How Much Should a Small Business Spend on IT?
A Realistic Guide

Not vague "it depends" advice. Real numbers, real categories, and a practical framework you can actually use to build your IT budget.

The Question Every Business Owner Asks

If you've ever Googled "how much should I spend on IT," you probably got a lot of answers that boiled down to "it depends." Which is technically true but completely useless when you're trying to build a budget.

So let me give you something better. After 30+ years of helping small businesses with their technology, I'm going to break down what IT actually costs, category by category, with real numbers. These aren't pulled from some analyst report about Fortune 500 companies. They're based on what I see every day working with businesses that have 10 to 100 employees.

Here's the uncomfortable truth up front: good IT costs money. But bad IT costs more. The businesses that try to spend as little as possible on technology inevitably end up spending more — they just spend it in the worst possible ways: emergency repairs, data recovery, lost productivity, and the occasional disaster that could have been prevented for a fraction of the cost.

Let's break it down.

What Does "Normal" Look Like?

For most small businesses, total IT spending (everything included) falls somewhere between 3% and 7% of annual revenue. Where you land in that range depends on how technology-dependent your business is.

A construction company with 20 employees who mostly use email and a shared drive? Closer to 3%. A professional services firm with 50 employees who live in cloud applications, share sensitive client data, and need to be reachable 24/7? Closer to 6-7%.

In dollar terms, for a business doing $1 million to $5 million in annual revenue, you're typically looking at $50,000 to $200,000 per year in total IT spending. That covers hardware, software, support, security, backups, and internet — everything.

If that number feels high, keep reading. Once you see what's actually included, it usually makes sense. And if you're currently spending significantly less than that, it's worth asking yourself what you might be leaving exposed.

Hardware: Computers, Servers, and Networking Equipment

Hardware is the most visible IT cost, and it's the one most business owners think about first. But it's also the one where a lot of businesses make mistakes — either by buying too cheap and replacing things constantly, or by over-spending on equipment they don't need.

Employee workstations (laptops/desktops): Plan on $800 to $1,500 per machine for business-grade equipment. Consumer-grade laptops from big box stores are tempting because they're cheaper, but they're built to last 2-3 years. Business-grade machines from manufacturers like Dell, Lenovo, or HP typically last 4-5 years and come with better warranties and support. Do the math — the business-grade machine is almost always cheaper over its lifetime.

Servers: If you're running on-premises servers, plan for $3,000 to $10,000 per server, depending on specs. Servers should be replaced every 5-7 years. And remember, you can dramatically reduce software licensing costs here by using open source platforms like Proxmox VE instead of VMware or Windows Server. We've written about that in detail.

Networking equipment: Switches, firewalls, wireless access points, and cabling. A solid small business network setup runs $2,000 to $10,000 depending on the size of your office and how many people you have. This equipment lasts 5-8 years when properly maintained.

Budget rule of thumb: Set aside roughly $1,000 to $2,000 per employee per year for hardware lifecycle costs. This accounts for regular replacement cycles so you're never caught off guard by a wave of aging equipment all dying at once.

Software and Licensing

This is the category that's been growing the fastest and causing the most sticker shock. The shift to subscription-based software means you're paying monthly or annually for tools that you used to buy once.

Microsoft 365: The backbone of most small businesses. Plan for $12 to $22 per user per month (Business Basic through Business Premium). For a 25-person company, that's $3,600 to $6,600 per year just for Microsoft.

Line-of-business applications: Your industry-specific software — accounting (QuickBooks, Sage), CRM (Salesforce, HubSpot), project management, EHR systems, etc. These vary wildly, but most businesses spend $100 to $500 per user per year on these tools.

Server software licensing: If you're running VMware, Windows Server, or SQL Server, these licenses can be shockingly expensive. VMware alone can cost $5,000 to $20,000+ per year for a small business after Broadcom's price changes. This is an area where open source alternatives can save you a fortune.

The common mistake: Paying for software licenses you don't use. I can't tell you how many times I've audited a small business's software subscriptions and found thousands of dollars per year going to licenses for employees who left, tools nobody uses, or tiers that are way more than what's needed. Do a subscription audit at least once a year.

