Hourly IT Support vs. Managed IT Services: What West Michigan Businesses Need to Know
Greg Johnson • September 26, 2025

Why Small Businesses Struggle With IT Decisions


For many small and mid-sized businesses in Grand Rapids and across West Michigan, technology management sits at an uncomfortable crossroads. On one side, you know you need reliable, secure, and compliant systems to operate effectively. On the other, IT costs feel unpredictable, and it’s tempting to “call when something breaks” instead of committing to a monthly agreement.

This decision often comes down to two models:


  • Hourly IT support (ad hoc, break-fix)

  • Managed IT services (contract-based, proactive)

Understanding the differences is critical. The choice affects not just your budget but also your productivity, compliance posture, security resilience, and growth potential.

This guide provides a comprehensive, West Michigan–focused look at how these models compare, what other businesses in the region are paying, and why a managed approach often becomes the smarter long-term move.


Defining Hourly IT Support


What Is Hourly (Ad Hoc) IT Support?


Hourly IT support, sometimes called break-fix, is the traditional pay-as-you-go model. When a problem arises, a workstation fails, email goes down, a printer won’t connect, you call an IT provider. They respond, fix the issue, and bill you for the time.


Common Hourly IT Services in West Michigan


  • Basic workstation troubleshooting (slow computers, login errors)

  • Printer, Wi-Fi, and connectivity issues

  • Installing or updating software

  • Email setup and sync problems

  • Security patches and updates (on request)

  • Occasional consulting on IT questions

Pros of Hourly Support


  • Lower initial commitment:  No monthly contracts, easy to get started.

  • Flexibility:  You only pay when you need something fixed.

  • Entry point:  Useful for very small businesses (5–10 devices) that aren’t ready for a bigger IT investment.

Cons of Hourly Support


  • Unpredictable costs:  A server outage or ransomware event could result in thousands in unplanned fees.

  • Reactive, not proactive:  Issues are only addressed after they cause downtime.

  • Limited security posture:  HIPAA, CMMC, or other compliance requirements are hard to maintain without ongoing oversight.

  • Slower resolution:  Pour provider may not know your environment well, meaning troubleshooting takes longer.


Managed IT Services Explained


What Is Managed IT?


Managed IT services are a subscription-based model. Instead of waiting for things to break, your IT environment is proactively monitored, patched, secured, and supported. You pay a predictable monthly fee, typically based on the number of users or devices.


Core Features of Managed IT Services


  • 24/7 monitoring of servers, workstations, and networks

  • Regular security patching and antivirus/EDR

  • Backup and disaster recovery solutions

  • Proactive maintenance to prevent downtime

  • Unlimited helpdesk during business hours

  • Compliance support (HIPAA, PCI, SOC2 readiness guidance)

  • Vendor management (internet providers, printers, line-of-business apps)

  • Strategic IT planning and quarterly reviews

Pros of Managed IT Services


  • Predictable monthly cost

  • Proactive issue prevention — fewer emergencies and downtime

  • Improved security and compliance posture

  • Scalable support as your team grows from 10 to 50+ stations

  • Faster resolution — your IT provider already knows your environment

Cons of Managed IT Services


  • Monthly investment required:  Can feel like a big step for micro-businesses.

  • Requires trust:  You’re handing over day-to-day IT responsibility.


Hourly vs. Managed:  The Cost Comparison


Market Hourly Rates in Michigan (2025)


Based on industry surveys and MSP forums:


  • Tier 1/2 technician: $140–$160/hr

  • Senior engineer/security specialist: $200–$225/hr

  • After-hours emergencies: $250–$300/hr

A simple 10-hour support month at $150/hr = $1,500.


Typical Managed Service Plans in West Michigan


Most providers (including IT Systems LLC) use a per workstation pricing model, typically ranging from $50–$60 per user, per month, with a minimum monthly fee of $500.


This means:


  • A small 5–10 user office might invest around $500–$750 per month.

  • A growing 15–25 user team might invest $1,000–$1,500 monthly.

  • A mid-sized 30–50 user organization may budget $1,500–$3,000 monthly.

