Jump to role

• Service Desk / L1 Support
• L2 / Senior Support
• Senior Engineer / Team Lead
• Architect / Consultant
• Management / Sales Engineering
• Universal Red Flags

Why this exists

MSP interviews are different from corporate IT interviews. They test for billability, flexibility, and tolerance for chaos — things they'd never admit in the job ad.

This guide collects the questions you'll actually hear, what they're really asking, and what the answer tells you about whether you want to work there.

Service Desk / L1 Support ($50K–$70K)

The questions

"How do you handle a user who's frustrated and shouting at you?" - What they're really asking: Can you absorb abuse without escalating? - Green flag: "I stay calm, acknowledge their frustration, and focus on solving the problem." - Red flag: "I'd tell them to calm down or escalate to my manager." (They want autonomous ticket handlers.)

"What's your experience with RMM tools?" - What they're really asking: Have you used ConnectWise, Datto, Ninja, or are we training from zero? - Green flag: Specific tool names + what you liked/didn't. - Red flag: "I'm a quick learner" (translation: no experience, they'll train you cheap).

"How do you prioritise when you have 10 tickets and one user is the CEO's assistant?" - What they're really asking: Can you handle the office politics of MSP work? - Green flag: "I follow the SLA matrix but communicate clearly about expectations." - Red flag: "Whoever shouts loudest gets help first" (they're telling you how it really works).

"Are you comfortable with after-hours work?" - What they're really asking: How much unpaid overtime can we expect? - Ask back: "Is after-hours work paid, TOIL, or expected as part of salary?" - If they're vague, that's a red flag.

"How many tickets do you think you can close per day?" - What they're really asking: Can you hit our utilisation targets? - Green flag: Ask what their average is first. A reasonable target is 8-12/day. - Red flag: "30+" means they're churning and burning.

What to watch for

• Do they mention "ownership" or "growth opportunity" a lot? Usually code for "understaffed."
• Ask about average tenure of the last 3 people in this role.
• If the interview is 15 minutes, they're hiring a body, not a person.

L2 / Senior Support ($70K–$95K)

The questions

"Walk me through how you'd troubleshoot a user who can't connect to the VPN." - What they're really asking: Do you have a methodical process or do you just reboot things? - Green flag: Structured approach — check client config, auth logs, network path, then escalate. - Red flag: "I'd reinstall the VPN client" (treating symptoms, not causes).

"Tell me about a time you automated something and it backfired." - What they're really asking: Do you actually automate, and can you own mistakes? - Green flag: Specific example, what went wrong, how you fixed it, what you learned. - Red flag: "I don't really do automation" or "It never backfires."

"How do you handle a client who insists on a solution that's technically wrong?" - What they're really asking: Can you manage client expectations without burning the relationship? - Green flag: "I explain the risks clearly, document the decision, and offer alternatives." - Red flag: "I just do what they want" or "I refuse and escalate."

"What's your experience with PowerShell or scripting?" - What they're really asking: Can you reduce ticket volume through automation? - Green flag: Specific scripts or tools you've built, even simple ones. - Red flag: "I've run a few scripts" (read: can't write any).

"Describe your ideal ticket load." - What they're really asking: Do you understand the MSP throughput game? - Ask back: "What's the average tickets per engineer per day here?" - If they can't answer, they haven't measured it — meaning it's probably too high.

Senior Engineer / Team Lead ($95K–$130K)

The questions

"How do you keep up with emerging tech while managing BAU workload?" - What they're really asking: We won't give you training time. Can you self-study on weekends? - Green flag: "I block 2-4 hours per week for learning, and I expect my employer to support that." - Red flag: "I study in my own time" (they'll expect this forever).

"Tell me about a project you delivered under budget and ahead of schedule." - What they're really asking: Can you squeeze more value out of thin margins? - Watch for: If they keep circling back to "how did you save money" — margins are tight and they care more about profit than delivery.

"How do you handle a junior engineer who keeps making the same mistakes?" - What they're really asking: Can you manage people or will you just do the work yourself? - Green flag: Structured mentoring — documented process, review, feedback loop. - Red flag: "I'd take over the tickets myself" (they'll pile all work on you).

"What's your disaster recovery experience?" - What they're really asking: Have you actually done DR or just read about it? - Green flag: "I've tested and documented DR plans for X clients." - Red flag: "I understand the theory" (paper DR is useless).

"How do you bill your time?" - What they're really asking: Are you hitting 80%+ utilisation? - Ask: "What's the minimum utilisation target here?" - If it's >85%, they're optimising for billing, not for quality.

Architect / Consultant ($120K–$160K)

The questions

"Design a solution for a 200-user org migrating from on-prem to M365." - What they're really asking: Can you produce billable architecture without supervision? - Green flag: Structured approach — discovery, pilot, migration phases, rollback plan. - Red flag: Missing licensing costs, user training, or support transition.

"How do you handle a client who wants a solution that doesn't scale?" - What they're really asking: Can you sell the right solution or will you just give them what they want? - Green flag: "I explain the cost of rework in 12 months. Sometimes they still choose the short-term option, and I document that."

"Tell me about a time you disagreed with a technical decision from above." - What they're really asking: Will you be a yes-person or do you have backbone? - Green flag: Specific disagreement, how you presented evidence, outcome. - Red flag: "I always follow direction" (lying) or "I went over their head" (can't manage up).

"What certifications do you hold and which ones are you working towards?" - What they're really asking: Are you self-investing or waiting for them to pay? - Ask: "What's the training budget and do you support certification time?" - If they don't answer clearly, you'll be funding your own certs.

Management / Sales Engineering ($130K–$180K+)

The questions

"How do you balance engineering quality with commercial reality?" - What they're really asking: Can you deliver cheap solutions profitably? - Green flag: "I scope properly, document trade-offs, and make sure the client understands what they're paying for." - Red flag: "We do what it takes to win the deal" (you'll be selling garbage).

"What's your approach to team utilisation targets?" - What they're really asking: How hard will you push the engineers? - Green flag: "Targets are a guide. I look at quality, retention, and client satisfaction too." - Red flag: "Everyone should be at 90% or we're not profitable enough."

"Describe your experience with profit and loss management." - What they're really asking: Can you run a contract profitably? - Watch for: If they ask this for a non-P&L role, they're testing if you think like an owner (meaning: you'll be expected to care about margins more than your team).

Universal Red Flags — Any Role

These aren't questions — they're things to notice during the interview process itself.

Before you accept

Ask these three questions in your final interview:

1. "What does success look like in the first 90 days?" — If they can't articulate it, there's no structure.
2. "Can I speak with someone who's been in this role for 6-12 months?" — If no, they're hiding churn.
3. "What's one thing you wish you'd known before joining?" — Honest answers reveal the real culture.

See also: Contract Red Flag Scanner, MSP Salary Calculator, MSP Exit Navigator

Minimal by design. The MSP Playbook is primarily a static site. We don't have user accounts, comments, or login systems.

Information You Voluntarily Provide

• Email address — if you subscribe to our newsletter via Buttondown. We only use this to send you the newsletter. We never share, sell, or rent it.
• Anonymous MSP reviews — if you submit a review via our form. These are published without any identifying information.

Automatically Collected

• Aggregated page views — via Google Analytics 4 (GA4). We can see which pages are popular, but we cannot identify individual visitors. GA4 anonymizes IP addresses by default.
• Search queries — our client-side search runs entirely in your browser. No search data is sent to any server.

What We Don't Collect

• No cookies for tracking or advertising
• No user accounts or profiles
• No IP logging (GA4 is configured to anonymize)
• No third-party tracking scripts (except GA4)
• No fingerprinting or device identification

Newsletter Data

Newsletter subscriptions are managed through Buttondown, a privacy-respecting email platform. When you subscribe:

• Your email is stored securely on Buttondown's infrastructure
• You can unsubscribe at any time via the link in every email
• We never access your email for any purpose other than sending the newsletter
• We do not build profiles, segment by behaviour, or track your reading habits

Third-Party Links

The MSP Playbook contains links to external sites (Glassdoor, Fair Work Ombudsman, company websites, news articles). We are not responsible for their privacy practices.

Your Rights

Under the Australian Privacy Act 1988 (Cth) and the GDPR (if you're in the EU):

• Right to access — ask us what data we hold about you
• Right to deletion — ask us to delete your data
• Right to unsubscribe — every newsletter email has an unsubscribe link

To exercise these rights, email hello@mspplaybook.reviews.

Changes

If this policy changes materially, we'll note it in our changelog.

Last updated: June 2026.

If you work in IT for an Australian MSP, your minimum wages and conditions are almost certainly set by the Professional Employees Award 2020 (MA000065).

It's the award that covers employees in the information technology industry — which includes computer system design, software development, IT consulting, managed services, and related services.

Many MSP workers have never heard of it. Many MSP owners hope you never do.

Does This Award Cover You?

The Professional Employees Award covers:

1. Employers principally engaged in the information technology industry
2. Their employees who are covered by the classifications in Schedule A of the award

The "information technology industry" includes: - Computer system design and related services - IT consulting services - Managed services (this means most MSPs) - Software development and publishing - Telecommunications services - Data processing and web hosting - Computer maintenance and repair

Who Is Excluded?

• Managers who truly meet the managerial exclusion (genuine management of a business unit with hiring/firing authority — not just "service desk manager" as a title)
• Senior executives earning above the high-income threshold ($175,000+ as of 2026)
• Some independent contractors (though many are misclassified — see Sham Contracting
• Clerical employees doing purely administrative work (covered by the Clerks Award instead)

If you're an IT professional working at an MSP and your salary is under ~$175,000, chances are very high you're covered by this award.

Classification Levels: What You Should Be Paid

The award has five classification levels for IT professionals. Here's what each level means:

Level 1 — Entry Level (~$1,078/week)

• Minimal experience or just starting in IT
• Works under close supervision and direction
• Tasks are routine and clearly defined
• Limited decision-making responsibility
• Examples: L1 helpdesk trainee, junior IT support

Level 2 — Intermediate (~$1,225/week)

• Some experience and developing skills
• Works under general supervision but with some autonomy
• Applies established procedures to routine problems
• Examples: L1 helpdesk (experienced), junior network technician, desktop support

Level 3 — Experienced Professional (~$1,400/week)

• Sound knowledge in their area
• Works under general direction with significant autonomy
• Exercises independent judgment in solving problems
• May supervise or mentor junior staff
• Examples: L2 engineer, systems administrator, network engineer (mid-level)

Level 4 — Senior Professional (~$1,600/week)

• Highly developed knowledge and skills
• Broad autonomy with minimal direction
• Responsible for complex problem-solving and design
• May manage projects or significant technical areas
• Examples: Senior engineer, solutions architect, technical lead, project manager (technical)

Level 5 — Lead Professional (~$1,800+/week)

• Advanced knowledge including strategic understanding
• Self-directed with responsibility for outcomes
• Provides technical leadership and strategic advice
• May manage teams or significant client relationships
• Examples: Principal engineer, practice lead, senior architect, technical director

Note: The figures above are approximate minimum weekly rates under the award. Exact rates change annually (typically July 1). The rates above reflect the award as of mid-2025. Check the Fair Work Ombudsman website for current rates.

