TL;DR

Every unmanaged device in your business is an open door. This guide gives you a concrete checklist to harden laptops, desktops, and phones this week. Covers EDR tools ($3-$15/endpoint/month), patch automation, and MDM deployment, mapped to the ASD Essential Eight and CIS Benchmarks.


Most cyber attacks start at the endpoint. A staff member clicks a phishing link on their unpatched laptop. A sales rep connects their personal phone to company email with no MDM policy. A contractor's old Windows desktop runs without EDR. That is how breaches happen. This post covers what to do about it, with specific tools and real costs.

1. EDR/XDR: Your First Line of Defence

Traditional antivirus is not enough. Signature-based detection misses fileless attacks, living-off-the-land techniques, and ransomware that mutates faster than definitions update. Endpoint Detection and Response watches behaviour, not signatures. It spots the PowerShell script spawning from a Word macro. It catches the lateral movement that AV ignores.

Tools and costs for SMBs:

Tool                               | Pricing                                                      | Best For
-----------------------------------|--------------------------------------------------------------|-------------------------------------------------
Microsoft Defender for Endpoint P2 | ~$5.20/endpoint/month (Microsoft 365 E5 Security add-on)     | Shops already on M365
CrowdStrike Falcon Go              | ~$4.99/endpoint/month (5-endpoint minimum)                   | Lightweight, cloud-native, rapid deploy
SentinelOne Singularity Core       | ~$6/endpoint/month                                           | Strong ransomware rollback, automated remediation

This week's EDR checklist:

  • Inventory every device touching business data. Laptops, desktops, servers, VMs. Count them.
  • Pick one EDR tool from the table above. Sign up for a trial. Deploy to 3 devices first.
  • Verify the agent is reporting. Log into the console. Confirm each endpoint shows as active.
  • Enable tamper protection. If an attacker gets local admin, they should not be able to disable your EDR.
  • Set up alerting. Someone needs to get notified when the EDR flags something. That is you, or your MSP.

Microsoft Defender for Endpoint ties directly into M365. If you already pay for Business Premium, you already own it. Turn it on.

2. Patch Management: Automation or Nothing

The ASD Essential Eight lists "patch applications" and "patch operating systems" as two of the eight controls. The ACSC recommends patching critical vulnerabilities within 48 hours. If you are doing this manually, you are already failing.

The numbers are brutal. The average time to exploit a known vulnerability after disclosure is under 5 days. Your monthly patch cycle leaves a 25-day window open.

Tools:

  • Automox (~$3/endpoint/month). Cross-platform. Patches Windows, macOS, and Linux from one console. No on-prem infrastructure needed. Set a patch policy, it runs on schedule, you get a report.
  • PDQ Deploy + Inventory (~$1,500/year flat for SMBs). Windows-only. Excellent for shops with 20-100 endpoints. Deploy patches, scripts, and software in bulk. No agent on endpoints, just one server.
  • Windows Update for Business. Built into Windows 10/11 Pro. Configure update rings via Intune. Free if you already have Intune licensing.

This week's patch checklist:

  • Run a patch audit. Every OS, every application. Identify what is behind.
  • Deploy a patch management tool. Pick one. Install the agent or configure the scan account.
  • Set a patch schedule. Critical/security patches: within 48 hours. OS feature updates: within 14 days. Applications: within 7 days.
  • Verify patches applied. Do not trust the tool's dashboard alone. Spot-check 3 devices manually.
  • Create an emergency patch process. If a critical CVE drops on a Friday afternoon, who patches it and when?
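The patch audit and SLA check from the checklist above, as an added example (not code from the original post): it asks the Windows Update Agent for updates the device knows it is missing and flags each one against the 48-hour / 7-day / 14-day windows. The category and severity mapping is an assumption on how to classify updates; run it elevated on the device or push it as a script through PDQ, Intune or your RMM.

```powershell
# Added example (not from the original post): audit a Windows endpoint for missing
# updates through the Windows Update Agent COM API and flag anything past the
# windows set in the checklist (security: 48 h, OS feature updates: 14 d, other: 7 d).
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
# IsInstalled=0: applicable updates not yet applied; IsHidden=0: skip ones an admin hid.
$result   = $searcher.Search('IsInstalled=0 and IsHidden=0')

$now    = Get-Date
$report = foreach ($u in $result.Updates) {
    $categories = @($u.Categories | ForEach-Object { $_.Name })
    # MsrcSeverity is populated only for security updates (Critical/Important/...);
    # the "Upgrades" category marks Windows feature updates. Mapping is an assumption.
    $slaDays = if ($u.MsrcSeverity) { 2 } elseif ($categories -contains 'Upgrades') { 14 } else { 7 }
    $ageDays = [int]($now - $u.LastDeploymentChangeTime).TotalDays
    [pscustomobject]@{
        Title    = $u.Title
        Severity = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { '-' }
        Released = $u.LastDeploymentChangeTime.ToString('yyyy-MM-dd')
        AgeDays  = $ageDays
        SlaDays  = $slaDays
        Overdue  = $ageDays -gt $slaDays
    }
}

$report | Sort-Object Overdue, AgeDays -Descending | Format-Table -AutoSize
$overdue = @($report | Where-Object { $_.Overdue }).Count
Write-Host "$($env:COMPUTERNAME): $(@($report).Count) missing update(s), $overdue past SLA"
# A non-zero exit code lets PDQ, Intune or an RMM treat an SLA breach as a failed job,
# which is the "do not trust the dashboard alone" spot-check done on every device.
if ($overdue -gt 0) { exit 1 } else { exit 0 }
```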

3. MDM: Every Phone Is a Work Device

If staff check email on their phone, that phone is a business endpoint. No MDM means no remote wipe. No enforcement of passcodes. No control over what apps access company data. A lost phone with cached email credentials is a data breach waiting to happen.

Tools:

  • Microsoft Intune (included in M365 Business Premium, ~$22/user/month). Full MDM for Windows, macOS, iOS, Android. Conditional access policies enforce compliance: device must be encrypted, must have a passcode, must not be jailbroken, or it does not get email.
  • Jamf Pro (~$9/device/month for Apple). If your fleet is Mac and iPhone, Jamf is the gold standard. Deploy apps, enforce FileVault encryption, push configurations, lock devices remotely.
  • Kandji (~$8/device/month). Simpler Apple MDM. Good for teams without a dedicated IT person.

This week's MDM checklist:

  • Decide on BYOD vs corporate-owned. BYOD means Intune app protection policies (MAM). Corporate-owned means full device management (MDM).
  • Enroll all company-owned devices. Phones, tablets, laptops.
  • Configure the minimum policy: 6-digit passcode, encryption enabled, auto-lock after 5 minutes, remote wipe capability.
  • Enforce it. Block email and file access from non-compliant devices. Conditional access makes this automatic.
  • Verify. Attempt to sign in from an unenrolled device. It should fail.
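The minimum policy from the MDM checklist (6-digit passcode, encryption, 5-minute auto-lock, no jailbreak) expressed as an Intune compliance policy, as an added example that is not from the original post. It assumes the Microsoft.Graph PowerShell module, the property names of the Graph `iosCompliancePolicy` resource, and a constructed display name; assigning the policy to device groups and wiring it into Conditional Access is still done in the Intune portal.

```powershell
# Added example (not from the original post): create the minimum iOS compliance
# policy from the checklist through Microsoft Graph so that Conditional Access can
# block mail and file access from non-compliant phones. Assumes Microsoft.Graph is installed.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

$policy = @{
    '@odata.type'                         = '#microsoft.graph.iosCompliancePolicy'
    displayName                           = 'SMB baseline - iOS'   # constructed name
    description                           = '6-digit passcode, 5 min auto-lock, no jailbreak'
    passcodeRequired                      = $true
    passcodeRequiredType                  = 'numeric'
    passcodeMinimumLength                 = 6
    passcodeBlockSimple                   = $true   # no 123456 / 111111
    passcodeMinutesOfInactivityBeforeLock = 5
    securityBlockJailbrokenDevices        = $true
    # iOS encrypts device storage whenever a passcode is set, so the passcode
    # requirement also covers the "encryption enabled" item for phones.
    # gracePeriodHours = 0 marks the device non-compliant immediately; raise it
    # if you want users to get a warning period before access is blocked.
    scheduledActionsForRule = @(
        @{
            ruleName = 'PasswordRequired'
            scheduledActionConfigurations = @(
                @{ actionType = 'block'; gracePeriodHours = 0; notificationTemplateId = '' }
            )
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies' `
    -Body $policy

Write-Host "Created compliance policy $($created.id)."
Write-Host 'Next: assign it to your device groups, then add a Conditional Access policy'
Write-Host 'that grants Exchange Online and SharePoint access only to compliant devices.'
```

The "Verify" step is then the sign-in attempt from an unenrolled phone described above; it should be refused by Conditional Access, not just warned.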

4. OS Hardening: CIS Benchmarks, Not Defaults

Operating systems ship with features turned on that no business needs. SMBv1 file sharing. LLMNR. PowerShell execution policy set to unrestricted. Guest accounts. Every enabled feature is attack surface.

The Center for Internet Security publishes free hardening benchmarks for every major OS. They are prescriptive, specific configuration templates. Turn this off. Set this registry key. Enforce this group policy.

Quick-win OS hardening (do these today):

  • Windows: Disable SMBv1 (PowerShell: Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol). Disable LLMNR via GPO. Enable Windows Defender Firewall on all profiles. Set UAC to "Always notify." Remove local admin rights from daily-driver accounts.
  • macOS: Enable FileVault full-disk encryption. Enable Gatekeeper (allow App Store and identified developers only). Disable remote login (SSH) unless explicitly needed. Enable the built-in firewall.
  • Linux: Remove unused packages. Configure unattended-upgrades for security patches. Disable root SSH login. Set up fail2ban. Run a CIS benchmark audit with a tool like Lynis.

This week's OS hardening checklist:

  • Download the CIS Benchmark PDF for your primary OS. Free at cisecurity.org.
  • Implement Level 1 controls first. These are the ones that cause no operational disruption.
  • Remove local admin from all user accounts. Every user gets standard privileges. IT uses separate admin accounts for elevation.
  • Enable host firewalls. Windows Defender Firewall, macOS built-in firewall, iptables/nftables. Default deny inbound.
  • Disable or remove software nobody uses. Adobe Flash (if somehow still present), outdated Java runtimes, QuickTime for Windows, pre-installed bloatware.
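The Windows items from the quick-win list and the hardening checklist above (SMBv1, LLMNR, host firewall default-deny inbound, UAC, local admin review), as an added audit-and-apply script that is not from the original post. It assumes an elevated Windows PowerShell 5.1 or later session on Windows 10/11; the registry paths and values are the ones the corresponding group policies set.

```powershell
# Added example (not from the original post): audit the Windows quick wins from
# the hardening lists, and apply them unless -Audit is given. Run elevated.
# SMB1 removal needs a reboot to finish; the local admin review is report-only.
[CmdletBinding()]
param([switch]$Audit)

$dnsPol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'   # LLMNR policy key
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$checks = @(
    @{ Name = 'SMBv1 disabled'
       Test = { (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State -ne 'Enabled' }
       Fix  = { Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null } }
    @{ Name = 'LLMNR disabled (GPO "Turn off multicast name resolution")'
       Test = { (Get-ItemProperty $dnsPol -ErrorAction SilentlyContinue).EnableMulticast -eq 0 }
       Fix  = { New-Item $dnsPol -Force | Out-Null
                Set-ItemProperty $dnsPol -Name EnableMulticast -Value 0 -Type DWord } }
    @{ Name = 'Firewall enabled, default deny inbound, all profiles'
       Test = { -not (Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' -or $_.DefaultInboundAction -ne 'Block' }) }
       Fix  = { Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block } }
    @{ Name = 'UAC set to Always notify'
       Test = { $p = Get-ItemProperty $uacKey
                $p.EnableLUA -eq 1 -and $p.ConsentPromptBehaviorAdmin -eq 2 -and $p.PromptOnSecureDesktop -eq 1 }
       Fix  = { Set-ItemProperty $uacKey -Name EnableLUA -Value 1 -Type DWord
                Set-ItemProperty $uacKey -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
                Set-ItemProperty $uacKey -Name PromptOnSecureDesktop -Value 1 -Type DWord } }
)

$failed = 0
foreach ($c in $checks) {
    $ok = & $c.Test
    if (-not $ok -and -not $Audit) { & $c.Fix; $ok = & $c.Test }   # apply, then re-check
    if (-not $ok) { $failed++ }
    $status = if ($ok) { 'PASS' } else { 'FAIL' }
    Write-Host "[$status] $($c.Name)"
}

# Local admin review: any member here that is not IT's dedicated admin account
# is a daily-driver account that should be demoted to a standard user.
Write-Host "`nLocal Administrators group members:"
Get-LocalGroupMember -Group Administrators |
    Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize
exit $failed   # non-zero when any check still fails, so it can be scheduled and alerted on
```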

5. Map It to Compliance Frameworks

You do not need to be a large enterprise to benefit from compliance frameworks. They are free blueprints.

ASD Essential Eight Maturity Level 1 (the baseline for SMBs):

  • Patch applications within one month. Patch operating systems within one month. This guide targets 48 hours for critical patches, which exceeds Maturity Level 2.
  • User application hardening: Block Office macros from the internet. Block JavaScript in PDF readers. Remove Flash, Java, and web advertising (ad blockers at browser level).
  • Restrict administrative privileges: Covered above. No daily-driver admin accounts.
  • Multi-factor authentication: Enforce MFA on all externally accessible services. This includes email, VPN, and any SaaS tools.

CIS Controls Implementation Group 1 (for businesses with limited IT resources):

  • Inventory and control of hardware assets. Know every device. This is step one of the EDR checklist.
  • Continuous vulnerability management. This is the patch automation tool you deployed.
  • Controlled use of administrative privileges. This is the local admin removal.
  • Secure configuration of hardware and software. This is the CIS Benchmark you applied.

FAQ

What if I cannot afford EDR? Can I just use Windows Defender?

Windows Defender (the free built-in version) is better than nothing, but it lacks the behavioural analytics and centralised alerting of EDR. If budget is zero, at minimum: enable Defender on every endpoint, configure it via GPO/Intune for consistent settings, and centralise logs to a SIEM. But $5/endpoint/month for CrowdStrike Falcon Go is cheaper than an incident response retainer.

Do I really need MDM for 5 phones?

Yes. Five phones that access company email are five devices that can be lost, stolen, or sold with data still on them. Intune is included in M365 Business Premium. If you already pay for that, MDM costs you nothing extra to configure. If you do not use M365, Apple Business Manager is free, and you can pair it with a lightweight MDM like Jamf Now ($4/device/month).

How do I handle contractors or part-time staff with their own devices?

Use app-level management, not full device management. Intune MAM (Mobile Application Management) controls the company data inside Outlook and Teams without touching the rest of the phone. When the contract ends, you wipe company data from the apps. The contractor keeps their photos and personal apps. This is the middle ground between "no control" and "full MDM."

How long does this actually take to implement?

EDR agent deployment: 2-3 hours for a 20-device fleet. Patch management setup: 4 hours including first audit. MDM enrollment: 1 day for 10-20 devices, assuming you have physical access or can send enrollment links. OS hardening: 30 minutes per device for the quick-win list above. Total: one dedicated week for a small business, or one weekend if you batch it.

Conclusion

Endpoint hardening is not a project. It is a posture. The checklist above is your starting point. Pick the EDR tool today. Run a patch audit tomorrow. Enroll phones in MDM by Friday. Remove local admin from everyone by end of week.

The tools are not expensive. Inaction is.

Visit consult.lil.business for a free cybersecurity assessment. We will check your endpoint posture, identify gaps against the Essential Eight, and give you a prioritised fix plan you can execute this week.

