The Hidden Costs of Cheap IT Support - A Hospitality Case Study

Every finance director I meet has, at some point, looked at their IT support invoice and thought: we could get this cheaper. And they’re usually right. There is always a cheaper quote. The market is full of generalist managed service providers who will cover a 7-site restaurant group for materially less than a hospitality specialist will charge. The pitch is simple: same scope, same SLAs, lower price. What’s not to like?

I want to walk through what actually happened to a composite client - a 7-site casual dining group in the South East, turnover around £14m, head office in Surrey - when they took that bet. The names and dates are fictionalised, but every incident in this post is drawn from real conversations with operators who switched to the cheapest quote and lived to regret it. The numbers are conservative.

This isn’t a piece about us being expensive. It’s a piece about how IT support pricing works in hospitality, and why the line item you see on the invoice is almost never the real cost.

The decision: £1,500 a month off the IT line

In early 2024, the group was paying around £4,800 a month for fully-managed IT support across seven sites and a small head office - roughly £700 a site, plus head office, with EPOS escalation, network monitoring, and a quarterly security review baked in. The provider was a hospitality specialist. Tickets got resolved, services held up, nothing exciting ever happened.

Their new FD ran a procurement exercise. Three quotes came back. The cheapest was a generalist MSP in the Thames Valley charging £3,300 a month for what looked, on the spec sheet, like the same scope. Same ticket SLAs. Same reactive cover. Cheaper per-device monitoring. The FD signed it off. £1,500 a month saved, £18,000 a year back into the P&L. On a 6.8% net margin business, that’s the equivalent of finding £265,000 of extra revenue. You can see why it got approved.

For the first twelve months, nothing went wrong.

Year 1: the silence that looked like success

This is the trap. Cheap IT support in hospitality almost always looks fine for the first year. The new MSP onboarded the group, took over the helpdesk, picked up password resets and printer queues and the usual day-to-day. Tickets closed within SLA. The FD got a quarterly report that said 94% first-time fix rate. The ops director stopped thinking about IT.

What was happening underneath was that the cheap MSP was doing exactly what they’d quoted for - reactive break-fix on standard office IT - and quietly not doing the things the hospitality specialist had been doing without anyone noticing. Firmware on the in-store network kit didn’t get updated. EPOS database backups weren’t being verified, just scheduled. Starter and leaver processes were processed as helpdesk tickets rather than run through a proper joiner-mover-leaver workflow. The PCI scope hadn’t been re-walked when the group added contactless tipping at two sites. None of this generated a ticket, so none of this got reported.

If you’re an FD reading this, here’s the uncomfortable bit: every quarterly report you saw in year one would have looked good.

Month 14: the Friday night

It was a Friday in April. Two sites in the same town centre were heading for £18k of combined covers that night. At 7:55pm, the EPOS at the larger of the two sites stopped sending tickets to the kitchen display system. Card payments still worked, the EPOS terminals still functioned, but the KDS had gone dark and the kitchen was suddenly running on shouted orders and printed dockets that weren’t printing.

The duty manager raised a P1 with the new MSP. The first-line engineer who picked it up had never seen a kitchen display system before. He spent forty minutes trying to ping the KDS controller from a remote tool that wasn’t installed on the right VLAN, then escalated to second line. Second line asked for the EPOS vendor’s support number, which nobody on shift had, because the previous MSP had owned that relationship and the contact details had never been transferred. The site manager eventually found an old email with the vendor’s number and called them direct. The vendor talked the duty manager through a service restart on a Windows box in the back office at 9:35pm. The KDS came back at 9:48pm.

Three hours and fifty-three minutes from first ticket to resolution. In hospitality terms, that’s a destroyed Friday service. Twenty-two covers walked. The kitchen was sixty minutes behind for the rest of the night. The site lost an estimated £4,200 in revenue that evening alone, plus a further £1,800 the following weekend in cancelled bookings from guests who’d had a bad experience and posted about it. Call it £6,000.

The root cause? The KDS was a model the cheap MSP had never deployed before, on a network they’d inherited but never properly mapped. A hospitality-literate provider would have had it fixed in twenty minutes - it’s a known issue with a known fix. We cover this kind of work in our hospitality IT support practice precisely because EPOS, KDS and payment integrations don’t behave like office IT.

Month 18: the PCI DSS failure

Four months later, the group’s acquiring bank ran a PCI DSS compliance check ahead of contract renewal. The group failed. Two of the seven sites had network segmentation issues that put the cardholder data environment on the same VLAN as guest WiFi. This had happened during the contactless tipping rollout the previous year - nobody had reviewed PCI scope when the new terminals were installed, because the cheap MSP didn’t know they needed to.

Remediation cost: a £6,500 emergency network re-segmentation across two sites, a £3,200 external QSA re-assessment, and three weeks of internal time from the operations director and FD chasing it. Call the total cost £12,000, conservatively, and that’s before you count the increased transaction fees the acquirer applied for the quarter the group was non-compliant - another £4,500. Total: £16,500.

