The IT transition from 25 users to 75 users
A practical playbook for the IT and cybersecurity transitions a small business has to navigate as it grows from 25 users to 75, with what breaks and what to build at each milestone.
Atticus Rowan
The 25-to-75-user growth window is where small-business IT stops working quietly and starts producing surprises. At 25 users, one generalist with a spreadsheet can run most things. At 75, nothing scales the same way. The systems that worked at 25 either break, generate friction or quietly accumulate risk until something forces attention.
Firms that plan the transition in advance move smoothly through the window. Firms that don’t tend to hit three to four “oh no” moments between month 12 and month 24 of the growth cycle, each one expensive to resolve and avoidable with earlier structure.
Here is what actually changes, what breaks, what to build and when — grounded in the mid-market SMB reality where many AR clients operate.
The 25-user baseline
At 25 users, most firms operate with:
- One IT-capable generalist internally (often the office manager, a senior engineer or the CFO) handling tickets, vendor management, onboarding and offboarding
- A break-fix IT consultant for hands-on technical work
- Microsoft 365 Business Basic or Standard for email and collaboration
- File storage split between SharePoint/OneDrive and a local file server
- Line-of-business applications on either a local server or cloud SaaS
- Basic antivirus on endpoints, sometimes not centrally managed
- Backup of the file server, sometimes tested, often not
- A WiFi network that just works, usually without guest isolation
- Informal access control (everyone can get to everything on the shared drive)
- Cyber insurance, if any, usually a baseline add-on to the general business policy
This configuration works. It is inexpensive, low-friction and produces acceptable outcomes for most 25-person firms whose data is not particularly sensitive.
The 35 to 45 milestone, the first wall
Between 35 and 45 users, the baseline starts producing friction.
What breaks:
- The internal generalist’s IT responsibilities compete with their primary role
- Onboarding and offboarding happen often enough that ad-hoc handling creates gaps
- Shared drives accumulate enough structure that permission confusion becomes frequent
- The first departure of an employee with material access produces a scare
- The first customer asks for a security questionnaire that the firm cannot credibly answer
- A ransomware attempt at a peer company gets on the leadership radar
What to build:
- Move to managed IT. The break-fix model runs out of headroom somewhere in this range. Transition to an MSP with a 90-day onboarding.
- Upgrade to Microsoft 365 Business Premium. This unlocks Conditional Access, Intune device management and Defender for Business, the security controls the later milestones depend on.
- MFA universal. No exceptions. Start with email, expand to remote access and administrative functions.
- EDR with managed detection and response. Replace baseline antivirus with EDR on 100% of endpoints with MDR coverage.
- Backup hardening. Immutable backup with a documented first restore test. Establish the quarterly test cadence.
- Documented information security policy. Short, clear, appropriate for the scale. The first version can be 4 to 8 pages.
- Access review discipline. Quarterly review of shared drive permissions and SaaS application access.
- Formal onboarding and offboarding runbooks. IT provisioning checklists, departure-day access termination.
Typical investment: $40,000 to $100,000 annual run-rate increase, plus a one-time onboarding investment of $25,000 to $75,000 for the MSP transition.
The 50 to 60 milestone, the second wall
Between 50 and 60 users, more structural items surface.
What breaks:
- The local file server is either aging or becoming operationally risky
- SharePoint/OneDrive has accumulated enough structure to need an information-architecture pass
- Password management is a mess because nobody has deployed a shared password manager
- A customer security questionnaire lands that requires SOC 2 or equivalent evidence
- Cyber insurance renewal gets materially harder
- The leadership team wants real security reporting, not just “nothing happened this month”
What to build:
- File server migration. Move to SharePoint or a managed cloud equivalent. Retire the local server. Document information architecture.
- Business password manager. Roll out 1Password, Bitwarden, Dashlane or equivalent. Migrate shared credentials from email and spreadsheets.
- Phishing-resistant MFA for privileged accounts. FIDO2 hardware tokens or passkeys for administrative accounts and executive accounts.
- Security awareness training program. Annual training plus quarterly simulated phishing. Document completion.
- Vendor risk inventory. A maintained spreadsheet of SaaS vendors with data sensitivity, tier and contact. Review cadence established.