The advantage: costs scale fairly with your team size, and every user gets the same proactive coverage.


When compared side by side, managed services often cost the same or less than a busy month of hourly support — but with far more coverage and protection.


Local Business Scenarios


Example 1: A 7-Station Dental Office in Grand Rapids

This office tried to save costs by handling IT in-house and calling for hourly help. After a ransomware infection, recovery cost them $12,000+ in fees and downtime. They later switched to a managed plan at ~$600/month, which included HIPAA compliance monitoring.


Example 2: A 15-User Nonprofit in Holland

Initially used hourly IT help at ~$1,200/month. After repeated email issues, they transitioned to a Growing Team Plan. They now invest around $1,100/month but have full Microsoft 365 support, backups, and no surprise downtime.


Example 3: A Construction Business in Rockford

Started with hourly support for software installs. After IT Systems LLC identified major gaps in data backup, they converted to a managed plan. The quarterly IT review helped them plan for new ERP software and scale from 12 to 30 employees without IT bottlenecks.


Compliance & Security Considerations


Businesses in healthcare, legal, and financial sectors in Michigan face specific compliance requirements. Hourly IT work often fails to cover:


  • HIPAA security risk assessments

  • Ongoing patch compliance documentation

  • Multifactor authentication enforcement

  • Data retention & recovery audits

A managed plan ensures compliance steps aren’t missed, reducing the risk of fines, data breaches, or lawsuits.


Why West Michigan Businesses Hesitate


Many small businesses in Grand Rapids, Holland, and the Lakeshore hesitate to commit because:


  • They believe hourly is “cheaper”

  • They underestimate IT risks

  • They assume managed IT is only for larger corporations

In reality, the “bubble companies”, businesses with 5–25 devices, stand to gain the most from managed IT. These organizations are growing, rely heavily on technology, but don’t yet have internal IT staff.


IT Systems LLC: Our Approach


At IT Systems LLC, we meet West Michigan businesses where they are. We offer both hourly and managed services, but our goal is always to help clients transition to predictable, proactive support.


Hourly IT Support:


  • Tier 1/2: $150/hr

  • Senior/Security: $200/hr

  • After Hours: 1.5× rate

Managed IT Services:


  • Pricing is based on number of users/workstations

  • $50–$60 per workstation, per month

  • Minimum monthly fee: $500

  • Example ranges:

  • 5–10 users: $500–$750/month

  • 15–25 users: $1,000–$1,500/month

  • 30–50 users: $1,500–$3,000/month

What’s Included in Managed Services:

✔ Unlimited helpdesk
✔ 24/7 monitoring
✔ Security patching & antivirus/EDR
✔ Cloud backup & disaster recovery
✔ Compliance support (HIPAA, etc.)
✔ Vendor management
✔ Quarterly IT reviews


This model ensures small businesses can start at an approachable level, while still protecting IT Systems LLC’s profitability and delivering enterprise-quality services.


Key Takeaways


  • Hourly IT support works for very small or entry-level needs — but costs add up quickly.

  • Managed IT services provide predictable pricing, proactive protection, and compliance peace of mind.

  • For most West Michigan small businesses, the transition to managed services happens naturally once they see the true costs of downtime and security gaps.


If you’re a small business in Grand Rapids, Holland, Kalamazoo, or anywhere across West Michigan, your IT decisions today will shape your growth tomorrow.



  • Use hourly IT support if you’re testing the waters.

  • Move to managed IT when you’re ready for stability, security, and scalability.

👉 Ready to discuss which model fits your business best? Contact IT Systems LLC to schedule a consultation.


