Three Stages of IT Maturity in Small Businesses

Over the years we’ve observed a lot of different takes on small businesses using IT. With over 30 million businesses of 500 employees or less, there’s a lot of variety.

With that being said, there are clearly different stages of what we’ve coined “IT Maturity Stages”. As small businesses increase in employee headcount and revenue, you’d hope their IT Maturity Stage would also increase to accommodate increased complexity, risks, and demand. However, this isn’t always the case.

Why does this matter for you? For one, knowing what stage you’re at helps you understand both where you are and what’s next. It’s possible you’re at a lower maturity level than you thought. Or, if you’re working with the right IT Company, you could be at a higher IT Maturity than your competitors without knowing it. 

Higher IT Maturity businesses in our experience:

  • Pay less in reactive IT costs
  • Have less downtime
  • Know backups are occurring that are tested routinely
  • Use IT as a competitive advantage 
  • Easily onboard and offboard new employees
  • Work with an IT Company who has a vested interest in your growth and stability

Low IT Maturity businesses typically: 

  • Spend more on IT crisis situations
  • Experience more downtime
  • Use consumer grade computer and network equipment
  • Have little to no IT security in place
  • Have backups that are unverified and possibly aren’t even occurring 
  • Work with “IT Guys” who show up days later for reactive work with whom you have no established partnership relationship
  • Have IT that is so inefficient and mismanaged that it hurts the business’s reputation and bottom line

Level 1 is the lowest maturity level. It is understandable when these are startup businesses with 1-10 employees or they are established businesses with no aspiration to grow. They typically run in the “technology laggard” category of technology adoption. IT is seen as an expense to be minimized. It’s often unlikely that a Level 1 could justify the costs of a Managed Services agreement with an IT Company, and it’s unlikely any IT Company would work with a Level 1 due to lack of budget. The concern is when businesses that are larger, with 10-500 employees, are operating at this maturity level. The health and survival of the business can be at risk due to underestimating the importance of IT to the business and not making the responsible investments that are best for the business. 

Level 2 is a middle maturity level. This level is most often seen at businesses with 10-50 employees who have identified that IT is important, but lack the resources and/or justifications to move to the next level. Businesses in this level are usually in the “late majority” category of technology adoption. IT spending is looked at line by line for any savings and optional initiatives are likely to be declined unless the old way of doing it is being retired. Depending on the leadership of the business, businesses at this level can benefit when they take on a seasoned IT Company that helps justify the benefits of reaching Level 3 Maturity. Level 2 businesses will often outgrow and notice the downsides of contractor/one man “IT guy” operations and benefit from seeking out more reliable and scalable IT vendors. 

Level 3 is the highest maturity level. These are businesses typically with 10-500 employees who have an IT advocate in a management role. These businesses are usually in the “early majority” category (or even early adopters/innovators) of technology adoption. IT is seen as critical to the business and they understand the  correlation of revenue and smooth IT operations. There’s also a deeper understanding of loss of revenue due to IT downtime. Only mature IT companies can work with Level 3’s, as these types of businesses know what questions to ask early to vet the IT Company’s capabilities.

Below we’ll quickly review examples of some IT categories that we typically review in depth during an Assessment Project, along with the typical attributes of each maturity level. 

Email Platform

  • Level 1 – Free consumer-class solution, i.e.,,, Usually a shared mailbox for key departments. 
  • Level 2 – Business-class cloud solution, such as Office 365. Usually a shared mailbox for key departments.
  • Level 3 – Same as #2, but all staff have email accounts. Shared mailboxes and distribution groups are used strategically and sparingly to avoid unnecessary complexity. A third party solution is backing up the entire Office 365 tenant. Multi-factor authentication, email encryption, anti-phishing capabilities, and other mitigation solutions are often implemented based on the organization’s requirements. 


  • Level 1 – Consumer-class file & folder solution, manual backups, or no backups at all. No file restore testing until it’s too late. No Protected Health Information is allowed on these types of platforms, but it happens anyway (that’s a breach!). 
  • Level 2 – Business-class file and folder solutions are in place. Monthly testing is often performed. If your business is in a regulated industry, it’s likely this type of solution would fail an audit. 
  • Level 3 – A business-class Backup and Disaster Recovery solution is in place that backs up the entire server. Weekly tests verifying backups are occurring, including restoring successfully, and that the backups are sent offsite at least daily. If required, the Backup Solution can spin up backed up servers within an hour, enabling the highest functionality of backup – business continuity. 

IT Companies can also be classified in maturity levels, just like businesses. Here are some guidelines:

Engaged IT Company’s Maturity

  • Level 1 – Family, friend, or 1099 contractor who does IT on the side. No contract or scalable method of contacting them (text/email owner directly for help). They likely do not resell hardware but instead, they’ll send you links to buy equipment online. The IT Company owner performs technical work, even the minor stuff. There is a high likelihood they do not have an errors & omissions policy or cybersecurity insurance. Successful businesses that use these types of companies will outgrow and replace this type of IT resource quickly. 
  • Level 2 – Micro IT Company or an incorporated individual. The IT Contract could be either a handshake agreement or written. There is possibly a general mailbox for IT requests, if not the owner’s email and cellphone like in a Level 1 Company. Likely unfamiliar with industry regulations and trends, as they’re so busy driving from client to client to perform reactive work. They may resell hardware, such as high margin “white-box” custom computers. They possibly have some insurance, and it is important to confirm this if you work in a regulated industry, as this is an easy corner to cut. Successful businesses will often want more than an IT Company like this can offer and they’ll move to a more robust IT resource when budget allows or a large downtime event occurs. 
  • Level 3 – Established IT Company (aka Managed Service Provider). There is always a signed contract that lays everything out and scales with your size. They resell name brand business-class hardware. They have an errors & omissions policy and cybersecurity insurance. The Level 3 IT Company has a robust workflow for tracking tickets. The owners and technical staff do not work via cell phones and direct email addresses, as this is an unscalable method to support IT for a business. 

To summarize, there’s a lot of nuances to IT Maturity levels. The bottom line is that you need to end up with an IT Company that operates at a minimum at your own IT Maturity level. When a gap exists between maturity levels, the business with the higher level will part ways organically.

Reach out to us if you’d like to continue this discussion. Our Assessment Project will help you understand your IT Maturity Level and how you can move up. Contact us here.