TL;DR

Most breaches land on endpoints first — unpatched laptops, unmanaged phones, desktops with no EDR. This checklist walks you through deploying EDR/XDR, automating patch management, and rolling out MDM across every device your business owns, with specific tools, real cost estimates ($3–$15/endpoint/month), and actions you can start today. It maps directly to the ASD Essential Eight and CIS Benchmarks so you can prove your posture to auditors, insurers, and clients.


Why Endpoint Hardening Matters Right Now

Threat actors are actively exploiting endpoints at scale. In June 2026 alone, ASD ACSC flagged ClickFix social-engineering attacks distributing Vidar Stealer through compromised WordPress sites targeting Australian infrastructure, while China-nexus actors were observed building covert networks of compromised devices inside organisational networks. A zero-day in Microsoft Defender ("RoguePlanet") granting SYSTEM privileges was publicly released the same week. If your endpoints are not hardened, patched, and managed, you are a soft target.

Endpoint hardening is not optional overhead — it is the single highest-ROI security investment an SMB can make. Here is how to do it in a week.


1. Deploy EDR/XDR on Every Endpoint

Antivirus is dead. Signature-based detection catches known malware but misses living-off-the-land techniques, fileless attacks, and credential theft. Endpoint Detection and Response (EDR) monitors process behaviour, memory, and network connections in real time. Extended Detection and Response (XDR) correlates endpoint signals with email, identity, and cloud telemetry.

Tool comparison for SMB deployments:

Tool | Tier | Approx. Cost | Best For
Microsoft Defender for Endpoint P2 | EDR + XDR via Defender portal | ~$5–$12/device/month (bundled with Microsoft 365 E5/A5 or Business Premium) | Windows-heavy shops already in the Microsoft ecosystem
CrowdStrike Falcon Go | Cloud-native EDR | ~$6–$15/endpoint/month | Rapid deployment, minimal infrastructure, strong threat intel
SentinelOne Singularity | Autonomous AI-driven EDR/XDR | ~$5–$12/endpoint/month | Hands-off remediation, rollback capabilities, multi-OS

Deployment checklist (Day 1–2):

  1. Inventory every endpoint. You cannot protect what you do not know about. Use a network scanner (Rapid7 InsightDiscovery free tier or Lansweeper) to find all laptops, desktops, servers, and VMs.
  2. Choose one EDR platform. Do not mix vendors on day one. Pick based on your existing stack — if you run Microsoft 365 Business Premium, Defender for Endpoint P2 is already included and there is no additional cost.
  3. Push the agent via GPO, Intune, or a deploy script. For Windows, an MSI or EXE installer can be distributed via Group Policy or Microsoft Intune. For macOS, use Jamf or Addigy. For Linux, Ansible or a shell script.
  4. Verify telemetry is flowing. Open the EDR console within 30 minutes of deployment. Confirm each device shows as "managed" and is reporting events. Set an alert for any device that goes silent for more than 24 hours.
  5. Enable automatic containment. Most EDR tools can isolate a compromised endpoint from the network with one click. Turn this on. It stops lateral movement dead.
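Steps 1 and 4 are the ones worth scripting, because the gap between "what the scanner found" and "what the EDR console shows" is exactly where unprotected machines hide. The Python below is an added example, not part of the original checklist and not any vendor's export tooling: it reconciles a scan inventory against an EDR console export and reports devices with no agent, devices not yet in a managed state, and devices silent for more than 24 hours. Every hostname, timestamp and column name is constructed sample data; a real export will use the vendor's own column names.

```python
# Added example (not from the original checklist or any EDR vendor): reconcile
# a network-scan inventory against an EDR console export to find agent gaps
# and devices that have stopped reporting. All data below is constructed;
# the column names are an assumption, not a vendor's real export format.
import csv
import io
from datetime import datetime, timedelta, timezone

SILENCE_THRESHOLD = timedelta(hours=24)  # the checklist's "silent for more than 24 hours"

# Constructed inventory, one hostname per line, as a scanner might export it.
INVENTORY_CSV = """\
hostname
lt-finance-01
lt-finance-02
dt-reception
srv-files-01
vm-build-02
"""

# Constructed EDR export: hostname, agent status, last check-in (UTC, ISO 8601).
EDR_EXPORT_CSV = """\
hostname,status,last_seen
lt-finance-01,managed,2026-06-10T08:15:00Z
lt-finance-02,managed,2026-06-08T17:40:00Z
dt-reception,managed,2026-06-10T07:55:00Z
srv-files-01,onboarding,2026-06-10T06:00:00Z
"""


def parse_inventory(text):
    """Return the set of hostnames (lower-cased) from the scan export."""
    return {row["hostname"].strip().lower() for row in csv.DictReader(io.StringIO(text))}


def parse_edr_export(text):
    """Return {hostname: {"status": ..., "last_seen": aware UTC datetime}}."""
    devices = {}
    for row in csv.DictReader(io.StringIO(text)):
        seen = datetime.strptime(row["last_seen"], "%Y-%m-%dT%H:%M:%SZ")
        devices[row["hostname"].strip().lower()] = {
            "status": row["status"].strip().lower(),
            "last_seen": seen.replace(tzinfo=timezone.utc),
        }
    return devices


def coverage_report(inventory, devices, now):
    """Compare the inventory with EDR telemetry as of `now` (aware UTC datetime)."""
    uncovered = sorted(inventory - set(devices))            # no agent at all
    not_managed = sorted(h for h, d in devices.items() if d["status"] != "managed")
    silent = sorted(h for h, d in devices.items()
                    if now - d["last_seen"] > SILENCE_THRESHOLD)
    covered = sum(1 for h in inventory
                  if h in devices and devices[h]["status"] == "managed")
    pct = round(100.0 * covered / len(inventory), 1) if inventory else 0.0
    return {"uncovered": uncovered, "not_managed": not_managed,
            "silent": silent, "coverage_pct": pct}


def run(now_iso=None):
    """Build the report; `now_iso` is an ISO 8601 UTC timestamp, default = real now."""
    if now_iso is None:
        now = datetime.now(timezone.utc)
    else:
        now = datetime.strptime(now_iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return coverage_report(parse_inventory(INVENTORY_CSV),
                           parse_edr_export(EDR_EXPORT_CSV), now)


if __name__ == "__main__":
    for key, value in run("2026-06-10T09:00:00Z").items():
        print(f"{key}: {value}")
```

The coverage percentage this produces is the same number the "How do we prove our posture" FAQ below says insurers ask for, so it is worth running on a schedule and keeping the output with your audit evidence.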

Pitfall to avoid: Do not run legacy antivirus alongside EDR unless the vendor explicitly supports coexistence. Dual engines cause performance degradation and detection conflicts.


2. Automate Patch Management

The ASD Essential Eight lists "patch applications" and "patch operating systems" as two of its top mitigations — and for good reason. The majority of ransomware campaigns exploit vulnerabilities that had patches available for months or years.

CIS Benchmark mapping: CIS Control 7 (Continuous Vulnerability Management) and CIS Control 4 (Secure Configuration of Assets) both require automated patching within defined timeframes — critical patches within 14 days, high within 30 days.

Tool options:

  • Microsoft Intune (included with Microsoft 365 Business Premium at ~$22/user/month) handles Windows and macOS patch rings natively. Create a pilot ring (5% of devices), a broad ring (2–3 days later), and an exemptions ring for critical systems.
  • Automox — cloud-native patching for Windows, macOS, and Linux. Starts around $3–$6/endpoint/month. Excellent for mixed-OS environments.
  • PDQ Deploy + PDQ Inventory — on-premises Windows patching. One-time licence (~$900–$1,500) plus annual renewal. Best for shops that want full control and no cloud dependency.

Quick-win patch actions (Day 3–4):

  1. Audit current patch levels. Run a report from your existing management tool or use systeminfo / wmic qfe on Windows, softwareupdate --history on macOS. Identify anything more than 30 days behind.
  2. Enable automatic OS updates. On Windows 10/11, set the Update Ring via Intune or GPO to "Semi-Annual Channel" with a 7-day deferral. On macOS, enforce softwareupdate --schedule on via MDM.
  3. Patch third-party applications. Adobe Reader, Chrome, Firefox, Zoom, and VPN clients are the most commonly exploited. Automox and PDQ Deploy handle these out of the box. If you have nothing, start with the free Ninite Updater for a basic sweep.
  4. Define and enforce patch SLAs. Critical vulnerabilities (CVSS 9.0+) patched within 48 hours. High (7.0–8.9) within 14 days. Everything else within 30 days. Document this — your cyber insurer will ask for it.
  5. Remove admin rights. This single change eliminates over 80% of endpoint-based malware execution paths. Use LAPS (Local Administrator Password Solution) for Windows or restricted accounts on macOS.
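Steps 1 and 4 above turn into a short script once you write the SLA thresholds down. The Python below is an added example, not part of the original post: it applies the stated SLAs (CVSS 9.0+ within 48 hours, 7.0 to 8.9 within 14 days, everything else within 30 days) to a list of findings and flags the overdue ones, and it reads a wmic qfe export to apply the "more than 30 days behind" rule from step 1. The findings, hostnames and KB identifiers are constructed placeholders, and the InstalledOn date format assumes a US locale (wmic prints it in the local short-date format, so adjust the parser if yours differs).

```python
# Added example (not from the original post): apply the checklist's patch
# SLAs to a list of findings and audit a wmic qfe export for the "more than
# 30 days behind" rule. Findings, hostnames and KB ids are constructed.
import csv
from datetime import datetime, timedelta

AUDIT_LAG_DAYS = 30  # step 1: flag anything more than 30 days behind


def sla_window(cvss):
    """Step 4's SLAs: 9.0+ within 48h, 7.0-8.9 within 14 days, else 30 days."""
    if cvss >= 9.0:
        return timedelta(hours=48)
    if cvss >= 7.0:
        return timedelta(days=14)
    return timedelta(days=30)


# Constructed findings: host, vulnerability id (placeholder), CVSS, first seen.
FINDINGS = [
    ("lt-finance-01", "CVE-EXAMPLE-1", 9.8, datetime(2026, 6, 7, 9, 0)),
    ("dt-reception", "CVE-EXAMPLE-2", 7.5, datetime(2026, 5, 30, 9, 0)),
    ("srv-files-01", "CVE-EXAMPLE-3", 5.3, datetime(2026, 5, 25, 9, 0)),
]


def overdue_findings(findings, now):
    """Return (host, id, due datetime) for every finding past its SLA at `now`."""
    result = []
    for host, vuln_id, cvss, first_seen in findings:
        due = first_seen + sla_window(cvss)
        if now > due:
            result.append((host, vuln_id, due))
    return result


# Constructed output in the shape of:
#   wmic qfe get HotFixID,InstalledOn /format:csv
# (wmic prints a leading blank line and a Node column; KB ids are placeholders;
# InstalledOn is in the local short-date format, assumed US m/d/yyyy here).
WMIC_QFE_CSV = """\

Node,HotFixID,InstalledOn
LT-FINANCE-01,KB-EXAMPLE-A,4/8/2026
LT-FINANCE-01,KB-EXAMPLE-B,4/29/2026
"""


def last_hotfix_date(qfe_csv):
    """Most recent InstalledOn date in the export."""
    lines = [line for line in qfe_csv.splitlines() if line.strip()]
    dates = [datetime.strptime(row["InstalledOn"], "%m/%d/%Y").date()
             for row in csv.DictReader(lines)]
    return max(dates)


def days_behind(qfe_csv, today):
    return (today - last_hotfix_date(qfe_csv)).days


def audit(now_iso):
    """Combined report for a reference time given as an ISO 8601 string."""
    now = datetime.fromisoformat(now_iso)
    lag = days_behind(WMIC_QFE_CSV, now.date())
    return {
        "overdue": [(h, v, d.isoformat()) for h, v, d in overdue_findings(FINDINGS, now)],
        "days_since_last_hotfix": lag,
        "behind": lag > AUDIT_LAG_DAYS,
    }


if __name__ == "__main__":
    print(audit("2026-06-10T09:00:00"))
```

On current Windows 11 builds wmic is deprecated and may not be installed; the PowerShell cmdlet Get-HotFix returns the same HotFixID and InstalledOn fields, so the parser above only needs the export step swapped.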

3. Roll Out MDM for Every Mobile Device

If your employees access company email, files, or systems from a phone or tablet, that device is an endpoint. Unmanaged mobile devices bypass every network control you have ever implemented.

MDM platform choices:

  • Microsoft Intune — included with Microsoft 365 Business Premium. Manages iOS, Android, Windows, and macOS. The default choice if you are already in the Microsoft ecosystem.
  • Jamf Pro — purpose-built for Apple fleets. ~$4–$7/device/month. Deep macOS/iOS management, Self Service app catalogue, zero-touch deployment.
  • Google Endpoint Management — included with Google Workspace Business Standard and above. Adequate for basic Android and Chrome OS management.

MDM rollout steps (Day 4–5):

  1. Enrol company-owned devices first. Use Apple Business Manager or Android Enterprise for zero-touch enrolment. Devices are supervised the moment they are unboxed.
  2. Set a minimum OS version policy. Block devices running OS versions more than two major releases behind. iOS 16 and Android 13 should be the floor as of mid-2026.
  3. Mandate a 6-digit PIN and biometric unlock. Disable simple 4-digit PINs. Require Face ID / fingerprint as a secondary factor.
  4. Enforce encryption and remote wipe. Confirm FileVault (macOS) and device encryption (Android/iOS) are enabled. Configure remote wipe capability for lost or stolen devices.
  5. Separate work and personal data. Use managed app configurations (Intune App Protection Policies or Jamf) so company data stays in encrypted containers. If an employee leaves, you wipe the work container — not their personal photos.
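Whatever MDM you pick, the rules in steps 2 to 4 become a compliance policy the platform evaluates on every check-in. The Python below is an added example, not part of the original post and not the Intune or Jamf API: it encodes those rules (OS floor of iOS 16 / Android 13, a 6-digit minimum PIN with biometric unlock, encryption on) plus the Android security-patch-level floor used in the "2-Minute Check" later on this page, and evaluates a few constructed device records against them. The device records and the assumption that "March 2026 or later" means a patch level of 2026-03-01 or newer are mine, not the page's.

```python
# Added example (not part of the original post, not an Intune/Jamf API):
# evaluate device records against the MDM rollout rules above.
from datetime import date

# Policy values taken from the rollout steps. The patch-level floor is the
# March 2026 security-patch date used later on this page (assumption:
# "March 2026 or later" means 2026-03-01 or newer).
POLICY = {
    "min_os_major": {"ios": 16, "android": 13},
    "min_pin_length": 6,
    "require_biometric": True,
    "require_encryption": True,
    "min_android_patch_level": date(2026, 3, 1),
}

# Constructed device records, modelled on the attributes an MDM exposes.
DEVICES = [
    {"name": "ceo-pixel", "platform": "android", "os_version": "15",
     "pin_length": 6, "biometric": True, "encrypted": True, "patch_level": "2026-06-05"},
    {"name": "sales-galaxy", "platform": "android", "os_version": "12",
     "pin_length": 4, "biometric": False, "encrypted": True, "patch_level": "2025-11-01"},
    {"name": "finance-iphone", "platform": "ios", "os_version": "17.4",
     "pin_length": 6, "biometric": True, "encrypted": True, "patch_level": None},
]


def major_version(version):
    """'17.4' -> 17, '15' -> 15."""
    return int(version.split(".")[0])


def evaluate(device, policy=POLICY):
    """Return the list of policy failures for one device (empty list = compliant)."""
    failures = []
    floor = policy["min_os_major"][device["platform"]]
    if major_version(device["os_version"]) < floor:
        failures.append(f"os below floor ({device['platform']} {floor})")
    if device["pin_length"] < policy["min_pin_length"]:
        failures.append(f"pin shorter than {policy['min_pin_length']} digits")
    if policy["require_biometric"] and not device["biometric"]:
        failures.append("biometric unlock not enabled")
    if policy["require_encryption"] and not device["encrypted"]:
        failures.append("device encryption off")
    # iOS has no separate patch-level field, so only Android is checked here.
    if device["platform"] == "android" and device["patch_level"]:
        if date.fromisoformat(device["patch_level"]) < policy["min_android_patch_level"]:
            failures.append("security patch level behind")
    return failures


def noncompliant(devices=DEVICES, policy=POLICY):
    """Map device name -> failures, for devices that fail at least one rule."""
    report = {}
    for device in devices:
        failures = evaluate(device, policy)
        if failures:
            report[device["name"]] = failures
    return report


if __name__ == "__main__":
    for name, failures in noncompliant().items():
        print(name, "->", "; ".join(failures))
```

The useful property of writing the policy this way is that a device failing any rule is the same thing as "it doesn't get access", which is the conditional-access decision you want the MDM to make for you rather than a person chasing screenshots.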

4. Harden the OS Using CIS Benchmarks

EDR and patching catch what gets through. Hardening reduces the attack surface so less gets through in the first place.

CIS Benchmarks provide OS-specific hardening guides — hundreds of configuration items for Windows 10/11, macOS, Ubuntu, and more. You do not need all of them on day one.

Quick-win hardening actions (Day 5–7):

  • Windows: Disable LLMNR and NBT-NS (prevents LLMNR poisoning attacks). Disable PowerShell v2 (only keep v5.1+ with constrained language mode). Enable Windows Defender Credential Guard. Block executable files from AppData and temp folders via AppLocker or WDAC.
  • macOS: Enable Gatekeeper and XProtect. Restrict kernel extensions to approved vendors. Disable automatic login. Require FileVault with institutional recovery key escrow.
  • Network-level: Segment IoT and guest devices onto separate VLANs. Block RDP from the internet — use a VPN or bastion host instead. Deploy DNS filtering (Cloudflare Gateway free tier or Quad9) to block malware domains at the resolver.
  • All devices: Disable USB auto-run. Remove unused browser extensions. Uninstall Flash (should be gone by now — verify) and Java unless a business application requires it. If Java is required, keep it patched to the day.
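Hardening only counts if you can verify it later, and a registry export is the cheapest evidence for the Windows items above. The Python below is an added example, not part of the original post and not a CIS tool: it parses the text produced by "reg export" and checks three of the settings listed (LLMNR off, NBT-NS off on every interface, Credential Guard on). The export is constructed; the key paths and value names are, to the best of my knowledge, the standard Windows locations for these settings, but check them against the CIS Benchmark for your OS build before relying on the script.

```python
# Added example (not from the original post): check a Windows registry export
# (the text written by "reg export", which on disk is UTF-16) for three of the
# Windows hardening items above: LLMNR off, NBT-NS off per interface,
# Credential Guard on. The export below is constructed; key and value names
# are the standard Windows ones as far as I know (verify against CIS).
import re

LLMNR_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient"
LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA"
NETBT_IFACE_PREFIX = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
                      r"\NetBT\Parameters\Interfaces\Tcpip_")

# Constructed export: LLMNR already off, Credential Guard off, NBT-NS off on
# one interface and still on for another. Interface GUIDs are placeholders.
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient]
"EnableMulticast"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA]
"LsaCfgFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{EXAMPLE-GUID-1}]
"NetbiosOptions"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{EXAMPLE-GUID-2}]
"NetbiosOptions"=dword:00000000
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg_export(text):
    """Return {key_path: {value_name: int}} for DWORD values only."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = int(m.group(2), 16)
    return keys


def audit_hardening(text):
    """Return a list of findings; an empty list means all three settings are in place.
    A missing key counts as a finding, because the Windows default is 'enabled'."""
    keys = parse_reg_export(text)
    findings = []
    if keys.get(LLMNR_KEY, {}).get("EnableMulticast") != 0:
        findings.append("LLMNR not disabled (EnableMulticast should be 0)")
    if keys.get(LSA_KEY, {}).get("LsaCfgFlags") not in (1, 2):
        findings.append("Credential Guard not enabled (LsaCfgFlags should be 1 or 2)")
    for path, values in keys.items():
        if path.startswith(NETBT_IFACE_PREFIX) and values.get("NetbiosOptions") != 2:
            iface = path[len(NETBT_IFACE_PREFIX):]
            findings.append(f"NBT-NS still enabled on interface {iface} (NetbiosOptions should be 2)")
    return findings


if __name__ == "__main__":
    for finding in audit_hardening(REG_EXPORT):
        print(finding)
```

To run it against a real machine, export the three hives with reg export and read the file with encoding="utf-16"; the parser ignores everything that is not a DWORD, so string values such as the PowerShell execution policy need their own check.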

FAQ

How much does endpoint hardening cost for a 50-person business? Expect $3–$15/endpoint/month for EDR, $0–$6/endpoint/month for patch management (Intune may already be included in your Microsoft 365 licence), and $0–$7/device/month for MDM. For a 50-device fleet, budget $300–$1,400/month total. Microsoft 365 Business Premium ($22/user/month) bundles Defender for Endpoint, Intune, and Azure AD P1 — often the most cost-effective single-vendor path.

Can we deploy EDR alongside existing antivirus? It depends on the product. Microsoft Defender for Endpoint replaces Windows Defender AV with a managed EDR version — no conflict. CrowdStrike and SentinelOne both require you to disable or uninstall third-party AV first. Check vendor coexistence documentation before deploying.

What about BYOD devices — do we have to manage personal laptops and phones? You should at minimum enforce MDM enrolment for any device accessing company email or cloud apps. Use containerised management (Intune App Protection Policies without device enrolment for personal phones, or full enrolment for laptops). If an employee refuses MDM enrolment, they should access company resources only via a managed VDI or web browser — never via native apps with cached credentials.

How do we prove our posture to auditors or insurers? Export your EDR console's managed-device count and coverage report. Generate a patch compliance report from your patch management tool showing mean time-to-patch. Provide MDM policy configuration screenshots. Map your controls to ASD Essential Eight maturity levels or CIS Controls v8 Implementation Groups. Most cyber insurers now ask specifically for EDR deployment percentage and patch SLAs — having these reports ready can reduce premiums.


Conclusion

Endpoint hardening is not a year-long transformation project — it is a series of deliberate actions you can start this week. Deploy EDR on every device within 48 hours. Automate patching for operating systems and third-party applications. Roll out MDM for every phone and tablet that touches company data. Hardening the OS configuration closes the remaining gaps. Together, these steps address three of the ASD Essential Eight controls and map directly to CIS Benchmarks that auditors and insurers expect.

Start with the inventory. Everything else flows from knowing what you have.

Ready for expert guidance? Visit consult.lil.business for a free cybersecurity assessment tailored to your environment, fleet size, and budget.


References

  1. ASD Essential Eight Maturity Model — Australian Cyber Security Centre
  2. CIS Controls v8 — Center for Internet Security
  3. ClickFix Distributing Vidar Stealer — ASD ACSC Advisory
  4. Microsoft Defender RoguePlanet Zero-Day — BleepingComputer
  5. CIS Benchmarks — Operating System Hardening Guides

Your Work Phone Just Became an Unlocked Door — How to Check if It's Been Fixed

Explained Like You're 10

TL;DR

  • Google just fixed 129 security holes in Android phones — including one that hackers are already using right now [1]
  • If your staff use Android phones to check work email or access business systems, an unpatched phone is like leaving the back door to your business unlocked
  • Checking and fixing this takes about 2 minutes per phone

The Hole in Your Phone

Imagine every phone has thousands of tiny windows. Most are nailed shut. Every so often, someone finds a window that isn't — and before it gets fixed, they can squeeze through it to get inside.

That's what a security vulnerability is.

In March 2026, Google found — and fixed — 129 of these unlocked windows in Android phones [1]. That's a lot at once.

Two of them are the most serious:

The one already being used by hackers: There's a flaw in the graphics chip used by many Android phones (made by a company called Qualcomm). Hackers have already figured out how to use this flaw to get inside certain phones [1][2]. Google has confirmed real attacks are happening right now.

The one that needs no tapping or clicking: There's a second flaw so serious that a hacker could break into a phone just because it's connected to the internet — no dodgy link, no suspicious attachment, nothing. Just "phone exists on the internet, phone gets hacked" [1].


Why Your Work Phone Is Your Business's Problem

Here is the part that surprises a lot of business owners.

When Sarah from your team uses her personal Android phone to check her work email or log into your accounting software — her phone is now a door into your business.

It's like if your staff member kept the office Wi-Fi password on a sticky note in their wallet. If someone steals the wallet, they can get into your office. In the same way, if a hacker gets into a phone that's logged into your business systems, they can reach your business data.

Most businesses are really careful about keeping their office computers updated. Very few think about the phones.


The 2-Minute Check

Here is how to check if any phone is protected.

On any Android phone:

  1. Open Settings
  2. Scroll down to About Phone
  3. Tap Android Version (or Software Information on Samsung)
  4. Look for Android Security Patch Level

If the date shown is March 2026 or later — protected.

If it shows February 2026 or earlier — still at risk. (Update needed)


How to Update

On Android: Settings → System → System Update → Check for Updates

If an update is available, install it. Takes 10–15 minutes and a restart.

If no update is available yet: Some phone brands are slower to release Google's patches. If a work phone can't get the March update and it has access to your business systems — it's worth temporarily removing that access until it can be updated. This sounds strict, but it's the same thinking as "don't leave the front door unlocked just because the locksmith is busy."


The Bigger Picture for Your Business

Your business probably has a rule about keeping computers updated. This month is a good reminder that phones need the same treatment.

Here's a simple rule that works well for small businesses:

If a device accesses business systems, it needs to be running the latest security update — or it doesn't get access.

You don't need expensive software for this. You just need to check once a month, the same way you might check the locks before you leave the office.

The Australian Signals Directorate (Australia's cyber safety agency) consistently highlights outdated mobile software as one of the most common ways businesses get compromised [4].


FAQ

If your phone manufacturer has stopped releasing security updates (usually after 3–5 years for most brands), your phone will never get this fix. If that phone is accessing your business email or systems, consider replacing it — or using a different device for business that can receive updates. Google Pixel phones receive 7 years of updates now, which makes them a solid business choice.

No — this is specific to Android phones. iPhones have their own separate security updates, which Apple releases quickly. The same principle applies though: keep your iPhone updated too.

Focus on the ones that access the most sensitive systems first — whoever handles finance, customer data, or admin access. A quick message asking them to screenshot their security patch level screen takes 5 minutes for your whole team.

It's not that Android suddenly became a lot more vulnerable — it's that Google bunches up patches and releases them monthly. Some of these fixes were in development for months. The number looks scary but most are low-severity issues that would be hard to exploit in practice. The two we highlighted are the ones that genuinely need urgent attention.

Once a month is enough. Google releases security updates monthly. Set a reminder on the first Monday of each month to quickly confirm all work-accessed devices are current.


References

[1] Google, "Android Security Bulletin—March 2026," Android Open Source Project, Mar. 2026. [Online]. Available: https://source.android.com/docs/security/bulletin/2026/2026-03-01

[2] The Hacker News, "Google Confirms CVE-2026-21385 in Qualcomm Android Component Exploited," The Hacker News, Mar. 3, 2026. [Online]. Available: https://thehackernews.com/2026/03/google-confirms-cve-2026-21385-in.html

[3] Qualcomm, "March 2026 Security Bulletin," Qualcomm Technologies, Mar. 2026. [Online]. Available: https://docs.qualcomm.com/securitybulletin/march-2026-bulletin.html

[4] Australian Signals Directorate, "ASD Annual Cyber Threat Report 2023-24," Australian Signals Directorate, 2024. [Online]. Available: https://www.cyber.gov.au/about-us/view-all-content/reports-and-statistics/asd-cyber-threat-report-july-2023-june-2024

[5] NIST, "SP 800-124 Rev. 2: Guidelines for Managing the Security of Mobile Devices in the Enterprise," National Institute of Standards and Technology, 2023. [Online]. Available: https://csrc.nist.gov/publications/detail/sp/800-124/rev-2/final

[6] CISA, "Mobile Device Best Practices," Cybersecurity and Infrastructure Security Agency, 2024. [Online]. Available: https://www.cisa.gov/resources-tools/resources/mobile-device-best-practices

[7] IBM Security, "Cost of a Data Breach Report 2025," IBM, 2025. [Online]. Available: https://www.ibm.com/reports/data-breach

[8] Verizon, "2025 Data Breach Investigations Report," Verizon Business, 2025. [Online]. Available: https://www.verizon.com/business/resources/reports/dbir/


Want someone to check whether your business's phones and devices are properly secured? Book a free 30-minute review with lilMONSTER — we'll look at what's accessible and give you a simple checklist to fix the gaps.

Ready to strengthen your security?

Talk to lilMONSTER. We assess your risks, build the tools, and stay with you after the engagement ends. No clipboard-and-leave consulting.

Get a Free Consultation