Josh Brunty had spent more than a decade in cybersecurity — first as a digital forensics analyst for the West Virginia State Police, then as someone who taught the subject at Marshall University — when he discovered a shocking secret about his father, Butch.
Butch Brunty was still paying money every year for third-party antivirus protection on his home computer, which his son felt hadn’t been necessary for most people for years.
“He was talking about renewing his antivirus. I said, ‘Are you literally paying for antivirus?’” Brunty said. “I don’t know how he ended up doing it, but he ended up getting connected to Norton, spending, like, $60 a year.”
Brunty’s father, like a lot of other people, hadn’t gotten the message that has become intuitive to many people who work in cybersecurity: There’s just no longer any reason for regular people to pay for antivirus software for their personal devices.
It’s a shift that highlights not only how computer security has evolved in the past decade but also the way many people misunderstand the greatest threats to their computer security.
Antivirus software still centers on its original use: looking for and mitigating software viruses. Because modern computer systems already do that, many programs now offer additional protections, like monitoring the dark web to see whether someone posts customers’ personal information, which experts find to be of little use.
But the greatest threats most users face are no longer from viruses, particularly now that so much personal computing happens over the internet.
Brunty said his dad also paid for a virtual private network, which routes a computer’s internet traffic through a third party. They were once considered vital to prevent nearby hackers from spying on online activity, but security experts now say that thanks to additional built-in security protections in most major browsers, virtual private networks are useful in only a handful of specific scenarios, like streaming video that is restricted in certain countries or getting around government censors like China’s “Great Firewall.”
“He had no understanding of those two technologies, really,” Brunty said. “I think he just felt like if he spent the money, the investment of paying for it was going to protect him from everything.”
Some antivirus programs can offer certain benefits, such as tools that help users avoid email-based phishing campaigns that steal sensitive login credentials. Others can help prevent identity theft.
But most experts agree that the built-in antivirus protections on any major system — a fully updated Windows or Apple computer or an Android phone or iPhone — already protect against viruses just as well as the major programs people can pay for. It’s important, however, for users to keep their systems protected through automatic software updates offered by all major software providers.
It wasn’t always that way. For much of Microsoft’s history, computer experts worried that Windows machines were susceptible to viruses, and there was no firm consensus about what third-party programs people needed to stay safe.
But Microsoft Defender, the free and automatic antivirus program now built into Windows, has gotten so effective that it’s as good as anything customers can pay for, said Simon Edwards, the founder of SE Labs, a London-based company that compares and tests antivirus programs.
“We test it regularly, and it’s one of the top products we’ve seen. It has improved a lot,” Edwards said.
That doesn’t mean malicious software isn’t a threat. But newer devices tend to take care of most problems on their own. Hackers are constantly devising new ways to break into operating systems, and companies have to keep updating ways to stop them. Fortunately, the days of cybersecurity engineers’ writing patches for new, safer versions of software and just hoping users will update them is largely over.
“It’s almost impossible these days to not have a fully patched Windows or Mac system, because they pretty much force updates,” Edwards said.
While it’s a myth that Macs can’t get viruses, the myth is well-founded: Macs essentially had antivirus protections built into their operating systems from their early days. The same goes for iPhones and Android smartphones. The British government even tells its residents not to bother buying antivirus software for their phones, provided that they don’t needlessly endanger themselves by installing programs not vetted by an app store.
Butch Brunty isn’t alone. A survey by Security.org, a cybersecurity advice website, estimated that nearly 45 million households pay for antivirus software. It also found that people are increasingly more likely to pay for antivirus software the older they are and that most have been using it for years. The dynamic has been observed in other parts of the technology world, such as people who continued to pay AOL for internet service even though they had other internet providers.
McAfee, the once-ubiquitous Windows antivirus program, still has more than 20 million paying customers, a spokesperson said. More than half of the revenue the antivirus company Malwarebytes made last year came from personal users, a spokesperson for the company said. Other major antivirus companies, including Norton, ESET and Kaspersky, didn’t respond to emailed requests for such information.
But trying to stay secure by relying on antivirus software misses the way hackers have evolved, said Bob Lord, who revamped the Democratic National Committee’s cybersecurity strategy for the 2018 and 2020 elections after the party was hacked by Russian intelligence in 2016.
“When I look at all the personal account compromises I’ve seen over the past three years, I don’t think any of them were caused by malware,” Lord said. “They happened because the victims had poor password hygiene and didn’t have two-factor authentication on their accounts.”
What to do instead
The good news is that almost all of the tools everyone should be relying on to be more secure are free.
Hackers today are most likely to target regular people by trying to take over their personal accounts for email, social media or financial websites. It’s easier to stop them when you know that their goal is “to impersonate you and take over an account you want to keep private,” said Harlo Holmes, the chief information security officer at the Freedom of the Press Foundation, where she advises journalists around the world about the best ways to protect themselves from hackers.
That means using unique passphrases — several words together, which are easier to remember than a string of random characters — because the longer a password is, the harder it is for an automated program to guess. People should also protect every important account with two-factor authentication. That lets users use their phones as a second way to prove their identities to websites, which gives hackers an additional hurdle if they’re trying to get into one of their accounts.
Experts recommend using an app like Google Authenticator or Authy when you set up two-factor authentication, rather than through a text message, which dedicated hackers can intercept.
Some for-purchase antivirus products come bundled with additional benefits that address more modern concerns, like monitoring whether customers’ passwords have been included in a giant dump of stolen credentials or telling them whether criminals are sharing their personal information on the dark web.
But most of the services either do little or are available elsewhere for free, said Susan Grant, the director of consumer protection and privacy at the Consumer Federation of America, a nonprofit group that serves as an umbrella organization for consumer advocacy groups.
“There’s a limit to what that type of service actually provides,” Grant said. “They don’t prevent you from becoming an identity theft victim. They can’t prevent your information from ending up on the dark web, and they can’t remove it. They can just alert you.”
The website Have I Been Pwned lets everyone check which of their accounts and passwords have been stolen and traded. The Federal Trade Commission offers a free guide for people who have had their identities stolen, as does the nonprofit Identity Theft Resource Center.
“It may make people feel better to pay for such a service,” Grant said. But “the advice that you get is available from other sources for nothing.”