What are small businesses actually spending on IT? How many have MFA? What do MSPs charge, and how far above market is yours? This is the data your IT provider doesn't publish — benchmarks from 2,400+ small and mid-size businesses across regulated industries.
How much do small businesses actually spend on IT — and how does it vary by company size, industry, and compliance requirement?
| Company Size | Monthly IT Spend, Low (25th pct.) | Monthly IT Spend, Median | Monthly IT Spend, High (75th pct.) | Per-User Median ($/user/month) |
|---|---|---|---|---|
| 1–10 employees | $400 | $900 | $1,800 | $120 |
| 11–25 employees | $1,400 | $2,600 | $4,200 | $140 |
| 26–50 employees | $3,200 | $6,100 | $9,800 | $155 |
| 51–100 employees | $6,800 | $12,400 | $19,500 | $160 |
| 101–250 employees | $14,000 | $26,000 | $44,000 | $170 |

| Industry | Median $/User/Month | Compliance Driver | vs. Average |
|---|---|---|---|
| Healthcare | $210 | HIPAA | +31% |
| Financial Services (RIA/BD) | $225 | SEC/FINRA/GLBA | +40% |
| Legal | $185 | ABA Rules/State Bar | +16% |
| Government Contractors | $240 | CMMC/DFARS | +50% |
| Manufacturing | $155 | ISO, OT/IT | -3% |
| Construction | $130 | Insurance requirements | -19% |
| Accounting/CPA | $175 | FTC Safeguards Rule | +9% |
| Nonprofit | $95 | Grant compliance | -41% |
How protected are small businesses, really? These numbers reveal the gap between what business owners believe about their security and what their IT environments actually show.
| Business Type | MFA on Email | MFA on Remote Access | MFA on All Systems |
|---|---|---|---|
| Healthcare practices | 61% | 54% | 28% |
| Law firms | 49% | 41% | 19% |
| CPA firms | 44% | 38% | 16% |
| Financial advisers (RIA/BD) | 72% | 65% | 38% |
| Manufacturers | 35% | 29% | 11% |
| Construction companies | 28% | 21% | 8% |
| General small business | 43% | 34% | 17% |

| Training Practice | % of SMBs |
|---|---|
| Annual security awareness training (documented) | 38% |
| Phishing simulation testing in past 12 months | 22% |
| New employee security onboarding | 31% |
| Written information security policy (WISP) | 27% |
| Incident response plan (written) | 19% |
What do managed IT services actually cost in 2026? These benchmarks are based on actual MSP agreements — not rack rates or what providers advertise.
| Tier | What's Included | 25th Pct. ($/user/month) | Median ($/user/month) | 75th Pct. ($/user/month) |
|---|---|---|---|---|
| Basic monitoring only | RMM, alerts, patch management | $35 | $55 | $80 |
| Managed IT (standard) | Above + helpdesk, antivirus, backup monitoring | $85 | $125 | $165 |
| Managed IT + security | Above + EDR, email security, security training | $130 | $165 | $210 |
| Full managed + compliance | Above + compliance reporting, vCISO, risk assessments | $185 | $240 | $320 |

| Add-On Factor | Typical Premium |
|---|---|
| HIPAA compliance documentation and BAA management | +$20–40/user/month |
| CMMC Level 2 compliance support | +$40–80/user/month |
| 24/7 SOC monitoring (not just business hours helpdesk) | +$25–50/user/month |
| On-site technician hours included | +$15–35/user/month |
| Microsoft 365 GCC (instead of commercial) | +$10–20/user/month |
| vCISO services (fractional CISO) | +$30–100/user/month |
How do IT profiles differ by sector? These findings reflect the distinct technology, compliance, and risk environments of each industry.
| Healthcare Practice Metric | Finding |
|---|---|
| Median IT spend/physician/month | $380 |
| % with written BAAs for all cloud vendors | 44% |
| % with tested backup restoration | 31% |
| % with medical device network segmentation | 26% |
| Most common EHR platform (small practices) | athenahealth (28%), eClinicalWorks (22%), Epic (18%) |
| Average time to detect a breach (reported incidents) | 62 days |

| Law Firm Metric | Finding |
|---|---|
| Median IT spend/attorney/month | $295 |
| % using cloud-based practice management | 63% (Clio 31%, MyCase 18%, Other 14%) |
| % with MFA on practice management software | 41% |
| % with documented offboarding procedure | 34% |
| % with written IT/data security policy | 29% |
| Most common breach vector (reported incidents) | Email compromise (48%), Lost/stolen device (22%) |

| Financial Advisory Firm (RIA/BD) Metric | Finding |
|---|---|
| Median IT spend/advisor/month | $340 |
| % with SEC 17a-4 compliant email archiving | 61% |
| % with tested BCP (annual test documented) | 47% |
| % with written cybersecurity policy (post-2023 rules) | 54% |
| Most common CRM | Redtail (34%), Salesforce (22%), Wealthbox (19%) |
| Most costly incident type | Wire fraud / BEC (median loss $187,000) |

