
How much should your business spend on IT? A budget framework for SMEs

Most SMEs spend 1–2% of revenue on IT. Industry benchmarks for professional services put the appropriate figure at 4–7%. The gap between what is spent and what is needed sits mostly in security, hardware planning, and support. This guide provides a framework for building a defensible IT budget from scratch.

Cyvra Team
IT Management
29 May 2026
Key takeaways
  • Industry benchmarks put IT spend at 4–7% of revenue for professional services; most SMEs in those sectors spend 1–2%
  • IT spending falls into five categories: hardware, software, connectivity, support, and security
  • A 4–5 year hardware refresh cycle costs less per year than emergency replacements after failure
  • Flexera data shows 25% of SaaS licences in surveyed organisations go unused; a licence audit typically pays for itself
  • Security should represent 15–20% of total IT spend; most SMEs spend under 5%

Why IT budgets are routinely underfunded

Most SMEs treat IT spending as reactive. Hardware fails and gets replaced. Software licences auto-renew. A new hire needs a laptop. Nobody adds these costs up, nobody plans for the cycle, and nobody asks whether the spending matches what the business actually needs.

The result is persistent underinvestment in prevention, combined with unpredictable spikes when things fail. A business that spends nothing on preventive maintenance for three years can face a single incident that costs more than three years of proper investment would have. The economics of reactive IT are consistently worse than planned IT, but the comparison is invisible until something breaks.

The calculation is also distorted by how IT spending looks on a budget line. Security tooling, monitoring, and proactive maintenance produce no visible return in a normal year. The return appears only when something bad does not happen, which nobody notices. This makes IT budgets easy targets for cost reduction until a breach, a ransomware attack, or a prolonged system outage changes the conversation.

Industry benchmarks

Gartner and Spiceworks publish annual IT spending surveys covering sector benchmarks. These vary by industry because IT intensity, regulatory requirements, and risk profiles differ.

  1. Professional services: 4–7% of revenue (consulting, law, accounting, recruitment). High IT intensity, compliance exposure, and client data handling justify the higher range.
  2. Financial services: 6–10% of revenue (banking, insurance, asset management). Regulatory requirements under DORA, FCA rules, and data protection obligations push spend higher.
  3. Healthcare: 5–8% of revenue. Patient data, clinical systems, and GDPR exposure for health data create above-average security and compliance requirements.
  4. Manufacturing and logistics: 2–4% of revenue. Lower IT intensity in many operations, but OT and supply chain systems can push requirements higher in specific contexts.
  5. Retail and hospitality: 2–4% of revenue. POS systems, property management, and payment card handling create specific security requirements even at lower overall spend levels.

The benchmark is a floor, not a target

Benchmarks describe what peer organisations spend on average, not what your business needs. A law firm handling sensitive client data under Legal Professional Privilege has higher security requirements than the benchmark implies. Use the benchmark to start the conversation with leadership, not to end it. If your current spend is below the floor, the question is what you are not covering.

The five spending categories

A structured IT budget covers five distinct areas. Each has different characteristics in terms of when costs land, how they grow, and what happens when they are underfunded.

Hardware (25–35% of IT spend). Physical equipment: laptops, desktops, servers, network switches, firewalls, phones, and peripherals. Hardware costs are lumpy: they land in peaks when refresh cycles complete or when emergencies force replacement before the planned date.

Software and licensing (25–30%). Microsoft 365 or Google Workspace, accounting and ERP software, CRM, security tools, and specialist applications. SaaS licences grow with headcount and are difficult to reduce once staff are dependent on them.

Connectivity and infrastructure (8–12%). Internet connections, leased lines, VPN infrastructure, and cloud hosting. Generally stable and predictable, but cloud costs can grow without a governance policy.

Support and managed services (15–25%). Help desk, managed service provider fees, monitoring, maintenance contracts, and warranty support. This is the most variable category depending on whether support is in-house, outsourced, or hybrid.

Security (15–20%). Endpoint protection, backup services, identity management, vulnerability scanning, and security awareness training. The category most commonly underfunded, and the one where gaps create the most expensive consequences.

  • 25% of SaaS licences go unused in surveyed organisations, Flexera 2025
  • 4–7% of revenue: IT benchmark for professional services firms
  • 15–20%: security's recommended share of total IT budget

Hardware refresh cycles

Every device has a productive lifespan. Running hardware beyond it costs more in support time, user productivity loss, and unplanned replacement than the money saved by delaying the refresh.

Business laptops: 4–5 year refresh cycle. After five years, battery life degrades, performance under current software loads deteriorates, and driver support for newer peripherals becomes inconsistent. Users tolerate the decline without reporting it, but the lost time is a real cost.

