Cyber threats are constantly evolving, and for small and medium-sized enterprises (SMEs), staying secure can pose a serious challenge. From cloud complexities to AI-powered scams, the risks are growing – and so is the pressure to keep up.
Techopedia spoke with Dr. Chuck Easttom, a leading cybersecurity expert with decades of experience, to get practical, no-nonsense advice on how companies can protect themselves in 2025 and beyond.
Key Takeaways
- Continuous exposure management is essential – security must be ongoing, not periodic.
- Don’t assume your cloud provider handles everything; verify their security measures.
- AI is advancing both defenses and attacks – staying ahead means constant vigilance.
- Zero trust is a strong foundation, but not a silver bullet; layered defense is still critical.
- Antivirus selection should be based on real performance data, not just brand familiarity.
- Training and awareness, especially regarding the limitations of specific tools, are crucial in preventing breaches.
About Dr. Chuck Easttom
Dr. Chuck Easttom is the author of 42 books, including several on computer security, forensics, and cryptography. He is also an inventor with 26 patents and the author of over 70 research papers.
Easttom holds a Ph.D. in computer science, a Ph.D. in Nanotechnology, a Doctor of Science in Cybersecurity, and three master’s degrees (one in applied computer science, one in education, and one in systems engineering).
He is a senior member of both the IEEE and the ACM, and also a Distinguished Speaker of the ACM and a Distinguished Visitor of the IEEE.
Dr. Easttom is currently an adjunct professor at Georgetown University and Vanderbilt University.
Why “Continuous” Security Really Means All the Time
Q: Do you think that most companies understand the importance of continuous exposure management?
A: Some companies are doing a good job in that area, but when we say continuous exposure, I think people don’t realize just how interconnected their systems are and how many points of contact there are.
If you have a corporate network, you’re thinking about your servers, firewalls, etc., but you also need to think about all the end users using personal devices. Think about the number of IoT devices or smart devices. You may have company vehicles that have IP systems, for example. Are you securing those?
Security can’t be something you do at certain points in time. The word ‘continuous’ is used for a reason. We have to be managing and thinking of all the vulnerabilities that need to be patched in a small network all the time – that’s every operating system and every piece of software that you’ve got.
These days, we have chips and systems that we don’t even think about. I have a smart refrigerator that needs to be updated. These are issues that people aren’t thinking of and thus require continuous management.
There are tools out there to help, but you first have to be aware of how important it is before you even start investigating those tools.
Cloud Providers Aren’t a Free Pass, Here’s Why
Q: With cloud computing uptake, what should businesses be doing to protect their increased “attack surface”?
A: Unfortunately, many business owners just assume that the cloud service provider is handling it for them. Some things are the responsibility of private providers, but others are not.
Beyond that, though, are you certain that the provider is doing their job?
Too often, when people look at a cloud provider, they’re looking for the features and the price. I’d like to know more about their security.
There is a wide range of cloud standards out there. For example, the US has NIST SP 800-144. But I want to be clear – I don’t think standards are the end of security. It’s a baseline to start with.
Business owners should, at least, consult the major cloud security standards and compare them to their provider’s offering, ensuring that both their and their provider’s responsibilities are met at least to the level of the standard. Just because you’ve achieved compliance with a standard does not mean you’re done and you’re secure.
I tell my students that if I could magically imbue them with all knowledge of cybersecurity right now, it’s only going to serve them for a short period of time.
You’re going to need to add to that knowledge as the number of new attack vectors coming out is just astounding. And if you’re not keeping pace with that, you’re going to be vulnerable to some new way of attacking.
AI Is A Double-Edged Sword – Stay Vigilant
Q: What impact will machine learning and AI have on antivirus development in the next few years?
A: Almost everyone I consult with – from government agencies to companies – is asking me about artificial intelligence (AI). We have defensive uses for AI in intrusion detection systems, but we’re also already seeing the bad guys embrace AI.
It’s already been found that these large language models – similar to ChatGPT – actually develop better phishing emails than human beings. There was a case where a person was fooled into a business email compromise, where they transferred money to the wrong entity. They were on a Zoom call and did not realize the other participants were deepfakes.
They thought they were speaking to an executive who was telling them to transfer the money.
The innovation is going to continue. But frankly, the good guys need to not be so reactive. Let’s not wait until someone has done something bad. There are cybersecurity researchers who just sit around and try to come up with new attacks, not to execute them but in order to come up with a defense.
I tell professionals all the time – the best thing you can do is look at your system and ask yourself the question with all the inside knowledge you have, how could you misuse the system? Then, at least fix those vulnerabilities.
Zero Trust: Strong Foundation, Not a Magic Fix
Q: Is a zero-trust approach the best line of defense?
A: It certainly must be embraced, and there’s simply no question about that. There are so many standards out there to help you with this. The US Department of Defense even has a reference architecture.
My only issue with zero trust is that people in the cybersecurity world keep looking for a holy grail. They believe that if we deploy zero trust, we will be perfectly fine. That’s not true. Just a short while back, people said that if we had two-factor authentication, we would be good.
Zero trust should be the foundation of your security. That doesn’t mean that once you’ve implemented it, you’re done.
It does get more difficult to implement for smaller businesses. Fortunately, there are so many automated tools. However, there’s always going to be a trade-off between ease of use and security. I can make a system incredibly secure, but you wouldn’t want to use it as it would be too difficult.
On the other hand, I can make it terribly easy to use, and a child could break into it. Each organization is going to have to find the sweet spot for them.
You need to always ask yourself the basic question: What would be the impact on my business if there was a breach? If you can live with that impact, then you’re doing enough security. But just be aware that there are now compliance rules.
The EU already has them in place, and US states like California are following. If you’re breached and you didn’t have appropriate security, you can be fined. This fine could wind up being much more expensive than the cost of security.
It’s always shocking to me how many businesses are not doing the basics, and this doesn’t come to light until there is an audit.
Aside from all the costs to the business of a breach, I think we have an ethical responsibility. If we’re going to take someone’s data because we need it for whatever purpose, we have to protect it.
“A Silly Little Arms Race That Has No End”
Q: The chief technology officer at Neohapsis, Greg Shipley, described the relationship between antivirus companies and virus writers as “a silly little arms race that has no end.” Do you agree?
A: I agree that there’s an arms race that will never come to an end. I don’t know if I would call it silly because it’s very serious. It’s very similar to nation states that are rivals, constantly trying to outdo each other.
We are often on the defensive side, which used to have more resources, but now we are up against hacker gangs and groups that the authorities in certain countries don’t do anything to stop. It’s a race that is not showing any signs of abating.
Choosing Antivirus: Avoid the Familiarity Trap
Q: As an SME owner, how do you pick an option when the array of antivirus packages seems overwhelming?
A: Unfortunately, most people are simply going to pick whatever they know when it comes to choosing the antivirus software for their needs. There’s a reason why antivirus people want their product on your computer when you buy it. Most people will then just go ahead and pay for the subscription and keep it running.
What I’m not seeing people do is independent studies comparing antivirus options. Instead, they’re relying on marketing data. I’m not trying to impugn anyone’s integrity, but marketing people will focus on the positive and gloss over the negative.
If you take any two major antivirus options, you’re going to be hard pressed to find a comparative study that shows which one actually does better.
I would recommend if you have the time, at least think about what your major issues are and see if you can find some data about whether the product you are tending towards is indeed a better product.
Match Your Cybersecurity to Your Business Needs
Q: What aspects of your business are the most important when selecting the nature and level of the protection you need?
A: For every business, you start by looking at the type of data you’re securing and the type of connections you have. For example, if you’re talking about a university setting, you have such a diverse population of users.
You have highly technical engineering graduate students, and you have English professors who barely know how to log into their email! You need to think about who is interacting with your system.
Cost will always be an issue. I hate to say that because I don’t want everything to come down to dollars and cents, but every organization has a finite budget.
Antivirus Training: What Your Team Needs to Know
Q: Do companies provide training on their antivirus packages, or is this something business owners need to provide themselves?
A: I would be more interested in the employees knowing what their antivirus package can’t do, and therefore what they have to be aware of. It’s amazing how many breaches are still happening because someone opened an attachment.
Your tech team definitely needs training. For example, Microsoft Defender comes pre-installed with Windows and offers an option to set up folders for monitoring, ensuring that no changes can be made to that folder without your approval.
This prevents ransomware from encrypting that folder. I have talked to Windows administrators, who were surprised to hear that that was a feature.
Education is always going to be the key. In cybersecurity, it’s a continuous thing. You don’t go to school, learn, and we’re done. There’s always more to learn.
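The Defender feature described in the answer above is Controlled Folder Access, the ransomware-protection setting that blocks unapproved applications from modifying protected folders. The following PowerShell session is an added example, not something Dr. Easttom or Techopedia supplied: it rolls the feature out the way an administrator would, starting in audit mode, adding a folder and a trusted application, checking the Defender event log, and then switching to enforcement. The folder path and application path are placeholders; everything else uses the standard Defender cmdlets.

```powershell
# Added example (not from the article): enable Microsoft Defender
# Controlled Folder Access and protect a business folder.
# Run in an elevated PowerShell session on Windows 10/11 with Defender active.
# Both paths below are placeholders; substitute your own.

$protectedFolder = 'C:\CompanyData\Finance'                   # placeholder path
$trustedApp      = 'C:\Program Files\LineOfBusiness\app.exe'  # placeholder path

# 1. Start in audit mode so legitimate applications that would be blocked
#    show up in the event log before enforcement is turned on.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 2. Add the folder to the protected list. Default user folders such as
#    Documents and Pictures are already covered; this extends the list.
Add-MpPreference -ControlledFolderAccessProtectedFolders $protectedFolder

# 3. Allow a known-good application that legitimately writes to that folder,
#    so it is not reported (audit) or blocked (enforce).
Add-MpPreference -ControlledFolderAccessAllowedApplications $trustedApp

# 4. Review what audit mode recorded. Event ID 1124 is an audited write that
#    would have been blocked; 1123 is an actual block once enforcing.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# 5. Once the audit log shows no false positives, switch to enforcement.
Set-MpPreference -EnableControlledFolderAccess Enabled

# 6. Confirm the resulting configuration.
Get-MpPreference |
    Select-Object EnableControlledFolderAccess,
                  ControlledFolderAccessProtectedFolders,
                  ControlledFolderAccessAllowedApplications
```

Running in audit mode first matters for the trade-off the interview keeps returning to: switching straight to enforcement can break line-of-business software that writes to the folder, and the 1124 events tell you exactly which executables to whitelist before that happens. Re-checking the 1123 events after enforcement is also a cheap detection signal, since a burst of blocked writes from an unfamiliar process is what a ransomware attempt looks like from the defender's side.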
Free Antivirus? Maybe, But Know the Risks
Q: Are free antivirus programs acceptable in a business setting? Should you always opt for an antivirus package that comes with support?
A: For very small businesses, budget is probably king there. There are some good free antivirus packages out there. Malwarebytes does a pretty good job. The problem with the free packages is that they are getting updated frequently enough. Some are also difficult to configure.
If you don’t know what you’re doing, you’d probably actually save money by buying a commercial package, because it sets up with a quick GUI interface. For most companies of any size, you probably want something that’s got more support, regular updates, and some guarantees.
The Bottom Line
Cybersecurity isn’t a one-time checklist – it’s a continuous process. For SMEs, the key is awareness, smart tool selection, and consistent education.
As Dr. Easttom puts it, if you’re going to take someone’s data, you have an ethical (and increasingly legal) responsibility to protect it.