The call came at 6.47 on a Tuesday morning. Claire Watkins, who ran a 22-person bookkeeping firm in Parramatta, was already at her desk when her office manager rang to say that nothing was working — computers were locked, files were inaccessible, and a message on every screen was demanding $28,000 in cryptocurrency within 48 hours.

The ransomware had entered through a remote desktop (RDP) port that Watkins's part-time IT contractor had opened for a routine maintenance job three months earlier and never closed. Recovery took eleven days. The ransom itself went unpaid, on her advisors' recommendation, but the cost of the incident landed at $63,400 once forensic consultants, data reconstruction, and client notification obligations under the Privacy Act were tallied. Two clients left. One threatened legal action.

"People always said to me: you're too small to be a target," she says now. "That's completely wrong. We were exactly the right size to be a target. We had client financial data, and we had nobody watching the door."

The Accounting That Most SMBs Never Do

Australia has roughly 2.5 million small and medium businesses. The overwhelming majority manage their own IT, either in-house or through occasional break-fix contractors. Most of their owners, if asked, would say they are saving money compared to a managed service contract.

The question is whether that calculation is correct — or whether it is simply incomplete.

When Nous Group conducted a cost analysis of 45 Australian SMBs in 2024, comparing self-managed IT against equivalent managed service arrangements, the gap was striking. Businesses that believed they were spending around $30,000 a year on IT were, on average, actually spending $67,000 once all costs were accounted for. The hidden items were consistent: owner and senior staff time diverted to IT troubleshooting, productivity losses from unresolved performance issues, emergency contractor rates during incidents, and the annualised cost of security events.

Tom Featherstone, a partner at Sydney-based technology advisory firm Archbridge Consulting, has seen the same pattern repeatedly. "The problem is that most of the real cost is invisible," he says. "It doesn't appear on an IT invoice. It appears as a slower quarter, or a staff member who leaves because they're constantly frustrated with their tools, or a client relationship that quietly cools after a data problem."

What the Numbers Actually Look Like

Consider a hypothetical — though representative — 18-person professional services firm in Adelaide. The owner estimates annual IT costs at $24,000: a part-time IT contractor at $800 per month, software licences, and hardware amortised over three years.

What that estimate omits: the owner spends approximately six hours a week on IT-related matters, from vendor calls to troubleshooting staff issues. At a conservative $180 per hour, well below her billable rate, six hours a week over 52 weeks is $56,160 a year in opportunity cost. Her staff collectively lose an estimated four hours per week to slow systems, workarounds, and waiting for contractor callbacks: at average salaries, another $28,000 a year. Emergency contractor callouts over the past two years averaged $8,500 per year.

Added to the $24,000 she does count, the real number is about $116,660 a year. A managed service contract covering the same business would cost between $42,000 and $58,000 annually, and would include 24/7 monitoring, helpdesk support with contractual response times, and security tooling that the current arrangement simply does not have.

The Break-Fix Trap

The contractor model, paying someone to fix things when they break, is structurally misaligned with how IT risk actually works. The contractor has no financial incentive to prevent problems; their revenue comes from problems occurring. Proactive security hardening, patch management, and configuration review, such as checking that a remote access port opened for a maintenance job was closed again afterwards, are all work they are not paid to do unless specifically engaged for it.

This is not a criticism of individual contractors, many of whom are skilled and well-intentioned. It is an observation about the incentive structure. A managed service provider (MSP) operating on a fixed monthly fee has the opposite incentives: every incident they prevent is work they don't have to do for the same payment. The commercial model aligns with the client's interests in a way that break-fix simply cannot.

Watkins switched to a managed service provider three months after the ransomware incident. Her monthly fee is $3,800. "I used to think that was expensive," she says. "Now I think of the eleven days I lost, the clients I nearly lost, and the $63,000. Three thousand eight hundred dollars a month looks completely different from that side of the experience."

When Self-Management Is Genuinely Viable

There is a small class of SMBs for which self-management makes sense: businesses with a technically sophisticated founder who actively manages IT as part of their role, minimal data sensitivity, and limited regulatory exposure. For everyone else — businesses handling client financial data, medical records, legal files, or personal information of any kind — the risk-adjusted case for professional management has become compelling. The threat landscape has not softened, and the regulatory expectations under the Privacy Act have grown more demanding with each amendment cycle.

The Australian Cyber Security Centre's 2024 annual report documented a 23 percent increase in cybercrime reports from small businesses year-on-year. The most common vector was not sophisticated zero-day exploits. It was unpatched software and misconfigured remote access, exactly the kind of thing that routine patching and configuration review catch before it becomes an incident.