Why Free Antivirus Isn’t Enough Anymore: Small Business Endpoint Security in 2026

If you’re running a small business with Windows Defender on every machine, or a free antivirus tool you installed years ago, you’re not doing nothing. You’re doing what most small businesses do. And the people selling you “next-generation” security have a financial interest in making you feel foolish about it.

So let’s start fair. Free and built-in antivirus tools work. They catch known malware. They’ve gotten genuinely better over the past decade — Microsoft Defender in particular now includes behavior monitoring and cloud-delivered protection in its baseline, and it stops a meaningful percentage of garden-variety threats before they execute. If you have it on, it’s doing something useful.

The problem isn’t that it’s broken. The problem is that the attacks targeting small businesses in 2026 are specifically engineered to walk past it — and there’s no version of “more antivirus” that fixes the structural gap. Understanding what that gap actually is, in operational terms, is the difference between making a real decision about your security and just buying whatever the next vendor sells you.

What antivirus was built to do

Traditional antivirus works on signatures. When a new piece of malware appears in the wild, security researchers analyze it, extract a unique fingerprint — a hash of the file, a distinctive byte pattern, a specific string — and add that fingerprint to a database. Your antivirus downloads the updated database regularly, scans files against it, and quarantines anything that matches.

That model assumes two things. First, that malware is a file sitting on disk waiting to be scanned. Second, that the threat exists in the database before it reaches you — that someone, somewhere, has already seen this specific malicious file and written a signature for it.

Both assumptions used to be roughly true. In 2026, neither is.

How modern attacks get past signatures

The shift in attacker technique over the last several years isn’t subtle. CrowdStrike’s 2024 Global Threat Report found that 75% of detected attacks were malware-free — meaning the attacker never dropped a file the antivirus could scan in the first place.

What does malware-free look like in practice? An attacker logs into your Microsoft 365 account using a password they bought on a credential marketplace, sets up an inbox rule to forward your CEO’s emails to an external address, and waits for an invoice to come through. No file. No download. No signature to detect. The login looked like a login because it was a login — with valid credentials.

Or this: an attacker sends an employee a Word document. The document file itself carries nothing a signature would match. It contains a macro that, when enabled, runs PowerShell — a legitimate tool already on every Windows machine. PowerShell downloads a script directly into memory and runs it without ever writing a file to disk. This technique has a name in the security industry — “living off the land” — because the attacker uses tools that are supposed to be there. Your antivirus sees PowerShell running, which is normal, because PowerShell runs all the time.

Or this: the attacker buys access to a piece of malware that has been recompiled with subtle code changes specifically to produce a different hash than any known sample. The behavior is identical to known ransomware. The signature is brand new. Until someone catches it, analyzes it, and pushes an update, no signature-based tool will recognize it.

The Verizon 2024 Data Breach Investigations Report found that the use of stolen credentials has appeared in almost one-third of all breaches over the past 10 years, and that the median time for a user to click a phishing link after opening the email is 21 seconds. Signature-based antivirus has nothing useful to say about either of those situations. The credentials are valid. The click happens before any scanner can intervene.

What behavioral detection does instead

The category of tool that replaces traditional antivirus in a business context is called EDR — endpoint detection and response. The naming convention isn’t important. What it does is.

An EDR agent runs on each device and watches what processes actually do. Not what they are, what they do. When Microsoft Word opens, that’s normal. When Microsoft Word spawns PowerShell, which then opens an outbound network connection, which then attempts to read every file in the user’s Documents folder — that’s a sequence of behaviors that, in combination, almost never happens in legitimate work. The EDR flags the sequence, can kill the process chain, can isolate the device from the network, and generates an alert.

The mechanism is different from signature scanning in a way that matters. The EDR doesn’t need to have seen this specific malware before. It needs to recognize that this pattern of behavior — file encryption activity, lateral movement, credential dumping, command-and-control beacon — is what attacks look like. Behavioral detection works on attacks the world has never seen, because the techniques are constrained even when the code isn’t.

This is what changes day to day on a protected endpoint: instead of a scanner that wakes up periodically to check files against a list, a lightweight agent watches process behavior continuously and can intervene mid-attack. The workflow change for the user is essentially nothing. The workflow change for an attacker is significant — the techniques that bypass signatures don’t bypass behavior.
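To make the behavioral idea concrete, here is an added illustration (not code from the original post or from any EDR product) of the sequence rule described above, run over constructed process telemetry. The event shape, process names and thresholds are assumptions; a real agent sees far richer data, but the logic of scoring a chain rather than a file is the same.

```python
from collections import defaultdict
# Constructed sample telemetry as (timestamp, pid, ppid, image, event, detail). pid 300 is the chain
# from the text: Word -> PowerShell -> outbound connection -> Documents sweep. pid 400 is a benign
# backup script launched from Explorer that reads the same files and talks to a file server.
EVENTS = [
    (1, 100, 1, "explorer.exe", "spawn", ""),
    (2, 200, 100, "WINWORD.EXE", "spawn", "invoice.docm"),
    (3, 300, 200, "powershell.exe", "spawn", "-w hidden"),
    (4, 300, 200, "powershell.exe", "netconn", "203.0.113.10:443"),
    (5, 300, 200, "powershell.exe", "fileread", r"C:\Users\jane\Documents\q1.xlsx"),
    (6, 300, 200, "powershell.exe", "fileread", r"C:\Users\jane\Documents\payroll.xlsx"),
    (7, 300, 200, "powershell.exe", "fileread", r"C:\Users\jane\Documents\clients.docx"),
    (8, 400, 100, "powershell.exe", "spawn", "backup.ps1"),
    (9, 400, 100, "powershell.exe", "fileread", r"C:\Users\jane\Documents\q1.xlsx"),
    (10, 400, 100, "powershell.exe", "fileread", r"C:\Users\jane\Documents\payroll.xlsx"),
    (11, 400, 100, "powershell.exe", "fileread", r"C:\Users\jane\Documents\clients.docx"),
    (12, 400, 100, "powershell.exe", "netconn", "192.0.2.20:445"),
]
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
FILE_READ_THRESHOLD = 3  # distinct user documents read before it counts as a sweep (assumed)

def build_tree(events):
    """Map each pid to its parent pid and lower-cased image name."""
    parents, images = {}, {}
    for _, pid, ppid, image, _, _ in events:
        parents.setdefault(pid, ppid)
        images.setdefault(pid, image.lower())
    return parents, images

def has_office_ancestor(pid, parents, images):
    """Walk up the process tree (assumes pids are not reused within the window)."""
    while pid in parents:
        pid = parents[pid]
        if images.get(pid) in OFFICE_APPS:
            return True
    return False

def detect_office_to_lolbin_chain(events):
    """Return pids of LOLBins spawned under Office that both connected out and swept Documents."""
    parents, images = build_tree(events)
    netconns, doc_reads = defaultdict(int), defaultdict(set)
    for _, pid, _, _, kind, detail in events:
        if kind == "netconn":
            netconns[pid] += 1
        elif kind == "fileread" and "\\Documents\\" in detail:
            doc_reads[pid].add(detail)
    return [pid for pid, image in images.items()
            if image in LOLBINS and has_office_ancestor(pid, parents, images)
            and netconns[pid] > 0 and len(doc_reads[pid]) >= FILE_READ_THRESHOLD]
```

The benign backup script does everything the malicious chain does except descend from an Office process, which is why a rule on the combination, not on any single action, separates the two.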

The cloud surface your antivirus can’t see

Here’s the part of the problem most small business owners don’t realize exists. Your antivirus runs on your computers. Your business does not, anymore, run entirely on your computers.

If you use Microsoft 365 or Google Workspace — which nearly every small business does — a substantial portion of your attack surface lives in the cloud. Email, file storage, calendar, identity, app permissions. An attacker who compromises your M365 tenant doesn’t need to touch your computers. They log into the cloud directly using stolen credentials, often from a residential IP address using a normal browser, and your endpoint antivirus has no visibility into any of it.

The threats that live in this space are real and routine:

  • Business email compromise. An attacker takes over an executive’s mailbox, watches communication patterns for days or weeks, then injects a fraudulent wire transfer request at the right moment. The FBI’s Internet Crime Complaint Center reported that business email compromise resulted in over $2.9 billion in adjusted losses in 2023.
  • OAuth consent phishing. An attacker tricks an employee into granting a malicious app permission to read their mailbox or files. The “app” is the attacker. Once consent is given, no password is needed — the access persists through password resets and often through MFA, until someone explicitly revokes the token.
  • Inbox forwarding rules. After compromising a mailbox, attackers commonly add a hidden rule that forwards specific emails to an external address. The user sees their normal inbox. The attacker sees everything that mentions invoices, wires, or banking.

None of this is visible to an antivirus product running on a laptop. Detecting it requires a different kind of monitoring — log collection from the cloud tenant itself, watching for anomalous sign-ins, suspicious mailbox rule creation, unexpected OAuth grants, impossible-travel patterns. This is a separate layer from endpoint protection, and most small businesses have nothing covering it at all.
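As an added example (not the post's or any vendor's code), here is the kind of review a tenant-log monitor applies to the two cloud patterns above, hidden forwarding rules and risky OAuth consents. The records are constructed, and their field names are a simplified stand-in for Microsoft 365 unified audit log entries, not the real schema.

```python
import re
# Constructed: the tenant's own mail domains; any other domain counts as external.
TENANT_DOMAINS = {"example.com"}
FINANCE_WORDS = re.compile(r"\b(invoice|wire|payment|bank|ach)\b", re.I)
MAIL_SCOPES = {"Mail.Read", "Mail.ReadWrite", "MailboxSettings.ReadWrite", "offline_access"}
# Constructed sample records. Field names are a simplified stand-in for Microsoft 365
# unified audit log entries, not the real schema; map them to your own export.
RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "cfo@example.com",
     "Parameters": {"Name": ".", "SubjectContainsWords": "invoice;wire",
                    "ForwardTo": "collector@mail.example.net", "DeleteMessage": "True"}},
    {"Operation": "New-InboxRule", "UserId": "jane@example.com",
     "Parameters": {"Name": "Newsletters", "From": "news@example.com",
                    "MoveToFolder": "Newsletters"}},
    {"Operation": "Consent to application.", "UserId": "bob@example.com",
     "Parameters": {"AppDisplayName": "PDF Viewer Pro", "PublisherVerified": False,
                    "Scopes": "Mail.ReadWrite offline_access"}},
    {"Operation": "Consent to application.", "UserId": "bob@example.com",
     "Parameters": {"AppDisplayName": "Microsoft Teams", "PublisherVerified": True,
                    "Scopes": "User.Read"}},
]

def is_external(address):
    return address.rsplit("@", 1)[-1].lower() not in TENANT_DOMAINS

def review_inbox_rule(p):
    """Heuristics for the hidden-forwarding pattern described in the text."""
    reasons = []
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        if key in p and is_external(p[key]):
            reasons.append(f"{key} points at external address {p[key]}")
    if p.get("DeleteMessage") == "True":
        reasons.append("deletes matching mail so the owner never sees it")
    if FINANCE_WORDS.search(p.get("SubjectContainsWords", "")):
        reasons.append("filters on finance keywords")
    return reasons

def review_consent(p):
    """Flag mailbox-reading scopes granted to an app from an unverified publisher."""
    risky = set(p.get("Scopes", "").split()) & MAIL_SCOPES
    if risky and not p.get("PublisherVerified", False):
        return [f"unverified app {p['AppDisplayName']!r} granted {sorted(risky)}"]
    return []
REVIEWERS = {"New-InboxRule": review_inbox_rule, "Consent to application.": review_consent}

def triage(records):
    findings = []  # (user, operation, reasons) for every record an analyst should look at
    for r in records:
        reasons = REVIEWERS.get(r["Operation"], lambda p: [])(r["Parameters"])
        if reasons:
            findings.append((r["UserId"], r["Operation"], reasons))
    return findings
```

Only the CFO's forwarding rule and the unverified mail-reading app surface; the newsletter rule and the verified first-party consent pass, which is the noise filtering an analyst otherwise does by hand.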

Why the human layer is the part that actually matters

Suppose you have a real EDR product. It generates an alert at 2:47 a.m. on a Saturday. The alert says a process on an accounting workstation is exhibiting behavior consistent with ransomware staging. The alert is correct. What happens next?

If nobody sees the alert, nothing happens next. The attack continues. By Monday morning, your servers are encrypted.

This is the gap that defines the difference between a tool and protection. Modern security tools generate a lot of signal. Some of that signal is genuine. Some of it is noise — a developer running a legitimate script that looks suspicious, a backup job that triggers a file-activity threshold, an admin tool used by your IT person. Distinguishing real threats from noise requires a human who knows what they’re looking at, and that human has to be available when the alert fires, not when business hours resume.

This is what a Security Operations Center — a SOC — does. It’s a team of security analysts, staffed around the clock, watching alerts from the tools deployed across many client environments. When an alert fires that meets escalation criteria, an analyst triages it within minutes: looks at the process tree, checks whether the behavior matches known attack patterns, decides whether to isolate the device, whether to disable user accounts, whether to wake someone up.

For an enterprise, the SOC is in-house. For a 15-person accounting firm, it isn’t. There is no scenario in which a 15-person firm staffs a 24/7 security team. The economics don’t work, and the talent isn’t available. What’s available — and what didn’t exist for small businesses a decade ago — is a shared SOC delivered as part of a managed IT services engagement. The same analysts watch your environment that watch hundreds of other small business environments. The cost is spread across the client base. The coverage is real.

Without that human layer, EDR is a smoke detector with no fire department on the other end. The detection works. The response doesn’t exist.

“We’re too small to be a target”

This is the most common reason small businesses don’t invest in real security, and it’s wrong in a specific way worth understanding.

Attackers don’t pick targets the way you’d pick a business to rob. They don’t drive around looking for promising buildings. The work of finding victims is almost entirely automated. Credential-stuffing tools test stolen username and password combinations against thousands of M365 tenants per hour. Phishing campaigns send millions of emails. Vulnerability scanners sweep the internet looking for exposed services.

You don’t get singled out. You get caught in a net. Whether you’re a 12-person law firm or a 12,000-person hospital system, you appear in the scan results the same way, and the attacker decides what to do with you based on what’s there.

Small businesses are valuable to attackers for several reasons that have nothing to do with size:

  • Lower defenses. The probability of getting in is higher per attempt because the security investment is lower. Volume × probability still produces a profitable business model.
  • Supply chain access. Your small business is connected to larger ones. You have a VPN into a client’s environment. You exchange files with vendors. You hold client data. Compromising you is sometimes the path to compromising someone bigger. The Verizon DBIR has tracked supply chain compromise as a growing share of breaches for years.
  • Credential harvesting at scale. Even if you have nothing worth stealing, your employees reuse passwords. Credentials harvested from your M365 tenant get tested against bank logins, payroll systems, and other higher-value targets.
  • Ransomware works on you. A larger organization may have the resources to refuse to pay and rebuild. A 20-person business with no functioning systems and a payroll due Friday is statistically more likely to pay.

The FBI’s 2023 Internet Crime Report shows that ransomware complaints from critical infrastructure sectors rose 18% year over year, and the actual incident count across all small business sectors is widely acknowledged to be significantly underreported. “Too small to target” describes a world where targeting requires effort. It hasn’t been that world for a long time.

The cost question, reframed

The natural comparison the reader makes is between free antivirus, which costs zero, and managed endpoint security, which costs something. Framed that way, free wins every month nothing bad happens.

That’s the wrong comparison. The right comparison is between the predictable monthly cost of protection and the unpredictable cost of an incident, weighted by how likely the incident is over the life of the business.

A ransomware incident at a small business typically involves several days to several weeks of downtime, depending on backup posture. It involves forensic investigation costs. It involves legal and notification costs if personal data was accessed. It involves client trust damage that doesn’t appear on any invoice. It involves, frequently, the discovery that cyber insurance won’t pay because the required controls — MFA, EDR, monitored backups — weren’t actually in place. Having a solid data backup and disaster recovery plan in place is one of those controls insurers increasingly require.

IBM’s 2024 Cost of a Data Breach Report found the global average cost of a data breach reached $4.88 million, and while that figure is skewed by larger incidents, the report also documents that organizations with strong security automation and incident response capabilities saw breach costs hundreds of thousands of dollars lower than those without. The same report notes that 70% of breached organizations reported significant or very significant disruption to their business.

The structural comparison is what matters. Managed endpoint security is a predictable operating expense in the same category as accounting fees, business insurance, or payroll software — a fixed monthly cost that converts an unmanaged risk into a managed one. An incident is none of those things. It’s a one-time event that consumes cash, time, and reputation in proportions that are hard to predict and hard to recover from.

What to check in your own environment

Before talking to anyone — including us — there are concrete things worth knowing about your current setup. The answers will tell you where you actually stand.

  • What security product is running on your computers, and is anyone reviewing what it detects? If the answer is “I don’t know” or “nobody,” that’s a real gap.
  • Is multi-factor authentication enforced on every M365 or Google Workspace account, including administrative accounts? Not “available” — enforced.
  • If a security alert fires at 2 a.m. Saturday, who sees it, and what happens?
  • If a workstation started encrypting files right now, what would isolate it from the network, and how fast?
  • Are your backups stored somewhere that ransomware running on your network can’t reach? When was the last time someone actually restored from them to verify they work?
  • Does anyone monitor your M365 tenant for suspicious sign-ins, OAuth grants, or mailbox rule creation?

If you can answer most of these confidently, you’re in better shape than most small businesses. If several of them produce a shrug, that’s where the conversation starts.

Where ForeverOn fits

ForeverOn Technology Solutions runs managed endpoint security for small businesses across Washington County, Frederick County, and the surrounding Maryland region. The stack we deploy is the same category of tool a 500-person company would use — EDR with behavioral detection, cloud monitoring across M365 and Google Workspace, and a 24/7 Security Operations Center staffed by human analysts who triage alerts and respond when something matters. For Total Care clients, emergency response is one hour or less remote and same-day onsite. The person who picks up the phone knows who you are.

Erik Grewe handles the initial consultation personally. It’s a two-visit process: the first visit gathers data on your current environment, and the second presents what was found — visually, with color-coded charts that show where the gaps actually are. The point isn’t to sell you the most expensive plan. It’s to make the situation legible enough that you can make a real decision. We don’t upsell, and we don’t push services you don’t need.

If you want to know what your current setup is actually leaving exposed, a free security assessment is the next step. There’s no cost, no commitment, and no pressure to switch providers. You’ll come out of it knowing where you stand. Call us at (301) 739-7311 — a real person answers — or request the assessment online and we’ll schedule a time that works for you.
