At some point, you will be asked to explain the IT bill. Maybe it is the annual budget review. Maybe a new invoice looks different from last month's. Either way, if you are running the office for a small professional services firm, you want one clear answer: is what we are spending normal?
Here is a plain breakdown of how small firms — ten employees or fewer, running Microsoft 365 Business Premium — typically distribute their IT and security dollars, and where the spending tends to be misaligned.
Firms of this size typically spread IT and security spending across five areas: productivity licensing, managed IT services, backup and recovery, supplemental security tools, and cyber insurance. Most overspend on aging hardware and redundant software while underinvesting in backup, email security, and security awareness training. Microsoft 365 Business Premium, professionally managed, is the most defensible starting point for this firm size.
The five places your IT budget actually goes
Productivity licensing
For most small firms, this means Microsoft 365 Business Premium — email, Teams, Office apps, Intune for device management, and a meaningful set of built-in security tools including Defender for Business and Conditional Access (the Entra ID P1 feature the subscription includes). The security value here is frequently left unconfigured: none of these controls does anything until an administrator turns it on and scopes it to every user and device. If you are paying for Business Premium and MFA is not enforced firm-wide, or devices were never onboarded to Defender for Business, you are leaving included protection unused.
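One way to answer "is MFA actually enforced firm-wide?" in a Business Premium tenant is to ask the tenant rather than the invoice. The script below is an added example, not code from the article or from Microsoft; it assumes the Microsoft Graph PowerShell SDK is installed (Install-Module Microsoft.Graph) and that the signed-in account can consent to the read-only scopes it requests. It reports the security defaults setting, lists any enabled Conditional Access policy that requires MFA for all users on all cloud apps (with the accounts excluded from it, so break-glass accounts are visible), and then lists users who have not registered an MFA method, since a policy only bites for users who can satisfy it.

```powershell
# Added example (not from the article): audit whether MFA is enforced tenant-wide in a
# Microsoft 365 Business Premium tenant using the Microsoft Graph PowerShell SDK.
# Assumes: Install-Module Microsoft.Graph has been run, and the signed-in admin can
# consent to the read-only scopes below.
Connect-MgGraph -Scopes "Policy.Read.All", "UserAuthenticationMethod.Read.All", "AuditLog.Read.All" -NoWelcome

# 1. Security defaults: the simplest tenant-wide MFA switch. Tenants that use
#    Conditional Access normally have this turned off, so either answer can be fine
#    as long as step 2 finds a policy.
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security defaults enabled: $($defaults.IsEnabled)"

# 2. Conditional Access: find enabled policies that target all users and all cloud apps
#    and require MFA, either through the 'mfa' built-in grant control or through an
#    authentication strength policy.
$policies = Get-MgIdentityConditionalAccessPolicy -All
$mfaPolicies = foreach ($p in $policies) {
    $requiresMfa = ($p.GrantControls.BuiltInControls -contains "mfa") -or
                   ($null -ne $p.GrantControls.AuthenticationStrength.Id)
    $allUsers = $p.Conditions.Users.IncludeUsers -contains "All"
    $allApps  = $p.Conditions.Applications.IncludeApplications -contains "All"
    if ($p.State -eq "enabled" -and $requiresMfa -and $allUsers -and $allApps) {
        [pscustomobject]@{
            Policy        = $p.DisplayName
            # Excluded object IDs should be a short, known list (break-glass accounts only).
            ExcludedUsers = ($p.Conditions.Users.ExcludeUsers -join ", ")
        }
    }
}
if ($mfaPolicies) { $mfaPolicies | Format-Table -AutoSize }
else { "No enabled Conditional Access policy requires MFA for all users on all cloud apps." }

# 3. Registration: users with no registered MFA method are the ones to chase before
#    (or immediately after) enforcement; admins in this list are the priority.
Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { -not $_.IsMfaRegistered } |
    Select-Object UserPrincipalName, IsAdmin |
    Format-Table -AutoSize
```

If step 1 reports false and step 2 prints the "No enabled ... policy" line, the tenant is paying for MFA enforcement and not getting it. A policy in "enabledForReportingButNotEnforced" (report-only) state is deliberately not counted here, because report-only policies do not block sign-ins.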
Managed IT services
A managed service provider handles patching, monitoring, device management, and helpdesk support for a flat monthly per-user fee. For a firm of this size, this is one of the highest-leverage purchases in the budget. The logic that it is cheaper to handle IT in-house rarely holds up once you account for the employee hours spent troubleshooting, delayed fixes, unpatched systems, and the near-certain loss of institutional knowledge if the person managing it leaves.
Backup and recovery
This line item is consistently underweighted. Microsoft 365 includes data retention settings, but retention is not backup. Retained copies live in the same tenant, under the same administrator accounts, as the live data: an attacker who obtains admin rights, or an admin who shortens or deletes a retention policy, affects both at once, and retention gives you no way to roll a whole mailbox or document library back to a known-good point before a ransomware event or a mass deletion. Email, SharePoint files, and OneDrive data each need a separate cloud-to-cloud backup that creates point-in-time snapshots you can actually restore from, and that restore should be tested, not assumed. If backup does not appear on your current IT invoices, that is the first gap to close — ahead of almost anything else.
Security tools beyond the platform
Business Premium's built-in protections are solid for the price, but there are gaps. Exchange Online Protection handles a significant volume of threats, but not all of them. A dedicated email security layer, DNS filtering, and dark web monitoring for compromised employee credentials each address what the base subscription does not fully cover. None of these are large line items. Most small firms simply have not added them.
Cyber insurance
Premiums for small professional services firms vary by revenue, industry, and the security controls you can document at application time. Firms that can hand an insurer evidence of enforced MFA, active endpoint protection, and a tested backup policy tend to pay less and face fewer disputes at claim time. A qualified MSP should be the one supplying that documentation on your behalf.
Where small firms overspend
- Aging hardware. Laptops running past their practical useful life cost more in support time and security exposure than they save on the asset side. Once a device stops receiving operating system security updates, it is a liability, not an asset.
- Redundant software subscriptions. Most small firms carry two or three SaaS tools that duplicate something already included in Microsoft 365. A short audit almost always finds the overlap.
- Break-fix IT support. Per-incident billing feels controllable. Over 12 months it rarely is — and it produces no ongoing monitoring, no documentation, and no accountability between service calls.
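The "aging hardware" point above has a concrete test: which managed devices are on an operating system that no longer receives security updates, and which have stopped checking in at all (and so are not being patched or monitored, whatever the invoice says). The script below is an added example, not the article's own tooling; it assumes the Microsoft Graph PowerShell SDK, an account that can consent to the read-only Intune scope, and that the firm's devices are enrolled in Intune, which Business Premium includes. The 30-day staleness threshold is an assumption to adjust for your own patch cadence.

```powershell
# Added example (not from the article): list Intune-managed devices that are on an
# unsupported Windows release or have gone quiet. Assumes the Microsoft Graph
# PowerShell SDK and an admin who can consent to the read-only scope below.
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All" -NoWelcome

$staleAfterDays = 30   # assumption: a laptop silent this long is not being patched or monitored
$cutoff = (Get-Date).AddDays(-$staleAfterDays)

$report = Get-MgDeviceManagementManagedDevice -All | ForEach-Object {
    $build = $null
    # Intune reports Windows versions as e.g. 10.0.19045.5011 (Windows 10) or
    # 10.0.22631.4317 (Windows 11); the third field is the build number.
    if ($_.OperatingSystem -eq "Windows" -and $_.OsVersion -match '^\d+\.\d+\.(\d+)') {
        $build = [int]$Matches[1]
    }
    [pscustomobject]@{
        Device      = $_.DeviceName
        User        = $_.UserPrincipalName
        OS          = $_.OperatingSystem
        Version     = $_.OsVersion
        # Windows 10 (builds below 22000) stopped receiving security updates on
        # 14 October 2025 unless the device is enrolled in Extended Security Updates,
        # so this flag is a "check this device" signal rather than a verdict.
        Unsupported = ($null -ne $build -and $build -lt 22000)
        LastSync    = $_.LastSyncDateTime
        Stale       = ($_.LastSyncDateTime -lt $cutoff)
        Compliance  = $_.ComplianceState
    }
}

"Windows devices on a release that no longer receives security updates:"
$report | Where-Object Unsupported | Format-Table Device, User, Version, LastSync -AutoSize

"Devices that have not checked in for $staleAfterDays days:"
$report | Where-Object Stale | Format-Table Device, User, LastSync, Compliance -AutoSize
```

Devices in the first list are the hardware refresh candidates the budget should prioritise; devices in the second list are worth raising with the MSP, because a managed endpoint that never reports in is not being managed.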