The Endpoint Protection Question
Every small business owner asks the same question: "Do I actually need to pay for antivirus, or is Windows Defender enough?"
The answer isn't simple—it depends on your risk profile, what data you handle, and how you work. This guide helps you decide and, more importantly, verify your protection is actually working.
What Windows Security Provides
Windows Security (formerly Windows Defender) has improved dramatically. It now includes:
Core Protection
| Feature | What It Does | Effectiveness |
|---|---|---|
| Antivirus/Antimalware | Scans files for known threats | Good—top-tier detection rates |
| Real-time protection | Monitors file activity | Good—blocks threats as they appear |
| Cloud-delivered protection | Checks files against Microsoft cloud | Excellent—rapid response to new threats |
| Automatic sample submission | Sends suspicious files for analysis | Improves ecosystem-wide protection |
| Tamper protection | Prevents malware disabling protection | Important—enable this |
Additional Features
| Feature | What It Does | Notes |
|---|---|---|
| Firewall | Controls network traffic | Good basic protection |
| Browser protection | SmartScreen blocks malicious sites | Works in Edge, Chrome, Firefox |
| Exploit protection | Hardens against common attack techniques | Enable default settings |
| Controlled folder access | Protects against ransomware | Useful but can cause application issues |
| Device security | Hardware security features | Depends on device capabilities |
What It Doesn't Do
Windows Security lacks some business features:
- Central management: Can't see all company devices from one console
- Advanced threat detection: No EDR (Endpoint Detection and Response)
- Email security: Separate from email protection
- Reporting: Limited visibility into threats across organisation
- Priority support: Community support only
When Windows Security Is Enough
You're probably fine with just Windows Security if:
- You have fewer than 10 computers
- Staff are tech-aware and careful
- You don't handle highly sensitive data
- You have good backup practices
- You use MFA and keep systems updated
- Your email provider has good spam filtering
Many small businesses fit this profile. Windows Security, properly configured, provides solid protection.
When You Need More
Consider paid endpoint protection if:
- You need central management (see all devices, push policies)
- You handle sensitive data (medical, legal, financial)
- You face compliance requirements (Cyber Essentials Plus, ISO 27001)
- You've experienced security incidents
- You want advanced threat detection (EDR)
- You need dedicated support when things go wrong
- You have a mix of Windows and Mac (unified management)
Business Endpoint Protection Options
Microsoft Defender for Business
Best for: Microsoft 365 users wanting unified security
Pricing: £2.50/user/month standalone, or included in Microsoft 365 Business Premium (£18.70/user/month)
What you get beyond Windows Security:
- Centralised dashboard (see all devices)
- Threat analytics (understand attacks)
- Automated investigation and remediation
- Attack surface reduction rules
- Web content filtering
- Simplified EDR capabilities
Pros: Integrated with Microsoft 365, no additional agent to install, good value
Cons: Windows/Mac only (no Linux), requires learning new portal
Sophos Intercept X
Best for: Businesses wanting strong protection with simple management
Pricing: From £2.50/device/month
Key features:
- Excellent malware detection
- Anti-ransomware (CryptoGuard)
- Exploit prevention
- Root cause analysis
- Central cloud management
- Cross-platform (Windows, Mac, Linux, mobile)
Pros: Strong independent test results, good management console, UK company
Cons: Can be resource-heavy on older machines
CrowdStrike Falcon
Best for: Businesses wanting enterprise-grade EDR
Pricing: From £5/device/month (Pro)
Key features:
- Excellent EDR capabilities
- Cloud-native, lightweight agent
- Threat intelligence
- Managed threat hunting (higher tiers)
- Strong against sophisticated attacks
Pros: Industry-leading detection, minimal performance impact, strong MDR options
Cons: More expensive, may be overkill for simple environments
ESET PROTECT
Best for: Budget-conscious businesses wanting solid protection
Pricing: From £1.80/device/month
Key features:
- Good detection rates
- Low system impact
- Multi-platform support
- Cloud or on-premises management
- Long-established reputation
Pros: Affordable, lightweight, reliable
Cons: Less advanced EDR features, interface feels dated
Bitdefender GravityZone
Best for: SMBs wanting comprehensive protection
Pricing: From £2/device/month
Key features:
- Excellent detection rates
- Integrated patch management
- Full disk encryption management
- Risk analytics
- Multi-platform
Pros: Strong independent test scores, good feature set
Cons: Can be complex to configure fully
Comparison Table
| Solution | Detection | Management | EDR | Price (approx) |
|---|---|---|---|---|
| Windows Security | Good | None | No | Free |
| Microsoft Defender for Business | Excellent | Good | Basic | £2.50/user |
| Sophos Intercept X | Excellent | Good | Yes | £2.50/device |
| CrowdStrike Falcon | Excellent | Excellent | Best-in-class | £5/device |
| ESET PROTECT | Good | Good | Basic | £1.80/device |
| Bitdefender GravityZone | Excellent | Good | Yes | £2/device |
Configuring Windows Security Properly
If you decide Windows Security is sufficient, ensure it's properly configured:
Step 1: Verify Protection Is On
Windows Security → Virus & threat protection
Check that all these show "On":
- Real-time protection
- Cloud-delivered protection
- Automatic sample submission
- Tamper protection
Step 2: Enable Controlled Folder Access
Windows Security → Virus & threat protection → Ransomware protection
Enable "Controlled folder access"
Note: This may block legitimate applications. Add exceptions for business software that needs access to protected folders.
