Cheap IT, Expensive Breach: The Bargain That Bankrupts UK Small Businesses
If your IT provider is £35 per user per month cheaper than the sensible option, you are not saving money. You are buying yourself a more dramatic disaster later.
That is the central argument on this week’s podcast. Mauven MacLeod and I sat down to work through one of those LinkedIn graphics that lands in your feed every few weeks: bold colours, loads of confidence, not nearly enough nuance. The pitch was simple. Why pay a security-first managed service provider when a cheaper IT firm can save you thirty to forty pounds per user per month?
The answer is not vague fearmongering. It is arithmetic.
The bargain that quietly transfers risk to you
Twenty-five staff. Your current provider is £35 per user per month cheaper than a security-first MSP. That is £875 a month. £10,500 a year. On a spreadsheet, that looks lovely.
It is also exactly why this trick works on owners who are honestly trying to keep their business running. Cheap IT is sold as a tidy annual saving. It is almost never sold as a list of controls that have quietly been removed to hit that price.
The right question is not “why is the security-first provider dearer?” The right question is “how is the cheap one making the maths work?”
They are not performing wizardry. They are cutting something. Maybe proactive patching. Maybe enforced multi-factor authentication. Maybe endpoint detection and response. Maybe documented incident response. Maybe security awareness training. Usually it is a cheerful little mixture of all of them.
The trap is that the labels look identical. Both quotes say “managed IT support.” One means “we actively secure, monitor, document, and maintain your environment.” The other means “ring us when the printer bursts into flames.” Same label. Very different service.
The UK numbers, not the American ones
Let us ground this in actual UK government data. The DSIT Cyber Security Breaches Survey 2025 found that 43% of UK businesses experienced a cyber breach or attack in the previous twelve months. That works out to roughly 612,000 businesses. Phishing hit 85% of those. Ransomware doubled to 1% of all UK businesses, which sounds tiny until you say it properly: about 19,000 organisations.
The average cost of the most disruptive breach for businesses that suffered a material outcome (lost money or data) was £8,260 in 2025. Line that against the supposed saving. You shaved £10,500 a year off the IT bill. One average meaningful breach already eats most of that, and that figure does not capture the bits that hurt most: three days of downtime, sales unable to work, accounts unable to invoice, ops unable to deliver, management losing a week to firefighting.
Some firms can absorb that. Plenty cannot.
What you have actually done, by picking the cheaper quote without understanding what it removed, is self-insured against cyber risk. That is fine if you have done it deliberately, with cash reserves, tested recovery plans, and the stomach for disruption. Most small businesses have not done it deliberately. They are not self-insured. They are accidentally uninsured.
What a security-first provider actually pays for
Here is the bit you rarely see on a pitch deck. Before any margin or salary cost, a security-first MSP pays real money for the tooling that keeps your environment safe. Remote monitoring and management runs roughly £3 to £5 per endpoint per month, and patch management is normally bundled in. Strip out the RMM, and patching quietly disappears with it.
Endpoint detection and response, if not bundled into a broader suite, starts around £5 per endpoint and rises with proper response features. DNS filtering is around £1.50 per user. A dedicated email security product is £5 or more per mailbox. Application control is around £8 plus per endpoint. Security awareness training is roughly £7.50 per user. Backup is £3 to £5 per endpoint. SOC monitoring sits anywhere between bundled and around £10 per endpoint.
Add it up honestly and a sensible bundle-heavy stack lands at around £20 to £25 per user per month before the provider has paid a single engineer. A full best-of-breed stack with dedicated EDR, SOC, and application control can hit £40 plus before labour.
Speaking of labour. Industry benchmarks put average support time at roughly one hour per user per month. A competent Level 2 engineer in the UK costs about £35,000 a year, which works out at £17 per hour at salary alone. That is before employer’s NI, pension, training, certifications, desk, insurance, or any of the other costs that come with employing humans rather than imagining them.
So when somebody offers a per-seat price wildly below the sensible range, they are not being clever. They are dropping tooling, under-resourcing labour, or both. If you are paying less than £50 per user per month outside London after stripping out Microsoft licensing, alarm bells should be ringing. In London, the trigger is closer to £75.
Insurance is not the safety net you think it is
Plenty of owners hear all this and shrug. “It’s alright, we’ve got cyber insurance.”
Maybe. You have a premium leaving your bank account every month. That is not the same thing as being claim-ready.
UK cyber insurance uptake among small businesses sat at 62% in 2025, up from 49% the previous year. Encouraging. But the Association of British Insurers reported £197 million paid out in cyber claims in 2024, a 230% year-on-year rise on the £59 million paid the year before. Malware and ransomware accounted for 51% of those claims, up from 32%.
When payouts climb that fast, insurers do not become more relaxed. They become fussy as hell.
Industry analysts have flagged that nearly one in four cyber insurance claims filed in 2024 were denied for failing to meet coverage requirements. The reasons are painfully predictable. Missing MFA. Patching gaps. Optimistic policy applications that say controls are in place when they are not. Reporting windows missed because nobody noticed the incident in time.
