
Antivirus, backup, and security are three different jobs: what a small firm actually needs

Antivirus blocks threats. Backup restores data. Security controls who gets in. For a firm of ten people or fewer, all three jobs are manageable—but only if you stop assuming one tool covers the others.

Elevate Solutions
June 27, 2026 · 7 min read

If your office runs antivirus software, you may feel protected from a cyberattack. If you back up files to the cloud, you may feel your data is safe. If you're on Microsoft 365, you may believe both boxes are checked. For a firm of ten people or fewer, none of those assumptions is fully right—and the gap between them is where incidents do lasting damage.

Antivirus, backup, and cybersecurity are three distinct functions that do not substitute for one another. Microsoft 365 Business Premium gives small firms enterprise-grade endpoint protection and security controls at an accessible cost, but it does not include data backup. A complete posture covers all three layers without requiring enterprise IT staff or enterprise spending.

What each of these tools actually does

Endpoint protection—what most people call antivirus—watches your devices for malicious software and stops threats before they run. Microsoft Defender for Business goes further than legacy antivirus by detecting suspicious behavior, not just known threat signatures. But it does nothing to recover files you have already lost, and it does not control who can access your accounts.

Backup copies your data so you can restore it after something goes wrong: ransomware that encrypts your files, an accidental mass deletion, a hardware failure, or an employee departure that takes shared files with it. Backup is entirely reactive. It shortens your recovery window after an incident but does not prevent one.

Security controls cover identity and access: who can log in, from where, on which devices, with what verification. They include email filtering and phishing protection—the defenses that stop an attacker from walking in with a stolen password. Strong controls reduce how often incidents reach your antivirus or your backup in the first place.

These three functions interact but do not replace each other. A firm with endpoint protection and no backup can block most threats and still lose everything to the one that slips through. A firm with backup and no access controls will restore clean data into an environment the attacker can still reach, and be hit again.

What does Microsoft 365 Business Premium actually cover?

Business Premium is one of the most complete starting points available for a small firm. When properly configured, it covers both endpoint protection and the broader security layer:

  • Microsoft Defender for Business — enterprise-grade endpoint detection and response for Windows, macOS, iOS, and Android devices, replacing standalone antivirus with behavioral detection, automated investigation, and remediation.
  • Defender for Office 365 Plan 1 — detonates email attachments (Safe Attachments) and rewrites and checks links at click time (Safe Links) before a threat reaches the user.
  • Microsoft Entra ID P1 (formerly Azure Active Directory Premium P1) — enables multi-factor authentication and conditional access policies, which can block sign-ins from unfamiliar locations or from devices that are not enrolled and compliant.
  • Microsoft Intune — enforces security settings across enrolled devices, and applies app protection policies to personal phones used for work email.

Together, these give a small firm a security posture that previously required a dedicated IT department to build and maintain. That is the real value of Business Premium at the SMB level—not the Office apps, but the enterprise-grade controls running underneath them.

What does Business Premium not include?

Backup. Microsoft's platform retains deleted items and file version history for limited default periods. Certain compliance subscriptions extend retention windows, but retention is not backup. Retention keeps data inside Microsoft's platform under Microsoft's terms. Backup is a separate, independent copy you control, stored outside the source system, that you can restore from when the source is unavailable, corrupted, or deleted in a way the platform cannot reverse. If a ransomware actor encrypts your SharePoint environment, or an administrator error wipes shared files, extended retention does not recover you. Microsoft does sell a separate Microsoft 365 Backup add-on, but it is not part of Business Premium and keeps the copy inside the same tenant boundary. A third-party backup covering Exchange Online, SharePoint, OneDrive, and Teams is the missing layer.

Why configuration determines whether Business Premium actually protects you

Microsoft 365 Business Premium ships with most of its security features unconfigured or set to minimal defaults. Security defaults, where enabled, make users register for multi-factor authentication but cannot scope requirements by application, location, or device; conditional access policies can, but every policy has to be written, tested in report-only mode, and then enabled by an administrator. Defender for Business provides only the built-in antivirus on a device until that device is onboarded to the Defender portal; detection and response, automated investigation, and central visibility do not exist for a device that has not been onboarded. Intune cannot manage a device that has not been enrolled.
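The gap between "licensed" and "configured" is checkable. The following PowerShell script is an added example, not code from the original article or from Microsoft; it uses the Microsoft Graph PowerShell SDK to audit three of the defaults named above: whether security defaults are on, whether any enabled conditional access policy requires MFA for all users, which members have never registered for MFA, and which Intune devices are non-compliant or have stopped checking in. It assumes the Microsoft.Graph modules are installed and that the signed-in account holds a read-only role such as Global Reader plus an Intune read role. The function names, the 30-day staleness threshold, and the summary format are this example's own choices.

```powershell
#Requires -Modules Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Reports, Microsoft.Graph.DeviceManagement
# Added example: audit whether a Business Premium tenant's security layer is actually
# configured. Assumes a read-only role (Global Reader + Intune read) and the Graph SDK.
# Thresholds and function names are assumptions made for this example, not Microsoft's.

Connect-MgGraph -Scopes @(
    'Policy.Read.All',                         # conditional access + security defaults
    'AuditLog.Read.All',                       # MFA registration details report
    'UserAuthenticationMethod.Read.All',
    'DeviceManagementManagedDevices.Read.All'  # Intune device inventory
) | Out-Null

function Test-SecurityDefaults {
    # Security defaults force MFA registration but cannot scope by app, location or device.
    $sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
    [pscustomobject]@{ Check = 'Security defaults'; Enabled = [bool]$sd.IsEnabled }
}

function Get-MfaConditionalAccessState {
    # A policy counts as enforced only if it is enabled (not report-only), targets all
    # users, and requires MFA or an authentication strength. Report-only policies
    # ('enabledForReportingButNotEnforced') block nothing.
    foreach ($p in (Get-MgIdentityConditionalAccessPolicy -All)) {
        $requiresMfa = ($p.GrantControls.BuiltInControls -contains 'mfa') -or
                       ($null -ne $p.GrantControls.AuthenticationStrength.Id)
        $allUsers    = $p.Conditions.Users.IncludeUsers -contains 'All'
        [pscustomobject]@{
            Policy      = $p.DisplayName
            State       = $p.State
            AllUsers    = $allUsers
            AllApps     = ($p.Conditions.Applications.IncludeApplications -contains 'All')
            RequiresMfa = $requiresMfa
            Enforced    = ($p.State -eq 'enabled') -and $requiresMfa -and $allUsers
        }
    }
}

function Get-UsersWithoutMfa {
    # Registration is not enforcement, but an unregistered member cannot satisfy any
    # MFA policy, so an unregistered admin is the first thing to fix.
    Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
        Where-Object { $_.UserType -eq 'member' -and -not $_.IsMfaRegistered } |
        Select-Object UserPrincipalName, IsAdmin, IsMfaCapable
}

function Get-StaleOrNoncompliantDevices {
    param([int]$MaxDaysSinceSync = 30)   # 30 days is an assumed threshold
    $cutoff = (Get-Date).AddDays(-$MaxDaysSinceSync)
    Get-MgDeviceManagementManagedDevice -All |
        Where-Object { $_.ComplianceState -ne 'compliant' -or $_.LastSyncDateTime -lt $cutoff } |
        Select-Object DeviceName, OperatingSystem, UserPrincipalName, ComplianceState, LastSyncDateTime
}

# Run the audit. Any false flag or non-empty list below means the tenant has bought
# the license but not implemented the security layer it paid for.
$defaults  = Test-SecurityDefaults
$caState   = @(Get-MfaConditionalAccessState)
$noMfa     = @(Get-UsersWithoutMfa)
$badDevice = @(Get-StaleOrNoncompliantDevices)

$defaults | Format-Table -AutoSize
$caState  | Format-Table Policy, State, AllUsers, AllApps, RequiresMfa, Enforced -AutoSize
"Enabled all-user MFA policies:          $(@($caState | Where-Object Enforced).Count)"
"Members not registered for MFA:         $($noMfa.Count)"
$noMfa | Format-Table -AutoSize
"Intune devices stale or non-compliant:  $($badDevice.Count)"
$badDevice | Format-Table -AutoSize

Disconnect-MgGraph | Out-Null
```

Two caveats when reading the output. A tenant can legitimately show security defaults off, because enabling conditional access requires turning security defaults off; what matters is that at least one enforced all-user MFA policy exists in that case. Defender for Business onboarding is not visible through these Graph calls; check the device inventory in the Defender portal and compare it against the Intune list the script prints, since every device in one should appear in the other.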

The practical consequence: a firm that purchases Business Premium and installs Office has not implemented Business Premium's security layer. It has purchased a license. The gap between a purchased license and a configured, monitored environment is the gap most small firms operate in when they report a breach.

Proper configuration is not optional if the goal is compliance or resilience. It requires someone who understands what policies to set, what the defaults mean, and what a compliant baseline looks like for your specific industry. It also requires ongoing maintenance, because Microsoft updates its platform continuously, and a setting that was correct in January may not reflect current best practice in July.

What does a complete security posture look like for a firm of ten people or fewer?

A complete posture for a small firm has four components:

  1. Properly configured Microsoft 365 Business Premium — MFA enforced on every account, conditional access enabled, Defender for Business onboarded to all endpoints, Intune managing all devices including personal phones with access to work data.
  2. Third-party backup — daily or continuous backup of Exchange Online, SharePoint, OneDrive, and Teams to a separate platform, with tested restore procedures documented and verified on a regular schedule.
  3. Security awareness training — phishing simulation and training delivered consistently. Most incidents begin with a human action: a clicked link, an entered credential, an opened attachment. Technical controls reduce the blast radius; training reduces the frequency.
  4. Documented incident response — a written procedure covering who does what when something goes wrong, including contact information for legal counsel and your cyber insurance carrier. Regulators in healthcare, financial services, and law ask for this. Firms that have it spend less time in remediation and more time demonstrating that the breach was contained.

None of these require a full-time internal IT staff member. They require a dedicated team that knows your environment and your regulatory obligations, and maintains your configuration as conditions change.

How regulated industries change the requirements

Healthcare firms subject to HIPAA must maintain audit logs, control access to electronic protected health information, and keep a contingency plan that includes data backup and disaster recovery, all supported by a documented Security Rule risk analysis. Antivirus alone does not satisfy these requirements. Neither does Microsoft 365 with default settings and no backup.

Law firms handling client matter data face professional responsibility rules—including duties of competence and confidentiality—that increasingly extend to data security. Bar associations in multiple states have issued formal ethics opinions addressing this directly. Backup retention, access controls, and breach notification procedures are all relevant to those duties.

Financial services firms operating under SEC, FINRA, or state regulatory frameworks face their own recordkeeping and cybersecurity requirements. The specifics vary by firm type and state, but the underlying posture—controlled access, protected data, documented procedures—is consistent across frameworks.

In each of these sectors, "we had antivirus" is not a defense in a regulatory inquiry. "We had a documented, tested, and monitored security program" is a starting point for one.

Frequently asked questions

Is Microsoft 365 Business Premium enough cybersecurity on its own?

It covers endpoint protection and security controls when properly configured, which is a strong foundation. It does not include data backup, and its protections only function after deliberate setup. For a complete posture, Business Premium should be paired with a third-party backup solution and maintained by someone responsible for keeping configuration current.

What is the difference between Microsoft's retention policies and actual backup?

Retention keeps data inside Microsoft's platform for a defined period. Backup creates a separate, independent copy on a different platform that you control. If your Microsoft 365 tenant is compromised, corrupted, or deleted, retention does not help you recover. A tested backup does.

Does multi-factor authentication really matter for a firm this small?

Credential theft is the most common initial access method in business email compromise and account takeover incidents. MFA blocks the large majority of automated credential-stuffing and password-spray attacks, though not a phishing kit that relays the one-time code in real time, which is why phishing-resistant methods such as passkeys or FIDO2 keys are preferred for administrators. MFA is a requirement or strong expectation under most cyber insurance underwriting guidelines and several state privacy frameworks, and HIPAA's access-control and authentication standards are difficult to satisfy without it. Enabling and enforcing it is the single highest-impact configuration step a small firm can take.

How often should we test our backup restores?

At minimum, quarterly, and again after any change to the backup platform or the tenant. A backup you have never tested is a backup you cannot rely on. A restore test verifies that data was captured correctly, that the restore process works, and that the time required fits within your actual recovery window. Restore a real mailbox, a SharePoint library, and a Teams channel to an alternate location, not just a single file. Document each test result. Regulators and insurers increasingly ask for this documentation.

What should we ask a managed IT provider before signing an agreement?

Ask how they configure Business Premium for firms in your industry, what backup platform they use and who owns the backup data, how they handle Microsoft policy changes and product updates, and what their incident response process looks like. Ask for written answers to each question. A provider operating in your regulatory space should be able to answer without hesitation.

Elevate Solutions' security and IT advisory team delivers managed cybersecurity (MDR/MXDR), managed IT, and compliance guidance (HIPAA, SOC 2, PCI DSS) for regulated mid-market firms across Los Angeles.

Reviewed by David Faramarzi · Founder, Elevate Solutions