Budget rule of thumb: Plan for $150 to $400 per employee per month in total software costs, including Microsoft 365, security tools, and line-of-business applications.

IT Support and Management

This is the cost of having someone actually manage, maintain, and fix your technology. There are a few models:

Break-fix (hourly): You call someone when things break. Typical rates are $100 to $200 per hour. This feels cheaper because you're not paying a monthly fee, but it's almost always more expensive in practice because you only call when there's already a problem — and problems that could have been prevented end up costing you in both repair bills and downtime.

Managed IT services (monthly): You pay a flat monthly fee and your IT provider handles everything proactively — monitoring, maintenance, help desk, security patching, and strategic planning. Typical pricing is $100 to $250 per employee per month for a comprehensive managed service. For a 25-person company, that's $2,500 to $6,250 per month.

Internal IT staff: Hiring your own IT person typically costs $50,000 to $80,000+ per year in salary, plus benefits, training, and tools. This makes sense at a certain size (usually 50+ employees), but for smaller businesses, a managed service provider gives you a full team's worth of expertise for less than the cost of one full-time employee.

The common mistake: Choosing break-fix because it looks cheaper on paper. The math almost never works out. Proactive management prevents expensive emergencies, and the downtime avoided more than pays for the monthly fee. I've seen businesses lose more in a single day of downtime than they would have spent on managed IT for an entire year.

Security

This is the category where businesses consistently under-spend, and it's the one that can hurt you the most. The average cost of a data breach for a small business is over $150,000 — and that's if you survive it. Many don't.

Endpoint protection (antivirus/EDR): $3 to $10 per device per month. This is non-negotiable. Every computer and server needs proper security software, and the free stuff isn't sufficient for a business environment.

Email security: $2 to $5 per user per month for advanced threat protection, phishing filtering, and email encryption beyond what Microsoft includes. Email is the number one attack vector for small businesses.

Firewall: A proper business-grade firewall costs $500 to $3,000 for the hardware, plus $200 to $1,000 per year for security subscription updates (threat intelligence, content filtering, etc.). Your home router doesn't count.

Backup (including M365 backup): $3 to $10 per user per month for cloud backup services. On-premises backup solutions vary, but budget $2,000 to $5,000 for hardware and software. This overlaps with the next category, but I'm including it here because backups are fundamentally a security measure.

Security awareness training: $2 to $5 per user per month. Teaches your employees to recognize phishing, social engineering, and other attacks. This is one of the highest-ROI security investments you can make, because most breaches start with a human clicking something they shouldn't have.

Dark web monitoring and incident response planning: $1 to $3 per user per month for monitoring. Incident response planning is usually included in a managed IT relationship or available as a one-time engagement.

Budget rule of thumb: Plan for $15 to $40 per employee per month for a solid security stack. If you're in a regulated industry (healthcare, finance, legal), plan for the higher end.

Backups and Disaster Recovery

I listed some backup costs under security, but disaster recovery is broader than just "do we have a copy of our files." It's about how quickly you can get back to business after something goes wrong.

Local backup: An on-site backup appliance or NAS device typically costs $2,000 to $8,000, plus ongoing storage costs. This gets you fast restores for everyday issues.

Offsite/cloud backup: $100 to $500+ per month depending on how much data you have. This protects you against physical disasters (fire, flood, theft) that would destroy both your servers and your local backups.

Microsoft 365 backup: $2 to $7 per user per month. As I've written about in detail, Microsoft does not back up your data. You need a separate solution for this.

Disaster recovery planning and testing: This is often included in a managed IT relationship. If you're paying for it separately, expect $1,000 to $5,000 for initial planning and $500 to $2,000 annually for testing.

The common mistake: Having backups but never testing them. I've seen businesses that religiously ran backups for years, only to discover during an actual disaster that the backups were corrupt, incomplete, or couldn't be restored in a reasonable timeframe. If you're not testing your restores at least quarterly, you don't really know if your backups work.

Internet and Connectivity

With so many business applications running in the cloud, your internet connection is now critical infrastructure. A reliable connection isn't a nice-to-have — it's a necessity.

