Sequentur Blog
IT budgeting for small business: how much should you spend on IT
Short answer: Most SMBs should budget 3% to 7% of gross revenue on IT, with regulated industries (healthcare, legal, financial services, defense contractors) landing at 6% to 10%. A 30-person professional services firm doing $6M a year typically spends $180K to $420K across hardware, software, support, security, and backup. The number is less useful than the structure: a defensible IT budget covers six line items (support and labor, software and licensing, hardware refresh, security and compliance, backup and recovery, contingency) and accounts for the hidden costs most businesses miss – downtime, manual workarounds, shadow IT, and the internal time spent on IT work that never hits the IT line.
This is a budget-cycle planning article. If you are a CFO, owner, or operations leader getting ready for next year, it covers what the numbers should look like, how to translate industry benchmarks to your specific business, what the line items actually are, and what hidden costs tend to blow up budgets that looked reasonable on paper.
IT budget benchmarks at a glance
Industry benchmark data from Gartner, Deloitte, and Spiceworks converges on a rough range by industry:
| Industry | IT spend as % of revenue (SMB range) |
|---|---|
| Professional services (legal, consulting, accounting) | 6% to 8% |
| Financial services (banking, advisory, insurance) | 7% to 11% |
| Healthcare | 5% to 8% |
| Manufacturing | 2% to 4% |
| Retail and hospitality | 2% to 4% |
| Technology and software | 10% to 15% |
| Nonprofit | 2% to 4% |
| Construction and trades | 1% to 3% |
| Education (private) | 4% to 7% |
| Government contractors (defense, federal) | 6% to 10% |
These are reference points, not commandments. A 25-person law firm might be at 7%. A 25-person HVAC contractor might be at 2%. Both are defensible if the budget actually covers what the business needs.
Translate by revenue. For a 30-person professional services firm doing $6M a year at 6%, that is $360K total IT spend. Divide by 30 employees and it is $12K per user per year. That per-user number is a useful sanity check – for SMBs, annual IT spend per user tends to land between $4K and $20K depending on industry and company size.
Industry matters more than company size at the SMB level. A 50-person manufacturer and a 50-person law firm have very different IT budgets because regulation, data sensitivity, compliance obligations, and software complexity drive IT spend more than headcount does.
What the IT budget should cover
A defensible small business IT budget has six line items. Every budget has them whether they are named or not – “uncategorized IT” at 10% of the total usually means multiple of these are hiding inside it.
1. Support and labor
The people who keep IT working – whether they are employees, contractors, or a managed service provider.
If internal: fully-loaded cost of IT staff (salary + benefits + equipment + training + overhead). For a single IT person, this is typically $110K to $145K for an SMB mid-level hire.
If outsourced (MSP): monthly recurring fee, typically per-user or per-device. For a security-conscious SMB, $150 to $250 per user per month is a realistic range – $54K to $90K per year for a 30-person firm. The cost benchmark article breaks down what drives the range.
If hybrid: internal lead ($90K to $130K fully loaded) plus co-managed MSP ($80 to $150 per user per month). Common for businesses in the 75-to-150 employee range.
This is usually the single largest line item, making up 30% to 50% of the total IT budget.
2. Software and licensing
The recurring cost of the tools that run the business.
Productivity. Microsoft 365 or Google Workspace. Business Standard to Business Premium for most SMBs – $12.50 to $22 per user per month. For a 30-user firm, $4.5K to $8K per year.
Line-of-business applications. The EMR for healthcare, the legal practice management system for law firms, the CAD suite for engineering, the ERP for manufacturing. Often the single largest software cost. Budget what you pay today plus annual escalators (8% to 15% is common).
Collaboration and communication. Slack, Zoom, Teams (bundled with M365), dedicated phone systems. Usually $5 to $30 per user per month additional.
Specialized software. Accounting (QuickBooks, Sage, NetSuite), CRM (Salesforce, HubSpot), project management (Asana, Monday), design (Adobe Creative Cloud). Add them all. This is where “we only use a few things” turns into 15 subscriptions across the company.
Shadow IT. Software bought on individual credit cards without IT knowing. Estimate 10% to 25% of your total SaaS spend is shadow IT in an unmanaged environment. This is both a budget finding and a security finding.
Budget: 20% to 35% of total IT spend.
3. Hardware refresh
Devices have useful lives. Planning for replacement prevents emergency purchases at 20% markup when something dies.
