The Challenge of Antivirus for SMEs

When someone decides to start their own small business, one of the issues that comes up pretty quickly is what to do about the IT – that itself usually gets framed as “how do I get email?”, “how do I get a website?”, and “where do I store my files?”. Some of those questions get answered by popping along to the new business owner's local branch of Currys PC World, John Lewis, or similar.

This creates, for the savvy seller of IT equipment, an opportunity – what you have here is someone coming into your store with a need (“I need a laptop for my new business”), but this person is not a professional IT buyer. You are also, as a savvy seller of IT equipment, used to not making much in the way of margin out of a PC sale. One way to add a bit of fat is to sell antivirus products.

There is no doubt that your PC requires some sort of antivirus protection. Your humble PC has a very long history – in particular a history that is steeped in geek hobbyist communities in the 1970s and 1980s. If 40-50 years ago, you were into computers, the general principle was that they were a toolkit of parts that you could explore and bend to your will. This meant that architecturally, everything in a PC was wide open – if you had access to it, you were largely trusted to act in a beneficent way. (The iPhone, incidentally, was built on the exact opposite model, which is why the App Store is so locked down and why no one talks about computer viruses or malware on iOS devices.)

This was fine when a) there were only (relatively) few computers in the world, and b) there was no internet – but as the internet gained a foothold and more and more people were using computers to store data that was worth something, this “wide open” architecture became a problem. To protect your PC against “bad actors” who got their kicks (and got paid) by writing malicious software, you needed antivirus – ideally one that provided malware protection.

For a while, Microsoft went along with this and was content to look after building Windows, allowing a third-party ecosystem of virus protection products to develop. We saw products like Norton Antivirus, McAfee, Kaspersky, AVG, etc. come to market.

As these were separate products, and were largely needed to make the computing experience safe, if you went into PC World to buy a laptop, buying an antivirus subscription along with it made sense and everyone won – the retailer made more profit (and Microsoft had happier retailers), the antivirus vendors had a decent business, and the customer had a secure system.

Eventually though, Microsoft started to get concerned about its own image. They were, by some measure, pitching an insecure product that required third-party products to make safe – it started to look like Windows wasn’t technically/legally fit for purpose without the user installing an additional antivirus product. Microsoft therefore decided to plough billions into making Windows not need antivirus software by a) hardening the operating system itself, and b) making what was then called Windows Defender, but is now called Windows Security, actually a good product.

Third-party retail antivirus products are, as a result, mostly junk and exist mainly to allow the retailer to make more money. Most antivirus products have now got ridiculously bloated, offering a whole bunch of additional features that no one really needs. As a result, I have been diligently telling my customers to uninstall any retail antivirus that they buy and rely on Windows Security. This approach makes their IT simpler, and cheaper.

(This comes with the caveat that Windows needs to be patched and kept up-to-date, that they use strong passwords with a password manager like LastPass, and that they abhor email attachments or links unless they absolutely know that they are trusted, lest their business ends up leaking personal information leading to reputational damage and fines from the ICO.)

However, I am now modifying this advice…

Retail antivirus is, sadly, junk, but enterprise antivirus – the type of antivirus that an organisation with 10,000 users buys – is not. This type of antivirus product – called “endpoint protection” – is worth having, or rather, given the cost, it's crazy not to have it. This type of software can more properly be thought of as security software. The use of the noun "endpoint" means that it covers desktop and laptop computers, as well as mobile devices.

One of the things I encourage my customers to work towards is Cyber Essentials. This is a government-backed scheme, the principle of which is that the government wants to invest in making sure that businesses within the UK are protected against all sorts of crime, including cybercrime. Cyber Essentials looks to train decision makers within businesses to consider their information security in the same way they consider their physical security. (For example, most business owners would intuitively understand the value of monitoring their car park with CCTV, but might not see the value in changing the default password on their broadband router.) Antivirus is part of Cyber Essentials, although Windows Security within Windows 10 is good enough for Cyber Essentials.

What is missing from relying on Windows Security within the SME is the aspect of intentionality. An enterprise endpoint protection solution within the context of an SME is like having insurance as well as taking the “physical” security of the business seriously – you wouldn’t just rely on the locks to your office, you’d have insurance against theft as well.

My recommendations are to look at products from Bitdefender, F-Secure, and Sophos.

By Matthew Reynolds