This is the kind of work that sits inside a proper managed network service. Segmentation, scope reviews, change control on the network when new payment kit goes in. None of it is glamorous. All of it is the difference between passing PCI on a Tuesday morning and not.

Month 20: the offboarding that never happened

A general manager left site three in October. HR raised a leaver ticket. The cheap MSP disabled the user’s Microsoft 365 login. They did not - because their offboarding runbook was generic and didn’t include hospitality-specific systems - remove the GM’s access to the rota platform, the supplier ordering portal, or the shared head office mailbox he had delegated access to. They also didn’t disable mail forwarding rules.

Three weeks later, an attacker phished the former GM’s personal email and harvested credentials. Because mail forwarding from his old work mailbox was still active, the attacker saw a £14,200 supplier invoice from a drinks distributor, spoofed a follow-up email asking the AP team to update bank details, and walked away with the payment. The group recovered roughly £4,000 through their cyber insurance policy after a £2,500 excess. Net loss: around £12,700, plus the legal and forensic time to work out what had happened. Call it £15,000 all-in.

A hospitality MSP would have had a leaver checklist that covered every system the GM touched, not just the email account. This is the unglamorous core of cyber security in hospitality - joiner-mover-leaver, MFA enforcement, conditional access, mailbox forwarding rules. It’s not exciting. It’s the stuff that stops £15,000 walking out the door.

Month 24: the new site that opened three weeks late

The group had been planning their eighth site, in a Kent market town, for most of 2025. Fit-out began in November. The IT brief was standard: structured cabling, EPOS install, KDS, guest WiFi, payment terminals, back office, CCTV, music system, integration with the central booking platform.

The cheap MSP had never project-managed a hospitality opening. They quoted for the work, then subcontracted the cabling to a generalist data installer who didn’t understand the timeline pressures of a soft launch. The cabling slipped by ten days. The EPOS install got pushed because the network wasn’t ready. The payment terminals arrived but couldn’t be commissioned because the merchant ID wasn’t linked to the new VLAN, which didn’t exist yet. The site missed its planned opening date by three weeks.

Three weeks of lost trade in a 90-cover site at projected £11k/week of contribution: £33,000. Plus £8,000 of marketing spend that had been booked against the original opening date and largely wasted. Call it £40,000. The opening was a story the ops director told me through gritted teeth.

The real maths

Let me lay the whole thing out.

The saving: £1,500/month x 24 months = £36,000.

The costs:

• Friday night EPOS/KDS outage: £6,000
• PCI DSS remediation and acquirer penalty: £16,500
• Phishing loss from incomplete offboarding: £15,000
• New site opening delayed three weeks: £40,000
• Internal time across operations, FD, HR (conservative): £8,000

Total real cost: £85,500.

Net position after two years of “saving £1,500 a month”: down £49,500.

And that’s before you count the things I haven’t put a number on - the brand damage from the walked Friday service, the staff churn at the site that opened late, the FD’s relationship with the MD after she had to explain the PCI fail to the board. In the conversations I’ve had with operators who lived through versions of this story, the all-in true cost typically lands somewhere between £100k and £150k over two years. The £36k saving is real. It’s just dwarfed by the costs it created.

The lesson FDs need to hear

Cheap IT support is rarely cheap in hospitality. The cost lives in the incidents you didn’t have, the PCI scope reviews that happened quietly, the leaver checklists that ran without anyone noticing, the new site that opened on time because the network was ready on Tuesday morning instead of the following Monday. None of that shows up on an invoice. All of it shows up the moment it stops happening.

If you’re an FD or ops director benchmarking your IT spend, here’s the question to ask: not what am I paying per site, but what am I getting that I don’t see. The hospitality specialist who costs £1,500 a month more is, on the evidence of every conversation I have, almost certainly saving you several multiples of that in incidents that never happened.

IT support in a multi-site hospitality group isn’t a cost to minimise. It’s a risk mitigation function and a growth enabler. When you treat it as the former, you make better decisions. When you treat it as the latter, you back the wrong horse.

How we think about pricing

We try to be transparent about this. Our pricing is published, our scopes are written in plain English, and we don’t pretend that every group needs the same level of cover. A 3-site group that’s not opening anything new and runs a single EPOS vendor needs less than a 12-site group with three brands and an aggressive expansion plan. What we do insist on is that whatever level of cover you buy, it’s the level that makes the maths work - not the level that makes a procurement spreadsheet look good in month one.

If you’re rethinking your IT support contract, or you’ve just signed one and you’re starting to wonder what’s underneath the headline number, talk to us about hospitality IT support. We’ll happily walk through the maths on your specific estate. Sometimes the answer is that you’re paying about right. Sometimes it isn’t. Either way, you’ll know - and that’s worth more than any line item on a P&L.