The "Annual Salary Arrangement" Trap

Most MSPs pay an annual salary rather than an hourly wage. This is legal — but only if your salary covers all award entitlements.

How It Works

Your contract might say: "Your annual salary of $85,000 includes all award entitlements including overtime, penalty rates, and allowances."

This is called an annual salary arrangement (ASA) or loaded rate. It's valid if:

1. The salary genuinely compensates for all award entitlements
2. The salary is above the award minimum (including all penalties and overtime you actually work)
3. The arrangement is documented in your contract

The Problem

Many MSP workers on $70,000-90,000 are working 45-55 hour weeks with regular on-call and after-hours work. When you calculate what the award actually requires:

If you're being paid $80,000 but working 50-hour weeks with on-call, you're being underpaid. The "annual salary arrangement" doesn't protect the employer if the salary isn't high enough to cover actual entitlements.

Overtime, Penalties, and Allowances

Overtime

The award requires:

• Time and a half for the first 3 hours overtime
• Double time after that
• Double time for Sunday work
• 2.5x for public holidays

Shift Penalties

• Afternoon shift (12 PM - 8 PM): 15% loading
• Night shift (8 PM - 6 AM): 30% loading
• Rotating shifts: Additional allowances

On-Call Allowance

If your MSP requires you to be available after hours, you're entitled to an on-call allowance. The amount depends on the level of availability required.

Travel Allowances

If you're travelling between client sites and your MSP doesn't provide a company vehicle, you may be entitled to travel allowances or reimbursement.

Common Award Violations in MSPs

1. "Your salary covers everything" (but the salary is too low)

This is the most common violation. The annual salary arrangement only works if the salary genuinely covers all award entitlements. If you're doing regular overtime, on-call, or weekend work, your salary needs to be high enough to cover those entitlements.

What to check: Divide your annual salary by your actual hours worked. If it's less than the award hourly rate plus loadings, you're being underpaid.

2. Wrong classification level

Some MSPs classify experienced engineers as Level 1 or 2 to pay less. The classification should reflect your actual duties, not whatever pays the MSP the least.

What to check: Compare your actual duties against the classification descriptions above. If you're doing Level 3 work but being paid at Level 1, that's an underpayment.

3. No overtime for scheduled after-hours work

If you're rostered for maintenance windows or on-call, that time must be counted. Some MSPs try to claim after-hours work is "built into your salary" while also requiring excessive hours.

4. Unpaid travel time

Travel between client sites during the work day is work time. Some MSPs don't pay for travel between sites.

What to Do If You Think You're Underpaid

Step 1: Calculate What You Should Be Getting

Use the award rates (check Fair Work Ombudsman for current rates) and calculate what you should be paid based on: - Your actual classification level - Your actual hours worked - Any overtime, penalties, on-call - Any allowances

Step 2: Compare to Your Actual Pay

If there's a gap, calculate the underpayment amount.

Step 3: Check Your Contract

Does it reference the Professional Employees Award? Does it have an annual salary arrangement clause?

Step 4: Raise It

Some MSPs genuinely don't realise they're underpaying. A polite but informed conversation can sometimes resolve it.

Step 5: Fair Work Ombudsman

If your MSP won't fix it, contact the FWO on 13 13 94. They can investigate and recover unpaid wages.

Step 6: Legal Advice

If the amounts are significant, an employment lawyer can advise on your options.

Key Takeaways

1. The Professional Employees Award covers most MSP workers in Australia
2. There are 5 classification levels — make sure you're classified correctly
3. Annual salary arrangements are common but often underpay — especially for high-hours MSP roles
4. Overtime, on-call, and penalties add up fast — if your salary doesn't cover them, you're being underpaid
5. The award is enforceable — you can recover underpayments going back up to 6 years

This article provides general information about the Professional Employees Award 2020 (MA000065) as at June 2026. Award rates and conditions change annually. Check the Fair Work Ombudsman website for current rates. This does not constitute legal advice.

Related: Fair Work and MSPs | Wage Theft in IT | Sham Contracting in IT | MSP Salary Guide 2026 | Salary Calculator

In March 2026, the Fair Work Ombudsman and Australian Taxation Office jointly announced a major sham contracting operational intervention targeting the IT industry.

They're not messing around.

The FWO identified sham contracting as a priority area specifically because of the widespread misclassification of IT workers — including those in the MSP sector. Their preliminary findings showed that a significant portion of workers classified as "contractors" were legally employees.

For MSPs, the contractor model is deeply embedded. Many MSPs operate with 30-60% of their technical workforce classified as contractors. Some are legitimate. Many are not.

Why MSPs Love the Contractor Model

Let's be honest about why contractors are so common in MSPs:

For the MSP: - No payroll tax (saving 4.75-6.85% depending on state) - No superannuation guarantee (saving 11.5%) - No annual leave (saving 8% of salary) - No sick leave (saving 6% of salary) - No workers comp insurance (saving 2-5%) - No notice period or redundancy pay - Easier to "restructure" (fire without Fair Work protections) - Clients billed out at 2-3x the contractor rate

For the worker: - Higher hourly rate (usually 15-30% above employee rate) - More flexibility (in theory) - Ability to claim deductions (though this is often oversold)

But here's the thing: most MSP "contractors" are employees under the law.

The Multi-Factor Test: Are You Really a Contractor?

Courts and the ATO use a multi-factor test to determine whether someone is genuinely a contractor. No single factor is decisive — it's the total picture.

Indicators You're Actually an Employee

The Red Flags Every MSP Contractor Should Know

🚩 You work exclusively for one MSP. If you have one "client" and that client is your MSP, that's a strong indicator of employment. Genuine contractors have multiple clients.

🚩 You use MSP equipment. If they give you a laptop, phone, tools, VPN access — these are hallmarks of employment. Contractors use their own tools.

🚩 You have set hours. If you're expected to be available 9-5 (or 7-7, which is common in MSPs), you look like an employee. Contractors control their own schedule.

🚩 You attend team meetings. Stand-ups, all-hands, planning sessions — these are employee activities. Contractors don't attend internal team meetings.

🚩 You can't subcontract. If your contract says you can't send someone else to do the work, that's employment. Genuine contractors can delegate.

🚩 You're paid hourly with no invoicing. If you submit timesheets but get paid a regular amount without issuing invoices with GST, that's disguised employment.

🚩 You're on their roster. If you're on a 24/7 roster or shift schedule, you're an employee.

🚩 You're called a "team member" or "engineer." If your MSP refers to you internally as part of the team, that's evidence of integration — and integration suggests employment.

The Cost of Getting This Wrong

For the MSP

The penalties for sham contracting are severe:

• Fair Work Act penalties: Up to $18,780 per breach for individuals, $93,900 per breach for companies
• Back-pay of entitlements: Annual leave, sick leave, public holidays, notice period, redundancy
• Superannuation guarantee charge: Unpaid super from the entire period, plus the SG charge (which is higher than the SG rate) plus administrative penalties
• PAYG withholding: The ATO can assess unpaid PAYG withholding from the entire period
• Payroll tax: State revenue offices can back-tax unpaid payroll tax
• Workers comp premiums: Unpaid premiums going back years
• Legal costs: Defending a sham contracting claim can cost $50,000-150,000

For the Worker

If you're misclassified:

• You miss out on: Super (11.5% of your pay), annual leave (4 weeks), sick leave (10 days), public holidays, long service leave, notice period, redundancy, workers comp
• You pay more tax: Employees have PAYG withheld; contractors pay their own tax quarterly
• You have no job security: You can be terminated (sorry, "contract ended") with no notice
• You may owe tax: If you've been calling yourself a contractor but are really an employee, the ATO may assess you as an employee — and you might owe additional tax

The good news: If you've been misclassified, you can claim unpaid entitlements going back up to 6 years.

Common MSP Contractor Arrangements — Legitimate or Not?

Labour Hire Arrangement

You're employed by a labour hire company but working at an MSP. This can be legitimate if the labour hire company pays your super, leave, and other entitlements. It's sham contracting if the labour hire company is a shell that your MSP set up to avoid obligations.

"ABN Contractor" Working Full-Time at One MSP

This is the most common sham contracting scenario. You have an ABN, invoice weekly, but work 38+ hours exclusively for one MSP, use their equipment, and attend their team meetings. This is almost certainly an employment relationship.

Genuine Subcontractor (Multiple Clients)

You have an ABN, work for 3-5 MSPs on specific projects, set your own schedule, use your own equipment, and can send someone else. This is legitimate contracting.

Fixed-Term Project Contract

You're engaged on a 3-month contract for a specific project (e.g., M365 migration). You work set hours but the engagement has a defined end. This is a grey area. If you're under their control during the project, you may be an employee for that period.

What to Do If You Suspect Sham Contracting

Step 1: Gather Evidence

• Your contract (read it carefully)
• Evidence of control (schedules, rosters, instructions)
• Equipment provided (laptop, phone, etc.)
• Exclusivity (you only work for them)
• Integration (email signature, business cards, "team" references)

Step 2: Do the ATO Employee/Contractor Decision Tool

The ATO has an online tool that can help determine your status: ato.gov.au/employee-or-contractor

Step 3: Contact Fair Work Ombudsman

Call 13 13 94 or visit fairwork.gov.au. You can make an anonymous tip-off.

Step 4: ATO Tip-Off

The ATO actively encourages tip-offs about sham contracting. You can report online at ato.gov.au/tip-off.

Step 5: Seek Legal Advice

Employment lawyers can advise on your specific situation. Many offer free initial consultations.

The Bottom Line

If you're an MSP worker with an ABN who: - Works exclusively for one MSP - Uses their equipment - Has set hours - Can't delegate work - Attends team meetings - Is treated like an employee but paid like a contractor

You're almost certainly being sham contracted.

You're missing out on super, leave, and protections. And your MSP is saving 15-25% of your real cost by breaking the law.

The ATO and Fair Work are actively targeting this. It's only a matter of time before they come for the MSP industry.

