Most managed IT advice assumes your whole company sits in one office. A construction or trades business doesn't work that way. You're running two operations at once: an office with email, accounting, and project files, and a mobile field operation with crews, tablets, trucks, and job sites that change every week. Generic IT providers are optimized for the office half and often overlook the field half, which is exactly where contractors get hurt. This guide walks through what actually matters, in plain terms, for an owner or operations lead in Northern Virginia.
Construction companies don't fail security reviews because they don't care about security. They fail because the technology grew one project at a time: the office runs one system, the field another, somebody bought tablets at Costco, someone else uses a personal phone, and nobody ever stepped back to manage it all together.
Verizon's Data Breach Investigations Report has consistently found stolen credentials and phishing among the most common ways attackers first get in, with stolen credentials involved in roughly a quarter of breaches in its 2024 report. (Verizon DBIR)
The office and the field are two different IT problems
In the office, your risks look like any small business: email compromise, weak passwords, backups nobody has tested. In the field, the risks are physical and constant: a tablet left in a truck, a superintendent's laptop lost on a site, dispatch software going down mid-morning with every crew already rolling. A provider that only knows the office will patch your servers and never think about the forty devices that leave the building every day. The whole point of construction-aware IT is treating both halves as one managed system.
The five things that actually go wrong
1. Dispatch or field-service software goes down. When ServiceTitan, Procore, Housecall Pro, or your scheduling board loses connectivity, the trucks are blind and your coordinator is on the phone instead of dispatching. Uptime monitoring and managed connectivity keep the field moving.
2. Field devices aren't really managed. Tablets and phones get dropped, handed off, and occasionally walk off a job. Without mobile device management, a missing device is a data exposure. Here's how field and job-site device management should work, and what actually happens when a superintendent loses a laptop.
3. Wire fraud and payment-change scams. Construction is one of the most-targeted industries for business email compromise, because large payments move between owners, GCs, subs, and suppliers all the time. This is why your company keeps getting phishing and wire-fraud emails, and what stops it.
4. Job files scattered everywhere. Plans on a personal Dropbox, photos buried in a phone, PDFs emailed back and forth. Consolidating to a structured Microsoft 365 / SharePoint setup with access by crew and project turns that into something you actually control.
5. Documentation gaps. Larger general contractors and your cyber insurer increasingly want proof of specific controls. Here's what GCs want for prequalification, and what your cyber insurance renewal is really asking for.
What good managed IT covers for a contractor
A serious managed IT plan for a construction or trades company should include all of this in one number, not as add-ons: endpoint detection and response (EDR) on every computer, email security that filters phishing and business email compromise, mobile device management for field tablets and phones, Microsoft 365 administration with MFA enforced, monitored backups with tested restores, structured onboarding and offboarding, full environment documentation, and unlimited remote helpdesk. The test of a good provider isn't the feature list; it's whether they think about your field devices and your dispatch uptime without being asked.
How much should you budget?
Full-stack managed IT for a small contractor generally runs on a per-user, per-month basis, and what's included matters more than the headline number. We wrote a separate, honest breakdown of the market: what managed IT actually costs in Northern Virginia. A rough rule for a construction firm: budget for every office user plus your field crew's devices, and expect the security stack (EDR, email security, backup) to be included rather than billed separately.
How to choose a provider
Ask a prospective MSP four questions: How do you manage devices that leave the building? What's your guaranteed response time when dispatch goes down? What can you hand my cyber insurer or a GC's prequalification team as evidence of our controls? And what happens, step by step, when an employee is let go on a Friday afternoon? A provider who answers those in specifics understands construction. Vague answers mean they'll treat you like an office that happens to own trucks.
If you want a documented, field-ready IT operation instead of a patchwork, Sentry runs a free assessment of your current setup and tells you exactly where the gaps are. See how we support construction and trades, or book a no-obligation assessment.