Incident Management Best Practices for MSPs

Incident response management is a structured process of identifying, analyzing, and resolving IT incidents as quickly as possible. Broadly speaking, when we talk about incidents in this case we are referring to any deviations from the norm in an IT network that impact operations, customer/user experience, and, as a consequence, business in general. This definition serves to differentiate incidents from technical alerts that can signal problems within a network infrastructure that may not yet have had an impact on the customer.

Handling disruptions as swiftly and effectively as possible is critical if MSPs are to maintain a positive customer experience. However, effective incident management can be a complex process for MSPs. While larger MSPs may have full access to a client’s infrastructure and be able to act quickly and independently during critical situations, smaller companies typically have access to only a portion of the services and tech stack. This makes it significantly more challenging to respond effectively during incidents.

In addition to this, MSPs regularly face other challenges in their pursuit of operational excellence, including:

• Multiple client environments: MSPs must manage diverse clients, each with unique SLAs that dictate specific response and resolution times.
• Remote management: Diagnosing and resolving issues without being physically present adds additional complexity.
• Varied environments: Each client potentially uses different software, hardware, and configurations.

Having an effective incident response management strategy is crucial for any MSP as it is central to helping them protect client systems, maintain trust, and safeguard their own reputation. A poorly handled incident can lead to a range of issues for both an MSP and its customers, these include: operational disruption, financial losses, client churn and loss of business, reputational damage, and even legal and regulatory penalties.

On the flip side of this, effective incident response management can provide real business value for MSPs. This comes in the shape of minimizing downtime (helping to meet SLAs and avoid penalties), building client trust, ensuring customers meet compliance and regulatory requirements (either for their industry requirements or for cyber insurance), reputation protection, and finally cost reduction (in areas such as recovery costs).

As cyber threats continue to evolve, the need for rapid, efficient, and well-coordinated responses to incidents is greater than ever. So how can you build out an effect incident response process?

ilert is a member of the N‑able Technology Alliance Program providing an advanced incident management platform that is easily integrated with N‑able N‑central. I spoke with Daria Yankevich, Partner Marketing Manager at ilert, about what the company sees from their experience of working with MSPs around as the core best practices for Incident Management for MSPs

The four stages of incident response management

“The incident lifecycle has four stages,” explains Daria. “Preparation, Response, Communication, and Learning.  Breaking down key recommendations on managing incidents by these four parts simplifies the work for teams and helps them clearly understand their stance in critical situations.”

Stage 1: Prepare for an Incident

Automate Incident Detection and Response

“Automation always goes hand in hand with tools,” says Daria. “We see there as being four key areas areas that experienced MSPs focus on to ensure they can identify and react to system issues as quickly as possible.”

1. Monitoring and observability
   Tools that oversee system performance, record data, and monitor application behavior offer real-time insight into your IT systems, allowing for the quick detection of potential incidents. Solutions like N‑able N‑central help monitor multi-tenant environments.
2. On-call management
   In a multi-client setting, it is challenging to manage on-call duty via calendars or sheets. Ensure that the on-call duty is properly distributed between clients and dedicated teams, the rotation is automatic, and engineers are always aware of when their shifts start. The best practice is also to have mobile access to the on-call management system to be able adjust schedules on the go.
3. Alerting
   Once an incident is detected, prompt and multi-channel notification of engineers is essential. Alerting tools ensure the right information gets to the right people at the right moment. Alerting platforms for MSPs can display and clearly split out alerts from multiple tenants, as well as building escalation policies that reflect the SLA requirements for different clients. Your alerting systems should be advanced enough to handle alerts from various sources and turn them into phone calls, SMS, push, and other types of notifications. While machine-detected alerts are pretty typical for MSPs, in many cases, clients report incidents directly via tickets or phone calls. For these two types, MSPs require additional tools.
4. Manual incident trigger mechanism
   MSPs’ clients require a quick, easy-to-use, and familiar way to report anomalies. One of those is call routing—a hotline that clients can use to call a dedicated phone number, and an alert can be created directly from this call. Another solution is a ticketing system. Depending on the SLA, you might choose between these or have both for different scenarios.

Implement a Structured Incident Response Plan

“A well-constructed response plan ensures that incidents are handled systematically,” Daria adds. “The best way to achieve this is not only having instructions on paper but conducting actual training sessions to simulate an incident. The training must target the following four objectives: Engineers are aware of the escalation procedures and have all notifications set up correctly; They clearly understand the client’s infrastructure and know how to access it; They receive hands-on training in containing and mitigating different types of IT incidents typical for a specific client; MSP engineers are exposed to realistic, high-stakes scenarios where they must prioritize tasks and allocate resources to develop strong decision-making skills.”