A security-first MSP tends to know all of this. They enforce MFA, document patching, keep logs, and ideally they have actually read your policy requirements. Bargain providers often do the bare minimum and rarely ask to see the policy at all. The insurance and the IT are joined at the hip, and many firms still treat them as separate purchases. They are not.
The regulator is sharpening up too
Layer the regulatory side on top. The Information Commissioner’s Office issued £5.6 million in fines in the first half of 2025 across just six cases. That is already more than double the £2.7 million across eighteen cases for the entirety of 2024. Fewer cases, bigger pain.
Maximum penalties under UK GDPR remain £17.5 million or 4% of global annual turnover, whichever is higher, so the ceiling does not shrink just because you are small. Even a fine pitched at the 4% level bites: £40,000 on a million in turnover, £200,000 on five million.
The Cyber Security and Resilience Bill is moving through Parliament right now, having had its second reading in January 2026 and its committee stage through February. Royal Assent is expected later this year. The direction of travel is clear: more organisations in scope, faster mandatory incident reporting, stronger regulator powers. Cheap IT is becoming not just a breach risk, but a regulatory one.
Poor security is not a sympathetic excuse. It is an aggravating factor. “We used the cheapest IT provider we could find” is not a defence. It is practically an own goal.
How to Turn This Into a Competitive Advantage
Most of your competitors are running the same cheap-IT bet you might be running. That is your opening.
Customers, especially in regulated sectors, professional services, and any B2B context, are increasingly asking suppliers about their cyber posture before they sign. Cyber Essentials Plus is becoming a tender ticket in places it never used to be. If you can answer those questions clearly, with evidence, you win work the cheap-IT competitor cannot. That competitor cannot show MFA enforcement. They cannot show patching reports. They cannot show an incident response plan. You can.
Cyber security stops being a cost line and starts being a sales asset the moment you can point to it. That is the bit nobody mentions on the LinkedIn graphic.
How to Sell This to Your Board
Four arguments your finance director will actually engage with.
Risk-adjusted cost. A £10,500 annual saving against an £8,260 average breach cost is not a saving. It is a one-bad-year-from-being-underwater bet. Phrase it that way and the conversation changes.
Insurance integrity. If your policy requires MFA and your provider has not enforced it, your premium is buying you a fight, not a payout. The board needs to know whether the IT contract delivers what the insurance contract demands.
Regulatory exposure. ICO fines are getting larger, fewer, and more public. The Cyber Security and Resilience Bill will push reporting obligations harder. Cheap IT increases the chance of a breach and the severity of the regulatory tail.
Continuity. Plenty of UK SMBs have not survived a serious ransomware event. The board’s job is to make sure yours is not next.
What This Means for Your Business
You do not need to fire your provider this afternoon. You need to ask better questions.
- Audit your current contract. Find out what is actually in it. Patch management, EDR, MFA enforcement, monitoring, awareness training, incident response. If something is missing, get the provider to confirm that exclusion in writing, then decide whether to add it.
- Ask for evidence, not assurances. Patching reports. MFA coverage screenshots. Logs from monitoring. Incident response runbooks. If they cannot show you the artefacts, the artefacts probably do not exist.
- Pull out your cyber insurance policy. Read what controls it actually requires. Then ask your provider whether you are compliant with all of them.
- Compare quotes properly. When you next benchmark, demand a like-for-like control list, not a per-seat headline price. The headline number is meaningless without the contents.
- Set a price floor in your head. Below £50 per user per month outside London, or £75 in London, after Microsoft licensing, treat it as a signal that something has been removed. Then find out what.
Wise security spend protects cash flow, reputation, and jobs. Cheap IT can look clever for twelve months and gut-punch the whole business in month thirteen. Spend wisely, not blindly.
Listen to the Full Discussion
Mauven and I work the maths in detail on this week’s episode of The Small Business Cyber Security Guy podcast, including the seven questions to ask your IT provider this week and exactly what good answers sound like. The episode is up now on Podbean and all major podcast apps.
This week on the blog: a clinical breakdown of the MSP cost stack with Corrine on Tuesday, Mauven on the cyber insurance trap on Wednesday, Graham’s seven-question audit on Thursday, and Lucy on a 158-year-old British firm killed by exactly this problem on Friday.
Related reading:
- Cyber Insurance Claims Are Being Denied And It’s Your Fault
- The RMM Nightmare: How DragonForce Just Showed Us We’re All Sitting Ducks
- Why Ransomware Will Keep Winning Until Cybersecurity Becomes a Business Risk
Sources
| Source | Article |
|---|---|
| DSIT | Cyber Security Breaches Survey 2025 |
| DSIT | Cyber Security Breaches Survey 2025/2026 |
| Association of British Insurers | Nearly £200 million paid in cyber claims to help UK businesses recover |
| ICO | Enforcement action register |
| UK Parliament | Cyber Security and Resilience (Network and Information Systems) Bill |
| Sophos | The State of Ransomware 2024 |
| NCSC | Cyber Essentials |
| NCSC | 10 Steps to Cyber Security |
| The Small Business Cyber Security Guy | Podcast: Cheap IT, Expensive Breach |