This article provides general information only. For specific circumstances, consult an employment lawyer or contact the Fair Work Ombudsman.

Related: IT Contractor Rights Through MSPs | Fair Work and MSPs | Right to Disconnect | Professional Employees Award Guide

Since 26 August 2024, Australian employees in non-small businesses have had the legal right to refuse work-related contact outside working hours. From 26 August 2025, that right extended to every employee in the country, including those at small businesses.

No industry is more affected than MSPs.

Managed services runs on after-hours work. Maintenance windows. Weekend patching. On-call rotations. "Just quickly check" emails that arrive at 9 PM. Slack messages about a client's printer that somehow became urgent at 10:30 on a Saturday night.

This article is your practical guide to what the right to disconnect actually means for MSP technicians, engineers, and account managers — and what your employer can and can't demand.

How the Right to Disconnect Works

The right to disconnect is part of the Fair Work Act. It gives employees the right to refuse to monitor, read, or respond to work-related communications outside their working hours, unless that refusal is unreasonable.

The law does not ban employers from contacting you after hours. It gives you the right to say no.

It Applies To

• Employees of all business sizes (small businesses since August 2025)
• All forms of contact: phone, email, messaging apps (Teams, Slack, WhatsApp), SMS
• All contexts: after hours, meal breaks, annual leave, sick leave, personal leave
• On-call arrangements where you're genuinely available (but you can refuse contact outside your agreed on-call hours)

It Does Not Apply To

• Independent contractors (though this is a grey area — see our Sham Contracting guide)
• Genuine emergencies where you're the only person who can resolve a critical issue
• Contact that's part of your agreed duties (e.g., scheduled maintenance windows you've accepted)

What This Means for MSP Workers

1. The "Quick Question" Culture Is Now Legally Questionable

Every MSP worker knows the pattern:

"Hey, sorry to bother you after hours — quick question about the Acme Corp firewall rules..." "Can you just check that backup job?" "Client XYZ is complaining about slow internet, can you log in and take a look?"

These aren't emergencies. They're convenience for managers and clients. And you now have a legal right to ignore them.

What you can say: "I'm not available after hours. Please log a ticket and I'll action it first thing tomorrow."

What they can't do: Penalise you, write you up, or hold it against your performance review.

2. On-Call Must Be Compensated (and Clearly Defined)

If your MSP requires you to be on call, the arrangement needs to be:

• In your employment contract (not implied or "everyone does it")
• Compensated — either through an on-call allowance, overtime pay, or clearly factored into your above-award salary
• Clearly defined — what hours, what responsibilities, what escalation process

If your MSP expects you to be available after hours but doesn't pay you for it, you have strong grounds to refuse contact under the right to disconnect.

3. Maintenance Windows and Scheduled After-Hours Work

Scheduled after-hours work that you've agreed to (e.g., "we run patching every Saturday 2-4 AM, you're rostered once a month") is not covered by the right to disconnect — it's part of your agreed duties.

However: - It must be in your contract or rostered in advance - You must be compensated (overtime, TOIL, or factored into salary) - Unreasonable rostering (e.g., every weekend, no notice) can be challenged

4. MSP Managers Are Also Protected

If you're a team lead or service desk manager, you're still an employee. Your boss can't contact you about operational issues at 11 PM and expect a response.

The "Emergency" Exception (and How MSPs Abuse It)

The right to disconnect includes an exception for genuine emergencies. If there's a critical security incident, a major outage affecting multiple clients, or a disaster scenario — it's reasonable to contact you.

But MSPs love to classify routine issues as emergencies:

The test: Would a reasonable person consider this an emergency? If the issue can wait until business hours without causing serious harm, it's not an emergency.

What to Do If Your MSP Violates Your Right to Disconnect

The right to disconnect is enforceable. If your employer takes adverse action against you for refusing after-hours contact, you may have a claim:

1. Document everything. Save emails, take screenshots of messages, record dates and times of contact.
2. Check your contract. Does it mention after-hours work, on-call, or out-of-hours contact?
3. Raise it internally. Some MSPs genuinely don't realise they're overstepping.
4. Contact Fair Work Ombudsman. They can investigate and mediate.
5. General protections claim. If your employer penalises you, you may have a claim under the Fair Work Act for adverse action.

Key Contacts

• Fair Work Ombudsman: 13 13 94
• Fair Work Commission: 1300 799 668
• Your union (if you're a member of Professionals Australia, ASU, or similar)

Practical Scenarios for MSP Workers

Scenario 1: The 9 PM Slack Message

Your manager: "Hey, can you check the backup status for Client ABC? Client flagged an issue."

Your response: "I'm not available after hours. I'll check it first thing tomorrow and update the ticket."

Legal reality: This is textbook right to disconnect. Unless there's evidence backups actually failed and data is at risk, this is a routine query that can wait.

Scenario 2: The Saturday Morning "Urgent"

Your manager texts at 8 AM Saturday: "Client XYZ's server is down. Need you to log in and check."

Your response: If you're not on call or rostered, you can refuse. If it's a genuine outage affecting operations, it's reasonable to respond — but you should be compensated for the time.

Scenario 3: The "Everyone Answers" Culture

Your MSP says: "We don't have a formal on-call policy, but everyone chips in after hours when needed. It's part of the culture."

Your response: Culture is not a contract. Without a formal arrangement and compensation, you're not obligated to be available.

Scenario 4: Annual Leave Emergency

You're on leave and get called about a client issue.

Your response: You have the strongest possible protection here. Contact during approved leave is almost never reasonable unless you're literally the only person who can resolve a critical security incident.

What Smart MSPs Are Doing (vs What Bad Ones Do)

The Bottom Line

The right to disconnect is one of the most significant employment law changes in recent Australian history, and it directly targets the MSP industry's worst habits.

If you're an MSP employee:

• You can legally ignore non-urgent after-hours contact
• Your employer cannot penalise you for exercising this right
• On-call must be formalised and compensated
• "Culture" is not a legal justification for unpaid availability

If you're an MSP owner:

• Formalise your on-call arrangements
• Ensure after-hours work is compensated
• Build proper escalation and alerting systems
• Stop relying on "everyone chips in" — it's now legally risky

This article provides general information based on the Fair Work Act 2009 (Cth) as at June 2026. It does not constitute legal advice. For specific circumstances, consult an employment lawyer or the Fair Work Ombudsman.

Related: Fair Work and MSPs: Your Rights | Sham Contracting in IT | MSP Employee vs Contractor

Wage theft in the IT industry — and specifically in MSPs — is not a matter of a few bad apples. It's structural.

The business model of managed services creates built-in pressure on wages:

• Fixed-price contracts mean every hour you work beyond the estimate is a cost, not revenue
• "All-you-can-eat" service models create unlimited demand on limited staff
• After-hours work is baked into the model (maintenance windows, patching, on-call)
• Competition drives MSPs to cut costs, and labour is their biggest cost
• Billable hour targets create incentives to work longer without recording those hours

The result: a significant portion of MSP workers are being paid less than the law requires.

This isn't an accident. It's by design.

The 5 Most Common Ways MSPs Underpay Their Workers

1. The "Annual Salary Trap"

How it works: Your contract states your salary of $80,000-95,000 "includes all award entitlements." You work 45-55 hours a week with regular on-call. At award rates including overtime penalties, your actual entitlement is $95,000-120,000.

Why it works: Most employees don't track their hours or understand award rates. They see a salary of $85,000 and think it's fair.

How to check: Track your actual hours for 4 weeks. Calculate what the award requires (see Professional Employees Award Guide). Compare.

2. Off-the-Clock Work

How it works: You check emails at 9 PM, answer Slack messages on weekends, take a "quick call" about a client issue, do 30 minutes of documentation after your shift. None of it goes on your timesheet.

How much it adds up: 30 minutes a day = 2.5 hours a week = 120 hours a year. At time-and-a-half that's $5,000-8,000 in unpaid overtime per year.

The reality: In most MSPs, off-the-clock work is normalised. "Just check this one thing" is the most expensive phrase in the industry.

3. Wrong Award Classification

How it works: You're doing Level 3/4 work but classified as Level 1 or 2. The difference between Level 1 and Level 3 minimum rates is ~$300/week or ~$15,000/year.

Who it affects most: Junior-to-mid engineers who've been promoted in responsibility but not in classification. You're doing senior work at junior pay.

4. Unpaid On-Call and After-Hours

How it works: You're on the on-call roster but receive no allowance. Or you're told "we don't have a formal on-call policy" but get called 3-4 times a week.

The award requires: On-call allowance of approximately $30-50 per day or $200-350 per week depending on the level of availability. Plus actual time worked at overtime rates.

What happens instead: Zero. Nothing. "It's part of the role."

5. Unpaid Travel Time

How it works: You travel between client sites (say 30-60 minutes each way, 2-3 times a week). Your MSP doesn't count this as work time.

How much: 2 hours/week travel time × 48 weeks = 96 hours a year. At ordinary rates that's ~$4,000-5,000 additional unpaid work per year.

The law: Travel between work sites during the work day is work time. Only travel from home to your first site and last site to home can be excluded.

The Real Numbers: What MSPs Actually Cost vs What They Pay

Here's the dirty secret of the MSP industry:

Source: Industry analysis of Australian MSP billing rates vs salary costs. Worker rates inclusive of super and overheads.

The margins are enormous — and they rely on not paying you for all the hours you actually work.

If your MSP genuinely paid award rates for actual hours worked — including overtime, on-call, travel, and off-the-clock work — their margins would roughly halve.

How to Calculate If You're Being Underpaid

Step 1: Determine Your Classification

Use our Professional Employees Award Guide to identify your correct classification level.

Step 2: Track Actual Hours for 4 Weeks

Record: - Start and end time each day - Lunch breaks (actual, not scheduled) - After-hours calls and emails - Weekend work - On-call time - Travel time between sites - Any work-related communication outside hours

Step 3: Calculate Award Entitlements

For each week: - Ordinary hours (38) × award rate - Overtime hours × 1.5 or 2.0 award rate - On-call allowance (if applicable) - Travel time (if not counted in hours) - Weekend penalties - Shift loadings

Step 4: Compare to Your Actual Pay

Divide your weekly salary by actual hours worked to get your effective hourly rate. Compare this to the award rate for your classification.

Step 5: Calculate the Gap

Multiply the shortfall by the weeks you've worked. If this has been going on for years, the amount can be substantial.

Case Study: "Dave the L2 Engineer"

Dave works at a mid-sized MSP in Sydney. He earns $85,000 as an annual salary.