By Greg Johnson July 7, 2026
Article Summary: Immutable backups are backup copies that nobody can change or delete during a fixed retention period, including administrators and attackers using stolen credentials. Cyber insurance carriers ask about them on renewal applications because ransomware operators routinely destroy backups before encrypting production systems. A backup sitting on your network under regular admin credentials does not qualify. Cyber insurance applications include a question that catches a lot of small business owners off guard: “Do you maintain immutable, air-gapped, or offline backups of your critical business data?” Carriers added that question to renewal forms because ransomware operators worked out that the fastest way to force a payout is to wipe the backups first and encrypt everything else after. CISA, the FBI, and the Internet Crime Complaint Center have all documented this pattern as one of the most common moves in current ransomware playbooks. A business whose backup copies can be deleted using the same admin credentials an attacker just stole has no recovery path other than paying the ransom. This post covers what immutable backup means, three common backup setups that do not qualify, the questions to send your IT provider before you sign the form, and what to do if your honest answer is no. Immutable backup, defined An immutable backup is one that cannot be modified or deleted for a fixed period of time, including by you, by your IT provider, and by anyone using stolen admin credentials. The stolen credentials piece is what carriers care about. Most backup systems can be wiped by anyone with admin access. Immutability means the backup platform itself enforces the lock at the storage layer, and no credentials, however privileged, can override it during the retention window. Some platforms call this object lock, write-once-read-many, or WORM storage. The terminology varies between vendors, but the underlying control is the sam. Three common backup setups that do not qualify Three setups come up regularly that don't satisfy the immutability question, even though business owners often assume they do. A NAS or external drive in your office A network-attached storage device sitting in your server room is reachable from your network by design. If ransomware spreads across your environment, it can reach the NAS. An attacker with domain admin credentials can wipe what's on it. An external drive that someone plugs in once a week and leaves connected has the same exposure. These devices have a role in a broader backup strategy. On their own, they do not satisfy the immutability question. Microsoft 365 retention treated as a backup Microsoft 365 includes data retention features, and some businesses use them as their backup solution. They are not a backup in the sense the form is asking about. An attacker with global admin access to your tenant can delete data and purge retention holds. Under Microsoft's shared responsibility model , customers retain responsibility for backup and protection of their own data, separate from what Microsoft provides at the platform level. If your only protection for Microsoft 365 data is what Microsoft provides natively, the honest answer to the immutability question is no. A cloud backup with immutability switched off This is the most common gap. Many reputable backup platforms include immutability as a feature, but the setting is not always enabled by default. The capability exists, and someone needs to turn it on. Your business may be paying for a backup solution that looks credible on paper while the immutability toggle sits in the off position. You cannot tell from the outside without checking. Three questions to send your IT provider before you sign the form Copy these into an email and send them before you check the box. Question one: “Are our backups immutable, and if so, how long is the immutability window?” Carrier guidance has tightened in the past two years. Most insurers want a window of at least 14 days as a floor, with 30 days increasingly cited as the preferred minimum. Attackers sometimes sit in a network for weeks before triggering ransomware, which means a backup from yesterday may already be compromised. The window needs to be long enough to give you clean restore points from before the attacker arrived. Question two: “If our domain admin account or Microsoft 365 global admin account were stolen tomorrow, could that account be used to delete our backups?” The correct answer is no. If the answer is yes, or if your provider is not sure, your backups are not immutable in the way the form means. Question three: “Can you send me a screenshot or vendor documentation showing that immutability is enabled on our account?” A provider who can send something concrete has done the work. If they come back with verbal reassurance and nothing to show, treat that as a no until they can demonstrate otherwise. What a qualifying setup looks like For your backup to honestly satisfy the question on the form, a few things need to be true at the same time. The backup platform needs immutability turned on, not only available as a feature. Several major vendors including Veeam, Datto, Rubrik, and Acronis offer the capability, along with most cloud storage providers that support S3-compatible object lock. A vendor name on the invoice does not, by itself, answer the question. The setting has to be turned on, scoped properly, and tied