James Bore: How SMEs Can Tackle Cyber Risks in 2025

Small businesses are under constant threat – not just from cybercriminals, but from a false sense of security. Techopedia asked James Bore, a seasoned security consultant and SME owner, to offer actionable advice that doesn’t rely on buzzwords or bloated security packages.

From antivirus myths to cloud misconceptions and crisis readiness, Bore breaks down the security essentials every business owner should care about – but often overlooks. His take? Simpler is smarter, and preparedness beats perfection every time.

Key Takeaways

  • Most SMEs misunderstand continuous exposure management, treating security as a one-off task rather than an ongoing process.
  • Cloud providers secure infrastructure, but businesses are responsible for access controls and application-level security.
  • AI and machine learning have been part of antivirus tools for years; generative AI won’t drastically change that.
  • Zero trust is highly secure but often impractical for SMEs due to its complexity and maintenance demands.
  • Off-the-shelf antivirus solutions from reputable vendors are sufficient for most small businesses.

About James Bore

James Bore, Managing Director and Principal Consultant at Bores Group

James Bore is a Chartered Security Professional and consultant focusing on security and technology. He runs a second-generation family business, which was founded in 1988 and provides advisory and support services in those areas, along with being the Managing Editor of Security Blend Books, a niche publishing company for the security industry.

Most Firms Still Treat Security as a One-Time Task

Q: Why do many businesses struggle with ongoing security efforts?

A: Security is often seen as an exercise in ticking boxes rather than something that has to be done continuously.

I’ve noticed that teams will also often listen for a few weeks or months, but then everyone relaxes again. This happens even more if the person who talks about continuous exposure management isn’t embedded in the company.

The old attitude used to be that everything was an IT problem, and that someone else would take care of it.

Cloud Security Gaps Are Often the Customer’s Fault

Q: Where do SMEs usually fall short when using cloud services?

A: You’ve got to remember that it’s not the cloud providers’ problem to secure their systems and applications. They’re just securing the infrastructure underneath it.

They are providing the technical security, but that won’t cover, for example, the access management.

Business owners need to remember which bits they “own.” Many businesses appear to overlook this. There’s a reason cybercrime is going up.

AI in Antivirus Isn’t the Game-Changer People Expect

Q: Will generative AI transform how antivirus software works? 

A: Realistically, I don’t think much.

Machine learning (ML) and artificial intelligence (AI) have been embedded in antivirus offerings for years, including some behavioral analytics.

There may be some development, but generative AI isn’t that important for the type of learning that antivirus software needs to do.

Zero Trust Rarely Fits SME Resources or Structure

Q: What makes zero trust difficult for smaller companies to adopt?

A: A zero-trust approach is probably one of the most secure lines of defense, but this doesn’t necessarily mean it’s the best.

It brings with it a lot of administrative and technical burdens. If systems become unusable, it doesn’t matter if they’re secure or not. It ultimately has to be a risk management decision.

Realistically, I don’t see zero-trust happening in the SME landscape, as it’s just too big to implement.

Malware Defense Will Always Be a Moving Target

Q: Why is antivirus protection an endless cycle of catch-up?

A: It’s frustrating for companies because they must feel like they’re constantly having to iterate, but that’s just the nature of the beast.

It is down to companies to put up the defences that are sensible and be prepared for failure. That’s the biggest pointer. Be ready for things to go wrong so that you can recover.

Prepackaged Security Tools Are Fine for Most Small Teams

Q: How can SME leaders choose between standard and custom antivirus tools?

A: They don’t necessarily need to be looking at the tailored options. Most off-the-shelf options from reputable companies are as good as each other. The differences between them are minor.

Tailored options are ideal, but it will be an issue of economies of scale. Similar to zero trust, having a dedicated security team that can manage your antivirus and endpoint detection and response becomes worthwhile, especially if you opt for an enterprise package that provides real-time analytics.

If you’ve only got a few dozen people in your business, you will not have that security team. You need something that’s good enough, and off-the-shelf options will cover 90% of what you need.

Security Spending Should Match Business Priorities

Q: Which factors should guide your cybersecurity budget?

A: It is the critical aspects that you need to look at. Business owners need to ask themselves, “What do we do when things go wrong? How do you prepare for it?”

You should look at whether there are areas of the business that, if they break, you don’t have a business anymore. If you have a remote workforce as opposed to an onsite team, there will be different focuses.

If it’s a minor aspect of the business, you might be able to survive for, perhaps, a month.

A key area is backups. Go through all of the systems you use and consider what you would do if they fail. How would you keep operating? How would you recover or switch over to other systems?

Sit down and do tabletop exercises or get someone in to run them for you.

Business continuity planning, disaster recovery, and incident management exercises are how you prepare for when things go wrong. They also provide a degree of stress inoculation so that in a crisis, it’s easier for everyone to stay calm.

Training Should Vary With Company Size & Setup

Q: How much employee training should SMEs plan around antivirus tools?

A: Enterprise-level companies and providers will provide training logs to the security team for them to read the analytics. For business owners, that’s not necessarily relevant. For most of the commodity packages – the ones you just fire up and forget – you can leave them running. Training is pretty minimal with those.

For some options, there will be configuration demands. For example, if you are using Defender with Office 365, there are some extra things you can do. There is training available there, but it’s usually self-driven.

Company owners should educate their employees about common attack methods. Antivirus packages don’t have much to do with the actual nature of attacks, but much more with what happens after the initial contact.

I would say that 70-90% of the time, attacks target humans using some form of deception. The antivirus might stop that from going further, but it won’t prevent that initial attack.

Most people who provide cyber insurance will provide some very basic training, too. There are other training options, which range from basic online PowerPoint presentations that you click through to fully interactive setting labs. It’s picking what’s most appropriate for your business. That’s going to come down to time and resources.

Free Security Software Comes With Trade-Offs

Q: When is it acceptable for businesses to rely on free antivirus programs?

A: There will be options that companies might find on the internet and think that this solves a problem; they are drawn by the fact that they don’t have to pay for it.

This is just a desperate act in the hope that it might serve them. That said, there are some good free options, although they make their money in other ways. If it’s from a reputable company, they likely generate revenue by using their free programs for personal use to capture samples, which then enable them to analyze data and gather more data points for their enterprise options. Others will install unwanted software that advertises all sorts of other things to you.

For SMEs, built-in antivirus programs are perfectly acceptable. They are not free because you’re paying for them as part of the operating system package.

The Bottom Line

For SMEs, cybersecurity isn’t about chasing the latest tech; it’s about understanding your risks, preparing for failure, and choosing tools that are good enough, not overengineered.

With the right mindset and basic protections, even small teams can remain resilient and effectively navigate the growing threats.

Katie Scott
Industry Expert

Katie has been a journalist for more than twenty years. After graduating from Oxford University, her career began at the world's oldest photography magazine. She moved into the world of gadgets before becoming News Editor on Wired.co.uk. Her last interview there was with David Attenborough whilst drinking tea in Kew Gardens. A stint in Hong Kong followed where she profiled the startup scene in 25 Asian cities for Cathay Pacific’s inflight magazine. Now back in the UK, she writes for a spread of titles including Breathe, Happiful and Stylist, as well as tackling everything from FinTech innovation to cultural heritage…
