Many small business machines are configured with a single account that has local administrative access. This is usually the account that the machine was set up with, and it is also the account that the user works in every day. In terms of cyber security this is a bad idea, and not for the reason you might think.
Users running with admin rights can install software on their machines. Some assume that this ability to install is acceptable if the user is particularly senior, technical or trustworthy. We have no issue with letting users have admin rights on their machines for all of these reasons, because for those users it’s not the intentional installation of software that we’re trying to prevent.
Broadly, viruses are programs that are installed on users’ machines. Most will not announce the installation process to the user – that would be counter-productive. But if a user does not have local admin rights, then the installation process will be interrupted by a prompt for an admin username/password. The simple act of introducing a prompt can alert the user to the installation attempt.
So, we prefer to have admin accounts and standard accounts on all machines and to insist that users run under the standard accounts. If allowed by the company, the users may know the admin account password for when they are making planned changes to software or the machine.
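An added example, not from the original article: a PowerShell audit of one machine against this setup, assuming the machines run Windows with the built-in LocalAccounts cmdlets. It checks Administrators group membership rather than whether the session is elevated, because with UAC enabled an admin's everyday session runs unelevated and would pass an elevation check.

```powershell
# Added example. Assumes Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts).
# Run on the machine being checked; it only reads account information.

# Find the built-in Administrators group by its well-known SID so the check
# also works on installs where the group name is localized.
$adminMembers = Get-LocalGroupMember -SID 'S-1-5-32-544'
$adminSids    = @($adminMembers | ForEach-Object { $_.SID.Value })

# Enabled local accounts, marked as admin or standard.
# Note: members that arrive through nested domain groups are not expanded here.
$accounts = @(Get-LocalUser | Where-Object Enabled | ForEach-Object {
    [pscustomobject]@{
        Name      = $_.Name
        IsAdmin   = $adminSids -contains $_.SID.Value
        LastLogon = $_.LastLogon
    }
})
$accounts | Sort-Object IsAdmin -Descending | Format-Table -AutoSize

# The account in use right now: is it a direct member of Administrators?
$current    = [Security.Principal.WindowsIdentity]::GetCurrent()
$currentSid = $current.User.Value

if ($adminSids -contains $currentSid) {
    Write-Warning "$($current.Name) is a local administrator and is the account in use. Day-to-day work should be done under a standard account."
}

# The setup described above needs at least one standard account for daily use
# and at least one separate admin account for planned changes.
$standard = @($accounts | Where-Object { -not $_.IsAdmin })
$admins   = @($accounts | Where-Object { $_.IsAdmin })

if ($standard.Count -eq 0) {
    Write-Warning 'No enabled standard account exists on this machine.'
}
if ($admins.Count -eq 0) {
    Write-Warning 'No enabled local admin account exists for planned changes.'
}
```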