Business internet service: $100 to $500 per month for a reliable business-grade connection with decent upload speeds and an SLA (service level agreement). Business-grade internet costs more than residential, but it comes with guaranteed uptime, faster repair response, and static IP addresses you'll need for VPN and remote access.

Redundant connection: $50 to $200 per month for a secondary internet connection (LTE/5G failover or a second ISP). If your primary connection goes down and your team can't access email, cloud applications, or phone systems, how much does that cost you per hour? For most businesses, a backup connection pays for itself the first time you need it.

The common mistake: Running your entire business on a residential internet connection because it's cheaper. Residential ISPs don't guarantee uptime, they don't prioritize business customers for repairs, and they often have upload speeds that are a fraction of download speeds. When 25 people are all on video calls while syncing files to OneDrive, that matters.

A Simple Framework for Your IT Budget

Here's the framework I walk my clients through. It's not complicated, but it works.

Step 1: Start with what you're spending now. Most businesses don't actually know their total IT spend because it's spread across different vendors, credit cards, and budget lines. Pull it all together into one list. Every subscription, every hardware purchase, every support invoice, every internet bill. You'll probably be surprised by the total.

Step 2: Categorize your spending. Use the categories above. Where is your money actually going? Most businesses find they're over-spending on software licensing and under-spending on security and backups. That's a dangerous imbalance.

Step 3: Identify your gaps. Compare what you're spending against the ranges I've outlined. Are you spending nothing on security training? That's a gap. Do you have no Microsoft 365 backup? That's a gap. Is all your hardware more than five years old? That's a ticking time bomb.

Step 4: Build a 3-year plan. IT spending isn't just about this year. Hardware has replacement cycles. Software licenses come up for renewal. Servers age out. Build a simple spreadsheet that forecasts your IT costs over the next three years so you can see big expenses coming and budget for them ahead of time instead of getting blindsided.

Step 5: Prioritize ruthlessly. You probably can't fix everything at once. That's fine. Prioritize based on risk. Security gaps and backup gaps come first — because those are the ones that can actually threaten your business. Hardware refreshes and nice-to-have software can wait if they need to.

The Most Expensive Mistakes I See

Spending too little on security. This is number one. I've seen businesses that spend $200,000 on IT and allocate virtually nothing to security. When they get hit with ransomware, the recovery costs more than everything they've spent on IT in the past five years combined. Security is not optional. It's the foundation.

Spending too much on software licensing. Paying retail for VMware, Windows Server, and other enterprise software when open source alternatives do the same job for free. Paying for Microsoft 365 E5 licenses when Business Premium would work. Paying for seats for employees who left six months ago. Audit your licenses and challenge every cost.

Treating IT as a cost to minimize instead of an investment to optimize. The businesses that get the best return on their IT spending aren't the ones who spend the least. They're the ones who spend strategically. They invest in reliability, security, and good support — and they avoid the expensive emergencies that plague businesses who try to cut corners.

Not budgeting for hardware replacement. Equipment wears out on a predictable schedule. If you're not setting aside money for replacements, you'll eventually face a year where everything dies at once and you need $50,000 you don't have. Spread the cost over time by planning ahead.

Paying for break-fix when managed services would be cheaper. Do the math on your break-fix invoices from the last two years. Add up the cost of downtime when you were waiting for a callback. Add the productivity lost to recurring problems that never got properly fixed. Then compare that total to what a managed IT provider would charge. For most businesses, the managed approach costs less and delivers dramatically better results.

Good IT Costs Money. Bad IT Costs More.

I'm not going to pretend that IT is cheap. It's a real line item, and for a small business watching every dollar, it can feel like a lot. But the alternative — underfunded, neglected, break-fix IT — is a false economy that costs you more in the long run through downtime, data loss, security incidents, and missed opportunities.

The goal isn't to spend as much as possible on IT. The goal is to spend the right amount, in the right places, so that your technology supports your business instead of holding it back. That means investing in security, maintaining your hardware, backing up your data, and having a partner who's looking out for you proactively — not just waiting for the phone to ring.

If you can build a budget that covers the essentials I've outlined here, keeps your hardware on a lifecycle, and includes someone who's actually watching your systems and thinking ahead, you're in good shape. It doesn't have to be perfect on day one. It just has to be intentional.
