Dragon Digital

Cheap IT Costs More When the Bill Arrives

That £35/month saving looks good on a spreadsheet. But when you unpick what’s been quietly removed from the contract, the maths rarely hold up.

By The Dragon Digital team


Picture this: your IT quote comes in £875 a month cheaper than the alternative. That’s £10,500 a year. On a spreadsheet, it looks like a sensible decision. The problem is that figure usually means something has been quietly removed to make the numbers work.

Both quotes say “managed IT support.” One means your systems are actively monitored, patched, and secured. The other means “ring us when something catches fire.” The gap between those two things is where the real cost lives.

What gets cut when the price drops

When a provider shaves their quote, they’re cutting tooling, labour, or both. Before a single engineer draws a salary, a proper managed IT service pays for the software stack that keeps your business secure. Remote monitoring and management, endpoint detection, email filtering, security awareness training, backup. Add it up honestly and you’re looking at around £20-25 per employee per month before anyone touches your systems. When a quote lands well below that floor, something has gone. Find out what.

According to the latest government cyber security breaches survey, 43% of UK businesses experienced a cyber attack or breach in the past year. For those with a material impact, the average cost was £8,260 — already eating most of that annual saving, before you count downtime, lost invoices, and the hours spent firefighting.

What you’ve actually done, by picking the cheaper quote without checking what’s gone, is self-insured against cyber risk. That’s fine if you’ve done it deliberately, with cash reserves and a tested recovery plan. Most businesses haven’t done it deliberately. They’re accidentally uninsured.

Insurance might not save you

Plenty of owners assume their cyber insurance will catch it if something goes wrong. Insurers are getting increasingly strict about this. A significant share of claims are being rejected because controls that should have been in place simply weren’t: multi-factor authentication not enforced, patching gaps, logs that don’t exist. If your IT provider isn’t actively doing those things, your policy application may say one thing and your actual setup quite another.

Layer on top the fact that ICO enforcement has sharpened considerably, with maximum fines under UK GDPR sitting at £17.5 million or 4% of annual turnover. Poor security is not a sympathetic defence in an investigation.

Questions worth asking

If you’re comparing IT contracts, go beyond the per-seat price and ask:

  • What’s actually included? Patch management, endpoint detection, MFA enforcement, monitoring, documented incident response, security training?
  • Can they show evidence? Patching reports, MFA coverage, monitoring logs?
  • Does your cyber insurance require specific controls, and does your provider actually deliver them?
  • What’s the price floor? Below roughly £50 per employee per month outside London (after Microsoft 365 licensing), treat that as a prompt to ask what’s been removed.

A saving that creates a gap in your defences is not a saving. If you want an honest look at whether your current IT setup actually delivers the controls it should, Dragon Digital audits IT contracts and security posture for businesses across North Wales and will tell you plainly what’s there and what isn’t.
