Here’s something that surprises most business owners when they stop to think about it: the company that runs your IT holds the keys to almost everything you own. Your email, your files, your backups, the admin accounts behind your Microsoft 365 tenant, often the passwords to your banking and finance systems. And yet anyone can set themselves up as an IT provider or “MSP” tomorrow morning — no licence, no exam, no minimum standards, no register, and no one to answer to if it all goes wrong.
We think that’s a problem. Not because we want more red tape — we run a small business too — but because the gap between how much trust clients place in their IT provider and how little accountability that provider actually carries has become impossible to ignore.
Every other trusted profession is regulated
Think about who else gets access to the sensitive, dangerous or business-critical parts of your life. Almost all of them are regulated, licensed or accredited:
- Financial advisers and mortgage brokers answer to the Financial Conduct Authority.
- Solicitors answer to the Solicitors Regulation Authority.
- Accountants belong to bodies like the ICAEW or ACCA with codes of conduct and disciplinary powers.
- Gas engineers must be on the Gas Safe Register. Electricians work to recognised competent-person schemes.
The logic is always the same: the work is important enough, and the harm from doing it badly severe enough, that society has decided you can’t just claim to be competent — you have to prove it, and keep proving it. Now ask yourself: is the company holding every password, every backup and every scrap of customer data your business owns really less critical than the person who services your boiler?
The stakes have quietly become enormous
A generation ago, “the computer guy” fixed a jammed printer and set up your email. Today your IT provider effectively runs the nervous system of your business. When they get it wrong — a misconfigured backup, a firewall left open, an admin account with no multi-factor authentication — the consequences aren’t a slow morning. They’re ransomware that locks you out of everything, a data breach that lands you with an ICO investigation, or weeks of downtime that some businesses simply never recover from.
The provider made the decisions that led to that. But in most cases there is no professional body to report them to, no register they can be struck off, and no minimum standard they were ever legally required to meet in the first place.
Anyone can call themselves an expert
This is the part that worries us most. The words “managed service provider,” “IT support” and “cyber security expert” are completely unprotected. Someone can watch a few videos, buy a logo, and start looking after other people’s businesses by the end of the week. There’s no way for a customer to tell, from the outside, whether they’re hiring a genuinely skilled team or someone well out of their depth — until something breaks and it’s far too late.
Certifications like Cyber Essentials and ISO 27001 do exist, and good providers hold them. But they’re entirely voluntary. There’s nothing stopping a provider with none of them from marketing themselves exactly like one that has invested years getting them right.
The problems regulation would help fix
A sensible, proportionate framework wouldn’t just tick a box. It would tackle real behaviours we see hurting businesses right now:
- Holding clients hostage. Too many providers keep the domain name, the Microsoft 365 tenant or the admin accounts locked inside their account rather than the client’s — so leaving becomes painful or impossible. (We wrote about this in protecting your domain name.) Regulation could make it a requirement that clients always own and can access their own systems.
- Silence after a breach. There’s often no obligation on a provider to tell a client promptly and honestly when something has gone wrong on their watch. Mandatory, timely breach transparency should be the baseline.
- Selling what pays best, not what fits. Without a code of conduct, there’s little to stop a provider recommending the products that earn them the biggest margin rather than the ones the client actually needs.
- No minimum security bar. Multi-factor authentication, tested backups, patching, sensible access controls — these should be table stakes, not optional extras that a cheaper provider quietly skips.
- No exit rights. Clear, enforceable rules on notice periods, data handover and offboarding would end the “we’ll release your data once you’ve paid” standoffs that still happen far too often.
What good regulation might look like
We’re not asking for something that only giant national firms could afford to comply with — that would simply wipe out the independent, local providers that many businesses value most. A workable model could include:
- A recognised register of accredited IT and security providers, so customers can check credentials the way they’d check a Gas Safe number.
- A baseline minimum security standard every provider must meet and be audited against.
- A clear code of conduct covering client ownership of systems, breach disclosure and conflicts of interest.
- Professional accountability — a body that can investigate serious failures and remove bad actors from the register.
- Appropriate insurance so clients aren’t left carrying the full cost when a provider’s mistake causes real damage.
The honest counter-argument
We should be fair: regulation isn’t a magic wand. Done badly, it becomes expensive box-ticking that a big firm absorbs easily and a two-person outfit can’t — pushing exactly the good, small providers out of the market while the cowboys carry on regardless. Any framework has to be proportionate, affordable for small firms, and focused on outcomes that genuinely protect customers rather than paperwork for its own sake. But “it could be done badly” is an argument for doing it carefully, not for leaving one of the most trusted roles in modern business entirely unregulated.
Where we stand
We’d welcome sensible regulation — and we’re not waiting for it to arrive. Snap IT is Cyber Essentials Plus certified, we build every client setup so that you own your domain, your tenant and your admin accounts, and we’ll always tell you plainly if something has gone wrong. We’re also going a step further: we’ve begun implementing our own Information Security Management System (ISMS), with a view to achieving ISO 27001 — the international standard for managing information security — so that the way we protect our clients’ data is independently audited and held to a formal, recognised benchmark. We already work as though someone were checking, because we think that’s simply how a business handling this much of your livelihood ought to behave.
The bottom line
Your IT provider has more access to your business than almost anyone else you deal with — and right now, in most cases, far less accountability than any of them. Until that changes, the responsibility falls on you to choose carefully: ask what certifications they hold, insist that you own your own systems, and check how honestly they behave when things go wrong. If you’d like a second opinion on whether your current provider measures up, we’re always happy to take a look.