to credentials that aren't shared with the rest of your environment. The backup credentials need to sit outside your regular administrative accounts. If the same login that manages your Microsoft 365 environment also controls your backup platform, a compromised admin account can reach both. A qualifying setup uses isolated credentials outside your day-to-day identity environment. The retention window needs to be long enough. A 24-hour backup that overwrites itself daily does not help if an attacker has been in your environment for a week. CISA's #StopRansomware Guide lists immutable, tested backups as a baseline control, and most insurers now align with that position. Restores also need to be tested. A backup nobody has tried to restore in the past 12 months is not something you can rely on when it matters. Most carriers now ask for the date of your last successful restore test, and they want to see one. What to do if your honest answer is no Declare what you have on the form, and use the renewal process as the reason to fix what isn't there. The first step is to ask your IT provider whether immutability can be enabled on your existing platform. In many cases the platform already supports it, and turning it on is a configuration change rather than a new product purchase. If the platform supports it and nobody has switched it on, that conversation can usually be resolved in a few days. If your provider does not know what you're asking, or cannot give a clear answer to the three questions above, that response is itself important information. This area needs attention before your next renewal date, even if other parts of your IT setup are handled well. One thing to avoid: do not check yes on the form to dodge a premium hike. Cyber insurance applications function as warranty documents. If a forensic investigation after a claim finds your backups did not match what you declared, the carrier can rescind the policy. Coverage is then treated as if it never existed, and any prior payouts under the same policy term can be clawed back. Misrepresentation discovered after a claim is one of the most expensive mistakes a small business can make on an insurance form. Checking no on the form will likely cost you something at renewal, either in premium or in coverage terms. That's a known cost, and it's manageable. Take the hit on the application, and use the months between now and your next renewal to close the gap. Article FAQs What does immutable backup mean, in plain English? A backup that nobody can change or delete for a set period of time, even with administrator credentials. The storage platform enforces the lock at the system level, so user permissions cannot override it. Is Microsoft 365's built-in retention a backup? No. Native retention can be bypassed by a global admin or by anyone who steals one. Microsoft's shared responsibility model places backup of your data on the customer, separate from retention. How long should the immutability window be? Most insurers and security frameworks point to a minimum of 14 days. 30 days is increasingly the preferred floor, and some carriers want longer. A longer window gives you more confident recovery if an attacker has been inside your environment for an extended period. Can my IT provider just turn immutability on? Often, yes. If your backup platform supports the feature and it has not been enabled, this is a configuration change rather than a new purchase. Ask for written confirmation once it's done. What happens if I check yes on the form when I shouldn't? The carrier can rescind the policy after a claim, which voids coverage retroactively. Any prior payouts under the same policy term can also be clawed back. Misrepresentation is one of the most common reasons cyber claims are denied. Article used with permission from The Technology Press.
A person sits at a desk with their head in their hand, frustrated by a computer, with the text:
By Greg Johnson April 4, 2026
Is your Grand Rapids medical or dental practice truly HIPAA compliant? Learn why "calling when it breaks" leads to massive data breach risks and how proactive managed IT saves your reputation and your budget.
A laptop showing a VPN application screen sits on a white desk next to a potted plant, with a company logo in the corner.
By Greg Johnson March 13, 2026
Learn what a VPN is and why small businesses use one to protect remote access, secure public WiFi, and keep company data safe.
By Greg Johnson February 27, 2026
Learn what cyber insurance carriers require in 2026, why small businesses get denied, and how IT Systems LLC in Grand Rapids helps West Michigan companies get approved and stay covered.
By Greg Johnson February 13, 2026
