
What the 2026 HIPAA Changes Actually Mean for Your Practice


HIPAA is changing in 2026, but the picture is far more complicated than the urgent headlines suggest. Some changes are real, finalized, and have deadlines that have already passed. Other changes were widely covered last year, then quietly vacated by a federal court ruling that most articles still have not updated to reflect. The big Security Rule overhaul that everyone is talking about is still proposed and may never be finalized in its current form. Knowing the difference matters, because preparing for the wrong rule wastes money, and ignoring the right ones creates real liability. For healthcare practices in Central Illinois, the right response to 2026 is neither panic nor inaction. It is steady security work, accurate documentation, and a clear-eyed view of what is actually required versus what is being talked about.

At a glance:

  • The February 16, 2026 deadline to update Notices of Privacy Practices is real, but the rule that survived is the substance use disorder (Part 2) alignment, not the reproductive health protections most articles still describe.
  • The reproductive health portion of the 2024 HIPAA Privacy Rule was vacated by a federal court in June 2025 and is no longer enforceable. Practices that already updated their NPPs with reproductive health language should consider removing it.
  • The major 2026 Security Rule update is still a proposed rule. The Notice of Proposed Rulemaking was published in late 2024, the comment period closed in March 2025, and HHS missed its May 2026 target for finalization.
  • The most-cited HIPAA deficiency in OCR enforcement actions remains inadequate risk analysis. This has been true for many years and is not changing.
  • The right preparation is steady, ongoing security practice that holds up under audit. It is not last-minute compliance theater for rules that may shift again.

If you run a healthcare practice in Central Illinois and you have been reading articles about the 2026 HIPAA changes, you are probably encountering a mix of urgent deadlines, vague timelines, partially obsolete information, and conflicting interpretations. This is what we have sorted out, and what we recommend to the practices we work with.

What Is Actually Required Right Now?

Before talking about what is changing, it helps to know what is already in effect, because the answer is different from what most articles describe.

The February 16, 2026 deadline for updating Notices of Privacy Practices (NPPs) is real and has passed. But the rule that actually survived to that deadline is not the one most articles still reference. Two separate 2024 rulemakings pointed at the February 2026 NPP deadline: a reproductive health privacy rule and an alignment between HIPAA and 42 CFR Part 2 (the regulations governing substance use disorder treatment records).

In June 2025, the U.S. District Court for the Northern District of Texas vacated most of the reproductive health rule in Purl v. HHS. The reproductive health provisions, including the attestation requirement many practices started preparing for, are no longer enforceable. HHS confirmed in a follow-up press release that covered entities are not required to implement the vacated provisions. Practices that already updated their NPPs to include reproductive health language should remove it, because it now describes a requirement that no longer exists.

The Part 2 alignment update did survive and is what the February 16, 2026 NPP deadline actually applies to. Every HIPAA-covered entity must have updated its NPP to reflect the substance use disorder confidentiality framework changes. If your practice has not done this, that is an immediate compliance gap with no ambiguity.

The HIPAA Security Rule, which governs the technical and administrative safeguards around electronic protected health information (ePHI), is what most of the 2026 conversation is actually about. The Security Rule itself has not changed yet. The version currently being enforced is the same one that has been in place for years. Risk analysis remains the most-cited deficiency in OCR enforcement actions, and that has been true for more than a decade.

So as of mid-2026, the practical state of affairs is: NPPs needed to be updated for substance use disorder confidentiality by February 16 (not for the vacated reproductive health rule), Security Rule technical requirements are unchanged from prior years, and the dramatic Security Rule overhaul is still proposed but not finalized.

What Is Actually Being Proposed?

The big 2026 HIPAA conversation centers on the Notice of Proposed Rulemaking (NPRM) that HHS published on December 27, 2024. The proposed changes would represent the most substantial overhaul of HIPAA security requirements since the original rule.

The largest proposed changes include:

  • Elimination of “addressable” controls. Currently, certain HIPAA safeguards are “addressable,” meaning your practice can document a reason for not implementing them. The proposed rule would eliminate this flexibility for most controls, making them mandatory across the board.
  • Mandatory encryption of ePHI at rest and in transit, regardless of organization size.
  • Mandatory multi-factor authentication (MFA) for all systems accessing ePHI.
  • Annual risk assessments and compliance audits with documented methodology and remediation tracking.
  • Network segmentation to isolate ePHI systems from general business networks.
  • 72-hour incident response capability with documented procedures and rehearsed plans.
  • Annual penetration testing by qualified third parties.
  • Asset inventories and network mapping that are kept current rather than static.
  • Stricter business associate oversight, including written attestations and enhanced documentation.

These are the changes that healthcare IT consultants have been writing about urgently. Most articles treat them as essentially inevitable, with compliance dates in late 2026 or early 2027.

Why You Should Be Careful About Trusting That Timeline

Here is the part most articles skip. As of June 2026, the final rule has not been published.

HHS originally targeted May 2026 for finalization. That window has passed. The comment period on the NPRM closed in March 2025, and the agency has been working through the feedback since then. A coalition of over 100 hospital and healthcare provider groups submitted formal requests asking HHS to withdraw the proposal entirely, citing implementation costs, technical complexity, and concerns about the timeline. The Trump administration’s regulatory priorities differ from those of the Biden administration that proposed the rule, which adds uncertainty about whether and when the rule will be finalized.

None of this means the proposed changes will not happen. They probably will, in some form, eventually. But the confident 2026 deadlines you see in some articles are not actually backed by a finalized rule. The compliance timeline that most articles cite assumes the rule is published soon, with a 180 to 240 day grace period after publication. As of right now, the clock has not started.

For practice owners, this creates a strange situation. You should not ignore the proposed changes, but you also should not invest heavily in compliance work for a rule that may be modified or withdrawn. The right approach is to do the security work that is valuable regardless of whether the rule is finalized, and to position your practice to be ready when the final rule actually publishes.

What Should You Actually Be Doing Right Now?

The honest answer is that most of the proposed changes are security practices that healthcare organizations should already be doing. The proposed Security Rule update is mostly codifying what reasonable healthcare security has looked like for years. If your practice has implemented these controls already, the eventual final rule will require documentation work but probably not major new implementation.

Here is what we actually recommend to healthcare clients in Central Illinois:

Verify your Notice of Privacy Practices is current. The February 16, 2026 deadline applied to the substance use disorder (Part 2) alignment update. If your NPP has not been updated to reflect those changes, that is an immediate gap. At the same time, if you updated your NPP in anticipation of the reproductive health rule (which was vacated by a federal court in June 2025), the reproductive health language should be removed. NPP accuracy matters more than NPP urgency.

Conduct or update your HIPAA Security Risk Assessment. Inadequate risk analysis is the single most-cited deficiency in OCR enforcement actions, and this has been true for years. This is not a checkbox exercise. It is a written evaluation of where ePHI lives in your practice, what threats it faces, what controls are in place, and what gaps still exist. The free OCR/ONC Security Risk Assessment tool helps with the structure. Professional risk assessments typically cost $5,000 to $30,000 depending on practice complexity, but they produce documentation that survives an audit. Either way, the assessment must exist, must be dated, and must be reviewed at least annually.

Implement multi-factor authentication on everything. This is going to be mandatory eventually, and even before then, MFA is one of the most effective security controls a practice can implement. If your EHR, email, and remote access systems do not have MFA, the eventual rule will require it and your insurance carrier probably already does.

Verify encryption of ePHI at rest and in transit. Modern systems handle this by default in most cases, but practices using older infrastructure sometimes have gaps. Verify rather than assume.

Build a real incident response plan. A documented plan that has been rehearsed at least once by the people who would actually execute it. The 72-hour response window in the proposed rule is aggressive, but practices that have an actual plan can meet it. Practices relying on improvisation cannot. The IBM 2025 Cost of a Data Breach Report puts the average healthcare breach at $11 million, which is the most expensive category they track. The financial gap between practices with rehearsed response plans and practices without is measured in millions.

Review your business associate agreements. Every vendor who touches ePHI needs a current BAA, and your practice needs documentation that you are verifying their compliance posture rather than just trusting it. This is a practical area where proposed and final rules align: vendor oversight is going to get stricter regardless.

Document everything. OCR enforcement actions reliably focus on what practices can prove they did, not what they actually did. Written policies, documented procedures, dated assessments, and incident response records are the difference between defensible compliance and confident-but-undocumented compliance.

Why DIY HIPAA Compliance Is Harder Than It Looks

Most small healthcare practices try to handle HIPAA compliance internally. The practice administrator becomes the de facto compliance officer. The IT person who runs the EHR becomes the technical security lead. Documentation lives in a binder somewhere or on a shared drive that nobody updates.

This works until it does not. The patterns we see when small practices fail HIPAA audits are similar. The risk assessment is several years old or was never done. Policies exist but were not updated when systems changed. The incident response plan is theoretical because nobody has rehearsed it. The encryption status of various systems is assumed but never verified. The business associate agreements are signed but not actively managed.

None of this is incompetence. It is just the reality of trying to manage compliance alongside running a healthcare practice. The administrator and IT person are doing their actual jobs full-time, and compliance gets the attention left over. When OCR shows up, that gap becomes visible.

The practices we work with that have the cleanest compliance posture have one of two things: a dedicated compliance officer (rare in practices under 100 employees), or an IT partner who handles the security and documentation work as part of an ongoing relationship. Either approach works. Trying to do it ad hoc rarely does.

How Does Facet Approach Healthcare IT and HIPAA?

Facet has supported Central Illinois businesses for over 30 years, and our healthcare client base includes medical practices, dental practices, chiropractors, med spas, and behavioral and mental health providers across the region. Our approach to HIPAA is built around a recognition that good security and HIPAA compliance are mostly the same project. Practices with real security postures generally pass audits. Practices that treat compliance as a separate documentation exercise generally do not.

We handle the technical implementation: encryption verification, MFA deployment, network segmentation where needed, endpoint protection, backup and recovery testing, and the ongoing patching that keeps systems current. For the formal compliance pieces (risk assessments, policy documentation, business associate agreement management, incident response planning), we partner with independent third-party auditors rather than serving as both the implementer and the auditor. This avoids the conflict of interest that comes with self-attesting and produces documentation that holds up under OCR scrutiny.

Our healthcare IT services cover the operational side of running a practice. For practices specifically focused on HIPAA compliance support, our HIPAA-compliant IT services page covers what is included. For the broader framework on evaluating IT providers, see 7 questions to ask before signing.

The honest conversation with any prospective healthcare client starts with where the practice currently is on compliance, not where the IT provider’s service tier sits. The right level of support depends on what gaps actually exist and what the practice is trying to protect.


Frequently Asked Questions

Is the 2026 HIPAA Security Rule update finalized?

As of mid-2026, no. The Notice of Proposed Rulemaking was published in December 2024, the comment period closed in March 2025, and HHS missed its targeted May 2026 finalization date. A coalition of over 100 healthcare provider groups has asked HHS to withdraw the proposal. The eventual final rule may differ from what was proposed, and the timeline for finalization is not currently confirmed. Practices should prepare for the likely controls (MFA, encryption, annual risk assessment) but should not invest heavily in compliance work specifically for a rule that may shift.

What is the most common reason practices fail HIPAA audits?

Inadequate risk analysis is the single most-cited deficiency in OCR enforcement actions, and this has been true for more than a decade. The risk assessment must be documented, dated, and reviewed at least annually. Most failures involve either no risk assessment at all or one that is years out of date. Updating policies without updating the underlying risk assessment is one of the most common gaps practices have.

Should small practices do their own HIPAA risk assessment?

The free OCR/ONC Security Risk Assessment tool is genuinely useful for small practices and helps structure the work. The tool’s own documentation notes that completing it does not guarantee compliance. Most practices benefit from professional support to validate findings, document them properly, and translate them into a remediation plan.

Will MFA actually be required?

Multi-factor authentication is in the proposed Security Rule update as a mandatory control. Even before the rule is finalized, MFA is one of the most effective security controls available and is increasingly required by cyber insurance carriers. Practices that have not implemented MFA on EHR, email, and remote access systems should do so now regardless of regulatory timing. The financial cost of MFA is small. The risk of not having it is large.

How much does HIPAA compliance cost for a small healthcare practice?

The cost depends on practice size and current security posture, but typical small practices in Central Illinois budget $5,000 to $30,000 for a professional risk assessment, plus ongoing managed IT services that cover the technical security work. The hidden cost most practices underestimate is the cost of NOT being compliant. The IBM 2025 Cost of a Data Breach Report puts the average healthcare breach at $11 million, which is the most expensive category they track. Practices that treat HIPAA as ongoing security work rather than annual documentation theater spend less in total.


Ready to Talk About Where Your Practice Actually Stands?

If you are a healthcare practice in Central Illinois trying to figure out what the 2026 HIPAA changes mean for you specifically, the right conversation starts with where you currently are. We can walk through your existing security posture, identify the gaps that matter most, and help you build a plan that does not depend on guessing about regulatory timelines.

(309) 689-3900 | Schedule a conversation | info@facettech.com

For broader background, see our Healthcare IT in Central Illinois guide and our 7 questions to ask before signing blog.

Facet Technologies has provided IT services to Central Illinois businesses for over 30 years. Based in Peoria, we serve healthcare, manufacturing, agriculture, professional services, and government organizations across the region.

If You Still Have an Exchange Server in Your Closet, Read This


Most businesses still running on-premises Microsoft Exchange in 2026 are not doing it for a strategic reason. They are doing it because nobody made the decision to stop. The server is still there because it has been there. Email still works because it always has. The patches mostly get installed. The backups mostly run. The IT person who was supposed to migrate this two years ago never quite got to it. And every month that the server stays in the closet, the business absorbs a little more risk that nobody is actively managing.

We have completed hundreds of email migrations for Central Illinois businesses, and the pattern is almost always the same. The Exchange server outlived the strategy. The business outgrew the setup. The right time to move was two years ago. The second best time is now.

At a glance:

  • The reason most businesses still run on-premises Exchange in 2026 is rarely strategic. It is usually inertia.
  • Running Exchange in 2026 carries real business risk that has nothing to do with Microsoft’s product roadmap and everything to do with how email actually works now.
  • A properly planned migration takes 2 to 4 weeks of project time for a typical small business, with your team experiencing effectively no disruption.
  • The migration project itself for most Central Illinois businesses runs $10,000 to $25,000, depending on size and complexity. This is one-time work.

Why Are You Still Running Exchange?

This is worth answering honestly before anything else.

The businesses we encounter still running on-premises Exchange in 2026 fall into a few buckets. The most common is the one where Exchange just kept working, so nobody touched it. The IT person who built the setup left years ago. The current IT support knows enough to keep it running but not enough to migrate it. Every few months someone says “we should really move to the cloud,” and every few months it gets bumped down the priority list because nothing is actively on fire.

The second bucket is businesses that tried to migrate at some point and got scared off. A bad vendor quote. A horror story from another business. An IT person who insisted it would be disruptive. The decision was made to wait, and then nobody revisited it.

The third bucket is businesses that genuinely had a reason at some point. Compliance concerns about cloud storage. Specific integrations with legacy line-of-business software. Custom transport rules that nobody wants to touch. In 2026, these reasons mostly do not hold up anymore. Microsoft 365 is HIPAA-eligible, supports nearly every modern integration, and has matured to the point where what used to be edge cases now have documented solutions.

None of these reasons are bad reasons. They are just not strategic reasons to still be running Exchange in 2026. Inertia is the actual reason, and inertia has been compounding into risk for a while now.

What Running Exchange Actually Costs You

The cost is not the licensing. Microsoft’s licensing for on-premises Exchange is not the expensive part of the equation.

The cost is what runs in the background and accumulates. Every month your server is on, it accumulates patches that need to be installed and tested. Every month, security advisories come out for Exchange that have to be evaluated. Every month, your backups need to run, and someone needs to verify they actually completed. Every month, somebody is supposed to be reviewing the security logs.

In the businesses we assess, this work is almost never being done. Patches are 6 to 18 months behind. Backup verification is theoretical. Security log review is nonexistent. The server is running, but nobody is actually managing it. This is the gap between “Exchange is working” and “Exchange is safe.”

The risk that accumulates in that gap is the actual cost. Unpatched Exchange servers have been the entry point for some of the most expensive ransomware events of the last several years. The 2021 ProxyLogon vulnerability alone gave attackers access to tens of thousands of unpatched Exchange servers worldwide. Most of those servers were not compromised because the IT teams were incompetent. They were compromised because the businesses had moved past the point where anyone was really paying attention to the server.

Modern email security capabilities that small businesses now need (advanced phishing detection, conditional access policies, encryption, retention policies, eDiscovery for compliance) are either difficult to implement on on-premises Exchange or simply not available. Microsoft 365 has these built in. Running Exchange in 2026 means accepting a security posture that is meaningfully behind the modern standard, regardless of how attentive your IT team is.

Add to this the operational drag: VPN setup for remote workers, the special procedures to access email from a phone, the disaster recovery plans that depend on the server room staying powered, the storage that fills up at the worst possible moment. None of these are catastrophic on their own. Together, they are a quiet tax on the business that competitors using modern email do not pay.

What a Migration Actually Looks Like When It Is Done Right

Most of the migration anxiety comes from people who have either seen a bad one or read about one online. A properly planned migration is genuinely boring from the user perspective.

Your team keeps working in their existing email throughout the project. The transition happens in waves rather than all at once. The cutover moment, when email officially switches over, happens outside business hours and takes a few hours rather than days. Users open their Outlook the next morning, it reconfigures itself once, and they go back to work. The whole experience for end users is closer to a software update than a major project.

The project around the cutover is where the real work happens. We document the existing environment, identify any mailboxes or configurations that need special handling, set up the Microsoft 365 tenant with appropriate security policies, coordinate the DNS changes that direct email to the right place, prepare end users for the small visible changes, and validate everything works before close-out. This is roughly 80% of the project. The actual mailbox migration is the simple part once the rest is in order.

For a typical small business in Central Illinois, this whole project runs about 2 to 4 weeks. Mid-sized organizations take 4 to 8 weeks. The leadership time required is usually under ten hours total, spread across the project. We have not had a client experience meaningful business disruption from a properly planned migration in years. The migrations that do go badly are almost always ones where someone tried to skip the planning work to save money or time.

Why You Should Not DIY This

Microsoft has built solid migration tools. The technical execution is well-documented. In theory, a capable IT person could run a migration themselves. We have seen this attempted many times, and we know how it usually goes.

The technical work is roughly 20% of the project. The other 80% is the planning, the security configuration, the communication with department heads, the coordination with the prior IT setup, the validation checklist, and the troubleshooting when something does not work the first time. The Microsoft migration wizard handles the 20%. It does not handle the 80%.

What goes wrong when businesses DIY is rarely the migration itself. It is usually one of the surrounding pieces. The MX records get set up wrong and email is delayed for two days. Multi-factor authentication gets turned on before users are prepared and the helpdesk gets flooded. A line-of-business application that depends on email integration stops working because nobody noticed it had a specific configuration. Compliance retention policies do not get migrated and the next audit becomes a problem. None of these are technical limitations. They are planning limitations.

If your business is very small, very simple, and has someone with real IT experience who can dedicate proper time to the project, DIY is possible. For most businesses in the 25 to 250 employee range, the math on doing it yourself stops working pretty quickly once you factor in the value of leadership time and the risk of doing it wrong.

How Should You Think About the Timing?

There are a few real signals that the time to plan is now rather than in another year.

Microsoft has announced that Exchange Web Services protocols will be blocked in Exchange Online starting October 1, 2026. For businesses with hybrid setups or legacy connections, this creates a real deadline. The companies waiting until late 2026 to plan are going to compress their planning window in ways that make the project riskier than it needs to be.

Beyond the Microsoft deadline, the more practical signal is whether your Exchange server has gotten the attention it deserves. If it has been more than six months since anyone validated the backups, more than 18 months since the patches were current, or more than two years since anyone evaluated the security configuration, the server is no longer being managed. It is being tolerated. That is the moment to address it.

The third signal is harder to name but real: businesses that have grown past the size where a single-server setup made sense. If you have remote workers, multiple locations, compliance requirements, or anyone in your business who needs reliable email access outside the office, you are paying a tax to keep Exchange running that does not match what your business actually needs anymore.

How Does Facet Handle Migrations?

Facet has completed many email migrations for Central Illinois businesses, ranging from small offices to mid-sized organizations with serious compliance requirements. We do this work constantly. The approach is built around making the project feel boring to your team.

We start with an honest assessment of your current environment, not a generic quote based on user count. From there, we recommend the right migration approach for your situation, walk through the licensing options that fit your team, coordinate with whoever is currently managing your Exchange server, handle the technical execution, and validate everything works before close-out. For most businesses, the entire migration project requires less than ten hours of leadership time total, spread across several weeks.

After migration, our managed IT services include Microsoft 365 management as part of the ongoing relationship. For businesses that want strategic guidance on broader cloud and platform decisions, our strategic IT advisory service handles the platform roadmap.

For the broader framework on evaluating IT providers, see our 7 questions to ask before signing. For what an ongoing IT partnership looks like, see What an IT partnership looks like.


Frequently Asked Questions

How long does an Exchange to Microsoft 365 migration take?

A typical small business migration takes 2 to 4 weeks of total project time. Mid-sized organizations of 100 to 500 users typically take 4 to 8 weeks. The actual email cutover for end users is usually invisible, happening in the background while users keep working.

Will my team be without email during the migration?

With proper planning, no. Modern migration approaches allow users to keep working in their existing email throughout the transition. The actual cutover moment is scheduled outside business hours with effectively no downtime. Reports of “email was down for a week” come from migrations that skipped the planning work, not from properly executed projects.

What does a migration project cost?

For most small and mid-sized businesses in Central Illinois, one-time migration project costs run $10,000 to $25,000 depending on size, complexity, and how much additional security setup is included. This is one-time work, not an ongoing cost. The Microsoft 365 licensing for users after migration is billed separately.

Can my office manager handle this with Microsoft’s migration wizard?

For very small environments (fewer than 5 mailboxes) with simple configurations, possibly. For most businesses, the wizard handles roughly 20% of the project. The other 80% (planning, security configuration, user communication, validation, DNS coordination) is what separates a smooth migration from a chaotic one. Most businesses benefit from a partner who handles the complexity rather than navigating it themselves.

What is the October 2026 Microsoft deadline?

Microsoft has officially announced that Exchange Web Services (EWS) protocols will be blocked in Exchange Online starting October 1, 2026. This affects businesses still running on-premises Exchange Server. Practically, businesses should plan migration before that deadline rather than after.

What licensing tier fits my team?

Microsoft 365 offers multiple business tiers with different security and capability levels. The right tier depends on whether your business has compliance obligations, remote workers, or other security needs. Rather than recommend a single number, we walk through the right fit role by role during the migration assessment.

What if my current IT person resists the migration?

This is more common than people expect. Sometimes the resistance is legitimate technical caution. More often, it is the human discomfort of admitting that something they have been managing should have been retired years ago. We work alongside existing IT teams during migrations rather than around them, and the conversations tend to go better than businesses expect.


Ready to Move Past the Exchange Server in Your Closet?

If you have been thinking about this migration for a while and never quite getting to it, that is the most common reason businesses end up calling us. We can walk through your specific situation, give you a realistic timeline, and help you make the decision you have probably already known you needed to make.

(309) 689-3900 | Schedule a conversation | info@facettech.com

For broader background, see our 7 questions to ask before signing and our What to Expect When Switching to a New Managed IT Provider guide.

Facet Technologies has provided IT services to Central Illinois businesses for over 30 years. Based in Peoria, we serve healthcare, manufacturing, agriculture, professional services, and government organizations across the region.

The “Accidental IT Person”: When Your Best Employee Becomes the IT Person (And Why That’s a Problem)

a desk with a laptop, notebook, coffee, and other various items sprawled out in a chaotic way, representing the desk of an "accidental" IT person

In most small businesses, the “IT person” was never hired to be the IT person. They are the office manager, the controller, the operations coordinator, or the most technically curious employee in the building. They got the WiFi password first, so people started asking them when the printer broke. Five years later, they are managing the firewall, troubleshooting Microsoft 365, and trying to figure out HIPAA compliance in their spare time. The business gets cheap IT support. The employee gets burned out and starts looking for a job that does not involve resetting passwords at 9 PM.

At a glance: Most small businesses (10 to 50 employees) have an “accidental IT person”, a non-IT employee who became the default technology resource over time. The hidden cost shows up in three places: the strain on that employee, the strategic decisions made without proper guidance, and the security gaps nobody is watching. Untrained people making confident IT decisions are often a higher cybersecurity risk than untrained people who are openly overwhelmed, because false confidence resists outside review. This is not a problem you solve by replacing the employee. It is a problem you solve by moving IT decisions to a provider qualified to make them, with the internal person remaining as the point of contact. Full managed IT services are usually the right answer for this pattern. Co-managed only fits when the internal person has actual technical training and current cybersecurity expertise. The right time to fix this is before the employee leaves, not after.

You probably know exactly who this is in your business. The person who handled the new laptop setup for the last three hires. The one who knows the password to the accounting software. The one everyone messages on Teams when the projector is not working. If your business is between 10 and 50 employees, there is a strong chance you have this person. They are usually excellent at their actual job. That is exactly the problem.

How Do You Know You Have an Accidental IT Person?

The pattern is hiding in plain sight once you know what to look for. Check whether any of the following sound like your business.

Signal | What It Looks Like in Practice
--- | ---
One person knows all the passwords | Admin credentials, vendor logins, network configuration all live with one employee who never officially signed up to own them
IT work happens after hours | Software updates, troubleshooting, new employee setup all happen on evenings or weekends because there is no time during the workday
The “IT person” has another full-time job | They are the controller, office manager, or operations lead. IT is the second job they never asked for
Technology decisions get deferred | Hardware replacements, security upgrades, software migrations sit on a list because nobody has time to research them
The same problems keep recurring | Recurring printer issues, recurring login problems, recurring slow days. Nobody has the time to actually solve them at the root
The “IT person” is talking about leaving | Quiet job searching, increased frustration, comments about being pulled in too many directions
Compliance documentation does not exist | HIPAA risk assessments, security policies, backup verification. These are supposed to exist but nobody owns them

If two or more of these describe your business, you have an accidental IT person. The question is whether you address it now, while they are still with you, or later, after they have left and taken every password and vendor relationship with them.

What Is the Real Cost of the Accidental IT Person Model?

The cost is rarely measured because it does not show up on an invoice. It shows up in three places: the employee, the business decisions, and the security posture.

The employee cost is the most visible. Someone who was hired to do operations, accounting, or office management is now spending 15 to 30% of their week on IT work they have no formal training for. They are problem-solving alone, often outside business hours, often under pressure. The work is invisible to leadership because it does not produce a tangible deliverable. Over time, this is one of the most common reasons high-performing employees in small businesses quit. They leave for a role where they get to focus on the work they were actually hired to do.

The business decision cost is harder to see but more expensive. When the person making IT decisions does not have time to research them or expertise to evaluate them, the decisions get made under pressure with incomplete information. A firewall gets purchased because a vendor cold-called at the right moment. A backup solution gets selected because it was the cheapest option that came up in a Google search. A software platform gets chosen because the salesperson was persistent. None of these decisions are bad in isolation. Together, they produce a technology environment that nobody designed and nobody fully understands.

The security cost is the one that becomes existential when something goes wrong. A 2025 Verizon Data Breach Investigations Report found that small and medium-sized businesses experience ransomware data breaches at more than double the rate of large enterprises, 88% versus 39%. The reason is rarely technical sophistication. It is that smaller businesses do not have anyone whose actual job is to watch their network, and the accidental IT person cannot do that job on top of their real one. By the time a problem surfaces, the attacker has been in the network for an average of nine months, according to IBM’s 2025 Cost of a Data Breach Report.

Why Does This Pattern Keep Happening?

This is a structural problem, not a personal one. Three forces push businesses into the accidental IT person model.

The first is cost perception. Hiring a dedicated IT employee feels expensive. The average fully loaded cost runs $130,000 to $150,000 per year, and the work does not always look like a full-time job at smaller sizes. So businesses do not hire. They distribute the work to whoever is willing to absorb it.

The second is availability. The person who knows the most about technology is usually the most willing to help. They get a reputation for being good with computers, and the requests start coming. Saying no requires constant social friction with coworkers who genuinely need help. Most people stop saying no and absorb the role by default.

The third is invisibility. Because IT work does not produce a discrete deliverable, leadership rarely sees how much of it is happening. The office manager who spent four hours on Tuesday troubleshooting a printer and three hours on Wednesday updating a server has no manager noticing that those hours came out of their actual job. The work is invisible until the person doing it quits.

What Does the Right Answer Look Like?

The right answer almost always involves giving the IT work to someone whose actual job is to do it. There are two clean ways to get there.

The first, and usually the better fit, is full managed IT services. The accidental IT person stops being responsible for IT and becomes the single point of contact between the business and the provider. They get to return to the job they were hired for, whether that is operations, accounting, or office management. The provider absorbs everything: helpdesk, monitoring, security, vendor management, compliance, strategic planning. The internal person still has institutional knowledge of the business and the people, which is genuinely useful, but they do not need to be the one fixing the printer or managing the firewall. They just need to be the person who picks up the phone and connects the right conversation.

The second option is co-managed IT, but this fits a much narrower set of situations than most people assume. The decision is not whether the internal person wants to keep doing IT. The decision is whether they are qualified to keep doing IT. Those are different questions, and conflating them is a common cybersecurity risk.

An untrained person who enjoys being the IT person but lacks formal training is often more exposed than one who is openly overwhelmed. They tend to be confident in decisions that should be reviewed by someone with security expertise. They configure firewalls based on what they read online. They set up cloud services without understanding identity and access management. They install software without checking dependencies or vendor reputation. They believe their security posture is fine because nothing has gone wrong yet. The false confidence is the risk. An accidental IT person who is honest about the limits of their expertise is usually safer than one who has convinced themselves they have it covered.

Co-managed IT only fits when the internal person has actual technical training, current certifications, and genuine cybersecurity expertise. If they are a credentialed IT professional working part-time on IT alongside other duties, co-managed lets them keep that work while getting backup for what they cannot cover alone. For everyone else, including most office managers, controllers, and operations leads who got handed the IT role by default, the safer answer is to move the strategic and security decisions to a provider whose job is to make them. The internal person remains the helpful point of contact. The technical judgment lives with someone qualified to exercise it.

The honest reading is this: full managed services usually makes more sense for the accidental IT person pattern, regardless of how much the internal person wants to stay involved. The cybersecurity exposure of an untrained person making security decisions is the most expensive part of this whole problem, and it is the part most businesses do not see until something goes wrong.

Either way, the institutional knowledge stays in the building. The relationships stay in place. The provider absorbs the work that should not have been absorbed by an untrained person in the first place.

How Should You Think About Making the Change?

There are three signals that the change should happen now rather than next year.

The first is when the accidental IT person starts talking about being overwhelmed. By the time someone says this out loud in a small business, they have usually been feeling it for six months. The conversation is a warning, not an opening complaint.

The second is when a security incident, audit failure, or compliance scare puts the business in a position where IT decisions cannot wait anymore. These moments tend to be expensive. Addressing the underlying staffing problem before the incident is meaningfully cheaper than addressing it after.

The third is when the business grows past 20 employees. This is the rough threshold where the accidental IT person model stops being a stretch and starts being a structural risk. The technology footprint at that size is too large for someone to manage on the side. The security exposure is too real to leave to part-time attention.

Most businesses delay the change too long because there is never a convenient moment. The IT person is too busy to switch models. The leadership team is focused on growth. The budget conversation gets pushed to next quarter. The result is that the change happens after a crisis rather than before one.

How Does Facet Approach This?

When Facet engages with businesses that have an accidental IT person, the first conversation is usually with that person. They have done a remarkable job under conditions they should never have been asked to manage. The right model depends less on what they want to do and more on what they are qualified to do.

For most businesses in this pattern, our full managed IT services are the better fit. The accidental IT person stops being responsible for IT and becomes the point of contact between the business and our team. We absorb the technology work, document the environment thoroughly, and free up that employee to return to the job they were originally hired for. The strategic and security decisions move to our team, where they belong. The internal person remains a valuable connection to the business without carrying decisions they were never trained to make.

For businesses where the internal person genuinely is a credentialed IT employee with technical training, our co-managed IT model provides specialized depth alongside their existing role. This fits a different and much narrower set of situations than the accidental IT person pattern, and we are honest with prospects about which side of the line their business falls on.

The honest conversation is about what model fits the business now and what makes the work sustainable for the people involved. For the broader framework on evaluating IT providers, see our 7 questions to ask before signing and What an IT partnership looks like blog.


Frequently Asked Questions

Should I replace the accidental IT person with a managed service provider?

Usually not in the sense of letting them go. They have institutional knowledge and relationships that are useful to keep. But the IT work itself usually should move to an external provider. The accidental IT person stays in their actual role (operations, accounting, office management) and becomes the point of contact for the IT provider, rather than the person responsible for IT.

Can a non-IT employee safely handle IT for a small business?

For very simple environments and very small businesses, sometimes. For most growing businesses with compliance obligations, remote workers, or any meaningful security exposure, the honest answer is no. The risk is not whether they can keep the printers working. The risk is whether they are equipped to make confident decisions on firewalls, identity management, backup architecture, and incident response. Most accidental IT people are not, and the absence of obvious problems is not the same as the presence of real security.

When is the right time to move IT work to a managed services provider?

Three signals: when the accidental IT person starts talking about being overwhelmed, when a security or compliance scare forces the issue, or when the business grows past 20 employees. The right time is usually before any of these reach a crisis point, but the change is still possible and often necessary even after one of them does.

What is co-managed IT, and when does it fit?

Co-managed IT is a service model where an external managed services provider works alongside an existing internal IT employee. It fits a narrow set of situations: when the internal person has actual technical training and current cybersecurity expertise. For the accidental IT person pattern, where the internal person is not formally trained in IT, full managed services is usually the safer and more effective answer.

What happens to the accidental IT person after the change?

In the typical scenario, they return to spending their full time on the job they were actually hired for. They stay in the building, they keep their institutional knowledge of the business, and they become the point of contact between the business and the IT provider. They are no longer the person responsible for IT decisions. The strain comes off, and the employee retention risk goes down meaningfully.


Ready to Talk About Your Current Setup?

If you recognize the accidental IT person pattern in your business, the right time to address it is before the person leaves or before something breaks. We can walk through what the right model looks like for your specific situation, with the goal of moving the IT work to a team whose actual job is to handle it.

(309) 689-3900 | Schedule a conversation | info@facettech.com

For broader background, see our Is a managed IT provider worth the cost? blog and our 7 questions to ask before signing guide.


What an IT Partnership Looks Like (And When You’re Ready for One)

Isometric illustration of two collaborative workstations with a shared planning document and a teal handshake icon, representing an IT partnership

A managed IT partnership is a long-term relationship where an external team takes responsibility for the technology side of your business, working alongside leadership rather than waiting to be called. The right partnership looks less like buying a service and more like adding a department. The signals that tell you you’re ready usually show up in your business before you start looking for the language to describe them.

At a glance:

  • A managed IT partnership—often delivered by a Managed Service Provider (MSP)—combines day-to-day support with strategic planning, vendor management, and risk reduction across a multi-year horizon.
  • Industry research from BETSOL found that organizations working with a strategic IT partner report 40% improvements in IT efficiency and 25% reductions in technology-related risk.
  • The transition from reactive IT support to a partnership model typically happens when a business hits a complexity threshold—whether that’s 5 employees handling sensitive data, a 15-person team with strict compliance obligations, or simply a growing company that can no longer afford downtime.
  • A partnership is not the same as a vendor relationship. The provider is invested in your direction, not just your problems.
  • The signals that tell you you’re ready are usually visible in how your team works around technology problems rather than solving them.

This piece walks through what a managed IT partnership actually looks like when it’s working, the signals that suggest your business is ready for one, and the honest comparison between a partnership model and the more transactional support models that come before it. It’s a framework, not a sales pitch. The goal is to give you the language to recognize what you’re already experiencing.

What Does an IT Partnership Actually Look Like Day to Day?

A real IT partnership operates on two tracks at once. The first track is the day-to-day support: helpdesk, monitoring, security tools, and the things that make technology work when your team needs it. The second track is the strategic conversation: where your business is going, what technology decisions need to happen in the next 12 to 36 months, and how the operational side connects to leadership goals.

What this means in practice is that the relationship is not just transactional. You have one accountable team that knows your network, your vendors, your business model, and the people who use the technology. The same team that resolves a help desk ticket on Monday is the team that meets with you quarterly to walk through the technology roadmap. Documentation lives with the provider, not in one person’s head. Vendor contracts get reviewed, negotiated, and managed as part of the relationship. Security and compliance are ongoing functions, not one-time projects.

The result is a relationship where you stop thinking about IT as a problem to manage and start thinking about it as an area of the business where someone has it covered. That shift is what most business owners are actually looking for when they start evaluating providers, even if the conversation starts with cost.

The “Break-Fix” Freelancer vs. The Managed IT Partnership

This is the distinction most buyers do not have language for yet. The model that comes before a partnership is usually called “break-fix”—something breaks, you call a freelancer or vendor, they fix it, and they bill you for the time. Here is how the break-fix model compares to an MSP partnership.

Dimension | Break-Fix / Freelancer IT | Managed IT Partnership (MSP)
--- | --- | ---
Engagement model | Transactional, called when something breaks | Ongoing, integrated into how the business operates
Strategic planning | Not included, you handle it yourself | Quarterly business reviews, 12 to 36 month technology roadmap
Vendor management | You manage vendors directly | Provider manages technology vendors on your behalf
Documentation | Lives in the technician’s head | Lives with the provider, accessible to you
Risk & compliance | Reactive, addressed when audits or incidents force it | Proactive, built into ongoing service
Communication cadence | Only when there’s a problem | Regular, structured, two-way
Pricing model | Hourly or per-incident | Flat monthly fee with predictable budgeting
Time horizon | This week’s issue | A strategic view of the next years of your business

A break-fix relationship is fine for businesses that genuinely just need someone to call when something breaks. A partnership is what businesses need when technology has become integrated enough into operations that “wait until it breaks” is too expensive a strategy.

What Are the Signals That You’re Ready for a Partnership?

The signals show up in patterns of behavior, not in single events. If two or more of the following describe your business, the partnership conversation is worth having.

  • You are making technology decisions under pressure. Hardware fails and you scramble to replace it. A software vendor calls and you make a decision without much research. A compliance requirement surfaces and you address it reactively. The decisions get made, but they get made without context.
  • Your team is working around problems instead of solving them. Recurring printer issues. Recurring login problems. Recurring network slowness. The workarounds become the way work happens, and the underlying issue never gets fixed because nobody has time to dig into it.
  • Nobody owns the technology strategy. When you think about where IT should be a year from now, the answer is “we’ll see.” Hardware refreshes are reactive. Cloud strategy is whatever happens when a server fails. Cybersecurity is whatever the cyber insurance application forced you to put in place.
  • A single person carries too much. This might be your accidental IT person, the office manager or controller who became the IT person by default. The business has a single point of failure that nobody planned to create.
  • The freelancer’s availability is your bottleneck. When your “IT guy” goes on vacation, gets sick, or takes on another full-time job, your business is left exposed. The break-fix model relies on a single individual’s schedule, whereas a partnership relies on a fully staffed team that guarantees coverage.
  • Compliance or insurance requirements are getting harder to meet. HIPAA, PCI, CMMC, and cyber insurance applications are all becoming more demanding. If you are addressing these by checking boxes rather than by maintaining a posture, the gap between what is required and what you have in place is growing.
  • You have outgrown the support model that worked when you were smaller. The freelancer who handled IT when you were 8 employees cannot handle IT for 35 employees the same way. The break-fix shop that fixed things when something broke does not have the depth your business now requires. The model that worked then is not the same model that works now.
  • Leadership spends time on IT that should not be leadership time. If you, as the owner or executive, are the person making vendor calls, evaluating quotes, or troubleshooting things that should be solved at a different level, the support model has outgrown its appropriate scope.

None of these signals are catastrophic on their own. They become problems when they are persistent. They become urgent when they start to compound.

What Does a Partnership Actually Cost?

The financial reality of a partnership is straightforward, and it should not be the headline of the decision. Managed IT services in the Central Illinois market typically run $100 to $200 per workstation per month, depending on what is included in the base rate. The flat monthly fee replaces the variable cost of hourly support, the gaps in proactive monitoring, the unbudgeted projects, and the cost exposure of incidents that proactive support would have prevented.

For most businesses moving from a reactive support model into a partnership, the line-item cost goes up. The total cost of running the business goes down, because incidents become rarer, decisions get made with proper context, and the time leadership spends on technology returns to the business. Industry research from ITIC puts the average small or mid-sized business loss at $25,000 or more per hour during an IT outage. A partnership that prevents two preventable incidents in a year typically more than offsets the difference between reactive and proactive support models.

The conversation that matters is not “what does the monthly fee cost?” It is “what is the total cost of running my business under each model, including the things that cost money when nobody is paying attention?” That question rarely produces a clear answer that favors reactive support for any business past the very smallest sizes.

When Is a Partnership Not the Right Answer?

Honest framing requires naming the cases where a partnership is not what a business needs.

  • Very small businesses (under 5 employees) with simple technology, no compliance obligations, and no remote workers can often operate on a freelancer or break-fix model for years. The cost of a partnership is more than the situation requires, and the time horizon of strategic planning matters less when the business is not navigating growth or change. That said, even very small businesses still need basic cybersecurity (firewall, MFA, endpoint protection, backups), so “no partnership” does not mean “no security.”
  • Businesses that are still figuring out what they want technology to do also may not be ready. A partnership works best when there are business goals to align technology against. If the business is in a transitional period where direction is unclear, a partnership may be premature, and a more transactional relationship may serve until the direction settles.
  • Businesses looking for the lowest possible monthly cost will not find a fit in a partnership model. Partnerships are priced on the relationship, not on individual tasks. If price is the deciding factor rather than fit, the partnership model probably is not what the business is looking for.

How Does Facet Approach the Partnership Model?

When Facet engages with a business, the first conversation is rarely about what is in the service tier. It is about the business itself. What does the next 12 to 36 months look like? What does your team experience around technology that frustrates them? What decisions are getting deferred because nobody has time to make them properly? Once we understand the business, the question of which service model fits becomes much easier to answer.

Our managed IT services are built around the partnership model: quarterly business reviews, a 12 to 36 month technology roadmap, vendor management, ongoing security and compliance posture, and a single accountable team that knows your environment. Our co-managed IT model extends the partnership to businesses that already have internal IT, providing specialized depth alongside the existing team. Our strategic IT advisory service is the partnership component for organizations whose day-to-day operations are already handled but whose strategic technology leadership is not.

For the broader framework on evaluating any IT provider, see our 7 questions to ask before signing blog. For the experience of switching to a new provider, see What to Expect When Switching to a New Managed IT Provider.

The right partnership for your business is the one where the conversation feels like a conversation, not a sale. If you recognize your business in the signals above, that is usually a sign the conversation is worth having.

Frequently Asked Questions

What is the difference between a managed IT partnership and a break-fix vendor?

A vendor relationship is transactional: you call when something breaks, you pay for the work, and you handle strategy and planning yourself. A partnership is integrated: the MSP handles day-to-day support AND meets with you regularly to plan technology direction, manage vendors, address compliance, and reduce risk over a multi-year horizon. The pricing model, the communication cadence, and the time horizon all differ.

When does a business become ready for a managed IT partnership?

The transition is driven by complexity, not headcount. A 10-person healthcare clinic dealing with HIPAA or a 12-person engineering firm with strict cyber insurance requirements often needs a partnership more urgently than a 40-person landscaping company. The best signals are situational: when technology decisions are being made under pressure, when problems are being worked around rather than solved, when a single person carries too much of the IT load, or when leadership is spending time on IT instead of running the business.

Is a partnership the same as having a vCIO?

A vCIO (virtual chief information officer) is one component of a partnership. The vCIO provides strategic technology leadership, planning, and budgeting. In a full partnership, the vCIO function is integrated with day-to-day support, security, and operational services. Some businesses contract with a vCIO separately from their support provider, but the model works best when both functions are integrated.

Will a partnership work alongside our existing IT staff?

Yes. The co-managed IT model is designed specifically for businesses with internal IT staff. The partnership provides specialized expertise (security, compliance, after-hours support, strategic planning) that complements what the internal team is doing rather than replacing them. The result is usually that the internal person can refocus on the business-specific work that only they can do.

What is the smallest business that benefits from a partnership?

The defining factor isn’t your headcount; it’s your reliance on technology. We frequently partner with businesses in the 5 to 15 employee range. If an hour of downtime costs you significant money or reputation, or if you handle sensitive data, the math works. The size of the business matters less than the complexity of what your technology has to support.

How long does a partnership relationship typically last?

Industry-standard managed services agreements run one to three years, with three years being the most common. Strong partnerships typically continue well past the initial term because the provider has become integrated into how the business operates. Switching providers is possible but sometimes disruptive, which is why the initial fit matters.

What is the most important factor in choosing a partnership?

Fit. Cost matters, capability matters, and so do specific industry experience and references. But the deciding factor is usually whether the provider seems genuinely interested in the business or just in the contract. A partnership only works when both sides are invested in the relationship.

Ready to Talk About What This Could Look Like for Your Business?

If you recognize your business in the signals above, the right conversation starts with what you are experiencing, not with what we offer. We are happy to walk through your situation and help you figure out whether a partnership model fits, even if the answer is that you should stay where you are for now.

(309) 689-3900 | Schedule a conversation

For broader background, see our 7 questions to ask before signing and our What to Expect When Switching guide.

Facet Technologies has provided IT services to Central Illinois businesses for over 30 years. Based in Peoria, we serve healthcare, manufacturing, agriculture, professional services, and government organizations across the region.

7 Questions to Ask Before Signing With a Managed IT Provider

Before you sign with a managed IT provider, ask seven questions: how the helpdesk is staffed, what’s actually included in the monthly fee, how their contracts are structured, how the provider plans for projects and budget, how they handle compliance, what response times they commit to in writing, and how their contract terms and renewal process work. The right answers tell you whether you’re buying a partner or buying a problem.

At a glance: Managed IT services in the Peoria area typically run $100 to $200 per workstation per month (higher for risk-heavy or highly regulated industries), with the range often driven by what’s included rather than provider quality. A trustworthy MSP can explain exactly what’s in the monthly fee, what triggers additional billing, and what happens if you need to leave. Most disputes between businesses and their IT providers come from unclear contracts, vague SLAs, or unspecified scope, not from technical failures. Industry research consistently shows that unclear contract terms and undefined scope drive the majority of unexpected IT costs in the first year of a managed services relationship. The seven questions in this guide work as a framework for evaluating any managed IT provider, not just Facet.

A managed service provider, or MSP, is a company that takes responsibility for some or all of your IT environment on a flat monthly fee. The right provider becomes a long-term strategic partner. The wrong one becomes an expensive lesson. The difference usually comes down to what you ask before signing, not what you discover after.

This guide walks through seven strategic questions any business owner should ask. For the deeper, line-by-line evaluation, our 11 Questions guide covers tactical details like firewall replacement cycles, trip charges, email migration fees, and hardware repair policies.

What Should You Look For When Evaluating an MSP?

Use this table as a quick reference while you’re talking to providers. Either column can describe a real, professional MSP. The red flags are the ones to walk away from.

| Question Topic | Reassuring Answer | Red Flag Answer |
| --- | --- | --- |
| Helpdesk model | Named team you can speak with directly, in-house or domestic, with documented escalation paths | Anonymous ticketing system, offshore call center with no consistent technician, voicemail-only after-hours |
| What’s included | Written, itemized list of services in the monthly fee with clear exclusions | “Everything you need” without specifics, or pricing that requires multiple follow-ups to decode |
| Contracts | Separate written agreements for managed services, voice, and project work, with clear scope, term length, and renewal terms disclosed in writing | Vague verbal terms, undisclosed auto-renewal clauses buried in fine print, or one bundled contract with unclear pricing |
| Project planning | Annual IT roadmap, budgeted projects identified in advance, quarterly reviews | Reactive project quotes only when something breaks, no forward planning, no budget visibility |
| Compliance | Specific named frameworks they support, partnership with third-party auditors when needed | “We’re compliant” with no specifics, or claiming to provide audits themselves without independent validation |
| SLAs and response times | Written response and resolution targets by severity, with reporting on actual performance | “We respond quickly” without numbers, no severity tiers, no accountability for missed targets |
| Exit terms | Clearly disclosed term length, auto-renewal, and early termination fees with cooperation during transitions | Refusal to discuss terms, withholding of data or credentials during transition, or deliberately obstructed handoffs |

1. How Is Your Helpdesk Staffed and Where Is It Located?

This question reveals more about an MSP than almost any other. Your helpdesk is the day-to-day relationship. If the people answering the phone don’t know your network, your team, or your business, every support ticket starts from zero.

A reassuring answer describes a specific team. Where they sit, how many technicians, whether they’re employees or contractors, and what happens when you call after hours. The best providers maintain documentation on each client environment so the technician who answers already knows your setup. An offshore call center reading from a generic script, or a ticketing system with no human contact, is a different product entirely. Industry research from CompTIA consistently identifies first-call resolution as a top predictor of customer satisfaction in managed services. Ask whether your prospective provider tracks this metric and what the number is.

At Facet, our helpdesk is 100% in-house in our Peoria office. Live answer during business hours, on-call technician access 24/7/365, average response time under 15 minutes. The technicians know your network because they have direct documentation on it.

2. What Is Actually Included in the Monthly Fee?

This question separates transparent providers from ones who count on confusion. The monthly fee should map to a specific list of services. Anything not on that list is an additional cost, and you should know what triggers those costs before signing.

A reassuring answer comes in writing. Specific services included: helpdesk, monitoring, patching, security software, backup, and so on. Specific services excluded: typically remediation projects, hardware purchases, major migrations, after-hours emergency work beyond what’s in the SLA. A red flag answer treats the question as if you’re being difficult for asking it. The harder a provider works to avoid itemizing what’s included, the more likely you are to see surprise charges later.

Managed IT services in the Peoria area typically cost $100 to $200 per workstation per month. The range exists because providers bundle different things into that price. Always compare what’s included, not just the headline number. The 11 Questions guide walks through 10 specific line items that buyers often overlook in MSP quotes.

3. How Do Your Contracts Actually Work?

Contract structure is where most disputes between businesses and their MSPs originate. The question is not whether the provider uses contracts. Everyone uses contracts. The question is how they’re structured and whether the terms are clear.

A reassuring answer explains the agreement structure plainly. Most professional MSPs use separate agreements for different services: a managed services agreement with its own term and renewal, a separate voice or phone services agreement if applicable, and individual statements of work for project engagements. This separation protects both parties. You know exactly what each service costs and what changes when one piece of the relationship shifts. A red flag answer involves vague verbal commitments, a single master contract that bundles everything together without itemized pricing, or unclear scope that creates room for surprise charges down the road.

The strongest providers structure their agreements around accountability rather than control. You have one accountable team and one point of contact, but the underlying agreements stay clearly separated so each service can be evaluated on its own terms. That structure is more transparent for the client and more sustainable for the provider, which is why serious MSPs use it.

4. How Do You Plan and Budget for Projects?

A managed service plan covers day-to-day operations, monitoring, and support. Projects (server replacements, network upgrades, cloud migrations, major security implementations) are almost always priced separately. The question is whether the provider plans these in advance or hits you with them as surprises.

A reassuring answer describes an annual IT roadmap. Your provider walks your environment at least once a year, identifies infrastructure that will need to be replaced or upgraded in the next 12 to 36 months, and gives you a budgetary forecast so you can plan for it. Quarterly business reviews keep that roadmap current. A red flag answer involves no forward planning at all. Projects appear when something breaks, quotes show up with no budget context, and “essential” work gets discovered six weeks into the relationship because there was no real assessment before you signed.

Facet’s strategic IT advisory services include annual roadmapping and quarterly business reviews so projects are planned and budgeted in advance. We do not promise “no projects,” because that would be dishonest. Every IT environment needs projects. The promise is that they are planned, not surprises.

5. How Do You Handle Compliance Requirements?

If you operate in healthcare, defense contracting, financial services, payment processing, or any other regulated industry, this question is essential. Compliance is rarely included in a base managed services agreement. It almost always requires additional scoping, specialized expertise, and sometimes third-party validation.

A reassuring answer names specific frameworks the provider supports: HIPAA, PCI DSS, CMMC, SOC 2, NIST, and so on. It distinguishes between compliance support (helping you meet the requirements) and compliance auditing (independent validation that you do). The best providers partner with separate auditing organizations rather than serving as both the provider and the auditor, which avoids conflicts of interest. A red flag answer claims “we’re compliant” without explaining what that means, or offers to provide both the implementation and the audit, which is not how compliance frameworks are supposed to work.

Facet provides compliance support across HIPAA, PCI, CMMC, NIST, ISO 27001, and FedRAMP. For independent validation, we work with third-party auditing partners so the organization implementing your security is not also serving as your auditor. Compliance remediation, when an audit finds gaps, is always scoped as a separate project.

6. What Response Times Do You Commit To, In Writing?

A service level agreement, or SLA, defines the response and resolution times your provider commits to. The phrase “24/7 support” means nothing without numbers behind it. Ask to see the SLA before signing, not after.

A reassuring answer describes tiered response commitments. A complete system outage should have a faster guaranteed response than a single user password reset. The SLA should include specific timeframes for acknowledgment, troubleshooting, and resolution by severity level, and the provider should be willing to share data on how often they meet those targets. A red flag answer uses vague language like “best effort” or “promptly,” gives no severity tiers, or excludes after-hours work from the response commitments entirely.

Industry benchmarks for high-priority issues call for acknowledgment within one hour and resolution within four hours, though the right targets depend on your business. Facet publishes response time commitments and reports on actual performance through quarterly business reviews. Our 24/7 support and SLA clarity blog walks through what to look for in an SLA in more detail.

7. How Do Your Contract Terms and Renewal Work?

This is the question most buyers skip, then regret later. Not because exit terms are inherently scary, but because misunderstanding them creates friction down the road. Term contracts, auto-renewal clauses, and early termination fees are standard practice across the MSP industry. The question is whether your provider explains them clearly up front.

A reassuring answer walks through the contract structure plainly. Typical term lengths in the industry run one to three years, with three years being the most common and often the best-priced option. Auto-renewal is standard at the end of term, usually for an additional year. Early termination clauses commonly require 30 to 90 days’ notice and a fee that reflects the provider’s investment in the relationship. A red flag answer is not the existence of these terms. The red flag is a provider who refuses to discuss them, hides them in fine print, withholds data or credentials during a transition, or makes the transition deliberately difficult to punish departing clients.

The right framing for this question is not “how easy is it to leave?” The right framing is “are the terms clear, fair, and disclosed?” A provider who answers contract questions plainly, explains the renewal process up front, and commits to cooperation during a future transition is showing you how the relationship will work. That’s the signal worth looking for, regardless of which provider you choose.

How Should You Use These Questions?

Bring this list to your conversations with prospective IT providers. Ask the same questions of each one. Compare answers side by side rather than letting the polished presentation of any single provider become the standard.

The right MSP for your business is the one that gives you clear, specific, defensible answers to all seven questions, not the one with the lowest monthly price. Cost matters, but unclear scope, vague contracts, and undefined SLAs cost more than any line item on a quote. Businesses that document their MSP requirements before signing tend to encounter fewer surprise costs and operational issues in the first year compared to those who choose based on price alone.

If you want the deeper tactical breakdown, our 11 Questions guide covers ten more specific line items including firewall replacement, hardware repair, email migration, on-site visit charges, and how to interpret a managed services quote line by line.


Frequently Asked Questions

What is a managed service provider (MSP)?

A managed service provider, or MSP, is a company that takes responsibility for some or all of your IT environment on a flat monthly fee. Services typically include helpdesk support, network monitoring, cybersecurity, backup management, and strategic planning. The MSP becomes your outsourced or co-managed IT department depending on whether you have internal staff.

What is the most important question to ask before hiring an MSP?

“What is actually included in the monthly fee?” Most disputes between businesses and their IT providers come from unclear scope. A provider who answers this question with a specific written list of inclusions and exclusions is showing you how the relationship will work day-to-day. A provider who deflects the question is showing you something else.

How much should managed IT services cost in Central Illinois?

Managed IT services in the Peoria area typically run $100 to $200 per workstation per month. The range depends on what’s included. Providers that bundle cybersecurity, monitoring, and patching into the base price tend to cost more upfront but produce fewer surprise bills. Providers with lower headline prices often charge separately for security and project work, which can make them more expensive overall.

What are the biggest red flags when evaluating an MSP?

Vague verbal commitments instead of written agreements, unwillingness to itemize what’s included in the monthly fee, no SLA with specific response times, no plan for projects or annual budgeting, and refusal to discuss contract terms openly. Any single one of these is a warning. Two or more is a reason to walk away.

How long should an MSP contract be?

One- to three-year terms are standard in the industry. Shorter terms give buyers more flexibility but may come with higher monthly rates. Longer terms can include better pricing but require more rigorous evaluation up front. What matters more than the length is the clarity of renewal terms, the exit process, and whether the provider performs as promised throughout the term.

Should I use one MSP for everything or multiple specialized providers?

For most small and mid-sized businesses in the 20 to 250 employee range, one accountable MSP with broad coverage works better than multiple specialized providers. Coordination between vendors creates gaps. The exception is when a specific framework, like CMMC for defense contracting, requires capabilities your general MSP does not have. In those cases, a partnership between your MSP and a specialized firm is often the right answer.


Ready to Talk About What an MSP Partnership Should Look Like?

We do not expect this guide to convince you to choose Facet. We expect it to help you choose the right partner, whether that’s us or someone else. If you want a conversation about your IT environment, your current setup, and what a good partnership would look like, we’re here.

(309) 689-3900 | Schedule a conversation | info@facettech.com

For the deeper tactical breakdown, download the 11 Questions guide covering the line items most buyers overlook in MSP quotes.

Facet Technologies has provided IT services to Central Illinois businesses for over 30 years. Based in Peoria, we serve healthcare, manufacturing, agriculture, professional services, and government organizations across the region.

Can a Managed IT Provider Replace Your In-House IT Person?


A managed IT provider can replace, augment, or complement an in-house IT employee. Whether replacement is the right move depends on the size of your business, the workload your IT person carries, and what you actually need from technology going forward. For most growing businesses in Central Illinois, the better question is not “replace or keep” but “what model gives my team the most coverage, expertise, and resilience for the budget I have?”

At a glance: The average IT salary in the United States is $109,707 per year (ZipRecruiter, April 2026), with the Bureau of Labor Statistics reporting median wages of $105,990 for computer and IT occupations. The fully loaded cost of an employee, including benefits and payroll taxes, runs 1.25 to 1.4 times base salary, putting a typical mid-level IT hire at $137,000 to $154,000 per year. 65% of organizations report a shortage of skilled cybersecurity and compliance staff (Linux Foundation 2025), with qualified hires hard to find. Co-managed IT, where an MSP works alongside an existing IT person, has emerged as the preferred model for organizations that already have internal staff but need broader coverage. Replacing an in-house IT person is usually the wrong frame. The right question is whether your current IT model gives you the right mix of generalist coverage, specialized expertise, and resilience.

What Does a Single In-House IT Person Actually Cost?

Before comparing models, it helps to know what an in-house IT employee really costs your business. The number is almost always higher than the salary alone.

According to ZipRecruiter as of April 2026, the average annual pay for an IT professional in the United States is $109,707, with the typical pay range falling between $95,000 and $116,500. The Bureau of Labor Statistics reports a median wage of $105,990 for computer and IT occupations.

But salary is the start, not the end. The fully loaded cost of an employee, which includes payroll taxes, benefits, paid time off, training, and overhead, runs 1.25 to 1.4 times the base salary. The U.S. Bureau of Labor Statistics’ Employer Costs for Employee Compensation report puts benefits at roughly 31% of total compensation, averaging $15.03 per hour for civilian workers as of June 2025.

Run the math on a mid-level IT hire at $110,000 base salary: the fully loaded cost lands somewhere between $137,500 and $154,000 per year. That’s before equipment, software licenses, recruiting costs, and the three-to-six months of training time before they’re fully productive.

Then there’s turnover. The total cost of replacing an employee, including recruitment, productivity loss, and training, ranges from 30% to 200% of annual salary depending on the role’s specialization. With Robert Half’s 2026 Salary Guide projecting tech salaries to jump 8 to 10% this year, retention costs are climbing too.

For a Central Illinois business considering its first IT hire, the realistic budget conversation starts at $130,000 to $150,000 per year for a mid-level generalist. Senior or specialized roles, especially in cybersecurity or cloud, run higher.

What Does an In-House IT Person Actually Cover?

This is the question that gets skipped most often, and it’s where the case for or against in-house IT really gets made.

A single IT person in a 30 to 100-employee company is almost always a generalist. They handle help desk tickets, manage user accounts, troubleshoot printers and email, support the network, deal with vendors, and try to keep things running. What they typically don’t do, because there isn’t time, is dedicated cybersecurity monitoring, compliance documentation, strategic technology planning, after-hours emergency response, deep cloud architecture work, or 24/7 threat detection.

Modern IT is not one discipline anymore. It’s cybersecurity, cloud management, endpoint protection, compliance, identity management, networking, backup architecture, and strategic planning. Expecting one person to master every domain while also responding to daily user requests is unrealistic.

The Linux Foundation’s 2025 State of Tech Talent report found that 65% of organizations face a shortage of skilled resources in cybersecurity and compliance, with 59% reporting the same shortage in cloud computing. Even when the in-house IT lead is strong, no operating model can scale under that strain.

The result is a familiar pattern: the IT person is competent and works hard, but security monitoring is reactive instead of proactive, documentation lags, strategic projects get delayed, and the business operates in maintenance mode instead of growth mode.

What Are the Risks of Relying on a Single IT Person?

This isn’t a criticism of any individual employee. It’s a structural risk that exists in any organization where essential knowledge or responsibility sits with one person. The technical term is a single point of failure.

When one person owns all the institutional IT knowledge (the network architecture, the vendor contracts, the administrative credentials, the backup systems, the compliance documentation), the entire organization is exposed if that person is unavailable. The Mercer Marsh Benefits 2023 study found that most respondents expected to lose a key person within three years, with a majority predicting a high operational impact. With tech unemployment at a historic low of 2.8% in 2025, qualified IT professionals have negotiating power and often leave for higher-paying roles.

Burnout is the other risk. Harvard Business Review reports that 77% of professionals have experienced burnout at their current job, and IT roles see this even more acutely. A solo IT person responsible for everything from password resets to ransomware response is operating at sustained high stress.

Cybersecurity is where the risk gets most expensive. The IBM 2025 Cost of a Data Breach Report puts the average data breach cost at $4.88 million globally, and healthcare breaches at $9.8 million. Strong security practices benefit from layered review: access rights audited regularly, backup restoration tested, incident response plans rehearsed. In a single-person model, there is rarely a second set of eyes.

When Does Replacement Make Sense, and When Does Co-Managed?

Most of the time, the better conversation is augmentation, not replacement. Co-managed IT, where a managed services provider works alongside your existing IT staff, has emerged as one of the fastest-growing models in IT services. For most businesses with an existing IT person, this is the better answer than replacement.

Here’s the core economic argument: hiring a second IT employee costs roughly $130,000 to $150,000 fully loaded per year. That money buys you one additional generalist who will be subject to the same single-point-of-failure and burnout risks as your first one. Alternatively, that same budget covers a co-managed IT engagement that gives your existing IT person backup coverage, after-hours support, specialized cybersecurity expertise, compliance documentation help, vendor management assistance, and strategic technology planning. The second option produces more capability per dollar in almost every scenario.

That said, full replacement is sometimes the right move:

  • The IT person is leaving and you can’t justify replacing them. For businesses with 20 to 75 employees and moderate technology complexity, the fully loaded cost of a replacement hire often exceeds what a managed IT provider would charge for the same scope.
  • Your IT needs have outgrown what one person can deliver. When compliance, cybersecurity, cloud architecture, and strategic planning all need attention at the same time, a generalist can’t keep up. A managed IT provider gives you access to multiple specialists for less than the cost of hiring even one of them.
  • The business is in stabilization mode. If your current IT setup is in chronic firefighting mode, transitioning to a managed model can reset the environment with documented processes, tested backups, and proactive monitoring.
  • Compliance requirements demand more than one person can sustain. Regulated industries like healthcare, defense contracting, and financial services require documented controls, regular audits, and specialized expertise that almost no solo IT employee can maintain alongside daily support work.

Co-managed IT, on the other hand, fits when:

  • You have a strong internal IT lead who is overworked. Adding an MSP layer takes the routine help desk burden off your internal person so they can focus on strategic projects, vendor relationships, and the business-specific work only they can do.
  • You need specialized expertise your internal person doesn’t have. Cybersecurity, cloud architecture, compliance frameworks, and disaster recovery planning are areas where most internal IT generalists are stretched thin.
  • You want resilience without doubling headcount. A co-managed engagement means your business is no longer dependent on one person being available.
  • You’re considering adding a second IT hire. Before you spend $130,000 plus on a second employee, consider that a co-managed engagement at a fraction of that cost typically delivers more total capability across more domains.

How Should You Decide Which Model Fits Your Business?

The decision depends on three factors: the size of your operation, the complexity of your technology environment, and what you actually need from IT going forward.

  • Under 25 employees: A managed IT provider almost always makes more sense than hiring. The cost-to-coverage math doesn’t work for an in-house generalist at this size.
  • 25 to 75 employees with no internal IT: Managed IT is typically the right model. You get full coverage, security, compliance support, and strategic planning for less than the cost of hiring one mid-level employee.
  • 25 to 75 employees with one internal IT person: This is the classic co-managed scenario. Keep your internal person for the institutional knowledge they bring. Add a managed services layer for everything they can’t realistically cover alone.
  • 75 to 250 employees with one or two internal IT staff: Co-managed almost always wins. Your internal team handles strategy, vendor relationships, and business-specific work. The MSP handles after-hours support, cybersecurity monitoring, compliance documentation, and specialized projects.
  • 250+ employees with a multi-person IT team: A managed services partner becomes a specialist resource for what your team doesn’t cover internally, often security, compliance, or specialized infrastructure projects.

The conversation should never start with “should we replace this person.” It should start with “what does our business actually need from IT in the next two years, and what’s the best mix of internal and external resources to deliver it.” For a deeper cost comparison between models, our managed IT vs in-house guide walks through the math in detail.

How Does Facet Technologies Approach This Decision?

Facet Technologies has worked with Central Illinois businesses across every variation of this conversation for over 30 years. We support organizations with no IT staff, organizations with one overworked generalist, and organizations transitioning between models.

Our managed IT services cover businesses that need full IT support without internal staff. Our co-managed IT model is designed to work alongside existing internal IT teams, providing the depth and specialization that generalists rarely have time for. Our strategic IT advisory services bring vCIO-level planning to organizations that have operations covered but lack technology leadership.

What we don’t do is push businesses toward replacement when augmentation is the better answer. If you have a strong internal IT person, that person is an asset. The question is how to give them the support they need so they’re not a single point of failure or constantly in firefighting mode.

Our in-house helpdesk in Peoria answers calls live during business hours, with on-call technician access 24/7/365 and average response time under 15 minutes. Our cybersecurity services, compliance partnership approach, and backup architecture are designed to integrate with internal IT teams or operate independently, depending on what the client needs.


Frequently Asked Questions

Should I replace my in-house IT person with a managed services provider?

Usually not. For most businesses with an existing IT employee, co-managed IT, where the MSP works alongside your internal person, delivers more capability than replacement and preserves the institutional knowledge your IT person brings. Replacement makes sense when the employee is leaving anyway, when needs have outgrown what one person can cover, or when the cost of replacing them outweighs the value.

What does an in-house IT person actually cost?

The average IT salary in the United States is $109,707 according to ZipRecruiter (April 2026). Once you add benefits, payroll taxes, and overhead, the fully loaded cost typically runs 1.25 to 1.4 times the base salary, or roughly $137,000 to $154,000 per year for a mid-level hire. Recruiting costs, training time, and turnover risk add to that total.

Is co-managed IT cheaper than hiring a second IT employee?

Almost always. A second IT employee costs $130,000 to $150,000 fully loaded per year. A co-managed engagement at a fraction of that cost typically delivers more capability across more specialties: cybersecurity, compliance, after-hours support, and strategic planning. Co-managed scales without requiring you to manage hiring, training, retention, and turnover.

What is co-managed IT?

Co-managed IT is a service model where an external managed services provider works alongside your existing internal IT staff. The MSP handles areas that are hard for a generalist to cover alone, like 24/7 security monitoring, compliance documentation, after-hours support, and specialized projects, while your internal person continues to handle business-specific work and institutional knowledge.

What are the risks of having only one IT person?

The biggest risk is the single point of failure. When all the technical knowledge, credentials, vendor relationships, and documentation sit with one person, their absence creates immediate business risk. Add burnout (77% of professionals have experienced it, per Harvard Business Review) and the high probability of turnover in a 2.8% unemployment tech market, and the risk becomes operational, not theoretical.

How does Facet handle the transition from in-house to managed IT?

Our process starts with assessment, not replacement. We document your current environment, identify gaps and risks, and build a transition plan that respects the work your existing IT person has done. Whether the destination is fully managed, co-managed, or a hybrid model, the goal is continuity of service for your team and stability for your business.

How do I get started?

Call us at (309) 689-3900, email info@facettech.com, or schedule a conversation online. The first conversation is straightforward: we’ll talk about your current setup, your team, and what you’re trying to accomplish.

What Should Manufacturers in Central Illinois Look for in an IT Partner?

a manufacturing plant owner speaks with a technology expert

Manufacturing IT is its own discipline. The combination of production networks, operational technology, supply chain connectivity, and intellectual property protection creates an environment that general-purpose IT providers are not built to support. For manufacturers across Central Illinois, choosing the wrong IT partner means risking production downtime, compliance failures, and exposure to a threat environment that has only gotten worse.

Manufacturing has been the most targeted industry for cyberattacks four years running, according to IBM’s X-Force Threat Intelligence Index. Ransomware attacks targeting manufacturers rose 56% in 2025 compared to the previous year, with the sector absorbing one in four of all documented ransomware incidents globally. Central Illinois manufacturers face the same threats as manufacturers everywhere, but with the added reality that most operations in this region have 50 to 500 employees, tighter IT budgets, and fewer dedicated security resources than Fortune 500 plants.

This blog explains what makes manufacturing IT different, where the risks are highest, and what to look for in a technology partner who can protect both your production floor and your front office.

At a glance: Manufacturing has been the #1 most targeted industry for cyberattacks for four consecutive years (IBM X-Force 2025). Ransomware attacks on manufacturers rose 56% in 2025, with 62% of victims paying the ransom (Check Point Manufacturing Threat Landscape 2026). 96% of operational technology (OT) incidents in 2025 were traced back to IT system compromises (TXOne Networks), which means protecting your office network protects your production floor. 22% of organizations with OT systems reported a cybersecurity incident in the past year, with 40% of those incidents causing production disruption (SANS Institute 2025). Facet Technologies has served manufacturers across Central Illinois for over 30 years, with specific experience in production network security, CMMC compliance, and IT/OT environments. One Central Illinois manufacturer reduced support tickets by 70% within six months of partnering with Facet, after we identified and resolved recurring infrastructure issues that had been disrupting operations.

Why Is Manufacturing IT Different From Standard Business IT?

In most businesses, when the network goes down, people can’t check email for a few hours. In a manufacturing facility, when the network goes down, the production line stops. Orders don’t ship. Raw materials sit idle. Depending on the process, a network outage can damage equipment, spoil product, or create safety hazards.

That’s the core difference. Manufacturing IT exists to keep production running, and every technology decision has to be evaluated through that lens.

Operational technology (OT) is the category of systems that directly controls or monitors physical processes: programmable logic controllers (PLCs), SCADA systems, human-machine interfaces (HMIs), and industrial control systems. These systems were originally designed to operate in isolation, but modern manufacturing increasingly connects OT to IT networks for data collection, reporting, and supply chain integration. That connectivity creates the security gap that attackers are targeting.

Your IT partner needs to understand this environment. They need to know which systems can be patched on a Tuesday afternoon and which ones require a maintenance window during a scheduled shutdown. They need to know that rebooting a server connected to a PLC could halt a production line. They need to understand the difference between a help desk ticket from accounting and an alert from a sensor on the manufacturing floor.

What Are the Biggest Cybersecurity Risks for Manufacturers Right Now?

Three overlapping risk categories are hitting manufacturers harder than any other industry.

Ransomware is the most expensive threat. According to cybersecurity insurer Resilience, ransomware accounted for 90% of all financial losses in the manufacturing sector between March 2021 and February 2026. Manufacturers are targeted specifically because attackers know that production downtime is so costly that companies are more likely to pay. The data confirms it: 62% of manufacturers who experienced ransomware in 2025 paid the ransom.

IT/OT convergence is expanding the attack surface. The connection between office IT systems and production OT systems is where most breaches start. TXOne Networks reported that 96% of OT incidents in 2025 were traced back to IT system compromises. That means an attacker who gets into your email server or a workstation in the front office can, in many environments, reach the systems that run your production floor.

Supply chain attacks are accelerating. Supply chain compromises nearly doubled in 2025, rising from 154 incidents to 297 in the manufacturing sector. Attackers target smaller vendors, managed service providers, or software platforms to gain indirect access to their manufacturing clients. Your security posture is only as strong as the weakest link in your supply chain.

For Central Illinois manufacturers, these risks are compounded by the reality that many facilities still run legacy systems, older PLCs, and aging network infrastructure that cannot be easily replaced without impacting production schedules.

What Should a Manufacturing IT Provider Be Able to Do?

Not every IT company understands manufacturing. Here’s what separates a provider who can support a manufacturing environment from one who is guessing.

Understand the IT/OT boundary. Your provider should be able to explain how your office network connects to your production network, where the segmentation points are (or should be), and what happens if a threat crosses from one side to the other. If your IT partner has never discussed network segmentation with you, that’s a gap.

Protect without disrupting production. Security patches, firmware updates, and system changes in a manufacturing environment have to be scheduled around production. A provider who pushes updates during operating hours without understanding the consequences is a liability, not a partner.

Support compliance requirements. If your company bids on Department of Defense contracts, CMMC compliance is now required. If you handle payment card data, PCI DSS applies. If you work with food production, FDA and FSMA requirements may affect how you manage and protect data. Your IT partner should know which frameworks apply to your business and help you maintain compliance, not discover requirements after an audit fails.

Provide layered security. Manufacturing environments need endpoint detection and response on every managed device, managed firewall protection with hardware replaced on a regular cycle, email security that catches phishing before it reaches your team, multi-factor authentication, dark web monitoring for compromised credentials, and 24/7 security monitoring that can detect and contain threats before they reach production systems.

Plan and budget proactively. Manufacturing IT is not just about keeping things running today. It’s about knowing when your firewall is due for replacement, when your servers are approaching end of life, when your backup infrastructure needs to be tested, and what the budget looks like for the next 12 months. Your provider should lead that conversation through quarterly business reviews, not wait for something to fail.

Maintain tested backups with real recovery times. The SANS Institute’s 2025 survey found that only 22% of OT incidents were remediated within 48 hours. For a manufacturer, that kind of delay can mean days of lost production. Your backup and disaster recovery strategy should include hybrid approaches that combine on-site and cloud backup for instant recovery when it matters most. Facet’s backup architecture is designed so that when a server or system fails, we can spin up a working copy immediately rather than waiting hours or days for a traditional restore.

How Does Facet Technologies Support Manufacturers?

Facet Technologies has served manufacturers across Central Illinois for over 30 years. Our team has specific experience with production environments, IT/OT networks, and the compliance requirements that affect manufacturers in this region, including CMMC, PCI DSS, and cyber insurance readiness.

We know that manufacturing doesn’t stop at 5 PM. Our in-house helpdesk in Peoria answers calls live during business hours, and an on-call technician is available 24/7/365. Our average response time is under 15 minutes, because when a system connected to your production line has a problem, every minute counts.

Our approach starts with understanding your production environment before recommending anything. We assess your network, your OT exposure, your compliance requirements, and the way your team works on the floor and in the front office. From there, we build a security and support strategy specific to your operation, not a generic IT plan borrowed from an accounting firm.

We’ve helped Central Illinois manufacturers stabilize aging infrastructure, pass compliance audits, defend against ransomware, and plan technology investments that align with business growth. One manufacturer saw a 70% reduction in support tickets within the first six months of working with us, driven by identifying and resolving recurring issues that had been costing them time and money for years. You can see another example of this work in our manufacturer IT stabilization case study.


Frequently Asked Questions

Does Facet Technologies specialize in manufacturing IT?

Manufacturing is one of our strongest verticals. We serve manufacturers across Central Illinois, including facilities with OT environments, multi-site operations, and compliance requirements for CMMC, PCI DSS, and cyber insurance.

Can Facet support OT environments and production networks?

Yes. We understand the difference between IT systems and OT systems, and we design security and support strategies that account for both. Network segmentation, controlled maintenance windows, and layered monitoring are part of how we protect production environments without disrupting operations.

What compliance frameworks does Facet help manufacturers with?

We support CMMC compliance for defense contractors, PCI DSS for companies handling payment card data, and cyber insurance readiness for manufacturers of all sizes. We also work with third-party auditing partners for independent compliance validation.

How does Facet handle security updates and patches in a manufacturing environment?

We schedule maintenance around your production calendar. Updates that affect production-connected systems are planned during scheduled downtime or maintenance windows, never pushed during operating hours without coordination. For office-side systems, we patch on a regular cycle with minimal disruption to your team.

What size manufacturers does Facet work with?

We serve manufacturers with 10 to 500 employees, from single-facility operations to multi-site companies with OT environments. The manufacturers that get the most value from our model typically have 40 to 250 employees with production networks, compliance needs, and one to five locations.

What does manufacturing IT support cost?

Our managed services and cybersecurity are priced per workstation on a flat monthly rate. The rate depends on the cybersecurity products, cloud services, and compliance protections your business needs. We assess your environment before we quote so you get accurate pricing, not a generic estimate.

How do I get started?

Call us at (309) 689-3900, email info@facettech.com, or schedule a conversation online. We’ll start with a straightforward conversation about your manufacturing operation, your current IT setup, and what you’re looking for in a partner.

What Should Healthcare Organizations in Central Illinois Look for in an IT Partner?

Healthcare IT is not the same as general business IT. Medical practices, clinics, dental offices, behavioral health groups, and specialty care facilities in Central Illinois face a specific set of demands that most IT providers are not equipped to handle. Between HIPAA compliance, electronic health records, medical device connectivity, and the reality that a network outage can mean patients don’t get care, healthcare organizations need an IT partner who understands how clinical workflows depend on technology, not just how to reset a password.

At a glance: Healthcare data breaches cost an average of $9.8 million per incident in the United States, the highest of any industry for 14 consecutive years. The proposed HIPAA Security Rule update, which is still a proposed rule after HHS missed its mid-2026 finalization target, would make encryption, multi-factor authentication, and annual penetration testing mandatory rather than addressable. Medical practices in Central Illinois with 20 to 250 employees are the most common targets for ransomware because they hold high-value patient data and typically have smaller security budgets than hospital systems. A managed IT provider with healthcare experience should be able to support HIPAA compliance, protect EHR systems, and respond to issues without disrupting patient care. Facet Technologies has served healthcare organizations across Central Illinois for over 30 years, with specific experience in HIPAA compliance, secure cloud infrastructure, and medical office IT support.

Why Is Healthcare IT Different From Regular Business IT?

The short answer: the stakes are higher, the rules are stricter, and the tolerance for disruption is close to zero.

When a retail company’s email goes down for an hour, it’s an inconvenience. When a medical practice loses access to its EHR system for an hour, patients may not receive the right medications, lab results may not reach providers in time, and the practice may fall behind on appointments for the rest of the day. In some cases, delayed access to medical records creates genuine patient safety risks.

Electronic health records, or EHR systems, are the backbone of modern medical practice operations. An EHR system is the digital record of a patient’s medical history, diagnoses, medications, treatment plans, and lab results, accessed by providers and staff throughout the day. These systems require consistent network performance, reliable backups, and security protections that go well beyond what a standard office network needs.

On top of that, healthcare organizations are subject to the Health Insurance Portability and Accountability Act, known as HIPAA. HIPAA is a federal law that sets standards for protecting sensitive patient health information, called protected health information (PHI); the HIPAA Security Rule covers its electronic form, ePHI. Noncompliance can result in civil penalties that start at roughly $100 per violation (higher after annual inflation adjustments) and are capped at more than $2 million per violation category per year, depending on the level of negligence, according to the U.S. Department of Health and Human Services.

Your IT partner needs to understand all of this, not just the technology, but how it connects to patient care, compliance, and the daily rhythm of a clinical environment.

What Makes Healthcare a Top Target for Cyber Attacks?

Healthcare organizations are targeted more frequently and more aggressively than businesses in almost any other industry. There are three reasons.

First, medical records are worth more on the black market than credit card numbers. A stolen credit card can be canceled and reissued. A medical record contains a person’s Social Security number, insurance information, medication history, and personal demographics, none of which can be changed. That makes each record more useful to criminals and more damaging to the patient.

Second, healthcare organizations often run on older systems. Legacy medical devices, outdated EHR platforms, and aging network infrastructure create gaps that attackers know how to find. Many practices have equipment that cannot be easily updated or replaced because it’s tied to a specific clinical function.

Third, the consequences of an outage are so severe that healthcare organizations have historically been more likely to pay ransoms to restore access to patient data. Attackers know this.

The numbers reflect it. According to the 2025 IBM Cost of a Data Breach Report, the average cost of a healthcare data breach in the United States reached $9.8 million, the highest of any industry for the fourteenth consecutive year. Healthcare breaches also take longer to identify and contain, averaging 279 days compared to 241 days across all industries. That means a healthcare breach runs, on average, more than nine months from initial intrusion to containment.

For medical practices in Central Illinois, the risk is not theoretical. Practices with 20 to 250 employees are particularly exposed because they hold the same high-value patient data as larger hospital systems but typically have smaller IT budgets and fewer dedicated security resources.

What Is Changing With HIPAA in 2026?

The biggest update to the HIPAA Security Rule since 2013 is still working its way through rulemaking. HHS targeted mid-2026 for a final rule and missed that date, but the proposal has not been withdrawn, and healthcare organizations across Central Illinois need to understand what it contains, because if it is finalized as written the compliance bar gets much higher.

The proposed rule, released by the HHS Office for Civil Rights at the end of December 2024 and published in the Federal Register in January 2025, eliminates the long-standing distinction between “required” and “addressable” safeguards. Under the current rule, an addressable measure such as encryption can be skipped if the organization documents why it is not reasonable and appropriate in its environment and, where applicable, puts an equivalent alternative in place; multi-factor authentication is not named in the current rule at all. The proposed rule would make those protections mandatory, with limited exceptions.

Here’s what the proposed changes include:

  • Mandatory encryption of all ePHI at rest and in transit
  • Multi-factor authentication required for all access to systems that hold ePHI, not just remote connections
  • Annual penetration testing and vulnerability scans at least every six months
  • Restoration of critical systems and data within 72 hours of a loss, backed by written incident response and contingency plans
  • Written verification, at least annually, that business associates have implemented the required technical safeguards (a signed business associate agreement alone would no longer be sufficient)
  • Comprehensive asset inventories and network maps tracking all systems, devices, and software that create, receive, maintain, or transmit ePHI
  • Network segmentation to limit lateral movement during a breach

The proposal gives regulated entities 180 days after the rule’s effective date (itself 60 days after publication) to comply. Whenever a final rule is published, that window is short, so practices that are still treating security controls as optional or checkbox exercises will need to have the real work done before the rule lands, not after.

The takeaway for Central Illinois healthcare organizations: if your IT provider hasn’t started talking to you about these changes, that’s a red flag.

What Should a Healthcare IT Provider Actually Do for Your Practice?

Not every managed IT provider is equipped to serve healthcare. Here’s what to look for:

HIPAA compliance support. Your IT partner should understand HIPAA requirements, help you implement the technical safeguards, and assist with documentation for risk assessments and audits. This means more than just saying “we’re HIPAA compliant.” It means actively managing the controls that keep your practice compliant: encryption, access management, audit logging, backup testing, and employee training.

EHR system support. Your provider should have experience supporting the EHR platforms used in your practice. They need to understand how EHR performance depends on network speed, server health, and proper configuration, and they need to be able to troubleshoot issues without disrupting clinical workflows.

Security that matches the threat level. Healthcare organizations need endpoint detection and response on every device, managed firewall protection, email security with phishing filtering, dark web monitoring for compromised credentials, and 24/7 security monitoring. A basic antivirus subscription is not sufficient for a healthcare environment.

Backup and disaster recovery built for healthcare. Your backup strategy needs to account for the fact that losing access to patient data, even temporarily, creates patient safety and compliance risks. That means tested backups with verified recovery times, not just a backup that runs every night and has never been tested.
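The point above, and the same one made earlier for manufacturers (a backup that has never been restored is an assumption, not a recovery plan), is easiest to make concrete with a restore drill. The script below is an added example written for this page, not Facet’s backup product: it backs up a constructed dataset, restores it, checks every restored file against a SHA-256 manifest kept apart from the archive, and reports whether the whole drill finished inside a recovery-time objective. The file names, contents, zip format and 60-second RTO are hypothetical; a real drill points the same steps at a copy of the practice’s data and its actual restore procedure.

```python
"""Restore drill: back up, restore, verify against a separate hash manifest,
and time the drill against a recovery-time objective (RTO).

Added example for this page, not Facet's backup product. The file names,
contents, archive format and RTO value are constructed for illustration.
"""
import hashlib
import json
import tempfile
import time
import zipfile
from pathlib import Path

# Constructed stand-in for a practice's data; a real drill uses a real copy.
SAMPLE_DATA = {
    "ehr/patients.db": b"constructed: not real patient data",
    "ehr/config.ini": b"[server]\nport = 8443\n",
    "billing/claims.csv": b"claim_id,amount\n1,120.00\n2,45.50\n",
}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_dataset(root, files):
    for rel, data in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def make_backup(src_root, archive_path, manifest_path):
    """Archive src_root and write a SHA-256 manifest to a separate location.

    The restore is later checked against this manifest, never against the
    archive itself, so a damaged or tampered archive cannot also rewrite
    the evidence used to verify it.
    """
    manifest = {}
    with zipfile.ZipFile(archive_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for p in sorted(src_root.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src_root).as_posix()
                zf.write(p, rel)
                manifest[rel] = sha256_file(p)
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def safe_extract(archive_path, dest):
    """Extract the archive, refusing any member that would land outside dest."""
    dest = dest.resolve()
    with zipfile.ZipFile(archive_path) as zf:
        for name in zf.namelist():
            target = (dest / name).resolve()
            if target != dest and dest not in target.parents:
                raise ValueError(f"refusing path traversal in archive member: {name}")
        zf.extractall(dest)


def verify_restore(dest, manifest):
    """Return (relative_path, problem) for every file that is missing or altered."""
    problems = []
    for rel, expected in manifest.items():
        p = dest / rel
        if not p.is_file():
            problems.append((rel, "missing"))
        elif sha256_file(p) != expected:
            problems.append((rel, "hash mismatch"))
    return problems


def run_restore_drill(rto_seconds, simulate_corruption=False):
    """Back up, restore, verify and time one drill; returns a result dict.

    simulate_corruption overwrites one restored file to show that the
    manifest check catches silent damage a 'restore succeeded' message hides.
    """
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src, restore_root = tmp / "prod", tmp / "restore"
        archive, manifest_file = tmp / "backup.zip", tmp / "manifest.json"
        write_dataset(src, SAMPLE_DATA)
        make_backup(src, archive, manifest_file)
        manifest = json.loads(manifest_file.read_text())  # the separately kept copy

        started = time.monotonic()
        restore_root.mkdir()
        safe_extract(archive, restore_root)
        if simulate_corruption:
            (restore_root / "ehr" / "patients.db").write_bytes(b"silently damaged")
        problems = verify_restore(restore_root, manifest)
        elapsed = time.monotonic() - started

        return {
            "restored_ok": not problems,
            "problems": problems,
            "elapsed_seconds": elapsed,
            "within_rto": elapsed <= rto_seconds,
        }


if __name__ == "__main__":
    for label, corrupt in (("clean restore", False), ("corrupted restore", True)):
        r = run_restore_drill(rto_seconds=60, simulate_corruption=corrupt)
        print(f"{label}: ok={r['restored_ok']} within_rto={r['within_rto']} "
              f"elapsed={r['elapsed_seconds']:.3f}s problems={r['problems']}")
```

Two design choices carry over to any real environment: the manifest is written to a different location than the archive (an attacker or a failing disk that corrupts the backup should not be able to corrupt the proof), and the clock starts before extraction and stops after verification, because a restore is not finished until the data has been shown to be intact.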

A team that respects clinical workflows. IT work in a medical practice has to be scheduled around patient care. Your provider should understand that rebooting a server at 10 AM on a Tuesday is not acceptable when patients are in exam rooms. Maintenance windows, update schedules, and project work all need to account for the clinical calendar.

How Does Facet Technologies Support Healthcare Organizations?

Facet Technologies has served healthcare organizations across Central Illinois for over 30 years. Our team has specific experience with medical practices, dental offices, behavioral health groups, and specialty care facilities ranging from single-provider offices to multi-location practice groups.

Our approach to healthcare IT starts with understanding that your technology exists to support patient care, and everything we do is designed around that priority.

We provide HIPAA compliance support that includes technical safeguard implementation, risk assessment assistance, and ongoing compliance monitoring. We work with third-party auditing partners when your practice needs independent validation, because we believe the organization providing your IT should not also serve as your auditor.

Our cybersecurity protections include endpoint detection and response, managed firewall with hardware replacement on a three-year cycle, email filtering, dark web monitoring, multi-factor authentication, and phishing simulation training for your staff. For practices that need 24/7 security monitoring, our managed detection and response service provides a security operations center with threats resolved in minutes, not hours.

Every client gets an in-house helpdesk team in Peoria that answers calls live during business hours and provides on-call technician access 24/7/365. Our average response time is under 15 minutes. When your front desk can’t pull up a patient chart, that speed matters.

We also provide strategic IT advisory for healthcare organizations that need help planning for growth, managing compliance across multiple locations, or preparing for the upcoming HIPAA Security Rule changes.

Frequently Asked Questions

Does Facet Technologies specialize in healthcare IT?

Healthcare is one of our strongest verticals. We serve medical practices, dental offices, behavioral health groups, and specialty care facilities across Central Illinois. Our team has specific experience with HIPAA compliance, EHR system support, and the security requirements unique to healthcare environments.

Can Facet help with HIPAA compliance?

Yes. We implement the technical safeguards required by HIPAA, assist with risk assessments, and provide ongoing monitoring to help your practice maintain compliance. For practices that need independent compliance validation, we work with third-party auditing partners to ensure the organization providing your IT is not also serving as your auditor.

What EHR systems does Facet support?

We support a range of EHR platforms used by Central Illinois healthcare organizations. Because EHR performance depends on network infrastructure, server health, and proper configuration, our team focuses on keeping the environment your EHR runs on fast, stable, and secure.

How does Facet protect patient data from ransomware?

Our security stack includes endpoint detection and response, managed firewall protection, email security, dark web monitoring, multi-factor authentication, and employee phishing simulations. For practices that need around-the-clock monitoring, our managed detection and response service provides a security operations center with rapid threat containment.

What happens if our EHR system goes down?

Our helpdesk responds in under 15 minutes on average. For after-hours emergencies, an on-call technician is available 24/7/365. We also maintain tested backup and disaster recovery systems designed to restore access to patient data as quickly as possible.

Is Facet preparing clients for the 2026 HIPAA Security Rule changes?

Yes. We are already working with healthcare clients to assess their current security posture against the proposed requirements, including mandatory encryption, multi-factor authentication, annual penetration testing, and 72-hour incident response timelines. Practices that start preparing now will be in a much stronger position when the rule is finalized.

What size healthcare organizations does Facet work with?

We serve healthcare organizations with 10 to 500 employees, from single-provider practices to multi-location groups. The practices that get the most value from our model typically have 20 to 250 employees with HIPAA compliance requirements and one to five locations.

How do I get started?

Call us at (309) 689-3900, email info@facettech.com, or schedule a conversation online. We’ll start with a straightforward conversation about your practice, your compliance needs, and what you’re looking for in an IT partner.

Cybersecurity for Agriculture: Why Farms and Processors Are Targets

Why Are Agriculture Businesses a Growing Target for Cyberattacks?

Wide view of a food processing facility with farmland in the background and two small figures walking near loading docks with clipboards.

Agriculture is now one of the fastest-growing targets for cybercriminals. Ransomware attacks on food and agriculture companies more than doubled in early 2025, with 84 incidents reported in the first quarter alone, according to the Food and Ag-ISAC. For Central Illinois ag businesses, from grain operations and food processors to equipment dealers and seed companies, the threat is no longer hypothetical. Here is what is driving these attacks and what you can do to protect your operation.

At a glance: Ransomware attacks on food and agriculture businesses doubled in the first quarter of 2025 compared to the same period in 2024. CISA classifies food and agriculture as one of the 16 sectors of U.S. critical infrastructure. The Food and Ag-ISAC recorded 265 ransomware incidents targeting the sector in 2025, up from 212 in 2024. Most attacks enter through phishing emails, unpatched software, and unsecured remote access, all of which are preventable. A single ransomware event can shut down processing lines, delay shipments, and cost hundreds of thousands of dollars in lost production.

Why Is Agriculture Suddenly a Target for Cyberattacks?

Agriculture was not always on the radar for cybercriminals. But the sector has gone through a rapid technology shift over the past decade. Automated irrigation, GPS-guided equipment, IoT sensors, cloud-based farm management platforms, ERP systems in processing plants, and connected supply chain tools have all expanded the number of entry points attackers can use.

At the same time, many ag operations invest less in cybersecurity than comparably sized businesses in other industries. That gap between technology adoption and security readiness is exactly what ransomware groups look for. The FBI has identified four major threat categories facing U.S. agriculture: ransomware attacks, foreign malware, data and intellectual property theft, and bioterrorism.

A ransomware group is a criminal organization that deploys malicious software to lock a company’s files and systems, then demands payment to restore access. These groups increasingly target industries where every hour of lost production creates pressure to pay quickly.

How Bad Is the Problem Right Now?

The numbers are stark. According to a 2025 Check Point Research report, agriculture experienced a 101% year-over-year increase in cyberattacks globally, the largest jump of any industry. In the United States, attacks on the sector rose 38%.

The Food and Ag-ISAC’s 2025 ransomware report tracked 265 attacks on food and agriculture companies over the year. That is up from 212 in 2024 and 167 in 2023. In total, ransomware now accounts for 53% of all known cyber threats facing the industry.

These are not just attacks on massive corporations. Iowa State University’s Center for Cybersecurity Innovation has noted that small and mid-size agricultural operations are being hit regularly. As one researcher put it, a $5,000 theft from a family farm does not make national news, but it still devastates the business.

What Makes Ag Operations Especially Vulnerable?

Several factors make agricultural businesses more exposed than the average office-based company.

Legacy equipment and mixed technology. Many ag businesses run a combination of modern cloud platforms alongside older systems that were never designed with security in mind. A processing plant might have PLC-controlled equipment from the early 2000s sharing a network with a brand-new ERP system. That mix creates gaps.

Flat networks with no segmentation. In a flat network, everything from the front office computers to the plant floor controls to the security cameras sits on the same network. If an attacker gets into one system, they can move laterally to everything else. Network segmentation is the practice of dividing a network into separate zones so that a breach in one area cannot spread to another.

Remote vendor access. Equipment vendors, software providers, and service technicians often have remote access to systems inside your operation. Without proper controls, those connections become open doors.

Seasonal urgency. During planting, harvest, and peak processing seasons, ag businesses cannot afford to be offline. Attackers know this. They time their demands to moments when the pressure to pay and get back to work is highest.

Limited IT staffing. Many ag companies in Central Illinois do not have a dedicated IT team. The person managing technology might also be managing operations, which means security monitoring, patching, and backup testing often fall behind.

What Does a Cyberattack Actually Look Like for an Ag Business?

It does not always start with a dramatic ransom note. Many attacks begin with a phishing email that looks like a routine invoice, a shipping notification, or a message from a vendor. An employee clicks a link, enters credentials on a fake login page, and the attacker is inside the network.

From there, the attacker may sit quietly for days or weeks, mapping the network and identifying the most damaging systems to lock down. When the ransomware deploys, it can encrypt everything from accounting files and customer records to the software that runs processing lines and inventory management.

JBS Foods, the world’s largest meat processor, was forced to shut down all U.S. beef plants after a ransomware attack in 2021. The company paid $11 million to restore operations. Americold Logistics, one of the largest cold storage companies in the country, was hit twice, once in 2020 and again in 2023, with attacks that disrupted phone systems, email, inventory management, and order fulfillment.

These are large companies with dedicated security teams. For a 50-person food processor or a regional grain operation, the impact of a similar attack would be proportionally devastating.

What Can Central Illinois Ag Businesses Do Right Now?

You do not need a massive budget or a full-time security staff to make meaningful improvements. Start with the items that close the most common attack pathways.

Turn on multi-factor authentication (MFA) everywhere. MFA is a login method that requires a second verification step, like a code from an authenticator app, in addition to your password. It stops the vast majority of credential-based attacks because a stolen or phished password alone is no longer enough to log in. Every email account, remote access tool, and cloud application your business uses should have MFA turned on, and enforced rather than merely offered. Where the platform allows it, prefer an authenticator app or hardware key over text-message codes, which can be intercepted or talked out of an employee, and tell staff to deny any login prompt they did not start themselves, since attackers will send repeated prompts hoping one gets approved.

Test your backups. Having backups is not enough. You need to verify that you can actually restore from them and know how long that process takes. If your recovery time is measured in weeks instead of hours, that is a gap you need to close now. Facet Technologies offers backup and instant recovery services that are built around getting businesses back online fast.
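A restore test is only a test if it checks the restored data, not just that the copy job finished. The script below is an added example, not Facet Technologies' backup product: it builds a small constructed data set, takes a copy with a SHA-256 manifest, restores it to a scratch directory, verifies every file, and reports the elapsed restore time. It then overwrites one file in the backup copy, the way encryption-in-place on a reachable backup share would, and shows the verification catching it. Paths and file contents are invented; point the same functions at your real source data and the backup copy you would actually restore from.

```python
"""Prove a backup restores: checksum manifest, restore to scratch, time it.

Added example, not Facet Technologies' backup product. The files are created
inline so it runs anywhere; in practice point `source` at the data you need
back (accounting, inventory, line recipes) and `backup_dir` at the copy you
would restore from, ideally the offline or isolated one.
"""
from __future__ import annotations

import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path


def sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, backup_dir: Path) -> Path:
    """Copy the tree and write a manifest of expected hashes alongside it."""
    shutil.copytree(source, backup_dir / "data")
    manifest = {
        p.relative_to(source).as_posix(): sha256(p)
        for p in source.rglob("*") if p.is_file()
    }
    manifest_path = backup_dir / "manifest.json"
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return manifest_path


def restore_and_verify(backup_dir: Path, restore_to: Path) -> dict:
    """Restore into a scratch location and check every file against the manifest.
    The elapsed time is your measured restore time for this data set."""
    manifest = json.loads((backup_dir / "manifest.json").read_text())
    started = time.monotonic()
    shutil.copytree(backup_dir / "data", restore_to)
    elapsed = time.monotonic() - started
    missing, corrupt = [], []
    for rel, expected in manifest.items():
        p = restore_to / rel
        if not p.exists():
            missing.append(rel)
        elif sha256(p) != expected:
            corrupt.append(rel)
    return {
        "files": len(manifest),
        "missing": missing,
        "corrupt": corrupt,
        "ok": not missing and not corrupt,
        "restore_seconds": round(elapsed, 3),
    }


def demo() -> tuple[dict, dict]:
    """Constructed scenario: a clean backup, then the same backup after one file
    was overwritten in place (what ransomware does to a backup it can reach)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "source"
        (source / "accounting").mkdir(parents=True)
        (source / "accounting" / "ledger.csv").write_text("date,amount\n2026-03-01,1250.00\n")
        (source / "recipes.json").write_text('{"line1": {"temp_c": 72}}')

        backup = root / "backup"
        make_backup(source, backup)
        good = restore_and_verify(backup, root / "restore1")

        # Tamper with the backup copy, as encryption-in-place would.
        (backup / "data" / "accounting" / "ledger.csv").write_bytes(b"\x00" * 64)
        bad = restore_and_verify(backup, root / "restore2")
        return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("clean backup:   ", good)
    print("tampered backup:", bad)
```

Keep the manifest with the offline copy, not only on the production server, so the hashes themselves cannot be rewritten by whatever encrypts the data. The `restore_seconds` figure from a full-size run is the number to compare against the recovery time your operation can actually tolerate.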

Segment your network. Separate your office systems from your plant floor, your guest Wi-Fi from your production network, and your vendor access from your internal systems. This limits how far an attacker can move if they get in.
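The difference between a flat network and a segmented one can be written down as a firewall policy and tested before it is deployed. The script below is an added example and not Facet Technologies' code: it models the zones named above with hypothetical address ranges, evaluates rules first-match with a default deny (the way most stateful firewalls apply inter-VLAN policy), and runs a set of constructed flows through both a flat "allow everything" policy and a segmented one. Zone names, subnets, ports and rules are all assumptions for illustration.

```python
"""Evaluate a zone-based firewall policy against test flows.

Added example, not Facet Technologies' code. Zones, subnets and rules are
hypothetical. Rules are evaluated in order, first match wins, and anything
unmatched is denied.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical address plan: one VLAN per zone.
ZONES = {
    "office": ip_network("10.10.0.0/24"),
    "plant": ip_network("10.20.0.0/24"),       # PLCs, HMIs, line controllers
    "guest_wifi": ip_network("10.30.0.0/24"),
    "vendor_vpn": ip_network("10.40.0.0/24"),  # where vendor VPN clients land
    "backup": ip_network("10.50.0.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src: str           # zone name or "any"
    dst: str           # zone name or "any"
    port: int | None   # None means any port
    action: str        # "allow" or "deny"


def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def evaluate(rules: list[Rule], src_ip: str, dst_ip: str, port: int) -> str:
    """Return 'allow' or 'deny' for one flow. No matching rule means deny."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for r in rules:
        if r.src in ("any", src) and r.dst in ("any", dst) and r.port in (None, port):
            return r.action
    return "deny"


# A flat network expressed as policy: everything reaches everything.
FLAT = [Rule("any", "any", None, "allow")]

# A segmented policy for the same zones (zone-level; in a real ruleset the
# vendor rule would be narrowed further to the jump host's address).
SEGMENTED = [
    Rule("guest_wifi", "any", None, "deny"),      # guests get internet only
    Rule("vendor_vpn", "plant", 3389, "allow"),   # vendor RDP into the plant zone only
    Rule("vendor_vpn", "any", None, "deny"),
    Rule("office", "plant", 443, "allow"),        # office reaches the HMI web console
    Rule("office", "backup", 443, "allow"),       # backup console from office
    Rule("plant", "backup", 445, "allow"),        # plant data flows to the backup target
    Rule("plant", "any", None, "deny"),           # plant initiates nothing else
    Rule("backup", "any", None, "deny"),          # backup zone never initiates outbound
]


def audit(rules: list[Rule], flows: list[tuple[str, str, int]]) -> dict[tuple[str, str, int], str]:
    return {f: evaluate(rules, *f) for f in flows}


# Constructed flows: attacker on guest Wi-Fi, compromised office PC, vendor laptop.
FLOWS = [
    ("10.30.0.25", "10.20.0.10", 502),   # guest -> PLC (Modbus)
    ("10.10.0.40", "10.20.0.10", 502),   # office PC -> PLC (Modbus)
    ("10.10.0.40", "10.20.0.10", 443),   # office PC -> HMI web console
    ("10.40.0.5", "10.20.0.10", 502),    # vendor -> PLC directly
    ("10.40.0.5", "10.20.0.200", 3389),  # vendor -> plant jump host over RDP
    ("10.10.0.40", "10.50.0.10", 445),   # office PC -> backup share (ransomware's target)
]

if __name__ == "__main__":
    for name, policy in (("flat", FLAT), ("segmented", SEGMENTED)):
        print(name)
        for (s, d, port), verdict in audit(policy, FLOWS).items():
            print(f"  {zone_of(s):>10} -> {zone_of(d):<10} port {port:<5} {verdict}")
```

The flows worth watching are the ones an attacker would actually try: guest Wi-Fi to a PLC, an office workstation to the backup share, and a vendor laptop straight to plant equipment. Under the flat policy all of them succeed; under the segmented policy only the explicitly permitted paths do.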

Review who has remote access. Make a list of every vendor, technician, and employee who can connect to your systems remotely. Remove access for anyone who no longer needs it. Require MFA for everyone who does.
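The access review described above produces its value only if it ends in a list of actions and a few numbers you can hand to an auditor or insurance carrier. The script below is an added example, not Facet Technologies' tooling. It reads a constructed export of remote-access accounts (the column names are assumptions; export the equivalent from your VPN, remote-support tool or identity provider), flags accounts unused for more than 90 days, accounts without MFA enforced, and shared logins, and summarizes MFA coverage. The 90-day threshold is an assumed review policy, not a carrier requirement.

```python
"""Remote-access review: who can get in, whether they still need to, and whether
MFA is enforced for them.

Added example, not Facet Technologies' tooling. The account list is constructed
and its column names are assumptions; export the equivalent from your VPN, RMM,
or identity provider and feed that file in instead.
"""
from __future__ import annotations

import csv
import io
from datetime import date, timedelta

# Constructed sample of what such an export might contain.
SAMPLE_CSV = """account,kind,vendor,last_login,mfa_enforced,admin
jsmith@example-ag.com,employee,,2026-03-02,yes,no
kjones@example-ag.com,employee,,2025-09-14,no,no
svc-scada@example-ag.com,vendor,Line Controls Inc,2026-02-27,no,yes
techsupport@coldchain-vendor.example,vendor,ColdChain Systems,2025-06-01,yes,no
admin,shared,,2026-03-01,no,yes
"""

STALE_AFTER = timedelta(days=90)  # assumed review threshold


def review(csv_text: str, today_iso: str) -> list[dict]:
    """One finding per account: how long since it was used, whether MFA is
    enforced, and what the review should do about it."""
    today = date.fromisoformat(today_iso)
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        age = today - date.fromisoformat(row["last_login"])
        mfa = row["mfa_enforced"].strip().lower() == "yes"
        privileged = row["admin"].strip().lower() == "yes"
        actions = []
        if row["kind"] == "shared":
            actions.append("replace shared account with named accounts")
        if age > STALE_AFTER:
            actions.append(f"remove access (no login in {age.days} days)")
        elif not mfa:
            actions.append("enforce MFA" + (" (privileged account, fix first)" if privileged else ""))
        findings.append({
            "account": row["account"],
            "kind": row["kind"],
            "vendor": row["vendor"],
            "days_since_login": age.days,
            "mfa_enforced": mfa,
            "actions": actions,
        })
    return findings


def summary(findings: list[dict]) -> dict:
    """The numbers a carrier questionnaire actually asks for."""
    total = len(findings)
    mfa_ok = sum(1 for f in findings if f["mfa_enforced"])
    stale = sum(1 for f in findings if f["days_since_login"] > STALE_AFTER.days)
    return {
        "accounts": total,
        "mfa_enforced": mfa_ok,
        "stale": stale,
        "mfa_coverage_pct": round(100 * mfa_ok / total) if total else 0,
    }


if __name__ == "__main__":
    findings = review(SAMPLE_CSV, "2026-03-05")
    for f in findings:
        print(f"{f['account']:<40} {f['days_since_login']:>4}d  mfa={str(f['mfa_enforced']):<5} "
              + ("; ".join(f["actions"]) or "ok"))
    print(summary(findings))
```

Run it on a schedule and keep the dated output: a series of these reports is exactly the "MFA enforcement evidence" and "access review records" a carrier or auditor will ask for later, and a stale vendor account that disappears from one report to the next is proof the review actually happened.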

Train your people. Most attacks start with a human mistake. Regular phishing simulations and security awareness training turn your team from a vulnerability into a line of defense.

Patch your systems. Ransomware groups routinely target known software vulnerabilities that already have available fixes. Keeping operating systems, firewalls, and applications up to date closes those doors.

How Does Facet Technologies Help Agriculture Businesses?

Facet Technologies has provided IT and cybersecurity services to Central Illinois businesses for over 35 years, including clients in agriculture, food processing, and manufacturing. We understand the specific challenges ag operations face: mixed legacy environments, multi-site connectivity, seasonal production demands, and the need for technology that works reliably without a full-time IT department on staff.

Our approach starts with a cybersecurity risk assessment that maps your current exposure, from network architecture and backup readiness to vendor access and endpoint protection. From there, we build a plan based on what actually matters for your operation, not a one-size-fits-all checklist.

Facet’s managed detection and response (MDR) service provides 24/7 monitoring through an external security operations center, with threats addressed in minutes. Combined with endpoint detection and response, email security, dark web monitoring, and employee training, we build layered protection that covers the ways attackers actually get in.

We also work with ag businesses that already have internal IT staff through our co-managed IT program, adding security architecture, cloud migration support, and strategic planning without replacing the people who already know your operation.

Is the Government Doing Anything About Agriculture Cybersecurity?

Yes, and the federal response is accelerating. CISA classifies food and agriculture as one of 16 critical infrastructure sectors and has published a sector-specific cybersecurity checklist with free resources.

The Farm and Food Cybersecurity Act, reintroduced in Congress, would direct USDA to invest in cybersecurity research and crisis simulation exercises specific to agriculture. Additional legislation would establish regional cybersecurity research centers at universities with dedicated funding for ag-focused security training and workforce development.

The American Farm Bureau Federation has also partnered with the Food and Ag-ISAC to strengthen cyber awareness across the sector. These are positive steps, but they are primarily research and awareness programs. The actual work of securing your business still falls on you and the partners you choose to work with.

Frequently Asked Questions

Why are cybercriminals targeting agriculture businesses?

Agriculture has adopted technology rapidly, from connected equipment to cloud-based management platforms, but cybersecurity investment has not kept pace. Attackers target industries where the gap between technology use and security readiness is wide, and where the pressure to restore operations quickly increases the chance of a ransom payment.

What is the most common type of cyberattack on farms and food processors?

Ransomware is the most common threat, accounting for 53% of all known cyber incidents in the food and agriculture sector according to the Food and Ag-ISAC. Phishing emails are the most frequent entry point, followed by exploitation of unpatched software vulnerabilities.

Are small ag businesses really at risk, or just large corporations?

Small and mid-size operations are targeted regularly. Ransomware groups often use automated scanning to find vulnerable systems regardless of company size. A 50-person food processor or family-owned grain operation with weak security is just as likely to be hit as a national brand.

What is the first thing an ag business should do to improve cybersecurity?

Turn on multi-factor authentication across all email accounts, remote access tools, and cloud applications. This single step blocks the majority of credential-based attacks and costs nothing to implement on most platforms.

How much does a cyberattack cost an agriculture business?

Costs vary widely depending on the size of the operation and the severity of the attack. For mid-size businesses, a ransomware event can cost anywhere from tens of thousands to over a million dollars when you factor in lost production time, recovery expenses, legal costs, and reputational damage.

Does Facet Technologies work with agriculture companies in Central Illinois?

Yes. Facet Technologies has served ag businesses, food processors, and manufacturers across Central Illinois for over 35 years. Our team provides managed IT, cybersecurity, backup and recovery, and strategic IT planning designed for businesses with 10 to 500 employees. Learn more at facettech.com/it-for-ag.

What is the Food and Ag-ISAC?

The Food and Agriculture Information Sharing and Analysis Center, or Food and Ag-ISAC, is a nonprofit organization that collects and shares cybersecurity threat intelligence specific to the food and agriculture sector. It partners with federal agencies, universities, and private companies to help the industry stay ahead of emerging threats.

How often should an ag business review its cybersecurity?

At minimum, once per year with a full risk assessment, and again any time you add new technology, change vendors, or experience a security event. Facet Technologies includes quarterly strategic planning reviews as part of its managed services agreements to keep security current with your operation.

If you are running an ag business in Central Illinois and want to understand where your operation stands, we are happy to walk through it with you. No pressure, just a clear picture of your current risk and the practical steps to address it. Call us at (309) 689-3900 or reach out at facettech.com/contact-us.

How Are Central Illinois Businesses Meeting Cyber Insurance Requirements in 2026?

Cyber insurance carriers now require documented proof of specific security controls before they will issue or renew a policy. For Central Illinois businesses, meeting these requirements means having multi-factor authentication, endpoint detection and response, tested backups, email security, and an incident response plan in place, and being able to prove it. The days of checking boxes on a questionnaire and moving on are over. Here is what carriers are asking for in 2026, what happens if you fall short, and how to get your business into a position where insurance works for you instead of against you.

At a glance: Cyber insurance renewals in 2026 require documented proof of security controls, not just yes/no answers on a questionnaire. The eight controls carriers most commonly require are MFA, EDR, email security, tested backups, an incident response plan, employee training, privileged access management, and patch management. According to Marsh McLennan’s 2025 Cyber Insurance Market Report, 99% of cyber insurance applications now include specific questions about MFA implementation. Small business cyber insurance premiums typically range from $1,000 to $7,500 annually for $1 million in coverage, depending on industry and security posture. Facet Technologies helps Central Illinois businesses meet cyber insurance requirements through managed security services that include the controls carriers demand.

Why Have Cyber Insurance Requirements Gotten Stricter?

The short answer is money. Carriers lost billions on preventable claims over the past several years, and they responded by raising their standards.

Ransomware damage costs alone are projected to reach $265 billion annually by 2031, according to Cybersecurity Ventures. The average cost of a data breach hit $4.88 million globally in 2024, according to IBM’s Cost of a Data Breach Report. Carriers looked at the claims data and found a pattern: the vast majority of successful attacks exploited gaps that should have been addressed, such as missing MFA, untested backups, outdated antivirus, and employees who had never received security training.

So insurers did what any business would do when it keeps paying for the same preventable problem. They started requiring their customers to fix it. Policies that were once treated like routine paperwork have become structured assessments of cybersecurity maturity. Renewals are more rigorous, questionnaires are longer, and carriers increasingly want documentation, not just answers.

What Security Controls Do Cyber Insurance Carriers Require in 2026?

While every carrier’s questionnaire is slightly different, the industry has converged on a core set of controls that are now expected across the board. Missing any of these can result in higher premiums, reduced coverage, or denial.

  • Multi-factor authentication (MFA). MFA is a login method that requires a second form of verification beyond a password. Carriers expect MFA enforced on email, VPN connections, remote access, cloud platforms, and all administrative accounts. Having MFA “available” is not enough. It must be enforced and documented. According to Marsh McLennan’s 2025 report, 99% of applications now include specific MFA questions, and Coalition’s 2024 data shows 82% of denied claims involved organizations without MFA.
  • Endpoint detection and response (EDR). Traditional antivirus is no longer sufficient. Carriers require EDR, which monitors devices for suspicious behavior and can respond to threats automatically. They will ask who monitors alerts, how quickly your team responds, and whether you can document your response process. Facet Technologies deploys autonomous endpoint protection across all managed client devices.
  • Email security. Phishing remains the top attack vector for insurance claims. Carriers expect dedicated email filtering that scans for spoofed senders, malicious links, weaponized attachments, and business email compromise attempts. A basic spam filter does not meet this requirement.
  • Tested, isolated backups. Carriers have learned that untested backups fail when they are needed most. They now ask whether your backups are tested regularly, whether backup copies are stored offline or isolated from your production network, and how quickly you can recover critical systems. Backup isolation prevents ransomware from encrypting your recovery data along with everything else.
  • Incident response plan. Insurers want a written plan that defines roles, escalation procedures, communication protocols, and recovery steps. They want evidence that the plan has been reviewed and tested, not just that a document exists somewhere on a shared drive.
  • Employee security training. Regular training and phishing simulations are now standard requirements. Carriers want to see a documented program with measurable results, such as phishing simulation click rates tracked over time.
  • Privileged access management. Shared administrative accounts are a red flag for underwriters. Carriers want individual credentials for every privileged user, with the ability to track and audit access. Automatic password rotation for administrative accounts adds another layer of documentation.
  • Patch management. Vulnerability exploits account for over 30% of ransomware attacks, according to the Sophos State of Ransomware 2025 report. Carriers expect documented evidence that operating systems and applications are patched on a regular schedule.
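The email security item above turns on whether a receiving mail server can tell your real mail from a spoof, and that depends on the SPF and DMARC records published in your DNS. The script below is an added example, not part of Facet's email security service: it grades SPF and DMARC record strings for spoofing resistance and compares a weak configuration (SPF softfail plus DMARC in monitor-only mode, which is where many domains stop) with the corrected one. The records are constructed for the hypothetical domain example-ag.com; in practice fetch yours with `dig +short TXT example-ag.com` and `dig +short TXT _dmarc.example-ag.com` and pass them in. The thresholds are the author's, not any carrier's.

```python
"""Grade a domain's SPF and DMARC records for spoofing resistance.

Added example, not part of Facet's email security service. Record strings
below are constructed; pull the real ones from DNS and pass them to
grade_domain(). Findings reflect the author's judgement, not a carrier's.
"""
from __future__ import annotations

import re


def parse_tags(record: str) -> dict[str, str]:
    """Split 'k=v; k2=v2' style DMARC tags into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def grade_spf(record: str | None) -> list[str]:
    """Return findings; an empty list means the SPF record is in good shape."""
    if not record or not record.lower().startswith("v=spf1"):
        return ["no SPF record: anyone can send as this domain"]
    issues = []
    terms = record.split()
    all_term = next((t for t in terms if t.lower() in ("all", "+all", "-all", "~all", "?all")), None)
    if all_term is None:
        issues.append("no 'all' mechanism: record does not end in a decision")
    elif all_term in ("+all", "all"):
        issues.append("'+all' authorizes every sender on the internet")
    elif all_term == "?all":
        issues.append("'?all' is neutral: unauthorized senders are not flagged")
    elif all_term == "~all":
        issues.append("'~all' softfail only; acceptable with DMARC enforcing, weak alone")
    # Mechanisms that cost a DNS lookup; receivers give up after 10.
    lookups = sum(1 for t in terms
                  if re.match(r"^[+\-~?]?(include:|a$|a:|mx$|mx:|ptr|exists:|redirect=)", t))
    if lookups > 10:
        issues.append(f"{lookups} DNS-lookup terms exceeds the limit of 10; receivers treat this as permerror")
    return issues


def grade_dmarc(record: str | None) -> list[str]:
    """Return findings; an empty list means DMARC is enforcing with reporting on."""
    if not record or not record.lower().startswith("v=dmarc1"):
        return ["no DMARC record: receivers have no policy for mail that fails SPF/DKIM"]
    issues = []
    tags = parse_tags(record)
    p = tags.get("p", "").lower()
    if p == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered")
    elif p == "quarantine":
        issues.append("p=quarantine sends spoofs to junk; p=reject is the goal")
    elif p != "reject":
        issues.append(f"unrecognised or missing policy '{p}'")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        issues.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        issues.append("no rua= address: no aggregate reports, so no evidence trail")
    return issues


def grade_domain(spf: str | None, dmarc: str | None) -> dict:
    s, d = grade_spf(spf), grade_dmarc(dmarc)
    return {"spf": s, "dmarc": d, "enforcing": bool(spf) and not d}


# Constructed records: the weak setup many domains still run, and the corrected one.
WEAK = {
    "spf": "v=spf1 include:spf.protection.outlook.com ~all",
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example-ag.com",
}
CORRECTED = {
    "spf": "v=spf1 include:spf.protection.outlook.com -all",
    "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example-ag.com; adkim=s; aspf=s",
}

if __name__ == "__main__":
    for label, recs in (("weak", WEAK), ("corrected", CORRECTED)):
        print(label, grade_domain(recs["spf"], recs["dmarc"]))
```

Moving from `p=none` to `p=reject` should be done after reading the aggregate reports for a few weeks, since the reports will show legitimate senders (payroll, invoicing, marketing tools) that still need to be authorized; the `rua=` finding exists precisely because those reports are the evidence that the transition was done deliberately.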

What Happens If You Cannot Meet These Requirements?

The consequences are real and immediate. Carriers are not bluffing.

If you cannot demonstrate the required controls, your insurer may increase your premiums significantly, sometimes 30% to 50% over the previous year. They may exclude ransomware coverage entirely, which removes the single most common and most expensive type of claim. In some cases, they will deny renewal altogether, leaving your business uninsured until you can demonstrate compliance.

There is also the claim denial risk. If you experience a breach and your insurer finds that your actual security posture did not match what you represented on your application, they can deny the claim. A January 2026 case involved a mid-size accounting firm whose ransomware claim was denied because the controls they reported on their application were not actually in place when the attack occurred. The firm faced over $300,000 in recovery costs with no insurance payout.

Honest reporting matters. Carriers would rather see a business that is transparent about its current gaps and actively working to close them than one that overstates its readiness and gets caught in a claim investigation.

How Can Your IT Provider Help You Meet Cyber Insurance Requirements?

This is where the relationship between your IT provider and your insurance coverage becomes direct. The controls carriers require are the same protections a good managed IT provider should already have in place for you.

If your IT provider is not proactively discussing your cyber insurance requirements, that is a gap worth addressing. Your provider should be able to help you in several concrete ways:

  • Review your carrier’s questionnaire with you and provide accurate answers based on your actual environment
  • Produce documentation that proves your controls are in place (MFA enforcement logs, backup test records, EDR deployment reports, training completion records)
  • Identify gaps between your current security posture and what your carrier requires
  • Build a remediation timeline for any controls that are missing
  • Participate in conversations with your insurance broker when technical details need clarification

Facet Technologies works with clients across Central Illinois to prepare for cyber insurance renewals. Because the security controls carriers require (MFA, EDR, email filtering, tested backups, employee training, and managed detection and response) are already included in our managed services agreements, most of our clients are in a strong position before renewal conversations begin.

For businesses that are not yet fully meeting carrier requirements, we conduct a cybersecurity risk assessment to identify exactly where the gaps are and build a prioritized plan to close them.

How Does Cyber Insurance Fit Into a Broader Cybersecurity Strategy?

Cyber insurance is not a replacement for cybersecurity. It is one layer in a broader risk management strategy. The businesses that get the most value from their coverage treat the insurance requirements as a baseline, not a ceiling.

Think of it this way: meeting the carrier’s requirements gets you insured. Going beyond them, with 24/7 SOC monitoring, regular penetration testing, compliance consulting, and structured quarterly reviews, reduces the likelihood that you will ever need to file a claim.

The best outcome is not a successful insurance claim. It is never needing one.

For Central Illinois businesses navigating HIPAA, PCI DSS, CMMC, or other compliance frameworks, there is significant overlap between compliance requirements and insurance requirements. Meeting one often satisfies much of the other. A managed IT partner who understands both can help you avoid duplicating effort and spending.

Frequently Asked Questions

What are the minimum cyber insurance requirements in 2026?

Most carriers require multi-factor authentication on all accounts, endpoint detection and response on every device, email security beyond basic spam filtering, tested and isolated backups, an incident response plan, employee security training, privileged access management, and regular patch management. Missing any of these can result in higher premiums or denial of coverage.

How much does cyber insurance cost for a small business?

Small business cyber insurance premiums typically range from $1,000 to $7,500 annually for $1 million in coverage. The actual cost depends on your industry, revenue, data volume, and the security controls you have in place. Businesses with documented security programs often qualify for lower premiums.

Can my cyber insurance claim be denied if my security is not what I reported?

Yes. If you experience a breach and the carrier determines that your actual security posture did not match your application responses, they can deny the claim entirely. Accurate reporting and documented evidence of your controls are the best protection against claim denial.

What is the difference between EDR and traditional antivirus for insurance purposes?

Traditional antivirus relies on known virus signatures to block threats. Endpoint detection and response monitors for suspicious behavior patterns and can isolate infected devices automatically. Carriers require EDR because it catches threats that signature-based tools miss, which is why traditional antivirus alone no longer satisfies most cyber insurance questionnaires.

Do I need 24/7 monitoring to qualify for cyber insurance?

Not all carriers require 24/7 SOC monitoring for standard policies. It depends on your company size, industry, and coverage level. Businesses in regulated industries (healthcare, finance, defense contracting) or those seeking higher coverage limits will increasingly see 24/7 monitoring as a requirement. It is also one of the most effective ways to reduce premiums.

How far in advance should I prepare for my cyber insurance renewal?

Start at least 60 to 90 days before your renewal date. This gives you time to audit your current security controls, address any gaps, gather documentation, and work with your IT provider to produce the evidence your carrier will request.

Does Facet Technologies help businesses prepare for cyber insurance renewals?

Yes. Facet Technologies helps Central Illinois businesses assess their security posture against carrier requirements, document existing controls, close gaps, and prepare for renewal questionnaires. Because our managed services agreements include the controls carriers require, most of our clients are renewal-ready year-round.

What should I look for in an IT provider to help with cyber insurance compliance?

Look for a provider who includes MFA, EDR, email security, tested backups, employee training, and incident response support as part of their managed services. They should be willing to produce documentation for your carrier and review your insurance questionnaire with you. If your IT provider cannot answer your carrier’s technical questions, that is a red flag.

Ready to Review Your Cyber Insurance Readiness?

Whether your renewal is next month or next year, knowing where you stand today saves surprises later. We will walk through your carrier’s requirements, identify what is in place and what is not, and give you a clear path forward.