Without antivirus protection, a single infected USB drive, email attachment, or compromised website visit can spread malware across your entire network, encrypting your files and demanding ransom (ransomware attacks are very common in India). Your customers' data—credit card numbers, personal information—could be stolen and sold, leading to regulatory fines under the DPDP Act and permanent loss of customer trust. If you handle GST returns, employee records, or financial data and get breached, you may face audit penalties and legal action from the Income Tax Department. Even a small manufacturing or trading business in Bangalore, Mumbai, or Pune that loses 2-3 days of operations to a ransomware attack loses lakhs in revenue and suffers reputation damage.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
Absent
You walk around the office and find computers running with no antivirus software installed, or licenses expired years ago. Employees don't know if their machines are protected and no one is checking.
Initial
You find that some machines have antivirus software installed, but it's outdated, licenses have lapsed, or the software isn't running actively. There's no central tracking of which machines have protection and which don't.
Developing
All company laptops and desktops have antivirus or endpoint security software installed with current licenses, but updates are manual and inconsistent. You have a basic list of which machines have protection, but no automated way to verify it's actually running.
Defined
All machines have endpoint security software with current licenses and automatic updates enabled. You have a documented inventory of all devices and can verify from a central point that protection is active on each machine at least monthly.
Managed
All endpoints run modern endpoint detection and response (EDR) software with real-time threat monitoring, automatic updates, and centralized enforcement. You receive weekly reports showing 100% compliance and can detect and block threats before they spread.
Optimised
You maintain EDR across all endpoints with AI-powered threat detection, automatic incident response, regular penetration testing to validate protection, and a formal change control process for any security software changes. Endpoint security is integrated with your security operations and threat intelligence.
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Purchase and install antivirus software (free or paid) on every laptop and desktop, starting with the most critical machines (accounting, HR, servers). Ensure licenses are active. | IT person or Office Manager | 2-3 days (depending on number of machines) |
| 1 → 2 | Create a simple spreadsheet listing every computer (device name, location, employee name, antivirus software installed, license expiry date). Set calendar reminders to renew licenses 30 days before expiry. | IT person | 1 week |
| 2 → 3 | Deploy a centralized endpoint management tool (free option: Windows Defender with Group Policy; paid: Kaspersky, Trend Micro, or Quick Heal). Enable automatic virus definition updates and weekly compliance reporting. Document the policy in writing. | IT person with vendor support | 2-4 weeks |
| 3 → 4 | Upgrade to endpoint detection and response (EDR) software that monitors and logs suspicious behavior in real-time. Integrate with a centralized security dashboard. Run monthly threat simulation tests. | IT person or external cybersecurity consultant | 1-2 months |
| 4 → 5 | Conduct annual penetration testing to validate EDR effectiveness, maintain threat intelligence feeds, implement automated incident response playbooks, and review and update endpoint security policies quarterly. | IT person with external security firm | Ongoing (quarterly reviews) |
Documents and records that prove your maturity level.
- Inventory list of all company computers (laptops, desktops, servers) with hostname, OS, installed antivirus software, and license expiry dates
- Antivirus license certificates or renewal receipts showing active, current coverage for 100% of devices
- Centralized antivirus management console screenshots or reports showing protection status of each device updated within the last 30 days
- Change log or documentation showing when antivirus definitions were last updated on each machine (automatic update logs if using managed antivirus)
- Policy document defining which antivirus/endpoint security software is mandatory, minimum update frequency, and who is responsible for compliance checks
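The inventory spreadsheet from step 1 → 2 and the 30-day checks in the evidence list above can be audited automatically once the sheet is exported as CSV. This is an added example, not part of the original page; the column names, the `last_verified` field, the sample rows and the function names are assumptions made for illustration.

```python
import csv
import io
from datetime import date, timedelta
RENEWAL_WINDOW = timedelta(days=30)  # renew 30 days before expiry (step 1 -> 2)
MAX_VERIFY_AGE = timedelta(days=30)  # status confirmed within the last 30 days

# Constructed sample data; the column names are assumptions for this example.
SAMPLE_INVENTORY = """hostname,location,employee,antivirus,license_expiry,last_verified
ACC-PC-01,Accounts,Asha,Quick Heal Total Security,2025-12-31,2025-06-10
HR-LT-02,HR,Ravi,Windows Defender,,2025-06-12
WH-PC-03,Warehouse,Meena,,,
SALES-LT-04,Sales,Imran,Kaspersky Small Office Security,2025-05-01,2025-03-02
MGMT-LT-05,Management,Priya,Trend Micro Maximum Security,2025-07-05,2025-06-14
"""

def parse_date(text):
    text = (text or "").strip()
    return date.fromisoformat(text) if text else None

def audit_inventory(csv_text, today):
    """Return {hostname: [findings]}; FAIL = unprotected, WARN = act soon."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        if not (row.get("antivirus") or "").strip():
            issues.append("FAIL: no antivirus recorded")
        else:
            expiry = parse_date(row.get("license_expiry"))
            # A blank expiry means a built-in product with no licence to renew.
            if expiry and expiry < today:
                issues.append("FAIL: license expired")
            elif expiry and expiry - today <= RENEWAL_WINDOW:
                issues.append("WARN: license renewal due")
            verified = parse_date(row.get("last_verified"))
            if verified is None or today - verified > MAX_VERIFY_AGE:
                issues.append("FAIL: protection not verified in last 30 days")
        if issues:
            findings[row["hostname"].strip()] = issues
    return findings

def coverage_percent(csv_text, today):
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    failing = [h for h, f in audit_inventory(csv_text, today).items()
               if any(i.startswith("FAIL") for i in f)]
    return round(100 * (len(rows) - len(failing)) / len(rows), 1) if rows else 0.0

if __name__ == "__main__":
    print(audit_inventory(SAMPLE_INVENTORY, date(2025, 6, 15)))
    print(coverage_percent(SAMPLE_INVENTORY, date(2025, 6, 15)))
```

Run against the real export, the findings give the list of machines to fix and the percentage gives the figure for the periodic compliance report.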
Prepare for these questions from customers or third-party reviewers.
- "Can you show me a current list of all computers in your company and confirm which ones have active antivirus or endpoint security protection?"
- "What antivirus software do you use, and can you provide proof that licenses are current and not expired?"
- "How do you ensure antivirus definitions and software are automatically updated? When was the last update on each machine?"
- "If I visit a random employee's desk, how would you verify in the next 10 minutes whether their machine has active endpoint protection?"
- "What do you do if a machine is found to have no antivirus or expired protection? Who is responsible for fixing it and how quickly?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| Protects individual computers from viruses and malware in real-time | Windows Defender (built into Windows 10/11, adequate for small businesses); ClamAV (Linux/open-source); Avast Free | Kaspersky Small Office Security (₹3,000–5,000/year for 5 devices); Quick Heal Total Security (₹1,500–3,000/device/year); Trend Micro Maximum Security (₹4,000–6,000/year) |
| Centrally manage and monitor antivirus protection across all company computers from one dashboard | Windows Defender with Group Policy (Windows domain only); Zabbix (open-source monitoring) | Kaspersky Endpoint Security for Business (₹200–500/device/year for SMEs); Trend Micro Worry-Free Business Security (₹150–400/device/year); Quick Heal Total Defense (₹100–300/device/year) |
| Detect and respond to advanced threats and suspicious behavior in real-time across endpoints | OSquery (open-source endpoint monitoring) | Microsoft Defender for Endpoint (₹50–80/device/month or part of Microsoft 365 Business); Sophos Intercept X (₹300–600/device/year); SentinelOne (₹250–500/device/year) |
- Installing antivirus once and then ignoring it: licenses expire, definitions go stale, and the software stops protecting silently. Set up automatic renewals and updates from day one.
- Using only free antivirus without centralized management: in a 10-person office, one person's machine gets infected and nobody notices until data is already stolen. Budget for at least a basic managed antivirus solution.
- Assuming Windows Defender is 'good enough': it's better than nothing, but it's reactive, not proactive, and doesn't catch advanced threats. For businesses handling customer data, invest in something more robust.
- Not creating an inventory of devices: when an auditor or customer asks 'are all your machines protected?', you have no way to answer confidently. Start and maintain a simple spreadsheet.
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 8 (Data Protection Obligation) requires reasonable security measures including protection against malware and unauthorized access |
| CERT-In 2022 Guidelines | Direction on securing systems includes mandatory antivirus software, regular updates, and patch management |
| ISO 27001:2022 | Annex A.8.3 (Technical and cryptographic controls) and A.8.7 (Protection against malware) |
| NIST CSF 2.0 | Protect Function, Category PR.DS-1 (Data protection processes and procedures) and PR.PT-1 (Processes and tools to protect information systems against malware and unwanted software) |