provider can maintain the baseline in a way that stands up to customer questions, insurer scrutiny, and operational pressure.

A stronger MSP conversation now includes questions like:

• Can you explain our current setup in plain English?

• What do you own, and what sits outside your responsibility?

• Which controls are included as standard?

• What can we show if a customer or insurer asks?

• How do you identify gaps before they become urgent?

• Who coordinates decisions during an incident?

• How do you handle changes in staff, devices, access, and risk over time?

These are not technical nice-to-haves.

They are buying criteria.

• An owner wants fewer grey areas.

• A finance lead wants scope clear before renewal.

• An operations lead wants to know what happens before disruption exposes gaps.

That is why the question has moved from “who answers tickets?” to “who owns the baseline?”

For businesses comparing support models, Managed IT Services should be assessed through that lens: not just what tasks are handled, but how responsibility is structured.

Patchwork responsibility vs predictable accountability

This is where buyers are becoming more selective.

In the past, an SME might have judged an MSP mainly on helpfulness, response time, and whether day-to-day issues were resolved. Those are still valid signals, but they do not show the full picture.

A provider can be helpful and still leave important responsibility unclear.

That is what makes patchwork responsibility difficult to evaluate. On the surface, the business may have support, backup, security software, monitoring, and Microsoft 365 administration. But when a customer, insurer, or incident forces a direct question, the owner may discover that each part has a different owner, a different scope, or a different assumption behind it.

Predictable accountability changes the evaluation.

The buyer is not asking for a longer feature list. They are asking for a clearer operating answer:

• What baseline do you expect us to maintain?

• How do you check whether we meet it?

• What happens when we do not?

• What sits inside your responsibility?

• What can we rely on?

• Where are the boundaries?

This is the key distinction.

A patchwork model asks the buyer to piece the answer together.
An accountable model gives the buyer a clear view of who owns what.

For a small SME, that can matter more than a broad menu of optional services. It helps the leadership team understand risk without becoming technical. It helps finance see whether the agreement reflects the controls the business depends on. It helps operations know who to contact when a decision is needed.

The best MSP selection process in 2026 is less about asking, “What else can we add?”

It is about asking, “Where does responsibility sit?”

Why this is not only a cyber security issue

Cyber security is part of the shift, but it is not the whole story.

A baseline is only useful if it is maintained in normal operations. Access changes, devices change, software changes, staff change, and supplier requirements change.

The Cyber Security Breaches Survey 2025/26 found that phishing remained the most common breach or attack type, affecting 38% of businesses. For SMEs, the practical point is simple: controls need to be owned before something happens, not discussed only after a problem appears.

The buying question is broader than security software.

It is about whether the business has a provider who can keep the baseline visible, current, and explainable.

How to review your current MSP model

Before changing MSP, review your current arrangement through three simple lenses: ownership, scope, and evidence.

Ownership

Start with responsibility.

Ask who owns the baseline across Microsoft 365, devices, access, patching, endpoint protection, backup, monitoring, and joiners or leavers.

The answer should not depend on guesswork.

You want to know who is responsible, who acts when something changes, and who coordinates decisions if there is a problem.

Scope

Next, check what is actually included.

This is where many SME leaders notice vague wording. A proposal may say “security support” or “backup assistance”, but that does not always explain what is covered day to day.

Ask which controls are included, which are optional extras, and which fall outside the agreement.

A finance lead should be able to understand the scope before renewal, not after an incident or questionnaire exposes a gap.

Evidence

Finally, ask what can be shown.

• Can the provider explain the current baseline in plain English?

• Can they show which key controls are in place?

• Can they identify known gaps?

• Can they help respond to customer, supplier, or insurer questions?

• Can they explain what has changed since the last review?

The aim is not paperwork for its own sake.

The aim is to avoid relying on assumptions.

If the answers are unclear, the problem may not be the provider’s intentions. It may be that the model was built around support activity rather than baseline ownership.

Start with baseline clarity before making an MSP decision

Changing MSP is not always the first step.

The better first step is to understand what is currently owned, what is assumed, and where the gaps are.

That gives the business a clearer basis for any decision. You may stay with your current provider and ask sharper questions. You may decide the model needs to change. Or you may discover that support is working, but responsibility is not clear enough.

For owner-managed SMEs in Sussex & Kent, this is the 2026 MSP selection shift.

The question is no longer only:

“Who answers tickets?”

It is:

“Who owns the baseline we rely on?”

To clarify that before making a supplier decision, you can Book a Security Triage Call, Download our CE-baseline Checklist, or Learn about the Security Baseline Review.

FAQs

Why are SMEs changing how they choose an MSP?

Because customers, suppliers, insurers, and leadership teams are asking more specific questions about controls, scope, and responsibility. Ticket response still matters, but it no longer answers the full buying question.

What does “who owns the baseline?” mean?

It means knowing which provider is responsible for the core controls the business relies on, how those controls are maintained, what can be shown, and where responsibility begins and ends.

Is this the same as choosing an all-inclusive MSP?

Not exactly. The point is not the label on the package. The point is whether the MSP selection process tests for clear ownership, defined scope, and practical proof before the business relies on the provider.

What should we do before changing MSP?

Review your current arrangement through ownership, scope, and evidence. A Security Triage Call can help clarify whether the current baseline is understood before you make a supplier decision.