Standard refresh cycles:
- Laptops and workstations: 3 to 4 years
- Servers: 5 to 7 years (or never if moving cloud-first – see “How much does cloud migration cost for a small business” for the budget alternative to a hardware refresh)
- Firewalls and switches: 5 to 7 years (the symptoms, vendor-support windows, and phased-refresh planning are in “When to replace your business network equipment”)
- Printers and peripherals: 4 to 6 years
- Monitors and docks: 5 to 7 years
- Mobile devices (if company-issued): 2 to 3 years
Annualized cost math. For 30 laptops at $1,800 each on a 3.5-year cycle, budget $15.4K per year for laptop refresh. Add docks, monitors, peripherals at roughly 30% of the laptop cost for a full setup. That is $20K per year in ongoing refresh for a 30-person business doing laptops only.
Servers and network gear. If you still have on-prem, amortize across useful life. A $25K server on a 6-year cycle is $4.2K per year. A $5K firewall on a 5-year cycle is $1K per year. These numbers are small but easy to forget in a budget cycle.
Hardware-as-a-service. Device-as-a-service models from vendors (Dell DaaS, Apple Business, HP DaaS) turn capex into opex and make budgeting more predictable. Worth considering if capital budget volatility is a problem.
Budget: 10% to 20% of total IT spend.
4. Security and compliance
Security is a separate line item, not a sub-category of other things. A budget without an explicit security line is a budget that underfunds security.
Baseline security spend:
- Endpoint protection (EDR): $5 to $12 per endpoint per month
- Email security (if beyond M365/Google defaults): $3 to $8 per user per month
- MFA platform (often bundled with identity provider)
- Backup and recovery tooling (listed separately below, but often bundled with security vendors)
- MDR or SOC services: $15 to $50 per user per month for managed detection and response
- Security awareness training: $2 to $6 per user per month
- Vulnerability scanning and penetration testing: $5K to $25K annually for SMBs
For a 30-user firm with a standard managed security stack, budget $45K to $75K per year in security tooling and services alone.
Compliance-specific spend:
- HIPAA-regulated businesses: add compliance audit/attestation ($10K to $30K annually depending on scope), BAA management, specialized training
- SOC 2: initial audit $25K to $75K depending on scope (Type I or Type II), annual recurring $15K to $40K
- PCI DSS: depends on merchant level; SAQ-only businesses often spend $5K to $15K annually, higher levels significantly more
- CMMC 2.0: initial assessment + remediation for defense contractors can run $50K to $250K one-time plus ongoing
- Cyber insurance: $5K to $50K annually for SMBs depending on revenue, industry, and controls
Budget: 15% to 30% of total IT spend, higher for regulated industries.
5. Backup and recovery
Separated from general security because it is operationally distinct and easy to underfund.
Cloud-first SMBs (M365/Google, no servers):
- Third-party M365 or Google backup: $3 to $6 per user per month
- For 30 users, $1.1K to $2.2K per year
- This is small – it gets cut from budgets and businesses regret it when a mass deletion happens
Businesses with on-prem infrastructure:
- Backup tooling licensing (Veeam, Datto, Acronis, Rubrik): $50 to $200 per protected VM or per TB
- Offsite/immutable storage: $0.02 to $0.05 per GB per month, with typical SMB storage needs of 1-10 TB
- Disaster recovery services (warm or hot standby): $500 to $5,000+ per month depending on RTO target
Testing. Backup testing is an operational line, not a capital line. Budget 5% to 10% of backup tooling cost in MSP or internal labor hours for quarterly restore tests. Untested backups are not really backups.
Budget: 2% to 8% of total IT spend. Smaller than other categories but unforgiving when underfunded.
6. Contingency and strategic
The budget line for the things you did not predict.
Unexpected hardware replacement. A failed server, a broken laptop not yet on refresh cycle, a firewall that needs replacing after a vendor sunset announcement. Budget 5% to 10% of the IT budget here.
Strategic projects. M365 tenant hardening, file server migration to SharePoint, moving an on-premises server to the cloud, rollout of a new line-of-business app, compliance remediation. These are one-time projects that sit outside the recurring budget. For a 30-person SMB, budget $20K to $50K per year for at least one strategic project annually.
Incident response. Even if you have cyber insurance, there are out-of-pocket costs in an incident – forensics gaps, deductibles, overtime, lost productivity. Budget $10K to $30K as a floor for incident-related spend for an SMB. If you never use it, it rolls to next year.
Budget: 5% to 15% of total IT spend.