- Incident response plan. Written plan with designated roles, notification tree, first-hour actions. Tabletop the plan once.
- Quarterly security metrics. Simple dashboard for leadership. Control coverage, incident count, training completion, vulnerability status.
- Cyber insurance refresh. Review policy against current controls. Evaluate market options if renewal is hardening.
Typical investment: $30,000 to $80,000 additional annual run-rate. One-time file server migration of $15,000 to $50,000, depending on data volume and complexity.
The 65 to 75 milestone, the third wall
Between 65 and 75 users, the firm hits mid-market territory.
What breaks:
- Identity sprawl: each SaaS application has its own directory and provisioning is inconsistent
- The network, still flat and permissive, becomes a liability
- Regulatory scrutiny appears (enterprise customers, insurance carriers, occasionally state regulators)
- Compliance framework alignment becomes an operational requirement, not an aspiration
- Executive team wants clearer IT strategy and roadmap
What to build:
- Identity consolidation. Single sign-on for every SaaS that supports it. Microsoft Entra ID or Okta becomes the identity source of truth. Conditional access policies deployed.
- Network segmentation. Guest WiFi isolated. IoT devices on their own VLAN. User and server zones separated at the firewall.
- Compliance framework alignment. NIST CSF 2.0 or equivalent with documented control mapping. Annual review cadence.
- Fractional or full-time security lead. A named role accountable for cybersecurity, either internally or via vCISO engagement. Reports to executive team quarterly.
- Vendor risk management program. Not just inventory — due diligence on tier-1 vendors, contract review cadence, breach notification obligations.
- Annual penetration test. Independent external test, findings documented, remediation tracked.
- Zero Trust identity foundations. Conditional access, device compliance checks, phishing-resistant MFA universal for administrative access.
- IT strategy and roadmap. A 12 to 18 month technology roadmap aligned to business plans. Reviewed quarterly.
Typical investment: $50,000 to $150,000 additional annual run-rate. One-time identity consolidation project $50,000 to $200,000 depending on SaaS complexity.
The cumulative view, 25 to 75 over 18 to 36 months
A firm executing this transition across 18 to 36 months typically ends up:
- IT budget shifting from $1,500 to $2,000 per user per year (common at 25 users on break-fix) to $2,500 to $3,500 per user per year (common at 75 users on managed IT with a full security program)
- Named roles for IT ownership (internal + MSP)
- Documented program aligned to a recognized framework
- Evidence library capable of responding to customer security questionnaires in under a week
- Cyber insurance posture credible enough to renew without premium surprises
- Annual tabletop and penetration test as operational rhythm
- Dashboard reporting to leadership
The per-user cost looks higher, but the incident risk, the customer-deal risk and the leadership time cost have all declined. Most firms that execute this transition well report that the leadership team’s IT-related stress at 75 users is lower than it was at 35, despite the larger operation.
Common failure modes
Three patterns that cause the transition to stall.
- Waiting for the forcing function. The firm tells itself it will upgrade when a customer asks, an auditor finds something or an incident happens. The forcing function arrives more expensively than the planned upgrade would have. This is the most common failure mode.
- Piecemeal upgrades without strategy. One tool, then another, then a policy, then a vendor change, each decided independently. After 2 years, the firm has spent more money than a strategic upgrade would have cost and ended up with a less coherent program.
- Over-engineering early. The 35-user firm buys enterprise tooling and a SIEM because “we’ll need it eventually.” Licenses sit unused. The MSP spends hours managing tools that no one uses. Better to buy appropriate-for-scale and upgrade when the scale actually arrives.
Where we fit
Atticus Rowan operates as the managed IT partner for firms in exactly this 25-to-75-user growth window. The engagement model is calibrated to the milestones — we do not deploy the 75-user program to a 30-user firm, and we do not leave a 65-user firm operating on the 35-user baseline.
The practical work is anticipatory rather than reactive. Monthly rhythm of operations plus a quarterly strategic review that identifies which milestone is next and what needs to be built for it. By the time the forcing function arrives, the firm has already addressed it.
If your firm is somewhere in the 25-to-75-user window and you want a practical read on which milestone you are approaching and what that means for IT and cybersecurity, schedule a discovery call. We can walk through the current posture and scope the next 6 to 12 months of work.