The web-filtering category had its heyday somewhere around 2010 to 2018. Every SME we onboarded in that era had something: Barracuda, Forcepoint, an on-prem appliance, a category-based filter sitting on the firewall, a productivity-monitoring plugin somebody had bought after a board meeting. Most of them are still paying for it in 2026, and a surprising number shouldn’t be.

This isn’t an argument against web filtering as a category. It’s an argument for looking at the line item, asking what problem it’s actually solving, and either retiring it or replacing it with something that does the modern version of the job.

What web filtering used to do

The classic web-filtering pitch had four jobs:

  1. Stop people visiting genuinely malicious sites: drive-by malware, phishing pages, exploit kits.
  2. Stop people visiting categories of site the business didn’t want them on: gambling, adult, illegal.
  3. Stop people wasting time on social media, news sites, shopping.
  4. Generate a productivity report somebody at executive level could look at.

In 2010 those four jobs were all real, the technology stack to do them was specialist, and you needed a dedicated product to get any of it. The market grew accordingly.

What’s happened since is that three of those four jobs have either become commodity features in something the SME already pays for, or stopped being a job anyone actually wants done.

What the modern stack does for free

The first job, blocking genuinely malicious sites, is now done in multiple places, most of which the SME is already paying for. Microsoft Defender SmartScreen, baked into Edge and Office, blocks known phishing and malware sites at the browser level. Microsoft 365 Defender for Endpoint, where it’s deployed, blocks at the network level (M365 is the Microsoft cloud bundle: email, Word, Excel, Teams, file storage). Most modern firewalls do reputation-based blocking out of the box. A decent DNS-layer filter does it at a layer above all of that. DNS is the domain name system, the address book that turns a website name like jmopartners.co.uk into the numeric address browsers actually use; a DNS-layer filter blocks at that lookup step, and the options include Cloudflare’s free tier, Quad9, or a paid product like DNSFilter.

If you’re paying separately for “stop people visiting malicious sites” in 2026, you’re paying for something the rest of the stack is already doing. The question isn’t whether you need that capability (you do); it’s whether you’re paying for it twice.

The second job, category-based blocking of gambling, adult, illegal content, is still real for some industries (regulated, education, certain HR-sensitive environments) but cheap. DNS-layer filtering does this for £2-3 per user per month, often less. The £15-per-user-per-month enterprise filtering product isn’t doing this job ten times better than the cheap option.

The third job, productivity-monitoring blocking of social media and news, is the one that’s genuinely shifted, and not in the direction the vendor marketing suggested. Most SMEs we work with have moved away from this entirely. The reasons:

  • The pandemic accelerated trust-based working. Blocking news sites on a workplace network reads as performative.
  • Remote and hybrid working make in-network filtering nearly meaningless. The user on their phone, hotspotting, or on a home connection isn’t filtered. The category-blocking budget protects only the in-office laptop, which isn’t where the work is happening.
  • Browser-based productivity-monitoring has reputational and HR consequences SMEs increasingly don’t want.

The fourth job, productivity reports for executive review, has historically produced reports nobody reads.

What’s actually worth paying for in 2026

We’ve ended up recommending a fairly minimal stack, layered:

DNS-layer filtering, applied everywhere. Block known malicious domains, block the categories the business has a defensible reason to block, log enough to investigate an incident. Apply it to the office network and to the endpoint (the laptops, phones and tablets people work on) so it follows the user off-network. Cost is low and value is high, which is why this is the layer most SMEs should still be paying for.

Browser-level safe-browsing protection. Edge SmartScreen for SMEs in M365, Chrome’s safe browsing for the rest. Free, on by default, blocks the most common phishing and malware sites, with nothing to procure.

Email link rewriting and detonation (the security check that opens a suspicious link in an isolated sandbox before deciding if it’s safe). In 2026 the genuinely dangerous links arrive via email or messaging. The investment belongs in email-side protection (link rewriting, sandboxing, time-of-click checking), not in the perimeter web filter (the appliance or service that sits between your office and the open internet, blocking dodgy URLs). This is a Defender for M365 or third-party email-security spend, and it does more for an SME’s actual risk than a category-based web filter ever will.

Endpoint security with web protection. Modern endpoint security agents include some level of web protection. Where they do, it’s an additional layer at zero marginal cost.

The combined cost of the modern stack is often lower than the legacy web-filter line item it replaces, and the risk coverage is higher.

What’s coming next

A few things we’re tracking.

Browser-based security platforms. Purpose-built secure browsers (Island, Talon, the enterprise capabilities arriving in Edge) are starting to do something interesting. They put the security perimeter at the browser itself, where the actual work is happening. For SMEs this is two or three years from being mainstream, but it’s worth knowing it’s coming.

DNS-over-HTTPS bypass. Increasingly, browsers and apps use DNS-over-HTTPS (DoH, DNS lookups encrypted inside web traffic so they can’t be inspected by an outside filter), which bypasses traditional DNS-layer filtering. The DNS-filter vendors have responded; most now offer an agent that intercepts before the bypass happens. But if your filter is the old “set the DNS server on the router” approach, it’s filtering less than it used to.
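
An added example, not from the original article: one way to check whether clients are sidestepping a router-set DNS filter, run over a constructed firewall flow log. The log format, the approved-resolver address and the short DoH host list are assumptions for illustration; the check also flags DNS-over-TLS and hard-coded plain DNS, which go slightly beyond the DoH case described above.

```python
import csv
import io
from collections import defaultdict

# Assumption: the filtered resolver handed out by the router (documentation-range IP).
APPROVED_RESOLVER = "192.0.2.53"

# Short illustrative sample of public DoH hostnames, not a complete list.
DOH_HOSTS = {"cloudflare-dns.com", "mozilla.cloudflare-dns.com", "dns.google", "dns.quad9.net"}

# Constructed sample flow log: time, client, destination IP, port, TLS SNI (blank if none).
SAMPLE_LOG = """\
2026-03-02T09:00:01,10.0.0.21,192.0.2.53,53,
2026-03-02T09:00:04,10.0.0.21,198.51.100.7,443,www.example.com
2026-03-02T09:01:10,10.0.0.34,203.0.113.10,443,mozilla.cloudflare-dns.com
2026-03-02T09:01:12,10.0.0.34,203.0.113.10,443,mozilla.cloudflare-dns.com
2026-03-02T09:02:30,10.0.0.47,203.0.113.8,53,
2026-03-02T09:03:05,10.0.0.47,203.0.113.9,853,
2026-03-02T09:04:00,10.0.0.21,192.0.2.53,53,
"""

def classify(dst_ip, port, sni):
    """Return the reason a flow sidesteps the filtered resolver, or None."""
    if port == 443 and sni.lower().rstrip(".") in DOH_HOSTS:
        return "doh"                      # DNS lookups hidden inside HTTPS
    if port == 853 and dst_ip != APPROVED_RESOLVER:
        return "dot"                      # DNS-over-TLS to another resolver
    if port == 53 and dst_ip != APPROVED_RESOLVER:
        return "plain-dns-elsewhere"      # hard-coded resolver, ignores the router setting
    return None

def find_bypass(log_text):
    """Map each client IP to counts of flows that bypass the DNS filter."""
    findings = defaultdict(lambda: defaultdict(int))
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:
            continue                      # skip malformed lines rather than crash
        _, client, dst_ip, port, sni = (f.strip() for f in row)
        if not port.isdigit():
            continue
        reason = classify(dst_ip, int(port), sni)
        if reason:
            findings[client][reason] += 1
    return {c: dict(r) for c, r in findings.items()}

if __name__ == "__main__":
    for client, reasons in sorted(find_bypass(SAMPLE_LOG).items()):
        print(client, reasons)
```

Clients that show up here are resolving names the router-level filter never sees, which is the gap an endpoint agent is meant to close.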

AI-driven phishing. The volume and quality of phishing emails are both going up. The defensive layer that matters is email-side, and the case for serious email security keeps strengthening. The case for traditional web filtering keeps weakening by comparison.

What we see on the ground

Three patterns.

Renewal that nobody questions. The £8,000-a-year web-filter renewal gets approved in March because it always gets approved in March. Nobody’s asked in five years what it’s actually doing. We’ve helped clients cut this line item entirely on more than one occasion, replaced with a DNS-layer product at a fraction of the cost.

Filter that filters nobody. The web filter applies to the office network. Half the staff are hybrid. The filter is covering the smaller half of the user base for less than half their working hours.

Legacy categories blocking modern tools. The “social media” category in the legacy filter blocks LinkedIn, which the sales team needs to do their jobs, so the sales team are exempted, which means the filter is doing nothing for the people most likely to be targeted by social-engineering attacks.

Practical implication for SMEs

Look at the line item. Ask what problem it’s solving. Check whether the rest of the stack is already solving it. If the answer is “yes, mostly”, the right move is to replace it with a DNS-layer filter, redirect the budget to email security, and stop paying for the legacy product.

This isn’t a project so much as an afternoon. The savings tend to be real and the security posture improves rather than degrades.

That’s our Security Solutions practice. We look at the existing stack, identify what’s still earning its keep, and replace what isn’t.

Every quarter that renewal rolls through unchallenged is money lighting itself on fire for a layer that’s covering the smaller half of your team, missing the channel attackers actually use (email), and leaving you exposed where it matters. Meanwhile the email security spend that would have caught the AI-generated phishing run targeting your finance lead next month doesn’t get funded, because the budget is tied up in the filter nobody questions. One afternoon of looking changes both sides of that picture.


Got a security renewal coming up and not sure what’s actually doing anything? Drop us a note at info@jmopartners.co.uk. One of us will read it.

JMO|Partners · Enterprise IT, sized for SMEs.