In-house IT vs managed IT services: which is right for Australian SMEs?

For Australian SMEs above roughly 30 staff, the choice between hiring internal IT staff and engaging a managed services provider is a real decision with material cost and capability differences. The short answer: in-house works when your business is large enough to justify a multi-person team with specialist depth (typically 100+ staff), while managed services delivers better economics and capability breadth for everyone else.

The decision rarely comes down to cost alone. It also depends on continuity, depth of expertise, strategic input, and the realistic scope a single internal hire can cover. This guide walks through the comparison the way a 30-person Sydney SME owner should actually think about it.

Key facts

• A junior IT staff member in Sydney costs approximately AU$70,000 to AU$90,000 per year base salary, with a fully loaded cost of well over AU$100,000 once superannuation, payroll tax, equipment, training, and management overhead are included.
• Managed services for a 30-person Australian SME typically costs AU$36,000 to AU$72,000 per year ex GST, depending on scope and security baseline.
• A single internal IT hire is typically a generalist; an MSP delivers a multi-disciplinary team (helpdesk, cloud, security, network, senior consultant) on the same contract.
• The crossover point where in-house becomes economically competitive is typically around 100-150 staff, when the business can justify a 2-3 person internal team with at least some specialist depth.
• Hybrid models (internal IT manager plus MSP for specialist depth and out-of-hours cover) become optimal above 150 staff, or earlier in regulated industries.
• Continuity risk is the most underestimated factor. An MSP has documented procedures and multiple engineers familiar with the environment; a single internal hire creates a single point of knowledge.

What's the real cost of an in-house IT hire in Sydney?

A junior IT support staff member in Sydney commands AU$70,000 to AU$90,000 per year base salary in 2026. That figure is the starting point, not the total. The loaded cost includes superannuation (12 percent in 2026, so AU$8,400 to AU$10,800), payroll tax (around 5.45 percent in NSW above the threshold), workers' compensation insurance, equipment (laptop, monitor, phone, software licences), training and certification, recruitment cost (typically 15 to 25 percent of first-year salary if you use an agency), management overhead, and the productivity drag while the person ramps up.

Fully loaded, expect AU$100,000 to AU$130,000 per year for a competent junior IT generalist. A mid-level IT engineer with 5+ years experience and broader capability sits closer to AU$130,000 to AU$170,000 loaded. A senior IT manager who can also do strategy and stakeholder work is AU$180,000 to AU$240,000 loaded.

Compare against managed services for a 30-person SME with a full security baseline and Microsoft 365 administration: AU$3,500 to AU$6,000 per month ex GST, or AU$42,000 to AU$72,000 per year. The cost comparison favours managed services for businesses up to roughly 100 staff. After that, the per-user math starts to favour bringing some capability in-house.

What does a single internal IT hire realistically cover?

One internal IT person can run helpdesk and basic system administration for a small-to-medium business well. What one person cannot realistically cover with depth: cybersecurity (which now requires specialist tools, threat hunting, and ongoing intelligence), cloud architecture (Microsoft 365 governance, Conditional Access, identity), networking (firewall configuration, segmentation, secure remote access), backup and disaster recovery (architecture, testing, ransomware-resilient design), and strategic input (vCIO-level capability translating tech decisions into board language).

The typical pattern we see when a 30-50 person SME hires their first internal IT person: the person is competent and well-intentioned. They cover 60-70 percent of the work brilliantly. The remaining 30-40 percent (security, cloud governance, strategic planning, backup architecture) gets either deferred or done at a generalist level that turns out to be inadequate. Six to twelve months in, the business engages an MSP anyway, but for the gaps rather than the whole.

This isn't a failure of the individual. It's a structural limit. The breadth of modern IT work is larger than one generalist can reasonably cover with depth, and the security stakes are now too high for "good enough" coverage in any of the specialist areas.

What's the depth advantage of an MSP?

An MSP delivers a multi-disciplinary team on a single contract. The same monthly fee gets you helpdesk engineers handling day-to-day requests, cloud engineers configuring Microsoft 365 and Conditional Access, security analysts monitoring endpoints and responding to alerts, network specialists handling firewall and Wi-Fi work, and senior consultants providing strategic input at quarterly business reviews.

No single person on that team is your business's "IT person", but collectively they cover the breadth that a single internal hire cannot. For an Australian SME this matters because cyber expectations have risen substantially. Cyber insurance underwriters now expect Essential Eight alignment, MFA coverage, documented incident response procedures, and verifiable backup recovery. A generalist internal hire can configure MFA, but probably cannot stand up a full Essential Eight maturity program by themselves. An MSP can.

The other depth advantage: pattern recognition. An MSP supporting 40 to 80 Sydney SMEs sees the same problems play out hundreds of times. A novel ransomware variant, a tricky Microsoft 365 licence question, a vendor offering that looks suspicious. These get answered fast because someone on the team has seen it before. An internal IT person hits these for the first time, learning on your dime.

What about continuity and key-person risk?