His actual week: - Mon-Fri: 8 AM - 5:30 PM (47.5 hrs, 9.5 hrs unpaid overtime) - 1 night/week on call (7 PM - 7 AM, Thursday) - Weekend rotation: 1 in 4 (2 hours actual work each weekend, plus availability) - Travel to client sites: 3 hours/week - After-hours emails/Teams: 30 mins/day average

His actual hours: ~55 hours/week average
Award entitlement for Level 3 (correct classification): ~$108,000
His salary: $85,000
Annual underpayment: ~$23,000 plus ~$2,600 super

Over 3 years: ~$77,000 plus interest.

This is not hypothetical. This is the standard MSP experience.

The Wage Theft Timeline: What's Happening Now

The trajectory is clear. The regulations are tightening, enforcement is increasing, and the MSP industry's labour practices are coming under scrutiny.

What to Do Next

If You Think You're Underpaid

1. Track your hours — 2-4 weeks of solid data is powerful evidence
2. Read your contract — does it reference an award? Does it have an annual salary arrangement clause?
3. Calculate the gap — use the award rates for your classification
4. Speak to an employment lawyer — many offer free initial consultations
5. Contact Fair Work Ombudsman — 13 13 94 or fairwork.gov.au
6. You can claim back-pay for up to 6 years

If You're an MSP Owner Reading This

The liability you're carrying by underpaying staff is enormous. Back-pay claims for 5-10 employees going back 6 years can easily exceed $500,000 — plus legal costs, penalties, and reputational damage.

A wage audit now is cheaper than a Fair Court claim later.

This article provides general information only. For specific circumstances, consult an employment lawyer or the Fair Work Ombudsman.

Related: Professional Employees Award Guide | Sham Contracting in IT | Right to Disconnect | MSP Salary Calculator | Fair Work and MSPs

The MSP Playbook provides information, analysis, and tools for Australian IT professionals navigating the managed services industry. All content is provided for general informational purposes only.

Not Legal Advice

Nothing on this site constitutes legal advice. Employment law, contract law, and Fair Work matters are complex and fact-specific. If you need legal advice, consult a qualified Australian employment lawyer.

Not Financial Advice

Salary data, pricing comparisons, and financial analysis on this site are based on publicly available data and crowd-sourced information. They are estimates and should not be relied upon as financial advice.

Accuracy

We strive for accuracy but make no guarantees. Data sources include Glassdoor, SEEK, company filings, and user-submitted reviews. Some data may be outdated or incomplete. We encourage readers to verify independently.

User-Generated Content

Anonymous MSP reviews are submitted by users. We moderate for spam and abuse but do not independently verify the accuracy of claims made in reviews. Reviews reflect the opinions of the submitter, not The MSP Playbook.

Intellectual Property

• Site content (articles, guides, analysis) is copyright The MSP Playbook.
• Tools and calculators are free to use but may not be reproduced or embedded elsewhere without permission.
• MSP profile data is compiled from public sources and may be used with attribution.

Acceptable Use

You agree not to: - Use the site for any unlawful purpose - Submit false, misleading, or defamatory reviews - Scrape or bulk-extract content without permission - Attempt to circumvent any security measures

Third-Party Content

The site links to external resources. We are not responsible for the content or practices of these third parties.

Modifications

We reserve the right to update these terms at any time. Changes will be noted in our changelog.

Contact

For questions about these terms: hello@mspplaybook.reviews

Last updated: June 2026.

Your firewall is patched. Your antivirus is updated. Your email filtering catches 99% of malicious messages. Then an employee clicks a link in a convincing phishing email and hands over their credentials.

The scenario plays out across Australian businesses every day. Despite billions invested in cybersecurity technology, human error remains the leading cause of security incidents. The solution is not more technology. It is better-trained people.

Cybersecurity awareness training is one of the most cost-effective security investments you can make. But doing it poorly — a once-a-year compliance exercise that nobody pays attention to — is almost as bad as not doing it at all.

Why Awareness Training Matters for MSP-Managed Environments

MSP-managed environments have unique security characteristics that make awareness training critical:

Shared access. MSP technicians access multiple client environments. A single compromised credential can cascade across organisations.

Diverse environments. Different clients have different security postures. The weakest link in any MSP's client base creates risk for all.

Compliance requirements. The Essential 8 framework explicitly requires security awareness training as a control. Australian Privacy Act obligations also require staff training on data handling.

Social engineering targets. MSP employees are high-value targets for attackers because compromising one MSP technician can provide access to dozens of client environments.

Building an Effective Training Programme

The Four Components

An effective cybersecurity awareness programme includes four elements:

1. Foundational Training (Annual) Comprehensive training covering core security concepts. Delivered to all staff, tracked for completion, and documented for compliance purposes.

2. Phishing Simulations (Quarterly) Realistic phishing emails sent to staff to test awareness. Click rates are tracked, and employees who fall for simulations receive immediate, constructive additional training.

3. Micro-Learning (Monthly) Short, focused security tips delivered via email, Slack, or Teams. Topics rotate monthly and reinforce key messages without requiring dedicated training time.

4. Incident Response Drills (Semi-Annual) Tabletop exercises that simulate security incidents. Staff practise recognising and reporting threats in a controlled environment.

Content by Role

Not everyone needs the same training. Tailor content to roles:

All Staff: - Phishing recognition and reporting - Password hygiene and MFA usage - Physical security (tailgating, clean desk) - Social engineering awareness - Incident reporting procedures

Finance and Accounts: - Business Email Compromise (BEC) attacks - Invoice fraud and payment redirection - Vendor impersonation scams - Authorisation procedures for payments

IT and Technical Staff: - Secure configuration practices - Vulnerability management awareness - Privileged access management - Security tool operation - Secure development practices

Management and Executives: - Whaling and CEO fraud - Data breach notification obligations - Cyber insurance requirements - Regulatory compliance responsibilities

Phishing Simulations: The Most Effective Tool

Designing Effective Simulations

Realism is key. Simulations should mimic real threats: - Use templates based on current Australian phishing campaigns - Include branding from services you actually use (Microsoft 365, ATO, banks) - Vary difficulty — easy simulations build confidence; harder ones test vigilance - Time them appropriately — quarterly simulations with variety in timing

Track meaningful metrics: - Click rate — percentage of recipients who clicked the link - Report rate — percentage who reported the phishing email (this is the behaviour you want to encourage) - Time to report — how quickly employees identified and reported the threat - Credential submission rate — percentage who entered credentials on the fake landing page

The Response Framework

When someone falls for a simulation:

1. Immediate feedback. Show them it was a simulation and explain what they missed
2. No punishment. Punishing people for falling for simulations creates a culture of hiding mistakes rather than reporting them
3. Additional training. Provide targeted micro-learning on the specific type of phishing they fell for
4. Track trends. If individuals repeatedly fall for simulations, they may need additional support or a different approach

Benchmarking

Industry benchmarks for phishing simulation performance:

The goal is to drive click rates down and report rates up over time.

Compliance Requirements

Essential 8 Alignment

The ACSC Essential 8 framework includes security awareness training as a key control:

• Maturity Level 1: Basic awareness training for all staff
• Maturity Level 2: Regular training with phishing simulations
• Maturity Level 3: Role-specific training with advanced threat awareness
• Maturity Level 4: Continuous training with real-time threat intelligence integration

Australian Privacy Act

The APPs require organisations to take reasonable steps to protect personal information. Staff training is a fundamental step. In the event of a data breach, the OAIC will ask whether staff received adequate training.

Industry-Specific Requirements

• APRA CPS 234 (financial services): Requires staff awareness of information security
• ISO 27001: Mandates security awareness education
• PCI DSS: Requires security awareness programme for all personnel

Measuring Training Effectiveness

Key Performance Indicators

Track these metrics to demonstrate training ROI:

Leading Indicators (predictive): - Training completion rates - Phishing simulation performance trends - Time to report suspicious emails - Security assessment scores

Lagging Indicators (outcome-based): - Number of security incidents caused by human error - Cost of security incidents attributed to human factors - Time to detect and respond to incidents - Compliance audit results

Reporting to Leadership

Present training effectiveness in business terms: - "Our phishing click rate has decreased from 12% to 3% over 12 months" - "We prevented an estimated $X in potential losses through early reporting" - "Staff compliance with security policies has improved from 65% to 92%" - "Our incident response time has decreased by 40%"

Common Training Programmes Failures

The annual compliance checkbox. One training session per year does not change behaviour. People forget 90% of what they learn within a week without reinforcement.

Punitive approaches. Publicly shaming people who fail simulations destroys trust and reduces reporting. The goal is to create a culture where people feel comfortable reporting mistakes.

Generic content. Training that does not reflect your actual environment, threats, or industry is less effective than tailored content. A healthcare business needs different training than a construction company.

No measurement. If you are not tracking metrics, you cannot demonstrate effectiveness or identify areas for improvement.

Executive exemption. Executives are often the highest-value targets for social attacks. They need training too — and in some cases, more intensive training than general staff.

Related Guides

• MSP Remote Work Security Guide — Security for distributed teams
• MSP Data Breach Response Plan — What happens when training fails
• MSP Compliance Framework Guide — Compliance requirements for training
• Cyber Insurance MSP Requirements — Insurance implications of training
• MSP Employee Onboarding Checklist — Include security training from day one

Your MSP sends you a monthly report. It is six pages of charts and numbers. You glance at it, see that "99.9% uptime" is highlighted, and file it away.

But are you actually measuring what matters? Uptime is important, but it is one metric among dozens. And frankly, it is the one MSPs are most likely to present because it is the one they are almost always meeting.

Effective MSP management requires a balanced set of metrics that cover responsiveness, quality, efficiency, and business value. Here is what to measure and why.

The Four Pillars of MSP Metrics

1. Responsiveness Metrics

How quickly does the MSP respond when you need them?

Key metrics:

Why it matters: Slow response times directly impact your business productivity. Every minute an employee cannot work due to an unresolved issue has a cost.

Watch for: Consistently meeting first response times but missing resolution times — this suggests the MSP acknowledges quickly but does not prioritise fixing.

2. Quality Metrics

How well does the MSP resolve issues?

Key metrics:

Why it matters: Quality metrics reveal whether issues are truly fixed or just temporarily patched. A high reopen rate or recurrence rate indicates systemic problems.

Watch for: High CSAT but high reopen rates — employees may be polite in surveys while issues persist.

3. Reliability Metrics

How stable is the environment the MSP manages?

Key metrics:

Why it matters: Reliability is the foundation of business continuity. Unplanned downtime directly impacts revenue, productivity, and customer satisfaction.

Watch for: Uptime measured differently than agreed — verify the measurement methodology matches your SLA definition.