A worked example: 30-person professional services firm
A law firm doing $6M annual revenue, 30 employees, no on-prem servers, M365, regulated data obligations. Budget at 7% of revenue, $420K.
| Category | Annual | % of IT budget |
|---|---|---|
| MSP (security-first, $200/user/month) | $72K | 17% |
| Microsoft 365 Business Premium | $8K | 2% |
| Legal practice management software | $36K | 9% |
| Other SaaS (CRM, document management, collaboration) | $18K | 4% |
| Laptop refresh (3.5 year cycle) | $20K | 5% |
| Peripherals and replacement budget | $6K | 1% |
| Security tooling (EDR, MDR, email security bundled) | $54K | 13% |
| Security awareness training | $2K | 1% |
| Backup (M365 + document storage) | $3K | 1% |
| Cyber insurance | $18K | 4% |
| Compliance (penetration test + attestation) | $20K | 5% |
| Strategic project budget (SharePoint migration, tenant hardening) | $30K | 7% |
| Contingency | $30K | 7% |
| Reserved / unallocated | $103K | 25% |
| Total | $420K | 100% |
The unallocated line is a feature, not a bug. It absorbs surprises (software price increases, unplanned compliance work, hardware failures, opportunistic spend on improvements). A budget tight enough to have no unallocated line is a budget that fails on first contact with reality.
The hidden IT costs that blow up budgets
The numbers above cover what shows up on the IT line. The hidden costs are larger than most business owners realize, and they are where budgets miss the target.
Downtime cost
When the file server is down, 30 people cannot work. Even a one-hour outage at $80-per-hour average fully-loaded labor cost is $2,400 in lost productivity alone, before counting missed work, client impact, or revenue hits.
Annual downtime for unmanaged SMB IT commonly runs 20 to 60 hours per year. For a 30-person firm at $80-per-hour, that is $48K to $144K in hidden productivity loss that does not appear on any invoice but represents real cost.
Managed IT cuts this materially. A reasonable target for managed SMBs is under 10 hours of unplanned downtime per year.
Shadow IT
SaaS purchased without IT oversight. Usually 10% to 25% of total SaaS spend in an unmanaged environment – so for $100K of visible SaaS, another $10K to $25K of unknown SaaS.
Why it matters: shadow IT is not just a cost issue. It is a security issue (no MFA, no data loss prevention, no offboarding when someone leaves), a compliance issue (customer data in unknown places), and a budget issue (duplicate subscriptions for similar tools).
IT budget cleanup projects regularly find 30% to 50% consolidation opportunities when shadow IT is audited. The money saved on consolidation usually funds the security tooling that prevents future shadow IT.
Manual workarounds
The accounting person who spends 2 hours every Tuesday reconciling data between two systems because there is no integration. The project manager who rebuilds a client report in Excel because the project tool does not produce it. The receptionist who manually copies appointments between systems.
These workarounds are invisible on the IT budget but represent real labor cost that should show up in IT spend planning. A good rule: for every hour-per-week of manual workaround, budget 20% of an hour of integration or automation investment per year to eliminate it. Most workarounds pay back within 6 months.
The cost of one IT person doing everything
A single internal IT hire cannot cover helpdesk, security, networking, compliance, and strategy simultaneously. Something will be neglected. The neglected work either never happens (creating risk) or creates additional external cost later (emergency consulting, incident response, compliance remediation).
The fully-loaded cost of a single IT hire for an SMB is $110K to $145K. If only 60% of what needs to happen is actually happening, the real operational cost (including the gaps) is often higher than a $100K MSP retainer that covers everything. This is the in-house vs MSP math in detail.
Emergency spend at crisis rates
Hardware bought same-day is 20% to 40% more expensive than planned purchases. Emergency consulting during an incident can run $400 to $800 per hour. Compliance remediation after a failed audit costs 2x to 4x what proactive compliance work would have cost.
Budgeting for planned IT work at $X almost always beats budgeting for reactive IT work at $0.5X plus incidents. The total cost of reactive IT, including the crisis spending and hidden costs, tends to be higher than well-structured managed IT.
How managed IT simplifies budgeting
One of the most underrated benefits of managed IT is budget predictability. For a CFO trying to plan a 12-month IT budget, the difference between “variable based on what breaks” and “known monthly recurring fee plus a defined project budget” is material.
What managed IT turns into predictable:
- Helpdesk and support (flat monthly fee)
- Endpoint protection and security tooling (per-user or bundled)
- Patch management and proactive maintenance (included)
- Monitoring and alerting (included)
- Basic backup and backup verification (included or separately priced)
- Most routine security work (included)
What still lives outside predictable:
- Hardware refresh (capital, planned quarterly or annually)
- Software licensing (recurring but owned by you)
- Strategic projects (quoted and scheduled separately)
- Line-of-business application costs (direct with vendor)
- Major infrastructure upgrades (project work)
- Compliance audits (usually annual, known timing)
For a 30-person SMB, about 50% to 60% of the IT budget becomes flat monthly recurring under a well-structured managed IT engagement. The remaining 40% to 50% is either planned (hardware refresh, compliance, licensing) or scheduled projects. Very little is truly unplanned, which is what CFOs actually want.
Building an IT budget from scratch
If you are doing this for the first time, or rebuilding a budget after years of ad-hoc spending, work through these steps in order.
