TL;DR
Every unmanaged device in your business is an open door. This guide gives you a concrete checklist to harden laptops, desktops, and phones this week. Covers EDR tools ($3-$15/endpoint/month), patch automation, and MDM deployment, mapped to the ASD Essential Eight and CIS Benchmarks.
Most cyber attacks start at the endpoint. A staff member clicks a phishing link on their unpatched laptop. A sales rep connects their personal phone to company email with no MDM policy. A contractor's old Windows desktop runs without EDR. That is how breaches happen. This post covers what to do about it, with specific tools and real costs.
1. EDR/XDR: Your First Line of Defence
Traditional antivirus is not enough. Signature-based detection misses fileless attacks, living-off-the-land techniques, and ransomware that mutates faster than definitions update. Endpoint Detection and Response watches behaviour, not signatures. It spots the PowerShell script spawning from a Word macro. It catches the lateral movement that AV ignores.
Tools and costs for SMBs:
| Tool | Pricing | Best For |
|---|---|---|
| Microsoft Defender for Endpoint P2 | ~$5.20/endpoint/month (Microsoft 365 E5 Security add-on) | Shops already on M365 |
| CrowdStrike Falcon Go | ~$4.99/endpoint/month (5-endpoint minimum) | Lightweight, cloud-native, rapid deploy |
| SentinelOne Singularity Core | ~$6/endpoint/month | Strong ransomware rollback, automated remediation |
This week's EDR checklist:
- Inventory every device touching business data. Laptops, desktops, servers, VMs. Count them.
- Pick one EDR tool from the table above. Sign up for a trial. Deploy to 3 devices first.
- Verify the agent is reporting. Log into the console. Confirm each endpoint shows as active.
- Enable tamper protection. If an attacker gets local admin, they should not be able to disable your EDR.
- Set up alerting. Someone needs to get notified when the EDR flags something. That is you, or your MSP.
Microsoft Defender for Endpoint ties directly into M365. If you already pay for Business Premium, you already own it. Turn it on.
2. Patch Management: Automation or Nothing
The ASD Essential Eight lists "patch applications" and "patch operating systems" as two of the eight controls. The ACSC recommends patching critical vulnerabilities within 48 hours. If you are doing this manually, you are already failing.
The numbers are brutal. The average time to exploit a known vulnerability after disclosure is under 5 days. Your monthly patch cycle leaves a 25-day window open.
Tools:
- Automox (~$3/endpoint/month). Cross-platform. Patches Windows, macOS, and Linux from one console. No on-prem infrastructure needed. Set a patch policy; it runs on schedule and you get a report.
- PDQ Deploy + Inventory (~$1,500/year flat for SMBs). Windows-only. Excellent for shops with 20-100 endpoints. Deploy patches, scripts, and software in bulk. No agent on endpoints, just one server.
- Windows Update for Business. Built into Windows 10/11 Pro. Configure update rings via Intune. Free if you already have Intune licensing.
This week's patch checklist:
- Run a patch audit. Every OS, every application. Identify what is behind.
- Deploy a patch management tool. Pick one. Install the agent or configure the scan account.
- Set a patch schedule. Critical/security patches: within 48 hours. OS feature updates: within 14 days. Applications: within 7 days.
- Verify patches applied. Do not trust the tool's dashboard alone. Spot-check 3 devices manually.
- Create an emergency patch process. If a critical CVE drops on a Friday afternoon, who patches it and when?
3. MDM: Every Phone Is a Work Device
If staff check email on their phone, that phone is a business endpoint. No MDM means no remote wipe. No enforcement of passcodes. No control over what apps access company data. A lost phone with cached email credentials is a data breach waiting to happen.
Tools:
- Microsoft Intune (included in M365 Business Premium, ~$22/user/month). Full MDM for Windows, macOS, iOS, Android. Conditional access policies enforce compliance: device must be encrypted, must have a passcode, must not be jailbroken, or it does not get email.
- Jamf Pro (~$9/device/month for Apple). If your fleet is Mac and iPhone, Jamf is the gold standard. Deploy apps, enforce FileVault encryption, push configurations, lock devices remotely.
- Kandji (~$8/device/month). Simpler Apple MDM. Good for teams without a dedicated IT person.
This week's MDM checklist:
- Decide on BYOD vs corporate-owned. BYOD means Intune app protection policies (MAM). Corporate-owned means full device management (MDM).
- Enroll all company-owned devices. Phones, tablets, laptops.
- Configure the minimum policy: 6-digit passcode, encryption enabled, auto-lock after 5 minutes, remote wipe capability.
- Enforce it. Block email and file access from non-compliant devices. Conditional access makes this automatic.
- Verify. Attempt to sign in from an unenrolled device. It should fail.
4. OS Hardening: CIS Benchmarks, Not Defaults
Operating systems ship with features turned on that no business needs. SMBv1 file sharing. LLMNR. PowerShell execution policy set to unrestricted. Guest accounts. Every enabled feature is attack surface.
The Center for Internet Security publishes free hardening benchmarks for every major OS. They are prescriptive, specific configuration templates. Turn this off. Set this registry key. Enforce this group policy.
Quick-win OS hardening (do these today):
- Windows: Disable SMBv1 (PowerShell: `Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol`). Disable LLMNR via GPO. Enable Windows Defender Firewall on all profiles. Set UAC to "Always notify." Remove local admin rights from daily-driver accounts.
- macOS: Enable FileVault full-disk encryption. Enable Gatekeeper (allow App Store and identified developers only). Disable remote login (SSH) unless explicitly needed. Enable the built-in firewall.
- Linux: Remove unused packages. Configure unattended-upgrades for security patches. Disable root SSH login. Set up fail2ban. Run a CIS benchmark audit with a tool like Lynis.
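Two of the Linux quick wins above (root SSH login disabled, unattended-upgrades enabled) are easy to check from the config files themselves. The script below is an added example written for this post, not tooling from the article, CIS, or Lynis. It assumes the sshd_config rule that the first occurrence of a keyword wins and that a `Match` line starts a conditional scope, and it assumes the Debian/Ubuntu file `/etc/apt/apt.conf.d/20auto-upgrades`; the weak and hardened sample configs are constructed inline so it runs offline. The weak sample is deliberately one that a naive `grep 'PermitRootLogin no'` would pass.

```shell
#!/usr/bin/env bash
# Added example, not the article's or CIS's tooling. Audits two Linux quick wins
# against config files: root SSH login disabled, unattended-upgrades enabled.
# Assumptions: sshd_config semantics (first keyword occurrence wins; "Match" opens
# a conditional scope) and the Debian/Ubuntu path /etc/apt/apt.conf.d/20auto-upgrades.

# Print the effective global PermitRootLogin value from an sshd_config file.
# sshd honours the first occurrence of a keyword, and anything after a "Match"
# line is conditional, so we stop reading at the first Match.
effective_permit_root_login() {
  awk 'tolower($1)=="match" {exit}
       tolower($1)=="permitrootlogin" {print tolower($2); exit}' "$1"
}

# 0 (pass) only when root SSH login is explicitly disabled. An unset value is a
# fail: recent OpenSSH defaults to prohibit-password, old builds to yes, so be explicit.
check_permit_root_login() {
  [ "$(effective_permit_root_login "$1")" = "no" ]
}

# 0 (pass) when APT periodic unattended upgrades are switched on.
check_unattended_upgrades() {
  grep -qE '^[[:space:]]*APT::Periodic::Unattended-Upgrade[[:space:]]+"1";' "$1"
}

# Run both checks, print PASS/FAIL per control, return the number of failures
# so the result can drive a cron job or an MSP report.
audit_linux_host() {
  sshd_cfg=$1; apt_cfg=$2; failed=0
  if check_permit_root_login "$sshd_cfg"; then echo "PASS root SSH login disabled"
  else echo "FAIL root SSH login not disabled ($sshd_cfg)"; failed=$((failed+1)); fi
  if check_unattended_upgrades "$apt_cfg"; then echo "PASS unattended-upgrades enabled"
  else echo "FAIL unattended-upgrades not enabled ($apt_cfg)"; failed=$((failed+1)); fi
  return "$failed"
}

# --- constructed sample configs: one weak host, one hardened host ---
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/sshd_config.weak" <<'EOF'
# PermitRootLogin no   <- commented out, so it does not count
Port 22
PermitRootLogin yes
# Scoped to one subnet; the global line above still applies everywhere else
Match Address 10.0.0.0/8
    PermitRootLogin no
EOF
cat > "$SAMPLE_DIR/sshd_config.hardened" <<'EOF'
Port 22
PermitRootLogin no
Match Address 10.0.0.0/8
    PasswordAuthentication no
EOF
printf 'APT::Periodic::Update-Package-Lists "1";\n' > "$SAMPLE_DIR/20auto-upgrades.weak"
printf 'APT::Periodic::Update-Package-Lists "1";\nAPT::Periodic::Unattended-Upgrade "1";\n' \
  > "$SAMPLE_DIR/20auto-upgrades.hardened"

echo "== weak host =="
audit_linux_host "$SAMPLE_DIR/sshd_config.weak" "$SAMPLE_DIR/20auto-upgrades.weak" || true
echo "== hardened host =="
audit_linux_host "$SAMPLE_DIR/sshd_config.hardened" "$SAMPLE_DIR/20auto-upgrades.hardened" || true
```

On a real host, point `audit_linux_host` at `/etc/ssh/sshd_config` and `/etc/apt/apt.conf.d/20auto-upgrades`; the return value is the count of failed controls, so a non-zero exit is a finding for the spot-check in the checklist.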
This week's OS hardening checklist:
- Download the CIS Benchmark PDF for your primary OS. Free at cisecurity.org.
- Implement Level 1 controls first. These are the ones that cause no operational disruption.
- Remove local admin from all user accounts. Every user gets standard privileges. IT uses separate admin accounts for elevation.
- Enable host firewalls. Windows Defender Firewall, macOS built-in firewall, iptables/nftables. Default deny inbound.
- Disable or remove software nobody uses. Adobe Flash (if somehow still present), outdated Java runtimes, QuickTime for Windows, pre-installed bloatware.
5. Map It to Compliance Frameworks
You do not need to be a large enterprise to benefit from compliance frameworks. They are free blueprints.
ASD Essential Eight Maturity Level 1 (the baseline for SMBs):
- Patch applications within one month. Patch operating systems within one month. This guide targets 48 hours for critical patches, which exceeds Maturity Level 2.
- User application hardening: Block Office macros from the internet. Block JavaScript in PDF readers. Remove Flash, Java, and web advertising (ad blockers at browser level).
- Restrict administrative privileges: Covered above. No daily-driver admin accounts.
- Multi-factor authentication: Enforce MFA on all externally accessible services. This includes email, VPN, and any SaaS tools.
CIS Controls Implementation Group 1 (for businesses with limited IT resources):
- Inventory and control of hardware assets. Know every device. This is step one of the EDR checklist.
- Continuous vulnerability management. This is the patch automation tool you deployed.
- Controlled use of administrative privileges. This is the local admin removal.
- Secure configuration of hardware and software. This is the CIS Benchmark you applied.
FAQ
What if I cannot afford EDR? Can I just use Windows Defender?
Windows Defender (the free built-in version) is better than nothing, but it lacks the behavioural analytics and centralised alerting of EDR. If budget is zero, at minimum: enable Defender on every endpoint, configure it via GPO/Intune for consistent settings, and centralise logs to a SIEM. But $5/endpoint/month for CrowdStrike Falcon Go is cheaper than an incident response retainer.
Do I really need MDM for 5 phones?
Yes. Five phones that access company email are five devices that can be lost, stolen, or sold with data still on them. Intune is included in M365 Business Premium. If you already pay for that, MDM costs you nothing extra to configure. If you do not use M365, Apple Business Manager is free, and you can pair it with a lightweight MDM like Jamf Now ($4/device/month).
How do I handle contractors or part-time staff with their own devices?
Use app-level management, not full device management. Intune MAM (Mobile Application Management) controls the company data inside Outlook and Teams without touching the rest of the phone. When the contract ends, you wipe company data from the apps. The contractor keeps their photos and personal apps. This is the middle ground between "no control" and "full MDM."
How long does this actually take to implement?
EDR agent deployment: 2-3 hours for a 20-device fleet. Patch management setup: 4 hours including first audit. MDM enrollment: 1 day for 10-20 devices, assuming you have physical access or can send enrollment links. OS hardening: 30 minutes per device for the quick-win list above. Total: one dedicated week for a small business, or one weekend if you batch it.
Conclusion
Endpoint hardening is not a project. It is a posture. The checklist above is your starting point. Pick the EDR tool today. Run a patch audit tomorrow. Enroll phones in MDM by Friday. Remove local admin from everyone by end of week.
The tools are not expensive. Inaction is.
Visit consult.lil.business for a free cybersecurity assessment. We will check your endpoint posture, identify gaps against the Essential Eight, and give you a prioritised fix plan you can execute this week.
Your Work Phone Just Became an Unlocked Door — How to Check if It's Been Fixed
Explained Like You're 10
TL;DR
- Google just fixed 129 security holes in Android phones — including one that hackers are already using right now [1]
- If your staff use Android phones to check work email or access business systems, an unpatched phone is like leaving the back door to your business unlocked
- Checking and fixing this takes about 2 minutes per phone
The Hole in Your Phone
Imagine every phone has thousands of tiny windows. Most are nailed shut. Every so often, someone finds a window that isn't — and before it gets fixed, they can squeeze through it to get inside.
That's what a security vulnerability is.
In March 2026, Google found — and fixed — 129 of these unlocked windows in Android phones [1]. That's a lot at once.
Two of them are the most serious:
The one already being used by hackers: There's a flaw in the graphics chip used by many Android phones (made by a company called Qualcomm). Hackers have already figured out how to use this flaw to get inside certain phones [1][2]. Google has confirmed real attacks are happening right now.
The one that needs no tapping or clicking: There's a second flaw so serious that a hacker could break into a phone just because it's connected to the internet — no dodgy link, no suspicious attachment, nothing. Just "phone exists on the internet, phone gets hacked" [1].
Why Your Work Phone Is Your Business's Problem
Here is the part that surprises a lot of business owners.
When Sarah from your team uses her personal Android phone to check her work email or log into your accounting software — her phone is now a door into your business.
It's like if your staff member kept the office Wi-Fi password on a sticky note in their wallet. If someone steals the wallet, they can get into your office. In the same way, if a hacker gets into a phone that's logged into your business systems, they can reach your business data.
Most businesses are really careful about keeping their office computers updated. Very few think about the phones.
The 2-Minute Check
Here is how to check if any phone is protected.
On any Android phone:
- Open Settings
- Scroll down to About Phone
- Tap Android Version (or Software Information on Samsung)
- Look for Android Security Patch Level
If the date shown is March 2026 or later — protected.
If it shows February 2026 or earlier — still at risk. (Update needed)
How to Update
On Android: Settings → System → System Update → Check for Updates
If an update is available, install it. Takes 10–15 minutes and a restart.
If no update is available yet: Some phone brands are slower to release Google's patches. If a work phone can't get the March update and it has access to your business systems — it's worth temporarily removing that access until it can be updated. This sounds strict, but it's the same thinking as "don't leave the front door unlocked just because the locksmith is busy."
The Bigger Picture for Your Business
Your business probably has a rule about keeping computers updated. This month is a good reminder that phones need the same treatment.
Here's a simple rule that works well for small businesses:
If a device accesses business systems, it needs to be running the latest security update — or it doesn't get access.
You don't need expensive software for this. You just need to check once a month, the same way you might check the locks before you leave the office.
The Australian Signals Directorate (Australia's cyber safety agency) consistently highlights outdated mobile software as one of the most common ways businesses get compromised [4].
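Once you have more than a handful of phones, the 2-minute check and the monthly rule above are easier to keep if the patch levels are collected in one place and compared by a script. The example below is added for this post and is not from the article. It assumes a simple CSV you maintain yourself (device, owner, patch level as shown on the About Phone screen); on a phone connected with USB debugging, the same value can be read with `adb shell getprop ro.build.version.security_patch`. The sample fleet is constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the article. Scripts the "2-minute check" for a fleet:
# compares each phone's Android Security Patch Level with the minimum that fixes
# the flaws discussed above and lists who must lose access until updated.
# Assumption: a CSV you maintain (device,owner,patch_level). The patch level is
# the YYYY-MM-DD shown under Settings > About Phone, or the output of
# `adb shell getprop ro.build.version.security_patch` on a connected device.

MIN_PATCH_LEVEL="2026-03-01"   # the March 2026 bulletin referenced in this post

# Returns 0 if LEVEL is at or after MIN, 1 if it is older, 2 if it is not a
# YYYY-MM-DD date. Dropping the hyphens turns the date into a comparable integer.
patch_level_ok() {
  level=$1; min=${2:-$MIN_PATCH_LEVEL}
  case "$level" in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
    *) return 2 ;;
  esac
  [ "$(printf '%s' "$level" | tr -d '-')" -ge "$(printf '%s' "$min" | tr -d '-')" ]
}

# Prints one line per device and returns 0 only when every device is compliant.
# Unreadable values are flagged rather than silently passed: "not sure" is a
# device you check by hand, not one you trust.
fleet_report() {
  csv=$1; min=${2:-$MIN_PATCH_LEVEL}; bad=0
  while IFS=, read -r device owner level; do
    case "$device" in ''|'#'*|device) continue ;; esac   # skip blank, comment, header
    rc=0; patch_level_ok "$level" "$min" || rc=$?
    case "$rc" in
      0) echo "OK            $device ($owner) $level" ;;
      1) echo "NONCOMPLIANT  $device ($owner) $level - remove access until updated"
         bad=$((bad+1)) ;;
      *) echo "UNREADABLE    $device ($owner) '$level' - check the phone manually"
         bad=$((bad+1)) ;;
    esac
  done < "$csv"
  [ "$bad" -eq 0 ]
}

# --- constructed sample fleet ---
FLEET_CSV=$(mktemp)
cat > "$FLEET_CSV" <<'EOF'
device,owner,patch_level
Pixel 8,Sarah (finance),2026-03-05
Galaxy S23,Tom (sales),2026-02-01
Old tablet,Reception,2024-06-01
Loan phone,Contractor,not sure
EOF

fleet_report "$FLEET_CSV" || echo "Some devices need attention before they keep business access."
```

Run it on the first Monday of the month as the post suggests; a non-zero exit means at least one device is behind or unverified, which is the cue to pull its access under the "latest update or no access" rule.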
FAQ
If your phone manufacturer has stopped releasing security updates (usually after 3–5 years for most brands), your phone will never get this fix. If that phone is accessing your business email or systems, consider replacing it — or using a different device for business that can receive updates. Google Pixel phones receive 7 years of updates now, which makes them a solid business choice.
No — this is specific to Android phones. iPhones have their own separate security updates, which Apple releases quickly. The same principle applies though: keep your iPhone updated too.
Focus on the ones that access the most sensitive systems first — whoever handles finance, customer data, or admin access. A quick message asking them to screenshot their security patch level screen takes 5 minutes for your whole team.
It's not that Android suddenly became a lot more vulnerable — it's that Google bunches up patches and releases them monthly. Some of these fixes were in development for months. The number looks scary but most are low-severity issues that would be hard to exploit in practice. The two we highlighted are the ones that genuinely need urgent attention.
Once a month is enough. Google releases security updates monthly. Set a reminder on the first Monday of each month to quickly confirm all work-accessed devices are current.
References
[1] Google, "Android Security Bulletin—March 2026," Android Open Source Project, Mar. 2026. [Online]. Available: https://source.android.com/docs/security/bulletin/2026/2026-03-01
[2] The Hacker News, "Google Confirms CVE-2026-21385 in Qualcomm Android Component Exploited," The Hacker News, Mar. 3, 2026. [Online]. Available: https://thehackernews.com/2026/03/google-confirms-cve-2026-21385-in.html
[3] Qualcomm, "March 2026 Security Bulletin," Qualcomm Technologies, Mar. 2026. [Online]. Available: https://docs.qualcomm.com/securitybulletin/march-2026-bulletin.html
[4] Australian Signals Directorate, "ASD Annual Cyber Threat Report 2023-24," Australian Signals Directorate, 2024. [Online]. Available: https://www.cyber.gov.au/about-us/view-all-content/reports-and-statistics/asd-cyber-threat-report-july-2023-june-2024
[5] NIST, "SP 800-124 Rev. 2: Guidelines for Managing the Security of Mobile Devices in the Enterprise," National Institute of Standards and Technology, 2023. [Online]. Available: https://csrc.nist.gov/publications/detail/sp/800-124/rev-2/final
[6] CISA, "Mobile Device Best Practices," Cybersecurity and Infrastructure Security Agency, 2024. [Online]. Available: https://www.cisa.gov/resources-tools/resources/mobile-device-best-practices
[7] IBM Security, "Cost of a Data Breach Report 2025," IBM, 2025. [Online]. Available: https://www.ibm.com/reports/data-breach
[8] Verizon, "2025 Data Breach Investigations Report," Verizon Business, 2025. [Online]. Available: https://www.verizon.com/business/resources/reports/dbir/
Want someone to check whether your business's phones and devices are properly secured? Book a free 30-minute review with lilMONSTER — we'll look at what's accessible and give you a simple checklist to fix the gaps.