4. Business Value Metrics

How does the MSP contribute to business outcomes?

Key metrics:

Why it matters: These metrics connect MSP performance to business outcomes. A good MSP reduces issues over time through proactive maintenance, not just reacts to problems.

Watch for: Decreasing ticket volume that correlates with increasing user complaints — issues may be going unreported rather than being resolved.

Building Your MSP Scorecard

Monthly Scorecard

Create a simple one-page scorecard for monthly reviews:

Status indicators: - Green: Meeting target - Amber: Within 10% of target - Red: Missing target by >10%

Quarterly Strategic Review

Expand the monthly review with strategic analysis:

• Trend analysis — are metrics improving, stable, or declining?
• Root cause analysis — why are targets being missed?
• Improvement initiatives — what is the MSP doing to improve?
• Business alignment — is the MSP supporting your business goals?
• Contract review — do SLAs and pricing reflect current needs?

Holding Your MSP Accountable

The Performance Conversation

When metrics are not met, follow this framework:

1. Present the data. Show the specific metrics that are missing targets.
2. Ask for explanation. What is causing the underperformance?
3. Request a remediation plan. Specific actions, owners, and deadlines.
4. Set a review date. Revisit in 30-60 days to assess improvement.
5. Document everything. Written records of performance issues and remediation commitments.

When Metrics Are Consistently Missed

If the MSP consistently fails to meet agreed metrics:

• Formal escalation — written notice of SLA breaches
• Service credits — invoke contractual penalties
• Remediation plan — require a formal improvement plan with milestones
• Contract review — consider whether the relationship is viable
• Exit planning — if performance does not improve, begin evaluating alternatives

What a Good MSP Looks Like

A well-performing MSP will:

• Proactively share metrics without being asked
• Explain variances before you ask
• Present improvement plans when metrics dip
• Celebrate improvements and achievements
• Welcome accountability as a partnership tool

A poor MSP will: - Resist sharing detailed metrics - Explain away every miss with excuses - Present metrics in ways that obscure problems - React defensively to accountability - Resist customised reporting

Related Guides

• MSP Service Level Management — Deep dive on SLAs
• MSP Account Management Best Practices — Building effective relationships
• MSP ROI for Clients — Measuring business value
• MSP Quality Management System — Quality frameworks
• MSP Health Score — Benchmark overall performance

Data loss is not a question of if, but when. Ransomware, hardware failure, human error, natural disasters, and malicious insiders all threaten your business data. Your MSP's backup and disaster recovery (BCDR) capability is arguably the most important service they provide — because when everything else fails, backups are what keep your business alive.

Why Backup Is Your Last Line of Defence

The Australian Cyber Security Centre (ACSC) reported that ransomware remains one of the top cybersecurity threats to Australian businesses. In 2025, the average ransom demand for Australian businesses exceeded $250,000, with total incident costs (including downtime, recovery, and reputational damage) averaging $1.5 million.

The only reliable defence against ransomware is tested, immutable backups. If your MSP cannot demonstrate that your backups are working and recoverable, you are one incident away from catastrophic data loss.

The BCDR Framework

Effective disaster recovery is not just about backing up files. It is a framework that covers four elements:

1. Backup Strategy

Your backup strategy defines what is backed up, how often, and where it is stored.

What to back up: - All servers (full image and file-level) - All critical databases - Microsoft 365 data (Exchange, SharePoint, OneDrive, Teams) - Line-of-business applications - Configuration files (firewalls, switches, routers) - Virtual machines

How often: | Data Type | Backup Frequency | Retention | |-----------|-----------------|-----------| | Critical servers | Every 4 hours (minimum) | 30 days daily + 12 months monthly | | Workstations | Daily | 30 days | | Microsoft 365 | Daily | 90 days | | Databases | Every 1–4 hours | 30 days with point-in-time recovery | | Configurations | Weekly | 12 months |

Where to store: - On-site: Fast recovery but vulnerable to physical disasters - Off-site: Protected from local disasters but slower recovery - Cloud: Scalable and geographically diverse - Immutable storage: Protected from ransomware and deletion

The ideal setup is a 3-2-1 strategy: 3 copies of data, on 2 different media types, with 1 off-site. In 2026, the recommendation is 3-2-1-1: add 1 immutable copy.

2. Recovery Point Objective (RPO)

RPO defines how much data you can afford to lose. It determines your backup frequency.

• RPO of 1 hour: Backups every hour. You lose at most 1 hour of data.
• RPO of 4 hours: Backups every 4 hours. You lose at most 4 hours of data.
• RPO of 24 hours: Daily backups. You lose at most 1 day of data.

Most Australian SMBs target an RPO of 4–24 hours for general systems and 1–4 hours for critical databases. The RPO you choose should be based on the business impact of data loss, not technical convenience.

3. Recovery Time Objective (RTO)

RTO defines how quickly you need to restore operations after a disaster. It determines your recovery infrastructure and processes.

Your RTO should account for: - Revenue impact of downtime - Staff costs during downtime (people still get paid) - Customer and reputational damage - Regulatory reporting requirements (some breaches require notification within 72 hours)

4. Disaster Recovery Plan

Your DR plan is the documented process for recovering your IT environment. It should include:

• Contact list: Who to call (MSP, vendors, key staff)
• Incident classification: What constitutes a disaster vs a major incident
• Recovery procedures: Step-by-step instructions for each system
• Communication plan: How to notify staff, customers, and stakeholders
• Testing schedule: When and how the DR plan is tested
• Provider responsibilities: What the MSP is responsible for vs your internal team

Common BCDR Solutions Used by Australian MSPs

The best solution depends on your environment, budget, and recovery requirements. Your MSP should be able to explain why they chose their BCDR platform and how it meets your needs.

The Microsoft 365 Backup Gap

Many Australian businesses assume Microsoft backs up their M365 data. They are wrong.

Microsoft's responsibility is the platform — keeping Exchange Online, SharePoint, and OneDrive running. Your responsibility is your data within those services.

Microsoft provides: - Geo-redundant storage (data is replicated across data centres) - Point-in-time recovery (up to 14 days for SharePoint, 30 days for OneDrive)

Microsoft does NOT provide: - Long-term backup retention - Granular point-in-time recovery beyond their default windows - Protection against accidental or malicious deletion beyond soft-delete - Compliance-grade backup for regulatory requirements

If your MSP manages your M365 environment, they should be implementing a third-party M365 backup solution. If they are not, you have a significant gap.

Ransomware Resilience

Modern ransomware specifically targets backups. Attackers know that if they can encrypt or delete your backups, you have no choice but to pay the ransom.

How to Protect Against Backup-Targeting Ransomware

1. Immutable storage: Backups that cannot be modified or deleted for a defined period, even by administrators.
2. Air-gapped backups: Physical separation from the network. Ransomware cannot encrypt what it cannot reach.
3. Separate credentials: Backup systems should use different admin accounts than your primary environment.
4. Monitoring: Alert on any changes to backup schedules, configurations, or data.
5. Regular restoration testing: If you have never tested restoring from backups, you do not have backups — you have hope.

Evaluating Your MSP's BCDR Capability

Ask your MSP these questions:

1. "What BCDR solution do you use, and why did you choose it?"
2. "When was the last time you tested a full restoration of our environment?"
3. "Are our backups stored in immutable storage?"
4. "What is our RPO and RTO, and how are they achieved?"
5. "Do we have a documented disaster recovery plan?"
6. "How do you protect our backups from ransomware?"
7. "Can you show me a backup success report for the past 30 days?"
8. "What happens to our backups if we change MSPs?"

If your MSP cannot answer these questions confidently, your backup posture needs immediate attention.

Related Guides

• Essential 8 Maturity Level 1 — Backup requirements under Essential 8
• MSP Cybersecurity Incident Response — What happens during a breach
• MSP Health Score — Benchmark your MSP's capability
• RMM Software Comparison — How RMM integrates with BCDR
• MSP Technical Documentation — What your MSP should document

DXC Technology is what happens when two struggling IT services companies merge and spend the next decade cutting costs. Formed from the merger of CSC and HP Enterprise Services in 2017, DXC has been in continuous restructuring since day one.

In Australia, DXC runs some of the most critical government IT infrastructure — including services for the Australian Tax Office, Department of Defence, and multiple state governments. The irony: a company that can't retain its own staff is trusted to run the nation's digital backbone.

The Numbers

Average salary (Australia): A$90,000-100,000 Revenue per employee: A$404K (suggests heavy offshoring)

Employee Experience: The Restructuring Treadmill

The Pattern

DXC's employee experience follows a predictable cycle:

1. Acquisition/merger → promises of synergy and growth
2. Integration → new management, new processes, new reporting lines
3. Restructuring → "redundancies" (layoffs) to achieve "efficiency"
4. Stabilisation → remaining staff absorb extra work
5. Repeat → another restructure, another round of cuts

This cycle has repeated since 2017. Every 18-24 months, DXC announces a "transformation" that results in layoffs. The remaining staff are expected to deliver more with less.

What Reviews Say

Constant uncertainty. "You never know if your job will exist next month." The restructuring treadmill creates a culture of anxiety where people focus on survival rather than innovation.

Below-market pay. DXC's average salary of A$90,000-100,000 is 20-25% below the Australian IT market median. The company justifies this with "stability" — but the constant restructuring undermines that claim.

Outsourcing pressure. DXC's business model is built on replacing Australian staff with cheaper offshore resources. Government clients are told they'll get "local delivery" but increasingly receive offshore teams.

Dead-end roles. "If you're not in management, there's nowhere to go." Technical career paths are limited, and promotion often requires moving into people management.

The Government Problem

DXC's government contracts create a unique dynamic. The company is locked into long-term agreements (5-10 years) with strict delivery requirements. But the margins on these contracts are thin, which means:

• Staff are underpaid to maintain profitability
• Offshoring is used to reduce costs
• Innovation is limited by fixed-scope contracts
• The best staff leave for better-paying roles

The government gets what it pays for: reliable but uninspired IT services.

How DXC Compares

What This Means for You

If you're considering DXC: - Ask about the specific team and contract — some are stable, others are on the chopping block - Negotiate salary hard — the initial offer is below market - The government practice offers project exposure but limited career growth - Expect restructuring every 18-24 months — plan accordingly

If you're already at DXC: - Your market value is almost certainly higher than your salary - Build relationships outside your team — internal transfers are possible - Document everything — restructuring decisions are often arbitrary - Have an exit strategy ready

Related Resources

• NTT Deep Dive — Compare DXC with another global IT services firm
• Telstra Purple Deep Dive — How Telstra's IT arm stacks up
• Wage Theft in MSPs — Know your salary rights
• Salary Benchmark Guide — See how DXC salaries compare to market
• Restructuring Playbook — Understand the perpetual restructuring cycle
• PE Strip for Parts — How private equity extracts value from MSPs

Based on Glassdoor (800+ Australian reviews), PayScale, IBISWorld, and public reporting.