On-premises servers: 5–7 years. After seven years, hardware support contracts become expensive or unavailable, and single points of hardware failure become more probable.

Network equipment (switches, firewalls): 5–7 years. Firewalls carry an additional consideration: vendor firmware support windows. A firewall running unsupported firmware creates a security gap equivalent to running an unsupported operating system. Check your firewall vendor's end-of-support schedule as part of the IT asset inventory.

For a 50-person business with 55 laptops at an average replacement cost of €1,400, a 4-year refresh cycle is €55,000 in capex spread over four years, or roughly €14,000 per year. Most businesses do not plan for this and then absorb the full cost as a crisis when multiple devices fail in the same period.

The software licensing audit you have not done

Most organisations have no accurate picture of what software licences they pay for, what is used, and whether the two figures match. Flexera's 2025 State of the Cloud report found that 25% of SaaS licences in surveyed organisations were unused. For a 50-person business paying €120 per user per month across all SaaS tools, that is €450 per month going to vendors for licences nobody uses.

The audit has three components: what you pay for (pull all licence agreements and subscription invoices), who uses it (check last-login dates in admin consoles), and whether you need it (ask team leads what they rely on). Duplicate tools are common in growing businesses: two departments using different project management applications, two teams with overlapping CRM and spreadsheet workflows.

Conduct this audit annually and set calendar reminders 90 days before any major contract renewal. Decisions made under auto-renewal pressure are rarely the right ones.

Building your budget

Step 1: Hardware inventory. List every device, its age, its replacement value, and when it should be replaced. Build a year-by-year forecast for the next three years. The irregular pattern this reveals is why IT budgets need multi-year planning rather than annual line-item approvals.

Step 2: Software audit. Document every licence and subscription, compare against usage, and eliminate or consolidate what is not being used.

Step 3: Support baseline. Document your current support costs at fully-loaded rates or get current quotes from MSPs. Include contracts approaching renewal.

Step 4: Security baseline. At minimum for a 50-person business: endpoint protection with EDR capabilities, backup to immutable off-site storage with quarterly restoration tests, Microsoft Entra ID P1 for identity management and MFA, and annual security awareness training for all staff. This runs €10,000–18,000 per year at current market rates. If your current security spend is below €5,000 per year for 50 users, the gap is the most pressing budget conversation to have.

Step 5: Three-year forecast. Combine the five categories for each of the next three years. The result shows lumpy hardware capex, steady software and connectivity spend, and growing security spend. This three-year view is the document that makes the conversation with leadership or a board straightforward rather than contentious.

IT budget conversations become straightforward when you present the spend as infrastructure, not IT.

Frequently asked questions

Our business is growing. Should we budget IT based on current revenue or projected revenue?

Budget on current revenue for the baseline and add a growth buffer for areas that must scale with headcount: licences, devices, and support capacity. If you plan to hire 20 people in the next 12 months, cost the IT for those roles explicitly. Hardware procurement has lead time, licensing needs to be ordered in advance, and support capacity must be contracted before it is needed. Plan the IT budget on the headcount you expect to have at year end, not the headcount you have today.

We are spending above the benchmark. Does that mean we are overspending?

Not necessarily. Benchmarks describe what peer organisations spend on average, not what a specific business needs. A firm handling sensitive data, operating in a regulated sector, or recovering from a security incident may be spending above the benchmark deliberately and correctly. The question is whether the spend is planned and productive. If you are above benchmark and cannot describe what the extra spend covers, that is worth investigating. If you can describe it, the benchmark does not matter.

Should we buy hardware outright or lease it?

Leasing converts lumpy capital expenditure into a predictable monthly operating cost, which helps with budgeting and aligns the refresh cycle with the lease term. The total cost over the lease period is higher than buying outright, but the cash flow profile is more manageable for growing businesses. Buying outright is more cost-effective over the life of the asset but requires capital and the discipline to set aside a refresh reserve. Either model works; what matters is having a documented refresh plan with the funds to execute it.

What is a reasonable first-year budget if we have never done formal IT budgeting before?

Start with a current-state audit: list every software subscription, every support contract, every hardware asset and its age, and every IT-related cost line. You will find costs you did not know existed and costs you pay for things you no longer use. Once you have an accurate picture, categorise it into the five areas and identify the largest gaps against your operational needs, typically security and hardware refresh planning. A formal first-year budget is current spend plus the cost of filling those gaps, documented and approved by leadership.


Disclaimer: This article is for general informational purposes only and does not constitute legal, regulatory, or professional advice. Cyvra makes no warranty as to the accuracy or completeness of this content, which may not reflect the most current regulatory developments. Readers should seek independent legal and regulatory advice appropriate to their specific circumstances. Cyvra accepts no liability for any loss arising from reliance on this content.