This is the factor most SME owners underestimate. A single internal IT hire is a single point of knowledge. When they take annual leave, get sick, attend training, or leave the company, there's a gap. Documentation rarely keeps up with reality in small IT teams; the credentials and configurations tend to live in one person's head, in their personal password manager, or in scattered notes.

When that person leaves, the handover is often partial. We've inherited environments from departing internal hires where domain admin credentials weren't documented, the backup architecture wasn't fully understood, and the line-of-business application vendors' contacts were only in the previous person's email. None of this is malicious. It's just what happens when one person is responsible for a complex environment and nobody else is keeping pace.

An MSP solves this structurally. Multiple engineers are familiar with each client environment. Documentation lives in the MSP's PSA system, not in a person's head. Annual leave doesn't create a coverage gap because another engineer can step in. When an MSP engineer leaves the firm, their successor inherits the documented baseline. The business doesn't even notice the handover most of the time.

When does in-house make sense?

In-house IT becomes the right answer in three specific situations.

The business is large enough to justify a multi-person team. Above 100-150 staff, you can afford a 2-3 person team with at least basic specialisation (a helpdesk lead, a senior engineer, possibly a security or cloud specialist). That team can cover the breadth that a single hire cannot, and the per-user math starts working in-house's favour.

The business has highly specialised line-of-business systems. Some SMEs run niche software (engineering CAD, medical imaging, manufacturing control systems) where deep internal knowledge of the application is worth more than IT generalism. Hiring someone who knows that specific stack inside-out can deliver real value, particularly if they also handle basic IT.

Regulatory requirements demand it. A few industries (defence supply chain, certain APRA-regulated entities, critical infrastructure) have regulatory expectations that effectively require internal IT capability with appropriate clearances. Most Australian SMEs do not fall into this category, but if you do, it changes the equation.

Outside these three cases, the structural advantages of an MSP (economics, capability breadth, continuity) usually win for businesses under 100 staff.

What about a hybrid model?

The hybrid model is the most common arrangement for Australian SMEs at the 100 to 300 staff range. An internal IT manager handles day-to-day, owns the relationships with internal stakeholders, and runs strategic planning. An MSP provides specialist depth (cybersecurity, cloud architecture, network), out-of-hours cover, and surge capacity for projects.

The internal IT manager becomes the business's IT voice in board meetings and the operational owner of decisions. The MSP becomes the technical execution arm and the source of specialist capability the business cannot justify hiring full-time. Cost structures vary: typically the internal manager is AU$130,000 to AU$200,000 loaded, plus AU$30,000 to AU$80,000 per year for a co-managed MSP relationship at reduced scope (since the MSP isn't covering helpdesk, just specialist work).

For SMEs in this size range, the hybrid model often outperforms either pure approach. It also makes the eventual transition to fully in-house (if the business continues to grow) much smoother, because the internal IT manager is already in place and the MSP relationship can be gradually scaled down as the internal team grows.

Frequently asked questions

At what size should I hire my first internal IT person?

Most Australian SMEs we work with don't benefit from internal IT until they're above 75-100 staff. Below that, the loaded cost of even a junior hire exceeds the cost of a comprehensive managed services agreement, and the capability gap (security, cloud, strategic) usually drives them back to engaging an MSP for the gaps within 12 months.

Can an internal IT person handle cybersecurity?

Some can, particularly if they have a security background. The honest answer is that modern cybersecurity is a specialist discipline requiring tools, threat intelligence, and ongoing professional development that a generalist IT person cannot realistically maintain alongside helpdesk work. For most SMEs, even those with internal IT, security is better handled by a specialist team. That could be an MSP with strong security capability or a dedicated MSSP.

Is it cheaper to outsource just helpdesk and keep everything else in-house?

It can be, but the savings are usually less than expected once you account for the fixed costs of an internal IT function (management overhead, equipment, professional development). The bigger reason to keep parts in-house is strategic and stakeholder management, not cost. Hybrid arrangements work best when the internal role is positioned as IT manager rather than IT support.

What happens if our internal IT person leaves while we're between MSPs?

This is the worst-case scenario for businesses without a documented IT baseline. The handover is partial, credentials are scattered, and operational continuity depends on whether the departing person is willing to support the transition. An MSP engagement, even at minimal scope, gives you a documented baseline and a fallback team if your internal person leaves unexpectedly.

Do MSPs ever recommend going in-house?

Honest MSPs do, when it's the right answer. We've recommended in-house hires to clients whose growth made it the better option, and helped structure the transition. An MSP that resists every conversation about in-house capability isn't serving your interests; it's protecting their revenue.

How do we transition from in-house to MSP (or back)?

Allow 60-90 days for either direction. A structured transition includes documenting the current environment, transferring credentials and access, knowledge transfer sessions, and a parallel operation period where both parties have access while the new arrangement settles in. Skipping the parallel period is the most common cause of transition friction.

If you're sitting in the 30 to 100 staff range and wrestling with this decision, happy to have a no-pressure conversation about which model would actually suit your business. The right answer depends on your specific stack, risk profile, and growth plans, not a formula.