TL;DR
Every laptop, desktop, phone, and tablet in your business is a potential entry point for ransomware, credential theft, and data loss. This week, your priority should be simple: inventory every device, deploy EDR/XDR, enforce patching, roll out MDM, and apply baseline hardening using the ASD Essential Eight and CIS Benchmarks.
A practical SMB endpoint security stack usually costs about $3-$15 per endpoint per month, depending on whether you use Microsoft Defender for Endpoint, CrowdStrike Falcon Go, SentinelOne Singularity, Intune, Jamf, Automox, PDQ Deploy, or a bundled managed security provider.
Why endpoint hardening matters now
Your endpoint fleet is no longer just office desktops. It includes remote laptops, contractor devices, mobile phones, tablets, shared workstations, browser profiles, cloud identity sessions, and unmanaged personal devices that may still access business email, files, or customer systems.
Attackers know this. Many real-world intrusions start with a compromised laptop, unpatched browser, stolen session token, malicious attachment, exposed remote access tool, or unmanaged mobile device. Endpoint hardening is the work of reducing that attack surface before an incident happens. For most business owners, the goal is not perfection this week; it is measurable control over every device that can touch business data.
The quickest way to improve endpoint security posture is to focus on four controls: know what devices exist, protect them with EDR/XDR, patch them quickly, and manage them with MDM.
1. Build your device inventory before buying tools
Before deploying new security software, create a device inventory. You cannot secure laptops, desktops, phones, tablets, and servers that nobody is tracking.
This week, build a simple inventory with:
- Device name
- User or owner
- Operating system and version
- Serial number or asset tag
- Business role
- Location or remote status
- Whether it has EDR/XDR installed
- Whether it is enrolled in MDM
- Last patch date
- Disk encryption status
- Local admin status
- Backup status
For a small business, this can start in a spreadsheet. For a Microsoft environment, Intune and Microsoft Defender for Endpoint can discover enrolled Windows, macOS, iOS, and Android devices. For Apple-heavy teams, Jamf is often the cleaner MDM path. For mixed environments, tools like Automox can help show patch status across Windows, macOS, and Linux.
A practical rule: if a device can access company email, customer records, cloud storage, accounting systems, CRM, source code, or admin panels, it must be inventoried and managed. “It is just the owner’s personal laptop” is not a security exception; it is usually a higher-risk endpoint.
2. Deploy EDR/XDR to every laptop and desktop
Traditional antivirus is no longer enough. Endpoint Detection and Response (EDR) tools monitor behaviour, detect suspicious activity, isolate compromised machines, and provide visibility into attacks that basic antivirus misses. Extended Detection and Response (XDR) goes further by correlating endpoint signals with identity, email, cloud, and network telemetry.
For SMBs, the most common options are:
- Microsoft Defender for Endpoint: strong fit if you already use Microsoft 365 Business Premium or E5. It integrates well with Windows, Entra ID, Intune, and Microsoft security tooling.
- CrowdStrike Falcon Go: lightweight endpoint protection aimed at smaller teams that want strong malware and threat prevention without heavy infrastructure.
- SentinelOne Singularity: strong autonomous endpoint protection with rollback and response features, suitable for businesses that want broader EDR capability.
- Managed EDR or MDR provider: useful if nobody internally can monitor alerts, investigate detections, or respond after hours.
Typical SMB pricing ranges from about $3-$15 per endpoint per month. Basic endpoint protection sits near the lower end. Full EDR/XDR, managed detection and response, threat hunting, and premium support push costs higher. The cheaper tool is not always the cheaper outcome if alerts are ignored.
This week’s EDR/XDR rollout plan:
- Pick one tool and assign an owner.
- Deploy to 5-10 pilot devices first: owner laptop, finance computer, admin workstation, remote worker laptop, and one standard staff device.
- Confirm the agent is active and reporting.
- Enable tamper protection where available.
- Turn on ransomware, exploit, and malicious script protections.
- Configure alert notifications to a monitored inbox or ticket queue.
- Roll out to all laptops and desktops.
- Review devices that did not report in after 24 hours.
- Create an isolation procedure: who can isolate a device, when, and how staff are contacted.
Do not stop at installation. The business value of EDR comes from response. If an alert fires, someone must know whether to isolate the device, reset credentials, collect evidence, or escalate to an incident response provider.
3. Patch operating systems and applications on a schedule
The ASD Essential Eight specifically calls out patch applications and patch operating systems because unpatched software remains one of the most reliable ways attackers gain access. Your practical goal is to make patching boring, visible, and routine.
Patch in three layers:
- Operating systems: Windows, macOS, Linux, iOS, Android.
- Business applications: Microsoft 365 apps, browsers, PDF readers, Zoom, Teams, Slack, accounting software, VPN clients, remote access tools.
- High-risk components: browsers, browser extensions, Java, .NET, Office, Adobe products, compression tools, developer tools, and security agents.
For Windows-heavy SMBs, Microsoft Intune, Windows Update for Business, and Defender vulnerability management can create a strong patch baseline. For mixed environments, Automox can patch Windows, macOS, and Linux from a cloud console. PDQ Deploy and PDQ Inventory remain useful for Windows networks where devices are regularly reachable on the LAN or VPN.
A simple patch policy for this week:
- Critical security updates: deploy within 48 hours.
- High-risk internet-facing or exploited vulnerabilities: deploy as soon as practical, ideally within 24-48 hours.
- Standard operating system updates: weekly deployment ring.
- Third-party application updates: weekly or fortnightly.
- Mobile OS updates: enforce minimum supported versions through MDM.
- Exceptions: document the device, reason, owner, compensating control, and review date.
Use deployment rings to reduce breakage. Start with IT/admin devices, then 10-20% of staff, then the full fleet. If you do not have IT staff, use a managed service provider or patching platform that gives clear success/failure reporting.
The key metric is not “we have automatic updates turned on.” The key metric is “95% of active endpoints installed critical patches within the required timeframe.”
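A way to measure that metric rather than guess at it, as an added example that is not from the article: a small Python report that applies the deadlines above to patch records per device, keeps documented exceptions (device, reason, owner, compensating control, review date) out of the denominator, and flags half-documented ones as laggards. The device names, patch id and "weekly = 7 days, fortnightly = 14 days" reading are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Deadlines from the patch policy above, in hours from vendor release.
# Assumption: "weekly" is read as 7 days and "fortnightly" as 14 days.
DEADLINE_HOURS = {"critical": 48, "exploited": 48,
                  "os-standard": 7 * 24, "third-party": 14 * 24}
TARGET_PCT = 95.0
EXCEPTION_FIELDS = ("reason", "owner", "compensating_control", "review_date")

@dataclass
class PatchRecord:
    device: str
    patch_id: str
    category: str                     # key of DEADLINE_HOURS
    released: datetime
    installed: Optional[datetime]     # None = not installed yet
    exception: Optional[dict] = None  # documented exception, if any

def record_status(rec: PatchRecord, now: datetime) -> str:
    """Classify one patch record as compliant, late, excepted or undocumented."""
    deadline = rec.released + timedelta(hours=DEADLINE_HOURS[rec.category])
    if rec.installed is not None and rec.installed <= deadline:
        return "compliant"
    if rec.installed is None and now <= deadline:
        return "compliant"            # still inside the window, nothing to chase yet
    if rec.exception is None:
        return "late"
    if all(rec.exception.get(k) for k in EXCEPTION_FIELDS):
        return "excepted"             # tracked separately, excluded from the metric
    return "undocumented"             # half-filled exception: counts as late

def compliance_report(records, now: datetime, category: str = "critical") -> dict:
    """Worst status per device, then the 95% metric over non-excepted devices."""
    rank = {"compliant": 0, "excepted": 1, "undocumented": 2, "late": 3}
    worst = {}
    for rec in records:
        if rec.category != category:
            continue
        status = record_status(rec, now)
        if rec.device not in worst or rank[status] > rank[worst[rec.device]]:
            worst[rec.device] = status
    excepted = sorted(d for d, s in worst.items() if s == "excepted")
    measured = len(worst) - len(excepted)
    compliant = sum(1 for s in worst.values() if s == "compliant")
    pct = round(100.0 * compliant / measured, 1) if measured else 0.0
    return {"measured": measured, "compliant": compliant, "pct": pct,
            "meets_target": pct >= TARGET_PCT, "excepted": excepted,
            "laggards": sorted(d for d, s in worst.items() if s in ("late", "undocumented"))}

# Constructed sample: one critical patch released 5 Mar 2026 09:00, checked 10 Mar 09:00.
REL, NOW = datetime(2026, 3, 5, 9, 0), datetime(2026, 3, 10, 9, 0)
SAMPLE = [
    PatchRecord("FIN-01", "PATCH-A", "critical", REL, datetime(2026, 3, 6, 10, 0)),
    PatchRecord("OWNER-LT", "PATCH-A", "critical", REL, datetime(2026, 3, 8, 9, 0)),
    PatchRecord("ADMIN-WS", "PATCH-A", "critical", REL, None),
    PatchRecord("REMOTE-03", "PATCH-A", "critical", REL, None,
                {"reason": "vendor app breaks", "owner": "IT lead",
                 "compensating_control": "no VPN until patched", "review_date": "2026-03-20"}),
    PatchRecord("STAFF-07", "PATCH-A", "critical", REL, datetime(2026, 3, 5, 20, 0)),
    PatchRecord("STAFF-08", "PATCH-A", "critical", REL, None, {"reason": "offline"}),
]
```

Running `compliance_report(SAMPLE, NOW)` on the sample gives 2 of 5 measured devices compliant (40%), one documented exception, and three laggards to chase.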
4. Roll out MDM for laptops, mobiles, and tablets
Mobile Device Management is how you enforce minimum standards across devices. For many SMBs, MDM is the missing control that turns endpoint security from “we asked staff to do it” into “the device cannot access business data unless it complies.”
Common MDM options include:
- Microsoft Intune: strong for Microsoft 365, Windows, iOS, Android, and conditional access.
- Jamf: strong for Apple-first environments using macOS, iPhones, and iPads.
- Kandji, Mosyle, or Addigy: alternatives for Apple-focused SMBs.
- Google endpoint management: useful for Google Workspace environments with lighter requirements.
Minimum MDM policies to implement this week:
- Require screen lock and strong passcodes.
- Enforce full disk encryption: BitLocker for Windows, FileVault for macOS.
- Block jailbroken or rooted mobile devices.
- Enforce supported OS versions.
- Require automatic updates where practical.
- Remove local admin rights from standard users.
- Restrict unmanaged USB storage where business risk justifies it.
- Enforce approved browsers and security extensions.
- Configure remote wipe for lost or stolen devices.
- Require device compliance before accessing email, cloud storage, CRM, and admin systems.
- Separate business data from personal data on BYOD devices.
For BYOD, be clear with staff. MDM does not need to mean the business can read personal messages or photos. Use app protection policies, work profiles, and conditional access to protect business data while respecting personal privacy.
The quick win is conditional access: no compliant device, no business email or cloud files. This single control reduces the chance that a stolen password from an unmanaged device becomes a full business compromise.
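What "compliant" has to mean for that gate to work, as an added example rather than anything from the article or from Intune or Jamf: a Python policy check that turns the MDM minimums above into pass/fail rules per device and returns the reasons a device would be blocked. The minimum OS versions, 24-hour EDR reporting window and 6-digit passcode floor are constructed assumptions for the sample business.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed minimum supported OS versions for the sample business; take the
# real values from each vendor's current support list, not from this example.
MIN_OS = {"windows": (10, 0, 19045), "macos": (14, 0), "ios": (17, 0), "android": (14, 0)}
EDR_PLATFORMS = {"windows", "macos"}   # EDR is required on laptops and desktops
EDR_STALE = timedelta(hours=24)        # "did not report in after 24 hours"
MIN_PASSCODE = 6                       # assumption for "strong passcode"

@dataclass
class Device:
    name: str
    os: str
    os_version: tuple
    mdm_enrolled: bool
    screen_lock: bool
    passcode_len: int
    encrypted: bool
    jailbroken: bool = False
    edr_last_seen: Optional[datetime] = None
    byod: bool = False
    work_profile: bool = False      # work profile / app protection on a BYOD device

def failed_rules(d: Device, now: datetime) -> list:
    """Return the policy rules the device fails; an empty list means compliant."""
    fails = []
    if not d.mdm_enrolled:
        fails.append("not enrolled in MDM")
    if not d.screen_lock or d.passcode_len < MIN_PASSCODE:
        fails.append("screen lock or passcode too weak")
    if not d.encrypted:
        fails.append("disk not encrypted")
    if d.jailbroken:
        fails.append("jailbroken or rooted")
    if d.os not in MIN_OS or d.os_version < MIN_OS[d.os]:
        fails.append("OS version unsupported")
    if d.os in EDR_PLATFORMS and (d.edr_last_seen is None or now - d.edr_last_seen > EDR_STALE):
        fails.append("EDR agent missing or not reporting")
    if d.byod and not d.work_profile:
        fails.append("business data not separated from personal data")
    return fails

def access_decision(d: Device, now: datetime) -> dict:
    """Conditional-access style verdict: no compliant device, no business email or files."""
    fails = failed_rules(d, now)
    return {"device": d.name, "allow": not fails, "reasons": fails}

NOW = datetime(2026, 3, 10, 9, 0)   # constructed evaluation time
SAMPLE = [  # constructed fleet: name, os, version, mdm, lock, passcode len, encrypted
    Device("FIN-01", "windows", (10, 0, 22631), True, True, 8, True,
           edr_last_seen=NOW - timedelta(hours=2)),
    Device("OWNER-LT", "macos", (14, 4), True, True, 10, True,
           edr_last_seen=NOW - timedelta(days=3)),
    Device("SARAH-PHONE", "android", (14, 0), True, True, 6, True, byod=True),
    Device("OLD-TABLET", "ios", (15, 7), False, True, 4, True),
]
```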
5. Apply hardening baselines: Essential Eight and CIS Benchmarks
Once EDR, patching, and MDM are underway, apply hardening baselines. Two practical references are the ASD Essential Eight and CIS Benchmarks.
For this topic, three Essential Eight controls matter immediately:
- Patch applications: keep browsers, Office, PDF tools, and business software updated.
- Patch operating systems: keep Windows, macOS, Linux, iOS, and Android supported and patched.
- User application hardening: disable risky features such as unnecessary macros, browser plugins, ads, and untrusted script execution.
CIS Benchmarks provide detailed OS hardening guidance for Windows, macOS, Linux, iOS, Android, and major software platforms. You do not need to implement every benchmark setting on day one. Start with high-impact controls:
- Disable unnecessary local admin rights.
- Enforce disk encryption.
- Require MFA for business applications.
- Block unsigned or untrusted macros from the internet.
- Disable legacy protocols and unused services.
- Configure host firewalls.
- Turn on screen lock.
- Restrict PowerShell and scripting abuse where appropriate.
- Remove unsupported software.
- Standardise browser security settings.
- Log security events centrally if possible.
A useful business-owner question is: “If this laptop is stolen tonight, what data is exposed?” With disk encryption, screen lock, MDM remote wipe, MFA, and conditional access, the answer should be “very little.”
Quick-win endpoint hardening checklist
Use this checklist over the next five business days.
Day 1: Inventory
- List every laptop, desktop, phone, tablet, and server.
- Identify unmanaged devices accessing email or cloud apps.
- Remove stale devices and former staff access.
- Assign an owner to endpoint security.
Day 2: EDR/XDR
- Choose Microsoft Defender for Endpoint, CrowdStrike Falcon Go, SentinelOne Singularity, or an MDR provider.
- Deploy to pilot devices.
- Enable tamper protection and ransomware protection.
- Confirm alerts go somewhere monitored.
- Roll out to the remaining laptop and desktop fleet.
Day 3: Patching
- Check OS patch status.
- Check browser and Office patch status.
- Deploy missing critical updates.
- Select a patching tool such as Intune, Automox, or PDQ Deploy.
- Set patch deadlines for critical and high-risk vulnerabilities.
Day 4: MDM
- Enrol Windows and mobile devices into Intune, or Apple devices into Jamf.
- Enforce passcodes, encryption, supported OS versions, and remote wipe.
- Require device compliance for business email and file access.
- Create a BYOD policy that explains what the business can and cannot see.
Day 5: Hardening
- Remove local admin rights from standard users.
- Enable BitLocker or FileVault.
- Block risky macros and browser extensions.
- Apply CIS Benchmark-aligned baseline settings.
- Document exceptions and review them monthly.
FAQ
Most SMB endpoint security stacks cost about $3-$15 per endpoint per month. Basic protection and bundled Microsoft licensing may sit near the lower end, while advanced EDR/XDR, managed response, and multi-platform patching usually cost more. Budget separately for implementation time, policy configuration, and alert monitoring.
Yes, in most cases. Antivirus focuses on known malicious files, while EDR detects suspicious behaviour, lateral movement, ransomware activity, credential theft, and attacker tools. EDR also gives you response options such as isolating a device, investigating timelines, and understanding what happened.
Use Intune if your business is Microsoft 365-centric and has a mixed fleet of Windows, iOS, Android, and some macOS devices. Use Jamf if you are Apple-first and want deeper macOS and iOS management. Some businesses use both: Intune for Windows and conditional access, Jamf for Apple device management.
Enforce MFA, deploy EDR to all laptops and desktops, enable disk encryption, and block unmanaged devices from accessing business email and cloud storage. These controls reduce the most common paths from stolen credentials or compromised laptops to business-wide compromise.
Conclusion
Endpoint hardening does not need to be a six-month project. This week, you can inventory every device, deploy EDR/XDR, enforce patching, enrol devices into MDM, and apply baseline hardening using the ASD Essential Eight and CIS Benchmarks.
Start with the devices that matter most: owner laptops, finance computers, admin workstations, remote staff laptops, and any device with access to customer data. Then make the standard simple: every business device must be known, patched, encrypted, monitored, and managed.
Visit consult.lil.business for a free cybersecurity assessment.
References
- Australian Cyber Security Centre: Essential Eight
- Australian Cyber Security Centre: Strategies to Mitigate Cyber Security Incidents
- CIS Benchmarks
- NIST Cybersecurity Framework 2.0
- Microsoft Defender for Endpoint documentation
- CISA Known Exploited Vulnerabilities Catalog
Your Work Phone Just Became an Unlocked Door — How to Check if It's Been Fixed
Explained Like You're 10
TL;DR
- Google just fixed 129 security holes in Android phones — including one that hackers are already using right now [1]
- If your staff use Android phones to check work email or access business systems, an unpatched phone is like leaving the back door to your business unlocked
- Checking and fixing this takes about 2 minutes per phone
The Hole in Your Phone
Imagine every phone has thousands of tiny windows. Most are nailed shut. Every so often, someone finds a window that isn't — and before it gets fixed, they can squeeze through it to get inside.
That's what a security vulnerability is.
In March 2026, Google found — and fixed — 129 of these unlocked windows in Android phones [1]. That's a lot at once.
Two of them are the most serious:
The one already being used by hackers: There's a flaw in the graphics chip used by many Android phones (made by a company called Qualcomm). Hackers have already figured out how to use this flaw to get inside certain phones [1][2]. Google has confirmed real attacks are happening right now.
The one that needs no tapping or clicking: There's a second flaw so serious that a hacker could break into a phone just because it's connected to the internet — no dodgy link, no suspicious attachment, nothing. Just "phone exists on the internet, phone gets hacked" [1].
Why Your Work Phone Is Your Business's Problem
Here is the part that surprises a lot of business owners.
When Sarah from your team uses her personal Android phone to check her work email or log into your accounting software — her phone is now a door into your business.
It's like if your staff member kept the office Wi-Fi password on a sticky note in their wallet. If someone steals the wallet, they can get into your office. In the same way, if a hacker gets into a phone that's logged into your business systems, they can reach your business data.
Most businesses are really careful about keeping their office computers updated. Very few think about the phones.
The 2-Minute Check
Here is how to check if any phone is protected.
On any Android phone:
- Open Settings
- Scroll down to About Phone
- Tap Android Version (or Software Information on Samsung)
- Look for Android Security Patch Level
If the date shown is March 2026 or later — protected.
If it shows February 2026 or earlier — still at risk. (Update needed)
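For a team rather than one phone, the same check as an added Python example (not from the article): it accepts the patch level either as the date shown on the Settings screen or as the `YYYY-MM-DD` value a phone reports over adb, and sorts the replies staff send back into protected, at-risk and "probably no longer getting updates at all". The 12-month cut-off for that last bucket and the sample values are assumptions of this example.

```python
import subprocess
from datetime import date, datetime
from typing import Optional

# Patch level that closes the March 2026 bulletin: this date or later is protected.
REQUIRED_LEVEL = date(2026, 3, 1)
# Assumption: a level more than 12 months old usually means the maker has stopped
# shipping updates for that phone (see the FAQ), so it is flagged separately.
UNSUPPORTED_AFTER_DAYS = 365

def parse_patch_level(value: str) -> Optional[date]:
    """Accept the YYYY-MM-DD string adb reports and the spelled-out date Settings shows."""
    text = value.strip()
    for fmt in ("%Y-%m-%d", "%B %d, %Y", "%d %B %Y"):
        try:
            return datetime.strptime(text, fmt).date()
        except ValueError:      # wrong format or an impossible date typed from a screenshot
            continue
    return None

def classify(value: str, today: date, required: date = REQUIRED_LEVEL) -> str:
    """One reported level -> protected / at-risk / likely-unsupported / unknown."""
    level = parse_patch_level(value)
    if level is None:
        return "unknown"
    if level >= required:
        return "protected"
    if (today - level).days > UNSUPPORTED_AFTER_DAYS:
        return "likely-unsupported"
    return "at-risk"

def fleet_summary(reports: dict, today: date) -> dict:
    """Group staff-reported levels by status so the at-risk phones can be chased first."""
    groups = {"at-risk": [], "likely-unsupported": [], "unknown": [], "protected": []}
    for owner, value in reports.items():
        groups[classify(value, today)].append(owner)
    return groups

def read_patch_level_via_adb(serial: Optional[str] = None) -> str:
    """Read the level straight from a phone with USB debugging on (needs adb on PATH)."""
    cmd = ["adb"] + (["-s", serial] if serial else [])
    cmd += ["shell", "getprop", "ro.build.version.security_patch"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout.strip()

# Constructed sample: what staff sent back from their patch level screens.
TODAY = date(2026, 3, 10)
SAMPLE = {
    "Sarah (sales)": "March 5, 2026",
    "Finance phone": "2026-02-01",
    "Warehouse tablet": "2024-10-05",
    "Old spare": "not sure",
}
```

`fleet_summary(SAMPLE, TODAY)` puts the finance phone in the at-risk list, the warehouse tablet under likely-unsupported, and asks for a second look at the reply that could not be parsed.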
How to Update
On Android: Settings → System → System Update → Check for Updates
If an update is available, install it. Takes 10–15 minutes and a restart.
If no update is available yet: Some phone brands are slower to release Google's patches. If a work phone can't get the March update and it has access to your business systems — it's worth temporarily removing that access until it can be updated. This sounds strict, but it's the same thinking as "don't leave the front door unlocked just because the locksmith is busy."
The Bigger Picture for Your Business
Your business probably has a rule about keeping computers updated. This month is a good reminder that phones need the same treatment.
Here's a simple rule that works well for small businesses:
If a device accesses business systems, it needs to be running the latest security update — or it doesn't get access.
You don't need expensive software for this. You just need to check once a month, the same way you might check the locks before you leave the office.
The Australian Signals Directorate (Australia's cyber safety agency) consistently highlights outdated mobile software as one of the most common ways businesses get compromised [4].
FAQ
If your phone manufacturer has stopped releasing security updates (usually after 3–5 years for most brands), your phone will never get this fix. If that phone is accessing your business email or systems, consider replacing it — or using a different device for business that can receive updates. Google Pixel phones receive 7 years of updates now, which makes them a solid business choice.
No — this is specific to Android phones. iPhones have their own separate security updates, which Apple releases quickly. The same principle applies though: keep your iPhone updated too.
Focus on the ones that access the most sensitive systems first — whoever handles finance, customer data, or admin access. A quick message asking them to screenshot their security patch level screen takes 5 minutes for your whole team.
It's not that Android suddenly became a lot more vulnerable — it's that Google bunches up patches and releases them monthly. Some of these fixes were in development for months. The number looks scary but most are low-severity issues that would be hard to exploit in practice. The two we highlighted are the ones that genuinely need urgent attention.
Once a month is enough. Google releases security updates monthly. Set a reminder on the first Monday of each month to quickly confirm all work-accessed devices are current.
References
[1] Google, "Android Security Bulletin—March 2026," Android Open Source Project, Mar. 2026. [Online]. Available: https://source.android.com/docs/security/bulletin/2026/2026-03-01
[2] The Hacker News, "Google Confirms CVE-2026-21385 in Qualcomm Android Component Exploited," The Hacker News, Mar. 3, 2026. [Online]. Available: https://thehackernews.com/2026/03/google-confirms-cve-2026-21385-in.html
[3] Qualcomm, "March 2026 Security Bulletin," Qualcomm Technologies, Mar. 2026. [Online]. Available: https://docs.qualcomm.com/securitybulletin/march-2026-bulletin.html
[4] Australian Signals Directorate, "ASD Annual Cyber Threat Report 2023-24," Australian Signals Directorate, 2024. [Online]. Available: https://www.cyber.gov.au/about-us/view-all-content/reports-and-statistics/asd-cyber-threat-report-july-2023-june-2024
[5] NIST, "SP 800-124 Rev. 2: Guidelines for Managing the Security of Mobile Devices in the Enterprise," National Institute of Standards and Technology, 2023. [Online]. Available: https://csrc.nist.gov/publications/detail/sp/800-124/rev-2/final
[6] CISA, "Mobile Device Best Practices," Cybersecurity and Infrastructure Security Agency, 2024. [Online]. Available: https://www.cisa.gov/resources-tools/resources/mobile-device-best-practices
[7] IBM Security, "Cost of a Data Breach Report 2025," IBM, 2025. [Online]. Available: https://www.ibm.com/reports/data-breach
[8] Verizon, "2025 Data Breach Investigations Report," Verizon Business, 2025. [Online]. Available: https://www.verizon.com/business/resources/reports/dbir/
Want someone to check whether your business's phones and devices are properly secured? Book a free 30-minute review with lilMONSTER — we'll look at what's accessible and give you a simple checklist to fix the gaps.