Step 3: Check Exploit Protection
Windows Security → App & browser control → Exploit protection settings
Keep default settings unless you have specific compatibility needs.
Step 4: Verify Firewall
Windows Security → Firewall & network protection
All network types (Domain, Private, Public) should show firewall "On".
Step 5: Check for Updates
Windows Security → Virus & threat protection → Protection updates
Definitions should be less than 24 hours old. If older, check for update issues.
Step 6: Run a Scan
Virus & threat protection → Quick scan (for speed) or Full scan (for thoroughness)
Run a full scan monthly, quick scans happen automatically.
Verifying Your Protection Works
EICAR Test File
The EICAR test file is a harmless file that all antivirus should detect:
1. Go to eicar.org/download-anti-malware-testfile
2. Download the test file
3. Your antivirus should block or quarantine it
4. If nothing happens, your protection isn't working
Test this monthly to verify protection is active.
Simulated Attacks
For more thorough testing:
- Microsoft Attack Simulator (Defender for Business): Simulates phishing and attack scenarios
- Atomic Red Team: Open-source tests for security controls (technical)
- Purple Knight: Free Active Directory security assessment
Independent Test Results
Check how your antivirus performs in independent tests:
- AV-TEST (av-test.org): Regular testing of major products
- AV-Comparatives (av-comparatives.org): Detailed protection tests
- SE Labs (selabs.uk): UK-based testing lab
Windows Security consistently scores well in these tests—usually top tier.
Beyond Antivirus: Defence in Depth
Endpoint protection is one layer. A proper security posture includes:
Layer 1: Prevention
- Updates: Patched systems close vulnerabilities
- MFA: Blocks credential theft
- Email filtering: Stops phishing before it arrives
- Web filtering: Blocks malicious sites
Layer 2: Protection
- Endpoint protection: Stops malware that gets through
- Encryption: Protects data if device is stolen
- Firewall: Controls network traffic
Layer 3: Detection
- EDR: Identifies sophisticated attacks
- Logging: Records activity for investigation
- Monitoring: Alerts on suspicious behaviour
Layer 4: Response
- Backup: Recover from ransomware
- Incident plan: Know what to do when attacked
- Remote wipe: Protect data on lost devices
Endpoint protection alone isn't enough. It's one essential piece of a broader approach.
For Macs
Macs need protection too. Options:
Built-in Protection (XProtect, Gatekeeper)
- XProtect: Basic malware signatures, auto-updates
- Gatekeeper: Blocks unsigned software
- Notarisation: Apple checks apps for malware
Good but not comprehensive for business use.
Third-Party Options
- Sophos Home/Intercept X: Works well on Mac
- CrowdStrike Falcon: Full Mac support
- Malwarebytes: Good for scanning, less real-time protection
- Microsoft Defender for Endpoint: Works on Mac with M365 Business Premium
Authority Resources
- NCSC Cyber Essentials: ncsc.gov.uk/cyberessentials - UK government security standard, includes endpoint protection requirements
- NCSC 10 Steps to Cyber Security: ncsc.gov.uk/collection/10-steps - Comprehensive security guidance
- AV-TEST Business Results: av-test.org/en/antivirus/business-windows-client - Independent protection testing
- Microsoft Security Documentation: docs.microsoft.com/en-us/microsoft-365/security - Official Defender documentation
Your Endpoint Protection Checklist
If Using Windows Security Only
- [ ] Verified all protection features are enabled
- [ ] Enabled tamper protection
- [ ] Enabled controlled folder access (with exceptions)
- [ ] Tested with EICAR file
- [ ] Set up monthly full scan schedule
- [ ] Verified definitions are updating
If Adding Business Protection
- [ ] Chosen solution appropriate for your needs
- [ ] Rolled out to all devices
- [ ] Configured policies (scan schedules, exclusions)
- [ ] Set up alerting for threats
- [ ] Tested detection is working
- [ ] Trained staff on any new requirements
Ongoing
- [ ] Monthly verification (EICAR test)
- [ ] Review threat detections monthly
- [ ] Keep solution updated
- [ ] Annual review of whether current solution still fits
Getting Started This Week
Day 1: Check Windows Security settings on all computers (follow configuration steps above)
Day 2: Run EICAR test on all machines to verify protection
Day 3: Review whether you need more than built-in protection
Day 4: If upgrading, sign up for trials of 2-3 solutions
Day 5: Document your endpoint protection status
Monthly: EICAR test, review any detected threats, verify definitions updating
Endpoint protection is essential but not magic. Combined with updates, MFA, backups, and user awareness, it forms part of a sensible security approach. Whether you use free Windows Security or invest in business solutions, make sure it's actually working—test it regularly.