Stage 2: Response

Daria continues: “In the response stage of incident management, two critical factors determine the success of an MSP’s approach: how quickly the MSP acknowledges the incident, and how effectively they prioritize resolution when multiple incidents coincide across different clients.

“Speed of acknowledgment is vital, as a quick response reassures clients that the issue is being addressed and reduces potential downtime. Meanwhile, prioritization becomes essential when multiple incidents arise.

“MSPs should base their prioritization decisions on the SLA commitments and the impact each incident has on the clients’ operations. For example, a critical server outage affecting a client’s entire business should take precedence over a minor application issue for another.”

Stage 3: Communicate

As with any customer interaction, good communication is critical. “There are several ways to keep customers informed,” says Daria. “One is to manually deliver updates via phone calls or messages conducted by an MSP account manager. This approach is not scalable and can lead to communication errors and misinterpretations. We recommend establishing a status page that clients can subscribe to.”

Daria recommends that MSPs should set up separate status pages for each client, which is typically a good fit for smaller companies. However, this approach becomes more costly as the number of clients grows. For larger providers, it’s highly recommended to adopt audience-specific pages that display only relevant data based on the user parameters. This not only reduces costs but also minimizes the number of pages that need to be maintained.

She also highlights four things it’s important to not forget:

• Timeliness. Quick communication helps manage client expectations and reduce anxiety.
• Cadence. Share updates on incident resolution at regular, predictable intervals—typically every 30 to 45 minutes.
• Realistic expectations. Provide realistic timelines for resolution, and inform clients if temporary workarounds are available. If the situation changes, adjust expectations and communicate promptly.
• Clarity. Avoid overwhelming clients with technical jargon; provide clear, simple explanations to reduce frustration.

Stage 4: Learn from your experience

Finally, Daria points to two metrics—MTTA (Mean Time to Acknowledgment) and MTTR (Mean Time to Resolution)—that are critical in measuring the effectiveness of incident response. These metrics can be calculated manually using the formulas provided below, or you can delegate the task to your incident management platform, which should be able to automatically track and calculate them.

• MTTA = (total time between alert and acknowledgment) / number of incidents for a specific client
• MTTR = (total time between alert and resolution) / number of incidents for a specific client

“Don’t forget to keep track of the incidents you deal with and combine the learnings in post-mortem documents,” Daria concludes. “This will help you reduce MTTR and MTTA in the future and simplify the onboarding of new engineers and account managers.”

ilert and N‑central: Improve Incident Management with RMM Integration

As Daria mentions above Remote Monitoring and Management (RMM) solutions like N‑central form a critical component of an effective incident response plan for MSPs. They enable MSPs to monitor their clients’ systems in real-time, providing early detection of potential issues such as system failures, network vulnerabilities, or unusual activity that could signal a cyberattack. Early detection is key to containing incidents before they escalate, minimizing downtime, and reducing the impact on client operations.

However, by integrating ilert into their N‑central platform MSPs can significantly enhance their effectiveness in a number of ways, and take their incident response to the next level. When a N‑central identifies an issue, ilert can immediately trigger multi-channel alerts through SMS, email, phone, or mobile app, ensuring that the right team members are notified promptly, reducing response times. This multi-channel approach guarantees that no critical alert is missed, even during off-hours.

ilert’s automatic on-call rotation feature ensures that there is always someone available to respond, improving the MSP’s ability to maintain 24/7 support without manual intervention. This streamlined process helps prevent incidents from escalating due to delayed responses.

The platform’s audience-specific status pages enable MSPs to keep clients informed in real time during an incident, improving communication and transparency. By managing expectations and providing real-time updates, MSPs build trust and reduce customer frustration.

Integrating N‑central with ilert allows MSPs to respond faster, automate alerting and on-call management, and improve client communication, leading to more effective incident resolution and stronger client relationships.

ilert is an incident management platform that provides advanced incident response features like multi-channel actionable alerting, automatic on-call rotation, audience-specific status pages, and much more. ilert has a proven track record with MSPs around the world, and has developed and maintains an integration with N‑able N‑sight and N‑able N‑central via close collaboration with N‑able’s Technology Alliance Program. You can find out more about TAP by visiting www.n-able.com/partnerships/technology-alliance-program.