Stock options are becoming a more common part of compensation packages in the Australian MSP industry, particularly as private equity firms acquire MSPs and use equity to retain key staff. But options are not free money — they come with complexity, risk, and tax implications that many MSP employees do not fully understand.

Here is what you need to know before accepting stock options as part of your MSP compensation.

What Are Employee Stock Options?

An employee stock option gives you the right — but not the obligation — to purchase shares in the company at a predetermined price (the "exercise price" or "strike price"). If the company's value increases above that price, you can exercise your options and buy shares at a discount, pocketing the difference.

The catch: options have no value if the company's value never exceeds the exercise price, or if you leave before they vest, or if the company never has a liquidity event.

How ESOPs Work in Australian MSPs

An Employee Stock Option Plan (ESOP) is the formal framework through which a company grants options to employees. In the MSP context, ESOPs are used for several reasons:

• Retention — options vest over time, giving employees a financial reason to stay
• Attracting talent — in a competitive MSP labour market, equity is a differentiator
• Alignment — employees who hold equity are theoretically more invested in company success
• Private equity play — PE firms often structure ESOPs to hit performance targets before exit

Common MSP ESOP Structures

Vesting Schedules Explained

Vesting determines when your options actually become exercisable. The standard Australian pattern is:

Four-year vest with one-year cliff: - Year 1 (cliff): 25% of options vest after 12 months - Years 2-4: Remaining options vest monthly or quarterly - Total: 100% vested after 4 years

Vesting Variations in MSPs

Some MSPs deviate from the standard:

• Immediate vesting — rare, usually only for C-suite hires
• Two-year cliff — less common, ties you in longer
• Performance-based vesting — tied to revenue targets, client growth, or EBITDA milestones (common in PE-backed MSPs)
• Accelerated vesting — triggers on acquisition, redundancy, or change of control

Watch out for: accelerated vesting clauses that only trigger on "good leaver" scenarios. If you are classified as a "bad leaver," you may lose unvested options entirely.

Tax Implications in Australia

The Australian Taxation Office (ATO) treats employee stock options in a specific way:

Tax Point: Exercise, Not Grant

Unlike some jurisdictions, Australia generally taxes options at the point of exercise — when you convert them to shares. At that moment, the difference between the exercise price and the market value of the shares is treated as ordinary income and taxed at your marginal tax rate.

Capital Gains Tax

After exercising, any subsequent gain (or loss) on the shares is subject to capital gains tax. If you hold the shares for more than 12 months, you may qualify for the 50% CGT discount.

Example

You are granted 10,000 options with a $2.00 exercise price. Three years later, the shares are worth $5.00 each. You exercise all options:

• Income tax: ($5.00 - $2.00) × 10,000 = $30,000 taxable income
• If shares are worth $8.00 when you sell after 12 months: ($8.00 - $5.00) × 10,000 × 50% = $15,000 taxable capital gain

Tax on Forfeited or Expired Options

If options expire worthless or are forfeited when you leave, you generally cannot claim a tax deduction. This is one of the key risks of employee stock options.

Red Flags in MSP Stock Option Agreements

Not all ESOPs are created equal. Watch for these warning signs:

1. No Liquidity Mechanism

If the MSP is privately held and there is no clear path to a liquidity event (sale, IPO, or buyback), your options may never be convertible to cash. Ask: "What is the expected exit timeline?"

2. Aggressive Good Leaver / Bad Leaver Definitions

Some MSPs define "bad leaver" broadly enough that most departures — including redundancies — trigger forfeiture of unvested options. Read the leaver provisions carefully.

3. Anti-Dilution Clauses

New funding rounds or share issuances can dilute your option pool. Check whether your options are protected against dilution.

4. Exercise Windows

Some plans give you only 30-90 days to exercise options after leaving. If you cannot afford the exercise price, you lose them. Negotiate for extended exercise windows.

5. No Vesting Acceleration on Change of Control

If the MSP is acquired, do your options vest immediately? Without acceleration, a new owner could restructure and leave you with worthless options.

How to Evaluate MSP Stock Options

Before accepting options, ask these questions:

1. What is the current share price and exercise price? If the exercise price equals or exceeds current value, the options are "underwater" and worthless today.
2. How many total shares/options exist? Your percentage ownership matters more than the raw number.
3. What is the expected exit timeline? PE-backed MSPs typically exit in 3-5 years.
4. What happens to my options if I leave? Get this in writing.
5. Are there any tax rulings or private binding agreements? Some companies seek ATO private rulings on their ESOP structure.

Should You Value Stock Options in Your Salary Negotiation?

When comparing MSP job offers, options can significantly change the total compensation picture — but only if they are likely to pay out. A practical approach:

• Assign zero value to unvested options in your base comparison
• Assign partial value (10-30% of theoretical maximum) to options in a PE-backed MSP with a clear exit plan
• Negotiate your base salary first, then treat options as upside

Our MSP Salary Negotiation guide covers how to structure total compensation discussions including equity components.

Alternatives to Traditional Stock Options

Some Australian MSPs offer alternative equity mechanisms:

• Employee Share Schemes (ESS) — taxed under Division 83A of the ITAA 1997, potentially with tax deferrals
• Profit sharing — cash bonuses tied to company performance, simpler and more predictable
• Phantom equity — mimics share ownership without actual shares, pays out in cash
• Share purchase plans — you buy shares at a discount, reducing risk

Our MSP Employee Equity Programs guide covers these alternatives in more detail.

The Bottom Line

Stock options in an Australian MSP can be valuable, but they are not guaranteed money. The MSP industry's rapid consolidation means many employees hold options in companies that are frequently acquired, restructured, or wound down.

Treat options as potential upside, not guaranteed income. Negotiate your base salary to a level you are comfortable with, and treat any eventual option payoff as a bonus.

Before signing anything, have the ESOP documentation reviewed by a tax adviser who understands employee share schemes. The cost of professional advice is negligible compared to the potential tax bill if you get it wrong.

Use our MSP Contract Grader to check whether your MSP employment contract includes fair stock option terms, or our Salary Calculator to benchmark your total compensation including equity.

The first 30 days with a new client define the relationship. Get onboarding right, and you build trust, reduce churn, and set the stage for years of productive partnership. Get it wrong, and you're fighting fires from day one.

Most MSPs treat onboarding as a technical exercise — audit the environment, migrate the data, set up monitoring. But onboarding is primarily a relationship exercise. The technical work matters, but how you communicate, set expectations, and demonstrate competence matters more.

If you're reviewing an MSP's onboarding process, our MSP client onboarding process provides an independent evaluation framework.

Why Onboarding Matters

The data is clear: client churn is most likely in the first 90 days. If a client is going to leave, it usually happens early. The reasons:

• Misaligned expectations. What the sales team promised vs. what the service team delivers.
• Communication gaps. The client doesn't know who to contact, how, or when.
• Undocumented environments. The previous MSP's documentation is incomplete or wrong.
• Trust hasn't been built. The client is nervous about the change and looking for reasons to regret it.

Good onboarding addresses all four. It's not just about getting the technical environment right — it's about making the client feel confident they made the right choice.

The Onboarding Framework

Phase 1: Pre-Onboarding (Week Before Start)

Internal preparation:

• [ ] Assign an onboarding lead (one person owns the process)
• [ ] Review the sales handover (what was promised, client expectations)
• [ ] Prepare the onboarding checklist (customise per client)
• [ ] Set up internal project tracking (PSA or project tool)
• [ ] Brief the team on the new client (industry, size, key concerns)

Client preparation:

• [ ] Send a welcome pack (introduction, key contacts, what to expect)
• [ ] Schedule the kick-off meeting
• [ ] Request initial documentation (network diagrams, credentials, existing contracts)
• [ ] Identify client-side stakeholders (IT contact, decision makers, end users)
• [ ] Confirm communication channels (email, portal, phone)

Phase 2: Discovery & Audit (Week 1)

The discovery phase is about understanding what you're inheriting. Never assume the previous MSP's documentation is accurate.

Technical discovery:

• [ ] Full network audit (switches, firewalls, wireless, cabling)
• [ ] Server inventory (physical and virtual, including cloud)
• [ ] M365/Azure tenant audit (licensing, security, configuration)
• [ ] Backup verification (is it working? when was it last tested?)
• [ ] RMM deployment and monitoring verification
• [ ] Security assessment (firewall rules, antivirus, MFA status)
• [ ] Documentation review (what exists, what's missing, what's wrong)

Business discovery:

• [ ] Understand the client's business (what they do, who their customers are)
• [ ] Identify critical systems (what can't go down?)
• [ ] Understand compliance requirements (Essential 8, Privacy Act, industry-specific)
• [ ] Map stakeholders (who makes decisions, who's the day-to-day contact)
• [ ] Understand pain points (why did they leave their previous MSP?)

Document everything. Create an environment baseline that's accurate, comprehensive, and accessible. This documentation is your foundation.

Phase 3: Expectation Setting (Week 1-2)

This is the most critical phase. Get this wrong and nothing else matters.

The kick-off meeting agenda:

1. Introductions. Who's who, roles, how to reach them.
2. Scope review. Walk through the agreement line by line. What's included, what isn't.
3. SLA review. Response times, resolution targets, escalation paths.
4. Communication plan. How often you'll meet, what reports they'll receive, who to call for what.
5. Transition timeline. What's happening when, who's responsible, what they need to do.
6. Known issues. Be honest about what you found during discovery and your plan to address it.
7. Questions. Let them ask everything. Answer honestly.

The golden rule of expectation setting: Underpromise and overdeliver. If you think it'll take two weeks, say three. If you think it'll cost $5,000, quote $6,000. The client will be delighted when you come in under. They'll be furious when you go over.