| Manufacturer Metric | Finding |
|---|---|
| Median IT spend/employee/month | $155 |
| % with documented OT/IT network segmentation | 22% |
| % with complete IIoT device inventory | 31% |
| ERP platform in use (most common) | Epicor (28%), SAP (18%), Sage (16%) |
| % with CMMC compliance requirement | 34% (defense supply chain) |
| Average production downtime per ransomware incident | 8.4 days |
Based on IT assessments conducted through SerenIT's free tools, these are the gaps that appear most consistently — across industries and company sizes.
MFA not enforced. Found in 57% of assessments. The single highest-impact missing control. Business email compromise (wire fraud, credential theft) is almost entirely preventable with MFA. Cost to fix: $0 (included in Microsoft 365 and Google Workspace).
Untested backups. Found in 71% of assessments. The organization believes it has a backup but has never confirmed that it actually restores. When the backup is needed, they discover it has been failing for months.
Orphaned accounts of departed staff. Found in 48% of assessments. Staff who left months or years ago still have active accounts in cloud platforms — email, CRM, file storage, or practice management. Often discovered only when an incident occurs.
No EDR (traditional antivirus only). Found in 69% of assessments. Traditional antivirus is insufficient against modern ransomware. EDR tools provide behavioral detection that stops ransomware before encryption begins — and are now required by most cyber insurance carriers.
Unmanaged personal devices accessing business data. Found in 61% of assessments. Staff access business email, client files, or practice management software on personal phones and laptops. Those devices aren't managed, can't be remotely wiped, and create data exposure when lost or stolen.
Unpatched systems with known vulnerabilities. Found in 54% of assessments. Workstations or servers running OS or application versions with known, publicly disclosed vulnerabilities. The average time between a vulnerability disclosure and mass exploitation is under 15 days.
No written incident response plan. Found in 81% of assessments. When a breach occurs, organizations without a written plan waste critical hours deciding who to call, what to preserve, and what to report — time that determines whether a breach becomes a catastrophe.
Missing business associate agreements (BAAs). Found in 56% of healthcare assessments. Cloud vendors who handle PHI (cloud fax, document management, email archiving) must have signed BAAs. Missing BAAs are a direct HIPAA violation — separate from any breach.
RDP exposed to the internet. Found in 38% of assessments. Remote Desktop Protocol accessible from the internet is the most commonly exploited entry point for ransomware. Automated scanning identifies exposed RDP within hours of it being opened.
No cyber liability insurance. Found in 44% of assessments. The median cost of a small business data breach is $164,000 — notification, forensics, legal, remediation. Cyber liability insurance covering these costs typically costs $1,500–$8,000/year for an SMB.
What's actually happening when SMBs experience cyber incidents? These figures are drawn from reported incidents among survey respondents.
| Incident Type | % of Reported Incidents | Median Cost |
|---|---|---|
| Business email compromise / wire fraud | 34% | $187,000 |
| Ransomware | 28% | $312,000 |
| Data theft / exfiltration | 18% | $94,000 |
| Phishing credential harvest (no BEC) | 12% | $22,000 |
| Lost / stolen device | 8% | $18,000 |

| Ransomware Recovery Method | % of Cases | Avg. Downtime | Avg. Recovery Cost |
|---|---|---|---|
| Restored from tested, air-gapped backup | 18% | 1.8 days | $28,000 |
| Restored from cloud/online backup (not air-gapped) | 31% | 4.2 days | $67,000 |
| Paid ransom + partial restoration | 29% | 9.1 days | $312,000 |
| No viable backup; rebuild from scratch | 22% | 18.4 days | $445,000 |
What technology are small businesses actually using — and where are adoption rates surprising?
| Function | Cloud/SaaS | On-Premise | Hybrid |
|---|---|---|---|
| [function label missing from source] | 91% | 6% | 3% |
| File storage | 74% | 18% | 8% |
| Accounting software | 58% | 31% | 11% |
| CRM / practice management | 67% | 24% | 9% |
| Backup | 61% | 14% | 25% |
| Phone / communications | 76% | 14% | 10% |
| ERP (manufacturing/construction) | 34% | 44% | 22% |

| Industry | Microsoft 365 | Google Workspace | Other/Legacy |
|---|---|---|---|
| Healthcare | 72% | 14% | 14% |
| Legal | 78% | 12% | 10% |
| Financial Services | 81% | 8% | 11% |
| Manufacturing | 69% | 11% | 20% |
| Construction | 64% | 18% | 18% |
| Nonprofits | 41% | 47% | 12% |

| AI Tool / Use Case | % of SMBs Using | Primary Function |
|---|---|---|
| Microsoft 365 Copilot | 28% | Document drafting, email |
| ChatGPT (enterprise or consumer) | 44% | Research, drafting, analysis |
| GitHub Copilot / coding AI | 12% | Software development |
| AI-powered cybersecurity tools | 19% | Threat detection, email filtering |
| Industry-specific AI (medical, legal, financial) | 22% | Domain-specific workflows |
The eight data points every small business owner should know about their IT environment.
Use these numbers to do three things:
This report combines primary and secondary data sources. Primary data reflects self-reported responses from 2,412 U.S. small and mid-size businesses (2–500 employees) collected between January and April 2026 via SerenIT's free tool assessments, supplemented by structured surveys. Secondary data sources include: FBI Internet Crime Complaint Center (IC3) 2024 Annual Report, HHS Office for Civil Rights Breach Portal, FINRA Annual Examination Priorities Reports, Verizon Data Breach Investigations Report 2025, and industry association surveys from the ABA, AICPA, and NFIB. Per-user pricing benchmarks are drawn from a sample of 340 MSP contracts reviewed through SerenIT's Contract Scanner tool from August 2025 through April 2026. All figures are U.S.-specific. Industry breakdowns reflect respondents who self-identified their primary sector. Some figures are rounded to the nearest whole number or nearest $5. This report will be updated annually.