Is an antivirus and a firewall enough for the average SME?

Large companies often spend millions on cybersecurity — but is that something SMEs necessarily need to invest a large chunk of their resources into?
2 November 2018

Do you have the right cybersecurity for your business? Source: Shutterstock

When we speak of an SME, we’re speaking of someone whose business employs about 50-odd people and brings up to a US$100 million (or EUR100 million) in revenues.

That definition is important when you’re trying to figure out if an antivirus and firewall will suffice as the business’ only line of defense. But it’s equally important to talk about what kind of business you’re operating.

If it’s a technology-heavy business, irrespective of size and scale, they’ll need to be smart about how they secure their data and overall IT infrastructure.

A fintech company, for example, or a niche digital marketing agency handling a slice of the ad budget for a select group of Fortune 500 companies. They’re going to need strong cyber defense.

However, SMEs in other industries such as manufacturing and transport, those providing accounting and facilities management services — they’re the guys that tend to wonder whether they need to spend a couple hundred thousand on cybersecurity services — and if yes, which ones.

Most tend to believe that a good antivirus and a firewall are enough to protect their business. Are they right? Let’s find out.

Understanding antivirus and firewalls

An antivirus is just a software that is used to protect users from being infected by a virus. How do most users get a virus? Well, usually from files downloaded from the internet, and via email.

While antivirus software is fairly straightforward to understand, and it’s easy to envision how such a solution can protect businesses, let’s explore firewalls now — in a little more detail.

A firewall, in their simplest form, is a solution that helps companies monitor incoming and outgoing traffic to its network and determines (based on a set of rules) whether to allow or block that traffic.

How does this help? Say you’re a business that only does business here in the United States and doesn’t serve or supply to customers in Russia and Vietnam, maybe it’s a good idea to use a firewall and block all traffic to your website and network that originates from anywhere outside the US.

If you’re an SME, it’s quite likely that you’ll be operating in one geography, serving a small market — which makes the simplest firewall solution your best friend.

Alright, we’ve established that an antivirus and a good firewall protection solution is important for your business.

But the question was: Are the two enough?

Well, most experts will say that a good antivirus software whose virus definition files you keep up to date, on a machine whose patches you install immediately, is already half the battle won.

Further, if you look at the threat reports issued by some of the most popular antivirus vendors, you’ll realize that the biggest problem areas are malware and ransomware — both of which can be prevented with a good antivirus.

Next, targeted cyber attacks on SMEs such as local manufacturers supplying to the US (and maybe Canada) and regional service providers are quite unlikely as the business doesn’t tend to collect and store too much data about its customers.

Accounting probably happens on a SaaS platform and the company probably also runs SaaS-based project management software — both of which are protected by their respective providers — and they are cloud-based vendors who are probably spending a lot on their cybersecurity.

If the company has a server for some custom built applications or to support internal functions, a firewall should suffice, provided rules are carefully set up to pick up and block all malicious and harmful traffic.

Although many experts speaking on the subject agree with the conclusion we’ve drawn — for the kinds of SMEs we defined at the start, they also emphasize that education and awareness about safe online practices is the first line of defense for every business.

Employees, after all, can make or break an organization’s cybersecurity measures, no matter how sophisticated they are.