There's a CEO we talked to a few years ago who was paying $12,000 a month for IT support for a 35-person company. He thought that was normal. It wasn't — he was getting ripped off, and the service still wasn't great. Then there's the business owner we talked to last year who had 40 employees, no managed IT, and was relying on her nephew "who's good with computers" to handle everything. Three months later, ransomware.
IT spending is one of the areas where both "too much" and "too little" are genuinely common — and both have real costs. Here's how to think about it clearly.
The Benchmark Numbers
Gartner and Forrester both track IT spending across industries. For small and mid-sized businesses, the common benchmarks are:
| Industry | Typical IT Spend (% of Revenue) | Notes |
|---|---|---|
| Professional Services | 3–6% | Higher due to data sensitivity |
| Healthcare | 4–7% | HIPAA compliance adds cost |
| Manufacturing | 1–3% | Lower, but rising due to OT security |
| Retail | 2–4% | POS and PCI requirements |
| Financial Services | 6–10% | Highest compliance burden |
| General Business | 2–4% | Varies widely |
If you're spending significantly less than your industry average, you're likely under-protected. If you're spending significantly more, it's worth asking what you're getting for the premium.
The Per-User Model Is More Useful
Percentage of revenue is great for benchmarking, but it doesn't help you build a budget. Per-user monthly cost is more practical.
For a business in the 20–100 employee range, here's a realistic breakdown of what full managed IT services should cost:
| Service Component | Typical Per-User/Month |
|---|---|
| Managed IT (help desk, monitoring, patching) | $80 – $150 |
| EDR + Antivirus | $10 – $25 |
| 24/7 SOC monitoring | $15 – $40 (often included in managed IT) |
| Email security (Inky or equivalent) | $8 – $15 |
| Dark web monitoring | $3 – $8 |
| SaaS backup (M365/Google) | $5 – $12 |
| Compliance management | $10 – $30 (if needed) |
A fully stacked managed IT and security program for a 50-person business typically runs $130–$250 per user per month, depending on your industry and compliance requirements. For 50 users, that's $6,500–$12,500/month.
That sounds like a lot until you look at what you're getting: 24/7 help desk, security monitoring, endpoint protection, email security, backup, and compliance management. The alternative — a full-time IT employee — runs $70,000–$110,000/year in salary alone, and doesn't include after-hours coverage, security tools, or specialty expertise.
The Hidden Costs of Under-Spending
This is where budget conversations get interesting. Businesses that under-invest in IT often don't realize the cost until something goes wrong. But there are quieter costs too:
- Lost productivity — if your team spends 20 minutes a day waiting for slow systems or dealing with IT issues, that's 87 hours of lost productivity per employee per year
- Shadow IT — when IT doesn't provide good tools, employees buy their own (Dropbox, personal Gmail, random apps) and you lose data visibility and control
- Technical debt — skipping updates and upgrades to save money creates compounding problems that cost more to fix later
- Breach costs — the average SMB data breach costs $4.45 million globally (IBM Cost of a Data Breach 2024); even a modest breach at a 50-person company can easily run $200,000–$500,000
What to Ask Your Current IT Provider
If you're already paying for managed IT and want to know if you're getting value, here are the questions worth asking:
- What is your average ticket response time, and can you show me the data?
- Do I have EDR deployed on 100% of my endpoints — and who's monitoring the alerts?
- What would happen to my Microsoft 365 data if I accidentally deleted a whole mailbox right now?
- When were my backups last tested with an actual restoration?
- What does my security posture look like against a typical cyber insurance application?
Good IT partners answer these questions immediately and with specifics. "We have that covered" is not a specific answer.
One More Thing: IT Budgets Should Be Planned, Not Reactive
The most expensive IT events are always the unplanned ones. Hardware failures, emergency migrations, ransomware remediation — these costs hit hard because they weren't budgeted for. A good IT partner helps you build a technology roadmap so you know what's coming: when workstations need to be replaced, when server warranties expire, when software licenses are up.
If your IT budget is currently "whatever it costs when something breaks," that's worth changing. We help clients build proper IT budgets every year as part of our vCIO service — and the first time most of them see a real roadmap, they're genuinely surprised by how much clarity it provides.