Phishing emails are one of the most common and costly cyber threats facing small businesses in Grand Rapids, Michigan. These attacks are designed to trick employees into revealing passwords, approving fraudulent payments, or clicking malicious links that compromise company systems. For many small businesses, phishing is not a technical failure, it’s a human one. Understanding how these scams work and how to protect your team is one of the most important cybersecurity steps you can take. What Is a Phishing Email? A phishing email is a fraudulent message designed to appear legitimate. It often impersonates: A software provider A coworker or manager A vendor A bank or payment platform A service like Microsoft 365 or Google Workspace The goal is simple: Steal login credentials Redirect payments Install malware Gain access to sensitive company data Modern phishing emails are highly convincing. They often use real logos, accurate formatting, and urgent language that pressures employees to act quickly. Why Small Businesses in West Michigan Are Prime Targets Many small business owners assume hackers only target large corporations. In reality, small businesses are often more attractive targets because: They have fewer security layers Teams operate with high internal trust Financial processes are less segmented Attackers use automated tools that cast wide nets In West Michigan, we frequently see phishing attempts aimed at healthcare offices, schools, nonprofits, professional services, and trade-based businesses. Size does not protect you. Preparation does. What a Phishing Attack Can Cost a Small Business The impact of a successful phishing attack can include: Account takeover Fraudulent wire transfers Payroll diversion scams Data exposure Operational downtime Reputational damage Even a single compromised inbox can expose vendor communications, client data, and financial workflows. The cost is rarely just financial, it’s operational. Why Employee Awareness Is Just as Important as Security Tools Email filtering tools block many threats. But not all of them. Phishing works because it exploits human behavior: urgency, authority, and routine. An employee sees: “Your password expires today.” “Invoice attached.” “Wire transfer needed before 3pm.” They react quickly. That’s what attackers rely on. Technology helps. But your team is the final line of defense. How to Protect Your Team from Phishing Attacks 1. Enforce Multi-Factor Authentication (MFA) MFA prevents stolen passwords from being enough to access accounts. 2. Use Advanced Email Filtering Basic spam filters are no longer sufficient. Modern tools analyze behavior patterns, impersonation attempts, and domain anomalies. 3. Secure Your Email Domain (SPF, DKIM, DMARC) Proper domain configuration helps prevent spoofing and impersonation. 4. Provide Ongoing Security Awareness Training Annual training isn’t enough. Phishing evolves constantly. Employees need regular reminders and real-world examples. 5. Monitor Login Activity Unusual login attempts, impossible travel events, or repeated failed logins should be flagged and investigated quickly. Real Examples of Phishing We’ve Seen Locally Without naming names, we’ve seen: Fake DocuSign emails requesting credential re-entry Payroll change requests appearing to come from company leadership “Microsoft password expired” alerts Vendor invoice impersonation with slightly altered email domains Each one looked legitimate at first glance. How IT Systems, LLC Helps Grand Rapids Businesses Reduce Phishing Risk At IT Systems, LLC, phishing protection is not just about installing software. We help businesses: Configure secure email environments Implement multi-factor authentication Monitor suspicious activity Provide employee awareness guidance Respond quickly when incidents occur Security works best when tools, training, and monitoring work together. Frequently Asked Questions About Phishing Emails How do phishing emails bypass spam filters? Attackers constantly adapt tactics to avoid detection. Some phishing emails use legitimate compromised accounts, which makes them harder to detect. Can small businesses really be targeted? Yes. Many phishing campaigns are automated and target thousands of small businesses at once. Is Microsoft 365 or Google Workspace secure enough by default? Both platforms provide strong security foundations, but proper configuration, MFA, and monitoring are critical for full protection. What should we do if an employee clicks a phishing link? Immediately reset passwords, revoke sessions, review login history, and assess potential data exposure. How often should phishing training happen? At least annually, with periodic reminders and updates throughout the year. Strengthen Your Email Security Phishing emails don’t always look suspicious at first glance. If your business hasn’t reviewed email security or employee awareness in the past year, it may be time to take a closer look. 👉 Talk with our team about strengthening your email security.
Small business office setting for a Grand Rapids, Michigan business.
By Greg Johnson January 30, 2026
Learn how much IT services cost for small businesses in Grand Rapids, Michigan. We explain hourly rates, managed IT pricing, and what actually impacts cost.
Person in a suit drawing an upward-trending productivity graph on a chalkboard.
By Greg Johnson January 16, 2026
Is your technology helping your team or holding them back? Discover why "digital friction" is the biggest threat to Grand Rapids businesses in 2026.
Four people collaborating around a laptop in an office. They are looking at the screen, smiling.
By Greg Johnson January 2, 2026
A practical guide for small businesses across Grand Rapids and the West Michigan lakeshore
Woman at desk with laptop, notebook, and phone, looking stressed; glasses nearby.
By Greg Johnson December 19, 2025
Stop fixing tech only after it breaks. Use our 2026 IT Planning Guide to budget for upgrades, secure your data, and grow your West Michigan business.
By Greg Johnson December 5, 2025
Stay ahead of 2026 privacy laws with this compliance checklist for West Michigan businesses. Learn what’s new, what to avoid, and how to protect your data and reputation.
Show More