Why Your Business Needs More Than Antivirus in 2026

If your entire security strategy is an antivirus subscription, you're bringing a butter knife to a gunfight. Here's what the real threat landscape looks like — and what actually protects you.

I've been in this industry for over 30 years. When I started out, antivirus software really was enough. The threats were mostly clunky viruses that spread on floppy disks. You installed Norton or McAfee, it scanned your files, it caught the bad stuff. Done.

That world is gone. It's been gone for a long time. And yet when we sit down with a new client and ask about their security, "we have antivirus" is still one of the most common answers we hear. Sometimes said with genuine confidence, as if that settles the matter.

It doesn't settle the matter. Not even close.

Antivirus is like locking the front door of your business and calling your security done. It's a good start. It's not a strategy. Modern attacks don't knock on the front door — they come through the employee entrance, the loading dock, the second-floor window you forgot to latch. And they often don't look like anything your antivirus has ever seen before.

Let's talk about what the actual threat landscape looks like in 2026, and what a real security approach for a small business includes.

Why Antivirus Stopped Being Enough

Traditional antivirus works on signatures. It keeps a database of known malware, compares files against that database, and flags matches. That works great for threats that have already been identified and catalogued. The problem is that attackers know this, and they've spent two decades engineering around it.

Here's what modern attacks actually look like:

Fileless malware. Attacks that never write anything to disk. They run entirely in memory, using legitimate Windows tools like PowerShell or WMI. There's no file for your antivirus to scan. Nothing shows up as suspicious because nothing was ever saved anywhere. These attacks have been around since 2017 and are now extremely common.

Zero-day exploits. Attacks that take advantage of vulnerabilities that haven't been publicly discovered yet — or that were just discovered and the patch hasn't been released. By definition, no antivirus signature exists for them yet.

Credential theft and account takeover. Your antivirus has no idea whether the person logging into your Microsoft 365 account at 2 a.m. from an IP address in Eastern Europe is you or an attacker. That's not what antivirus is built to detect.

Phishing leading to ransomware. Someone on your team gets a convincing email, clicks a link, enters their password on a fake Microsoft login page. Now the attacker has valid credentials. They log in, lurk, and at some point deploy ransomware that encrypts everything. Your antivirus might catch the ransomware payload if it's a known variant. It almost certainly won't catch the attacker quietly wandering your network for weeks beforehand.

The bottom line: antivirus catches old, known, file-based threats. Modern attacks are often new, unknown, and fileless. The tool and the threat are no longer matched.

What a Real Security Stack Looks Like for a Small Business

We're not here to tell you to buy seventeen different security products. Most small businesses don't need enterprise-grade complexity. But there are a handful of layers that every business — regardless of size — should have in place. Here's what we actually recommend and why.

1. Multi-Factor Authentication (MFA) on Everything

If you do nothing else on this list, do this. MFA means that even if an attacker steals your password, they still can't get in without that second factor — usually a code from your phone. Microsoft estimates that MFA blocks over 99% of automated account compromise attacks. That's not a typo.

Enable it on your Microsoft 365 accounts, your email, your banking, your cloud storage, your remote access tools. Every account that matters should have MFA. This is free or near-free on most platforms, takes an afternoon to roll out, and is probably the single highest-leverage security action you can take. We wrote a whole post on this: MFA Explained.

2. Endpoint Detection and Response (EDR)

This is the modern replacement for traditional antivirus. EDR tools don't just scan for known malware signatures — they monitor behavior. They watch what processes are doing, what files they're touching, what network connections they're making. If something starts behaving like ransomware (rapidly encrypting files, for example), the EDR can stop it and alert you, even if it's a brand-new variant that's never been seen before.
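To make "monitoring behavior" concrete, here is an added sketch (not taken from any EDR product) of the ransomware rule described above: it ignores what the program is and flags any process that rewrites many files with encrypted-looking data in a short window. The thresholds, process names and events are constructed assumptions.

```python
import math
from collections import Counter, defaultdict, deque

WINDOW_SECONDS = 10      # assumed sliding window
MAX_FILES = 5            # assumed: distinct high-entropy files allowed per window
ENTROPY_BITS = 7.0       # assumed cutoff; encrypted output approaches 8.0 bits/byte

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def detect_mass_encryption(events):
    """events: (timestamp, process, path, bytes_written) tuples in time order.
    Flags a process that writes high-entropy data to more than MAX_FILES
    distinct files inside WINDOW_SECONDS, whatever the binary's hash is."""
    recent = defaultdict(deque)          # process -> deque of (timestamp, path)
    flagged = set()
    for ts, proc, path, data in events:
        if shannon_entropy(data) < ENTROPY_BITS:
            continue                     # ordinary document or text write
        window = recent[proc]
        window.append((ts, path))
        while ts - window[0][0] > WINDOW_SECONDS:
            window.popleft()             # drop writes older than the window
        if len({p for _, p in window}) > MAX_FILES:
            flagged.add(proc)
    return flagged

# Constructed sample telemetry (process names and paths are made up).
RANDOM_LIKE = bytes(range(256)) * 4      # entropy 8.0, stands in for ciphertext
PLAIN_TEXT = b"Quarterly report draft. " * 40
SAMPLE_EVENTS = sorted(
    [(i * 3.0, "notepad.exe", f"C:/docs/notes{i}.txt", PLAIN_TEXT) for i in range(8)]
    # A compression tool also writes high-entropy data, but only to a few files.
    + [(1.0 + i * 20, "7z.exe", f"C:/backup/set{i}.7z", RANDOM_LIKE) for i in range(2)]
    + [(30.0 + i * 0.5, "unknown.exe", f"C:/docs/file{i}.docx", RANDOM_LIKE) for i in range(8)],
    key=lambda e: e[0],
)

if __name__ == "__main__":
    print(detect_mass_encryption(SAMPLE_EVENTS))
```

Only the process that rewrites eight files in under four seconds is flagged. The text editor and the compression tool are not, which is why the rule counts distinct files instead of reacting to a single high-entropy write.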

Good EDR for small businesses doesn't have to be expensive. Tools like Malwarebytes for Teams, Huntress, or SentinelOne offer solid protection at price points that make sense for businesses with 10-50 employees. We're generally recommending Huntress to our managed clients right now because it's designed specifically to be monitored by a human security team, not just algorithms.

3. DNS Filtering

DNS filtering is one of the most underutilized, cost-effective security controls out there. When someone on your team clicks a link — whether in an email, a website, or a document — their computer first has to look up the domain name. DNS filtering intercepts that lookup and checks it against lists of known malicious domains. If the site is on the list, the connection is blocked before it ever loads.

This stops a huge percentage of phishing sites, malware distribution sites, and command-and-control servers cold. Services like Cisco Umbrella or Cloudflare Gateway can be deployed in 15 minutes and cost next to nothing for a small business. It's one of the best security investments relative to its cost.
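The lookup check described above, as an added example (not code from Cisco Umbrella, Cloudflare Gateway or any other service). The blocklist entries, the sinkhole answer and the stub upstream resolver are constructed assumptions.

```python
BLOCKLIST = {"login-micros0ft.example", "malware-cdn.example"}  # constructed entries
SINKHOLE = "0.0.0.0"  # assumed block answer; real services may return a block page IP

def normalize(name: str) -> str:
    """Lower-case and strip the trailing root dot so equivalent names compare equal."""
    return name.strip().rstrip(".").lower()

def blocked_by(name: str, blocklist=BLOCKLIST):
    """Return the blocklist entry covering name, or None.
    Matching walks whole labels, so a listed domain also covers its subdomains
    but not an unrelated name that merely ends with the same characters."""
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None

def resolve(name: str, upstream):
    """Filtering resolver: sinkhole blocked names, forward everything else."""
    hit = blocked_by(name)
    if hit:
        return {"name": name, "answer": SINKHOLE, "blocked_by": hit}
    return {"name": name, "answer": upstream(name), "blocked_by": None}

# Constructed upstream: a stub standing in for the real recursive resolver.
STUB_ZONE = {"www.example.org": "192.0.2.10", "notmalware-cdn.example": "192.0.2.20"}

def stub_upstream(name: str) -> str:
    return STUB_ZONE.get(normalize(name), "NXDOMAIN")

if __name__ == "__main__":
    for q in ["www.example.org", "CDN1.Malware-CDN.example.",
              "notmalware-cdn.example", "login-micros0ft.example"]:
        print(resolve(q, stub_upstream))
```

A domain that is not yet on any list resolves normally, so the filter is only as good as the feed behind it. That is why it sits alongside the other layers instead of replacing them.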

4. Email Security Beyond the Basics

Most email systems, including Microsoft 365, include basic spam filtering. That catches the obvious junk but misses a lot of sophisticated phishing. Layering on additional email security — like Microsoft Defender for Office 365 Plan 1, which comes with the Business Premium license — adds sandboxing for attachments (they get opened in a safe environment before they reach your inbox), link scanning, and anti-impersonation protection.

If your team is on Microsoft 365 Business Basic or Standard, upgrading to Business Premium is often the single highest-value licensing change a small business can make from a security standpoint. You get Defender for Office 365, Intune for device management, and Azure AD Premium — all for a few extra dollars per user per month. Worth it.

5. A Real Firewall

That $60 router from Best Buy is not a firewall. It does network address translation, which gives basic protection, but it has no ability to inspect traffic, block suspicious outbound connections, or alert you when something on your network is trying to phone home to a command-and-control server.

A proper business-grade firewall — whether that's a Fortinet FortiGate, a pfSense-based appliance, or a Ubiquiti solution — can do all of that. It can also segment your network so that your guest WiFi doesn't have access to your file server, and your security cameras can't communicate with your point-of-sale systems. Network segmentation alone closes off a huge class of lateral movement attacks.

6. Tested, Offsite Backups

This isn't strictly antivirus vs. not antivirus, but it belongs in any honest conversation about security. Ransomware is still the most common way small businesses lose significant money to cyberattacks. The best defense against ransomware, once everything else has failed, is a clean, tested backup that isn't connected to your network.

The keyword is tested. We've written about this before — backups that have never been restored are an unknown quantity. You need to know they work before you need them. The 3-2-1 rule is your baseline: three copies of your data, on two different types of media, with one stored offsite or in the cloud.

Small Businesses Are Targeted on Purpose

One of the most persistent myths we encounter is "we're too small to be a target." This used to be roughly true. It is not true anymore.

Modern ransomware is largely automated. Attackers don't manually pick which businesses to hit — they run scans across huge IP ranges, looking for vulnerable systems. If your firewall has a known unpatched vulnerability, your RDP port is exposed to the internet, or your Microsoft 365 account doesn't have MFA, you will eventually show up in someone's scan results. Your size doesn't factor into the equation. Your vulnerability does.

The Verizon Data Breach Investigations Report has consistently shown that small businesses make up roughly 46% of all breach victims. Not because attackers have a particular grudge against small businesses, but because small businesses are statistically more likely to have the configuration weaknesses and security gaps that make opportunistic attacks succeed.

The good news is that most of what attackers are exploiting is fixable. MFA closes off a huge chunk of account compromise. A real firewall eliminates exposed services. Email filtering kills phishing before it reaches your team. DNS filtering stops malware from communicating even if something slips through. These aren't exotic measures — they're table stakes, and they're well within reach for any business.

You Don't Have to Do Everything at Once

If reading through that list feels overwhelming, take a breath. You don't have to implement everything tomorrow. A reasonable security improvement plan prioritizes by impact and cost.

Start this week: Enable MFA on your Microsoft 365 accounts and any other cloud services your business uses. Free. High impact. No excuses.

Next 30 days: Evaluate your email security. If you're on Business Basic, price out Business Premium. Look at your DNS filtering options — Cloudflare Gateway has a free tier that covers the basics.

Next 90 days: Assess your endpoint protection. If you're running stock Windows Defender or a traditional antivirus, evaluate EDR options. Look at your firewall and network segmentation situation. Check your backup strategy — when was the last time you actually restored from a backup to verify it works?

The goal isn't a perfect security posture overnight. The goal is to make your business a significantly harder target than it was before — hard enough that opportunistic attackers move on to easier prey. You don't have to outrun the bear. You just have to outrun the person next to you.

If you want a clear picture of where you actually stand, our free cybersecurity guide walks through the essentials in plain English. Or just reach out — we're happy to do a quick assessment and give you an honest read on your current setup, no strings attached.