Phase 4: Implementation (Weeks 2-4)

Technical implementation:

• [ ] Deploy RMM agent to all workstations
• [ ] Set up monitoring and alerting
• [ ] Verify backup schedules and test restores
• [ ] Implement security baseline (MFA, patching, AV)
• [ ] Configure email filtering and security
• [ ] Set up documentation and knowledge base
• [ ] Create standard operating procedures for the client

Process implementation:

• [ ] Train client on support portal (how to log tickets)
• [ ] Establish regular meeting cadence (weekly, monthly, quarterly)
• [ ] Set up reporting (ticket summaries, SLA performance, security metrics)
• [ ] Define escalation paths (who to call for what severity)
• [ ] Create a client-specific runbook

Phase 5: Handover & Stabilisation (Week 4+)

Transition to BAU:

• [ ] Handover from onboarding team to service team
• [ ] Introduce the client to their regular technicians
• [ ] Confirm all monitoring is active and alerting correctly
• [ ] Review outstanding issues and action plan
• [ ] Schedule 30-day review meeting
• [ ] Update client health score

The 30-day review:

• How has the transition gone?
• Any outstanding issues?
• Feedback on communication and response times?
• Adjustments needed to scope or processes?
• Confirm next steps and ongoing meeting cadence

Common Onboarding Mistakes

Skipping Discovery

"We'll figure it out as we go" is the fastest path to problems. Thorough discovery prevents surprises that damage trust.

Over-Promising During Sales

If the sales team promised something the service team can't deliver, the client will feel deceived. Align sales and service before signing.

Poor Documentation

"Where's the password for the firewall?" shouldn't require a scavenger hunt. Complete, accurate, accessible documentation is non-negotiable.

No Single Owner

If no one owns the onboarding process, it falls through the cracks. Assign one person who's accountable for the client's transition experience.

Rushing

Pressure to "get them live" fast leads to mistakes, missed items, and poor first impressions. Quality onboarding takes time. Protect that time.

Not Asking for Feedback

Don't assume the client is happy. Ask. Regularly. Silence doesn't mean satisfaction — it often means the client has already decided to leave.

Measuring Onboarding Success

Track these metrics:

• Time to full deployment. How quickly did you get the client fully onboarded?
• First-ticket satisfaction. How did the client experience their first support interaction?
• 30-day satisfaction score. Survey the client at 30 days.
• Outstanding issues at 30 days. How many unresolved items remain?
• Client health score trend. Is the client's health improving or declining?

See our MSP health score for a structured evaluation framework.

Related Resources

• MSP Client Onboarding Process — Independent evaluation framework
• MSP Contract Checklist — Define scope properly
• MSP Client Management Tips — Ongoing relationship management
• MSP Client Retention Strategy — Keep clients long-term
• MSP SLA Guide — Set realistic expectations

The Essential Eight isn't optional anymore. The Australian government now requires all non-corporate Commonwealth entities to implement it. If you serve government clients, you need to comply. If you serve private clients, you need to understand it — because they're increasingly asking about it.

This guide covers what the Essential Eight is, how to implement it across your MSP, and how to help your clients reach compliance.

What Is the Essential Eight?

The Essential Eight is a set of eight mitigation strategies published by the Australian Signals Directorate (ASD). Each strategy is designed to prevent a specific class of cyber attack. Together, they form the baseline for cyber security in Australian government agencies.

The Eight Strategies

Maturity Levels

The framework has four maturity levels:

• Maturity Level Zero: Not meeting the intent of the mitigation strategy
• Maturity Level One: Partly aligned with the intent
• Maturity Level Two: Mostly aligned with the intent
• Maturity Level Three: Fully aligned with the intent

Most organisations start at Level Zero and work toward Level One. Level Two takes 6-12 months. Level Three is a multi-year journey.

Implementation Guide for MSPs

Phase 1: Assessment (Weeks 1-2)

1. Inventory your environment. Before you can implement anything, you need to know what you have: - List all endpoints (workstations, servers, mobile devices) - Catalog all applications (including versions) - Map your network topology - Document your current security controls

2. Identify gaps. For each of the eight strategies, assess your current state: - Are you running application control? - Are all applications patched within 48 hours (critical) or 2 weeks (other)? - Are macros configured to block untrusted macros? - Are browsers configured to block Flash, Java, and web ads? - Are admin privileges restricted to the minimum necessary? - Are operating systems patched within 48 hours (critical) or 2 weeks (other)? - Is MFA enabled on all external-facing services? - Are backups performed daily and tested monthly?

3. Prioritise. Start with the strategies that have the highest impact for the lowest effort: - User Application Hardening (quick win) - Macro Settings (quick win) - Regular Backups (quick win) - Multi-Factor Authentication (medium effort, high impact)

Phase 2: Quick Wins (Weeks 3-6)

Application Hardening. Configure browsers to block: - Flash content - Java from the internet - Web advertisements - PowerShell in Office applications - Windows Script Host

Macro Settings. For most organisations: - Block macros from the internet - Block VBA macros in Office files from unknown sources - Allow only digitally signed macros from trusted publishers

Backups. - Perform daily backups of critical data - Store backups offline or in a separate environment - Test restoration monthly - Maintain at least 3 months of backup history

Multi-Factor Authentication. Enable MFA on: - All VPN and remote access solutions - Email (Exchange, Office 365, Gmail) - Cloud management consoles (Azure, AWS, Google Cloud) - RMM and PSA tools - Privileged accounts (domain admin, service accounts)

Phase 3: Medium-Term (Weeks 7-16)

Application Control. This is the most complex strategy. You need to: - Create a whitelist of approved applications - Block all other applications from executing - Test thoroughly before deploying - Maintain the whitelist as applications change

Tools like Microsoft Defender Application Control (WDAC) or AppLocker can help.

Patch Applications. Establish a patching cadence: - Critical vulnerabilities: patch within 48 hours - High vulnerabilities: patch within 2 weeks - Medium/Low: patch within 1 month

Use your RMM tool to automate patching and reporting. For a detailed comparison of RMM platforms and their patch management capabilities, see our RMM Tool Comparison 2026.

Restrict Administrative Privileges. - Implement least privilege access - Separate admin accounts from daily-use accounts - Use Privileged Access Workstations (PAWs) for admin tasks - Log and audit all admin actions

Phase 4: Long-Term (Months 4-12)

Patch Operating Systems. - Same cadence as application patching - Test patches before deploying to production - Maintain a rollback plan for failed patches

Continuous Monitoring. - Monitor for compliance drift - Review logs for policy violations - Conduct regular penetration testing - Update policies as the threat landscape changes

Common Pitfalls

1. Trying to do everything at once. Start with quick wins and build momentum. The Essential Eight is a journey, not a project.

2. Ignoring the exceptions. Some applications can't be patched or controlled. Document exceptions formally and review them quarterly.

3. Treating it as a one-time project. The Essential Eight requires ongoing maintenance. Build it into your operational processes.

4. Not testing. A backup that's never tested isn't a backup. Test restoration quarterly at minimum.

5. Forgetting the people. Technical controls fail when users find workarounds. Train your staff and clients on why these controls matter.

How to Sell This to Clients

The Essential Eight isn't just a compliance checkbox — it's a sales opportunity:

For government clients: - Essential Eight compliance is mandatory - You can offer compliance consulting + ongoing managed compliance - The framework provides a clear scope for engagements

For private clients: - "Are you Essential Eight compliant?" is a question that creates urgency - Insurance companies are increasingly requiring Essential Eight compliance (though watch for MSP client lock-in traps baked into compliance packages) - The framework provides a roadmap for security improvement

Pricing: - Initial assessment: A$5,000-15,000 (depending on size) - Implementation: A$15,000-50,000 - Ongoing compliance: A$2,000-5,000/month (managed service) — but ensure your team structure can sustain it, as restructuring cycles can derail compliance continuity

Related Resources

• RMM Tool Comparison 2026
• MSP Client Lock-In: How They Make It Impossible to Leave
• The Restructuring Playbook
• The PE Playbook: How Private Equity Strips MSPs for Parts
• The MSP Profit Machine

This guide is based on the Australian Signals Directorate's Essential Eight Maturity Model (updated July 2023) and practical implementation experience across Australian MSP environments.

Your service desk is where your clients experience your MSP. Every interaction — every ticket, every phone call, every email — shapes their perception of your business. A well-run service desk delivers consistent, efficient support. A poorly run one drives churn.

Structuring Your Service Desk

The Tiered Model

The standard MSP service desk uses a tiered support model:

Level 0 — Self-Service - Knowledge base articles - FAQ and troubleshooting guides - Automated password resets - Client portal for ticket submission and status checks

Level 1 — Front-Line Support - Initial ticket triage and categorisation - Common issue resolution (password resets, software issues, access requests) - Remote troubleshooting - Ticket documentation and escalation when needed

Level 2 — Advanced Support - Complex technical issues - Server and infrastructure troubleshooting - Network issues - Application-specific problems

Level 3 — Specialist / Escalation - Vendor escalation management - Security incidents - Infrastructure design and architecture - Project-related technical support

When to Add Tiers

As your MSP grows, consider adding:

• Dedicated queue managers. Someone responsible for monitoring ticket flow and ensuring nothing falls through the cracks.
• Technical specialists. Dedicated resources for specific platforms (Microsoft 365, security, networking).
• After-hours team. Dedicated overnight or weekend support.

Service Desk Processes

Incident Management

The primary function — restoring service as quickly as possible:

• Acknowledge quickly. Every ticket gets an acknowledgement within the defined SLA.
• Triage accurately. Correctly categorise and prioritise based on impact and urgency.
• Resolve efficiently. Use knowledge base, runbooks, and team collaboration to resolve.
• Communicate clearly. Keep clients informed throughout the resolution process.
• Document thoroughly. Record the issue, actions taken, and resolution for future reference.

Service Request Management

Handling routine requests efficiently:

• Standardise common requests. Create templates for new user setup, software installation, access changes, and hardware requests.
• Automate where possible. Automated provisioning, self-service portals, and workflow automation reduce manual effort.
• Track and report. Service request metrics reveal workload patterns and automation opportunities.

Problem Management

Address root causes to prevent recurring incidents:

• Identify patterns. Analyse ticket data to find recurring issues.
• Root cause analysis. Investigate why issues recur and address the underlying cause.
• Known error database. Document known issues and their workarounds for faster resolution.
• Proactive fixes. Implement permanent fixes for recurring problems.

Change Management

Control changes to client environments:

• Change requests. Document and approve all non-routine changes.
• Impact assessment. Evaluate the risk of changes before implementation.
• Rollback plans. Have a plan to reverse changes if they cause issues.
• Post-implementation review. Verify changes achieved their intended outcome.

Optimising Service Desk Performance

1. Set Clear SLAs

Define response and resolution targets for each priority level:

• P1 (Critical). 15-minute response, 1-hour resolution target
• P2 (High). 1-hour response, 4-hour resolution target
• P3 (Medium). 4-hour response, 1-business-day resolution target
• P4 (Low). 1-business-day response, 3-business-day resolution target

Track SLA compliance and address breaches immediately.