1. Audit current spend. Pull 12 months of IT-related expenses from the accounting system. Include the obvious (MSP, software subscriptions, hardware) and the less obvious (consulting, incident response, emergency purchases). Categorize into the six line items above. This is usually eye-opening – most SMBs find they are spending 20% to 40% more than they thought because spend is scattered across categories.
2. Add the hidden costs. Estimate downtime hours, manual workaround hours, and shadow IT spend. Add them to the picture. These do not go in the budget directly, but they tell you where investments pay back.
3. Benchmark against industry. Compare your total to the industry percentage of revenue. If you are materially under, you probably have gaps. If you are materially over, you probably have duplication or inefficient sourcing.
4. Identify the gaps. For every line item, ask: is this getting funded? Are patches actually happening? Is backup tested? Is security real or theoretical? Gap items need budget allocated even if they were not in last year’s spend.
5. Build next year’s plan. For each category, project what next year’s spend needs to be. Account for headcount changes, known price increases, retiring hardware, planned projects, and contingency.
6. Pressure-test the budget. What happens if revenue comes in 20% below plan? What happens if a major incident hits in Q2? A budget that only works under perfect conditions is not a real budget. A defensible budget has some flex.
7. Map the budget to outcomes. For each category, what does this spend buy? “Security tooling: $60K” is less defensible than “Security tooling: $60K – EDR on all endpoints, MDR 24/7, email security, required for cyber insurance policy and HIPAA compliance.” Outcome-mapped budgets survive CFO scrutiny.
Common IT budget mistakes
Budgeting only for visible spend. Missing the hidden costs (downtime, workarounds, shadow IT) produces a budget that looks complete but actually underfunds reality.
Treating security as a subcategory. Security rolled into “general IT” is security that gets cut first when budgets tighten. Give it its own line.
Assuming the IT budget is fixed because last year’s was fixed. Microsoft raises licensing prices. Cyber insurance hardens. Hardware inflation is real. A flat IT budget year over year is almost always a real-terms cut.
Not funding backup testing. Backups are a budget line. Backup testing is an operational line. Untested backups are effectively unbudgeted recovery.
Deferring hardware refresh “one more year.” Each deferred year increases emergency replacement risk and creates a larger capital hit when replacement finally happens. Refresh cycles are cheaper than replacement cycles.
Under-funding contingency. Incidents happen. Projects overrun. Vendors raise prices mid-year. A 5% to 10% contingency line absorbs these without forcing mid-year reforecasting.
Budgeting for growth without IT growth. If headcount is growing 20%, IT spend is growing more than 20% (new hires need laptops, licenses, security tooling, and onboarding). Planning a flat IT budget against a growth year is a bad forecast.
Not distinguishing capital from recurring. Hardware capital and software recurring have very different budget dynamics. Mixing them makes the budget harder to evaluate and harder to adjust.
Budgeting triggers that signal a structural review
Sometimes the budget problem is not a budget problem – it is a structure problem. Signals that your IT spend needs a structural review, not just a line-item adjustment:
- IT spend is growing faster than revenue for three years running with no clear value increase
- Incident frequency is rising and “security” keeps asking for more money without visible outcome improvement
- Hardware refresh is being deferred year after year
- The business is growing but IT support is not scaling (same person, same MSP, same tooling)
- Compliance obligations are expanding faster than the security program
- Shadow IT is material and IT does not know what is running
- Backups are unverified, disaster recovery untested
- The MSP relationship has not produced measurable outcomes in 12 months
If the structural review conclusion is “wrong MSP,” the switching playbook covers the next steps. If the conclusion is “wrong structure – we need co-managed or in-house or something else,” that is a different conversation. If the structural review conclusion is “we do not actually know what we have,” a network assessment is usually the cheapest first step – it produces the inventory and findings list the next 12 to 24 months of budget should be planned against.
How Sequentur approaches IT budgeting with clients
Sequentur is a security-first MSP / MSSP for small and mid-sized businesses across the 15-to-250-employee range, including both general SMBs and regulated industries like healthcare, legal, financial services, and defense contractors. IT budgeting is a standing QBR topic with every client, and for multi-year engagements we help build the rolling 12-month budget during annual planning.
For existing clients, we deliver our recurring services for a known monthly fee, plus a forward-looking project roadmap with quoted scope and cost for strategic initiatives. Hardware refresh is tracked against your asset inventory and flagged 6 to 12 months before devices age out. Compliance spend is planned against the specific framework timelines. Security tooling costs are transparent at the line-item level – no opaque bundled “everything is $X” surprises.
If you are working on next year’s IT budget and want a structured walk-through, schedule a call. We will work through your six line items, identify the hidden-cost exposure, and benchmark your total against industry norms. No obligation, no pitch deck. If the conclusion is that your current setup is adequately budgeted and the right move is fine-tuning rather than restructuring, we will tell you that too.