For small and medium businesses in South Africa, IT support is an essential dependency. When your systems go down, your business stops. When your data is compromised, the consequences — financial, reputational, and regulatory — can be severe. Yet most business owners do not have the technical knowledge to evaluate the quality of their IT provider's work, which creates conditions for a range of problematic practices: unnecessary complexity that creates lock-in, billing for work that was not done, security advice that serves the provider's product preferences rather than your actual risk, and slow response to critical outages.
The IT support industry in South Africa is largely unregulated at the individual practitioner level, though companies dealing with personal data are subject to POPIA obligations. This means your evaluation of an IT provider depends entirely on your ability to ask the right questions. These are the warning signs that indicate a provider who will cost you more than their monthly retainer suggests.
They Cannot Explain Their Service Level Agreement in Plain Terms
A Service Level Agreement (SLA) is the document that defines what you are actually paying for: response times for different categories of issue, what is and is not included in the monthly retainer, escalation procedures for critical failures, and what happens when the provider misses a commitment. An IT company that cannot produce a clear, written SLA — or whose SLA is so vague that it commits them to nothing specific — is not giving you a service. They are giving you a relationship that is entirely on their terms.
Before signing any IT support agreement, request the SLA in writing. Specifically check: the response time commitment for a server outage or business-critical failure (anything longer than 4 hours during business hours is inadequate for most small businesses), the response time for standard issues, whether after-hours support is included or billed additionally, and the process for escalation when the first-line technician cannot resolve the issue. An SLA that does not commit to specific timeframes is not an SLA — it is a marketing document.
They Create Unnecessary Technical Complexity
A pattern common to poor IT providers: systematically increasing the complexity of your infrastructure beyond what your business needs — additional servers, proprietary monitoring tools, custom configurations that only they understand — in ways that make it difficult and expensive to switch providers. This is called "technical lock-in" and it is a deliberate strategy to make the cost of leaving higher than the cost of tolerating poor service.
Good IT support simplifies where possible. Your infrastructure should be documented, understandable to you at a summary level, and portable — another provider should be able to take over without starting from scratch. Ask your provider for a network diagram and a plain-language summary of your infrastructure. Ask what would be involved in transitioning to a different provider. A provider who becomes defensive about these questions, or who says the transition would be "very complex," may be counting on that complexity as a retention mechanism rather than a genuine technical necessity.
They Bill by the Hour Without Proactive Monitoring
There are two broad models for small business IT support: break-fix (you call when something breaks, they come and fix it, you are billed by the hour) and managed services (a monthly retainer for proactive monitoring and maintenance). Break-fix billing creates a perverse incentive: the provider earns more when your systems fail more often. Managed services create the opposite incentive: the provider earns the same whether your systems need work or not, so they are financially motivated to keep things running smoothly.
An IT provider who only reacts to failures — rather than proactively monitoring server health, updating software, managing backups, and identifying problems before they become outages — is not providing IT management. They are providing an expensive repair service. For any business that depends on digital systems, proactive managed services with defined monthly deliverables are almost always better value than reactive break-fix billing, even if the monthly cost appears higher.
They Have Not Discussed Your Backup and Disaster Recovery Plan
In South Africa, where load shedding, power surges, and ransomware attacks are all documented risks, a backup and disaster recovery plan is not optional — it is the most important insurance a business can have for its data. An IT provider who has never discussed your backup strategy, who cannot tell you how frequently your data is backed up, where it is stored, and how long a restore would take, is not managing your risk adequately.
Ask your provider: what is our current backup frequency, where are backups stored (on-site and off-site?), when was the last backup restore tested, and how long would it take to recover from a complete server failure? These questions should produce specific, documented answers. If the response is vague — "we have backups in place, don't worry" — without specifics, your backup strategy may be theoretical rather than tested. Untested backups are not backups; they are the illusion of a safety net.
They Cannot Explain Your Cyber Security Posture
POPIA (the Protection of Personal Information Act) creates legal obligations for South African businesses around data protection. A data breach — through ransomware, phishing, or inadequate access controls — can trigger reporting obligations to the Information Regulator and potential liability to affected individuals. Your IT provider should be advising you on your cyber security posture, not just keeping your printers connected.
Ask your provider: what email security filtering is in place, are staff endpoints protected by managed endpoint security, is multi-factor authentication enabled on email and cloud accounts, and what is the process if a staff member clicks a phishing link? If the provider cannot answer these questions, or if the answer to any of them is "no" without a plan to address it, your business is carrying cyber risk that could have serious financial and legal consequences.
They Resist Providing Documentation of Your Own Systems
Your IT infrastructure documentation — network diagrams, server configurations, software licences, backup schedules, password management records — belongs to your business, not to your IT provider. A provider who maintains all documentation internally and does not share it with you is creating dependency by information asymmetry. If they ever become unavailable — through business closure, a dispute, or simply poor availability — you are left unable to manage or transition your own systems.
Request quarterly reports that include a summary of your infrastructure, recent work completed, and upcoming maintenance items. Insist that all passwords and access credentials are stored in a system accessible to at least one person in your business, not only on the provider's systems. A professional IT provider will welcome this documentation culture. One who resists it is protecting their position at your expense.
Quick Checklist Before You Sign
- Received a written SLA with specific response time commitments for critical and standard issues
- Asked what your infrastructure would look like from another provider's perspective — is it documented and portable?
- Confirmed the service model: proactive managed services with monthly deliverables, not just break-fix billing
- Asked for the backup frequency, off-site storage location, and date of last restore test
- Confirmed email security filtering, endpoint protection, and MFA are in place or planned
- Insisted on access to your own credentials and documentation — not just the provider's internal records
- Asked how long transition to a new provider would take and what it would involve
- Read reviews from other small business owners about response reliability and transparency
Reviews from business owners about how their IT provider handled a critical outage are the most revealing signal of real-world performance. KiesSlim lists IT support companies across South Africa with verified business reviews — check what others have experienced before you hand over the keys to your systems.