2. Invest in Training

Technician capability directly impacts service quality:

• Onboarding training. Ensure new technicians understand your tools, processes, and client environments.
• Ongoing development. Regular training on new technologies and updated procedures.
• Soft skills. Communication, empathy, and client management skills matter as much as technical ability.
• Cross-training. Ensure coverage across team members and reduce key-person dependencies.

Our MSP Employee Training Programs guide covers building training programmes.

3. Leverage Knowledge Management

A well-maintained knowledge base accelerates resolution:

• Create articles from resolved tickets. Every non-trivial resolution is a knowledge base candidate.
• Tag and categorise. Make articles easy to find through search and categorisation.
• Review and update. Keep articles current and remove outdated content.
• Measure usage. Track which articles are used and which are not.

4. Automate Repetitive Work

Automate to reduce ticket volume and resolution time:

• Automated password resets. Self-service or automated workflows.
• Automated provisioning. Template-based account creation.
• Automated monitoring alerts. Catch issues before users report them.
• Chatbots. Handle simple queries and ticket creation.

5. Monitor and Improve

Continuous improvement requires measurement:

• Weekly metrics review. Review key metrics with the team.
• Monthly trend analysis. Identify patterns and address systemic issues.
• Quarterly process review. Evaluate and improve processes based on data.
• Client feedback. Collect and act on client satisfaction feedback.

Common Service Desk Mistakes

• No triage. Tickets sit in a general queue without prioritisation.
• Poor documentation. Tickets without adequate notes make escalation and handover difficult.
• No follow-up. Resolved tickets without client confirmation leave issues incomplete.
• Ignoring metrics. Data without action is just noise.
• Understaffing. Chronic understaffing creates a vicious cycle of burnout and turnover.

Related Guides

• MSP Ticketing System Guide — Platform selection and configuration
• MSP Employee Training Programs — Training programmes
• MSP Client Communication Tips — Communication during support
• MSP Capacity Planning Guide — Workload management
• MSP Quality Assurance Processes — Quality metrics

Your MSP manages your clients' IT environments. But who manages yours? Every vendor, tool, and subcontractor in your stack is a potential point of failure — and the trend toward supply chain attacks means third-party risk is no longer theoretical.

The Third-Party Risk Landscape for MSPs

MSPs typically depend on a significant number of third parties:

• RMM/PSA platforms — ConnectWise, Datto, NinjaRMM, N-sight
• Backup vendors — Veeam, Acronis, Datto, StorageCraft
• Security tools — SentinelOne, CrowdStrike, Huntress, Sophos
• Cloud platforms — Microsoft 365, Azure, AWS, Google Workspace
• Communication tools — Teams, Slack, Zoom
• Hardware vendors — Dell, HP, Lenovo
• Subcontractors — NOC services, helpdesk outsourcing, project resources

Each of these represents a risk. The 2021 Kaseya VSA attack compromised approximately 1,500 businesses through a single vendor vulnerability. The 2024 ConnectWise ScreenConnect vulnerabilities demonstrated that even major platforms are not immune.

Building a Third-Party Risk Management Program

Step 1: Inventory Your Vendors

Create a comprehensive register of all third parties that access your systems, handle your data, or provide critical services. For each vendor, record:

• What service they provide
• What data they access or process
• What systems they connect to
• What level of access they have
• What the impact would be if they failed

Step 2: Assess Risk

Not all vendors carry equal risk. Assess each based on:

• Access level. A vendor with administrative access to your RMM platform carries far more risk than one providing office supplies.
• Data sensitivity. Vendors handling personal information or financial data carry higher risk.
• Criticality. What happens if this vendor's service fails? Can you operate without it?
• Security maturity. Does the vendor demonstrate strong security practices?

Step 3: Require Security Evidence

For high-risk vendors, request and review:

• SOC 2 Type II report — Independent audit of security controls
• ISO 27001 certificate — Formal information security management
• Penetration test results — Evidence of vulnerability testing
• Insurance certificates — Cyber liability and professional indemnity coverage
• Incident history — Any breaches or significant outages in the past 3 years

Step 4: Include Risk Requirements in Contracts

Your vendor contracts should include:

• Security requirements and standards
• Notification obligations for incidents or vulnerabilities
• Data handling and sovereignty requirements
• Right to audit provisions
• Termination and data return provisions
• Service level agreements with remedies for non-performance

Our MSP Contract Checklist provides a comprehensive framework for vendor agreements.

Step 5: Monitor Ongoing Risk

Third-party risk is not a one-time assessment:

• Annual reviews. Reassess vendor risk annually and after any significant incident.
• Continuous monitoring. Use threat intelligence feeds to track vendor vulnerabilities.
• Incident response integration. Ensure your incident response plan accounts for vendor-related incidents.
• Exit planning. For every critical vendor, have a documented exit strategy in case the relationship ends.

Common Third-Party Risk Scenarios

Vendor Data Breach

A vendor you use is breached, exposing your data or your clients' data. Your obligations under the Privacy Act and NDB scheme may require notification even though the breach occurred at the vendor level.

Vendor Service Failure

A critical vendor experiences an extended outage that affects your ability to deliver service. Your clients hold you responsible, not your vendor.

Vendor Vulnerability

A security vulnerability is discovered in a tool you use. You must patch or mitigate quickly while the vendor works on a fix.

Subcontractor Incident

A subcontractor you use for NOC or helpdesk services causes an incident through negligence. Your contracts and oversight processes determine your liability.

Related Guides

• MSP Vendor Management Guide — Operational vendor management
• MSP Risk Management Framework — Comprehensive risk assessment
• MSP Contract Checklist — Contract risk provisions
• Cyber Insurance MSP Requirements — Insurance requirements for vendors
• Essential 8 Implementation Checklist — Security controls including third-party management

You cannot improve what you do not measure. For MSPs, client satisfaction is the ultimate metric — but it is notoriously difficult to measure well. Here is how to design a measurement framework that actually drives improvement.

Why Measurement Matters

Most MSPs believe they know how satisfied their clients are. Most are wrong. Without structured measurement, you are relying on anecdotes — the angry client who complains loudly, or the quiet client who leaves without warning.

Structured measurement reveals:

• Silent dissatisfaction — clients who are unhappy but not vocal
• Emerging trends — declining satisfaction before it becomes churn
• Team performance — which engineers and teams are delivering value
• Service gaps — where your service falls short of expectations
• Competitive position — how you compare to alternatives

The MSP Satisfaction Scorecard

Quantitative Metrics

These are measurable, objective indicators:

Qualitative Metrics

These capture subjective experience:

Designing Effective Surveys

Transaction-Level Surveys

Sent after each support interaction:

CSAT Question: "How satisfied were you with the support you received today?"

Scale: Very dissatisfied (1) to Very satisfied (5)

CES Question: "How easy was it to get the help you needed?"

Scale: Very difficult (1) to Very easy (7)

Keep it short. Two questions maximum. Response rates drop dramatically with longer surveys.

Relationship Surveys

Sent quarterly or semi-annually to gauge overall relationship health:

Key Questions:

1. How would you rate the overall value our services provide? (1-10)
2. How likely are you to recommend us to a colleague? (0-10 NPS)
3. What is the most important thing we could improve?
4. What do we do better than anyone else?
5. Is there anything we should stop doing?

Response target: 30%+ of clients. Below that, the data is not statistically meaningful.

The NPS Question

"How likely are you to recommend [MSP name] to a colleague or business contact?"

Scale: 0 (not at all likely) to 10 (extremely likely)

• Promoters (9-10): Loyal enthusiasts who drive growth
• Passives (7-8): Satisfied but vulnerable to competitors
• Detractors (0-6): Unhappy clients who can damage your brand

NPS = % Promoters - % Detractors

Interpreting NPS in Context

NPS is useful for tracking trends, not absolute values. A single NPS score means little — the trend over time is what matters.

From Data to Action

Close the Loop

The most important step in client satisfaction measurement is closing the loop — responding to feedback and acting on it.

For Detractors: - Respond within 24 hours - Acknowledge the issue - Explain what you will do - Follow up after resolution

For Promoters: - Thank them - Ask for a testimonial or referral - Understand what you did right

For Everyone: - Share aggregated feedback with your team - Identify patterns and address systemic issues - Communicate changes you have made based on feedback

The Feedback-to-Action Framework

1. Collect — gather data through surveys, tickets, and conversations
2. Analyse — identify trends, patterns, and outliers
3. Prioritise — focus on issues with the highest impact
4. Act — implement specific improvements
5. Communicate — tell clients what changed because of their feedback
6. Measure — verify that the change improved satisfaction

Common Measurement Mistakes

Surveying Too Infrequently

Annual surveys are too infrequent. By the time you collect and act on data, client sentiment has shifted. Quarterly relationship surveys and continuous transaction surveys provide better insight.

Not Acting on Data

Collecting satisfaction data without acting on it is worse than not collecting it. Clients who provide feedback and see no change become more dissatisfied, not less.

Measuring Only Happy Clients

If you only survey clients who respond, you are likely measuring only the most engaged (positive or negative) clients. Push for broad participation to get a representative sample.

Confusing Activity with Outcomes

Ticket volume, response times, and SLA compliance are activity metrics. They measure what you do, not how clients feel about it. Balance activity metrics with satisfaction metrics.

Ignoring Silent Churn

The clients who leave without warning are often the ones who were never asked for feedback. Proactive measurement catches dissatisfaction before it becomes churn.

Building a Client Satisfaction Program

Phase 1: Foundation (Month 1-2)

• Implement transaction-level CSAT surveys after every ticket
• Establish baseline metrics (current SLA performance, ticket volumes)
• Create a simple client satisfaction dashboard

Phase 2: Relationship Measurement (Month 3-4)

• Launch quarterly NPS surveys to all clients
• Establish feedback collection processes
• Train team on interpreting and responding to feedback

Phase 3: Action and Improvement (Month 5-6)

• Analyse first full quarter of NPS data
• Identify top improvement priorities
• Implement changes and communicate to clients

Phase 4: Optimisation (Ongoing)

• Refine survey questions based on response rates
• Tie satisfaction metrics to team performance reviews
• Benchmark against industry standards

The Bottom Line

Client satisfaction measurement is not a nice-to-have — it is an operational necessity. MSPs that measure satisfaction systematically, act on the data, and communicate changes to clients retain more revenue and win more referrals than those that rely on gut feel.

Start simple. Two transaction questions and one quarterly survey will give you more insight than you currently have. Then build from there.

Use our MSP Health Score to benchmark your client satisfaction against industry standards, or our MSP Client Retention Strategy guide for retention-focused improvements.