TL;DR
Endpoint hardening is your highest-ROI security investment this quarter. Deploy an EDR/XDR solution ($3–$15/endpoint/month), automate patching with tools like Automox or PDQ Deploy, and enforce device policies through Intune or Jamf MDM. Follow the ASD Essential Eight and CIS Benchmarks as your baseline. Most of this checklist can be implemented in under a week.
Why Endpoint Hardening Comes First
Attackers rarely breach your firewall — they walk in through an unpatched laptop, a personal phone checking work email, or a desktop running a two-year-old browser. Endpoints are where your network meets human behaviour, and that intersection is where 70%+ of compromises originate. If you only have budget for one security initiative this year, make it endpoint hardening.
1. Deploy EDR/XDR on Every Endpoint
Antivirus is dead. Modern threats — fileless malware, living-off-the-land attacks, credential stealers — bypass traditional signature-based detection. You need Endpoint Detection and Response (EDR) or Extended Detection and Response (XDR), which uses behavioural analysis, process telemetry, and threat intelligence to catch what signatures miss.
Recommended tools for SMB budgets:
| Tool | Price (per endpoint/month) | Best For |
|---|---|---|
| Microsoft Defender for Endpoint P2 | ~$5–$7 (included in M365 E5 / available standalone) | Microsoft-heavy environments |
| CrowdStrike Falcon Go | ~$5–$8 | Small teams wanting enterprise-grade detection |
| SentinelOne Singularity Core | ~$5–$10 | Autonomous AI remediation, low false positives |
| Microsoft Defender for Business | ~$3–$5 (bundled in M365 BP) | Very small businesses (<300 seats) |
Deployment quick wins:
- Start with a pilot group of 5–10 endpoints. Validate agent compatibility, performance impact, and alert noise before full rollout.
- Configure centralised logging — all EDR alerts should flow to a single dashboard or your SIEM. Siloed alerts are useless.
- Enable automatic remediation for high-confidence detections. Manual response on every alert will burn out your team within a month.
2. Automate Patch Management
The ASD Essential Eight explicitly calls out two controls: patch applications and patch operating systems. Both require exploitable vulnerabilities to be patched within 48 hours for internet-facing services, and within two weeks for everything else. Manual patching at that cadence is unsustainable — automate it.
Tools:
- Automox ($1–$3/endpoint/month): Cloud-native patching for Windows, macOS, and Linux from a single console. Set patch policies by device group and let it run on schedule. Ideal for hybrid fleets.
- PDQ Deploy + PDQ Inventory (~$500/year flat for up to 100 endpoints): On-premises Windows-only. Great if you have a Windows shop and prefer not to send telemetry to a SaaS console.
- Microsoft Intune Update Rings (included with Intune licences): Native Windows patching with deployment rings — pilot, broad, critical. No extra cost if you're already licensing Intune for MDM.
- Jamf Pro patch management (included in Jamf Pro): macOS-specific. Pushes Apple software updates and third-party patches to managed Macs.
Patch policy template:
- Internet-facing systems: patch within 48 hours of release.
- Critical workstations (finance, admin): patch within 7 days.
- General endpoints: patch within 14 days, enforced automatically.
- Staging ring: 5% of fleet receives patches 48 hours before broad deployment to catch regressions.
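To make the template above measurable rather than aspirational, here is a small patch-SLA checker. It is an added example, not a tool from the page or from Automox, PDQ or Intune: it encodes the four deadlines (48 hours, 7 days, 14 days, and a staging ring that runs 48 hours ahead of broad deployment), then sorts a constructed inventory into compliant, late, overdue and pending so the overdue list can go straight into a ticket. The device classes, the inventory rows and the release timestamp are all constructed sample data.

```python
"""Patch-SLA checker for the patch policy template (added example, not from the page).

Deadlines follow the template: internet-facing 48 h, critical workstations 7 days,
general endpoints 14 days. The staging ring is modelled as the general deadline
minus 48 h. Inventory rows below are constructed sample data, not exported from
any patch-management console.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Hours a device class is allowed between patch release and installation.
SLA_HOURS = {
    "internet_facing": 48,
    "critical": 7 * 24,
    "general": 14 * 24,
    "staging": 14 * 24 - 48,   # staging ring leads broad deployment by 48 h
}


@dataclass
class Endpoint:
    name: str
    device_class: str
    patch_released: datetime
    patch_installed: Optional[datetime]   # None = patch still missing


def deadline(ep: Endpoint) -> datetime:
    """Latest acceptable install time for this endpoint's class."""
    return ep.patch_released + timedelta(hours=SLA_HOURS[ep.device_class])


def status(ep: Endpoint, now: datetime) -> str:
    """'compliant' (installed in time), 'late' (installed after the deadline),
    'overdue' (still missing and past the deadline) or 'pending' (missing, in time)."""
    due = deadline(ep)
    if ep.patch_installed is not None:
        return "compliant" if ep.patch_installed <= due else "late"
    return "overdue" if now > due else "pending"


def report(fleet, now):
    """Group endpoint names by status; the 'overdue' bucket is the one to action."""
    out = {"compliant": [], "late": [], "overdue": [], "pending": []}
    for ep in fleet:
        out[status(ep, now)].append(ep.name)
    return out


# Constructed sample: a patch released 2026-03-02 09:00, evaluated eight days later.
RELEASE = datetime(2026, 3, 2, 9, 0)
NOW = datetime(2026, 3, 10, 9, 0)
SAMPLE_FLEET = [
    Endpoint("vpn-gw-01", "internet_facing", RELEASE, RELEASE + timedelta(hours=30)),
    Endpoint("web-proxy-02", "internet_facing", RELEASE, None),
    Endpoint("finance-laptop-03", "critical", RELEASE, RELEASE + timedelta(days=9)),
    Endpoint("sales-laptop-17", "general", RELEASE, None),
    Endpoint("staging-desktop-05", "staging", RELEASE, RELEASE + timedelta(days=11)),
]

if __name__ == "__main__":
    for state, names in report(SAMPLE_FLEET, NOW).items():
        print(f"{state:10s} {', '.join(names) or '-'}")
```

Run it monthly against your real inventory export and the "overdue" bucket is your patch-compliance backlog; the "late" bucket tells you which classes need an earlier ring or a shorter maintenance window.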
3. Roll Out MDM for Every Device — Including Personal Phones
If any employee checks work email or accesses business data on a personal device, that device is an endpoint. Mobile Device Management (MDM) gives you the ability to enforce security policies, push configurations, segregate work data from personal data, and remotely wipe if a device is lost or stolen.
Platform choices:
- Microsoft Intune (~$6/user/month, included in M365 E3/E5): Best for Windows + mixed environments. Integrates natively with Entra ID (Azure AD) for conditional access — block email access from non-compliant devices automatically.
- Jamf Pro (~$7–$12/device/month): Industry standard for macOS and iOS management. If your fleet is Apple-heavy, Jamf is the right call. Deep integration with Apple Business Manager for zero-touch provisioning.
- Google Workspace MDM (included in Workspace licences): Basic but functional for Android + iOS. Sufficient if your needs are limited to enforcing screen lock, encryption, and remote wipe.
MDM rollout checklist (implement this week):
- Enroll all company-owned laptops and desktops into MDM.
- Create a BYOD profile that segregates work data (email, files) from personal apps — use containerisation, not full device control, for personal devices.
- Enforce: screen lock ≤5 minutes, full-disk encryption, minimum OS version, disable USB debugging on mobile.
- Configure conditional access: no compliance, no access to company data.
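The checklist above is really a compliance policy plus one access rule. The following is an added example, not code from the page or from Intune, Jamf or Google Workspace: it encodes the enforced settings (screen lock of 5 minutes or less, full-disk encryption, a minimum OS version, USB debugging off on Android) and applies "no compliance, no access" to constructed device-posture records. The field names and the minimum OS versions are assumptions chosen for the example, not any vendor's schema or a recommendation from the page; a real deployment reads these values from the MDM's compliance API.

```python
"""Device-compliance check for the MDM rollout checklist (added example, not from the page).

Field names and version thresholds are assumptions for the example, not a vendor schema.
"""

POLICY = {
    "max_screen_lock_minutes": 5,
    # Example thresholds only; set these from your own OS-support baseline.
    "min_os_version": {
        "windows": (10, 0, 19045),
        "macos": (14, 0),
        "android": (14,),
        "ios": (17,),
    },
}


def parse_version(text):
    """'14.2.1' -> (14, 2, 1). Non-numeric parts are dropped rather than guessed."""
    return tuple(int(p) for p in str(text).split(".") if p.isdigit())


def version_at_least(actual, minimum):
    """Compare version tuples, padding the shorter one with zeros so '14'
    satisfies (14, 0) and '10.0.19045.4' satisfies (10, 0, 19045)."""
    n = max(len(actual), len(minimum))
    return actual + (0,) * (n - len(actual)) >= minimum + (0,) * (n - len(minimum))


def evaluate(device):
    """Return the names of the failed checks; an empty list means compliant."""
    failures = []
    lock = device.get("screen_lock_minutes")
    if lock is None or lock > POLICY["max_screen_lock_minutes"]:
        failures.append("screen_lock")
    if not device.get("disk_encrypted"):
        failures.append("encryption")
    platform = device.get("platform")
    minimum = POLICY["min_os_version"].get(platform)
    # An unknown platform or an unparsable version fails closed.
    if minimum is None or not version_at_least(parse_version(device.get("os_version", "")), minimum):
        failures.append("os_version")
    if platform == "android" and device.get("usb_debugging"):
        failures.append("usb_debugging")
    return failures


def access_decision(device):
    """Conditional access: 'allow' only when every check passes, else 'block' with reasons."""
    failures = evaluate(device)
    return ("allow", []) if not failures else ("block", failures)


# Constructed posture records (not exported from any MDM).
SAMPLE_DEVICES = [
    {"name": "corp-laptop-01", "platform": "windows", "os_version": "10.0.22631.3",
     "screen_lock_minutes": 5, "disk_encrypted": True},
    {"name": "byod-android-07", "platform": "android", "os_version": "13",
     "screen_lock_minutes": 10, "disk_encrypted": True, "usb_debugging": True},
    {"name": "design-macbook-02", "platform": "macos", "os_version": "14.4",
     "screen_lock_minutes": 2, "disk_encrypted": False},
]

if __name__ == "__main__":
    for dev in SAMPLE_DEVICES:
        decision, reasons = access_decision(dev)
        print(f"{dev['name']:18s} {decision:5s} {', '.join(reasons)}")
```

Two design points worth copying into whatever product you use: a missing or unparsable value fails closed (a device that cannot prove its lock timeout is treated as non-compliant), and the decision returns the reasons, so the user gets a fixable message instead of a silent block.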
4. OS Hardening with CIS Benchmarks
EDR and patching address what's new. CIS Benchmarks address what's already misconfigured. The CIS Benchmarks are vendor-specific configuration guidelines (Windows 11, macOS Sonoma, Ubuntu 22.04, iOS, Android) that close default insecure settings — disabling SMBv1, requiring BitLocker, restricting local admin rights, enforcing secure boot.
How to apply them fast:
- Download the relevant CIS Benchmark PDF from cisecurity.org (free, registration required).
- Use Intune Configuration Profiles or Jamf Configuration Profiles to push hardened settings — don't rely on manual GPO or local policy edits.
- For Windows, start with CIS Level 1 (basic hardening, minimal breakage risk). Level 2 is stricter and may impact application compatibility — test before broad rollout.
- Validate with CIS-CAT Lite (free scanning tool) or a commercial configuration assessment tool like Tenable.sc.
Top 5 CIS hardening controls to apply day one:
- Disable SMBv1, LM hash storage, and NTLMv1 authentication.
- Enable full-disk encryption (BitLocker for Windows, FileVault for macOS).
- Remove local admin rights from standard users.
- Enable secure boot and TPM attestation.
- Disable AutoRun/AutoPlay on all removable media.
FAQ
Do I need EDR if I already have antivirus? Yes. Traditional AV uses signature-based detection, which misses fileless attacks, zero-days, and living-off-the-land techniques. EDR uses behavioural detection and process telemetry to catch threats that have no known signature. If budget is tight, Microsoft Defender for Business bundles AV + EDR at ~$3–$5/endpoint/month.
Can I manage personal (BYOD) phones without invading employee privacy? Yes. Use MDM containerisation — Intune App Protection Policies or Jamf's BYOD workflows create a segregated work container on the personal device. You control the work data (email, files, apps) and can wipe only that container if the employee leaves. You cannot see personal apps, photos, messages, or browsing history.
What's the minimum viable endpoint security stack for a 10-person business? Microsoft Defender for Business (EDR + AV) + Intune (MDM + patch rings) + BitLocker/FileVault enforced via MDM. Total cost: ~$8–$12/user/month. This covers detection, patching, device management, and encryption — the four controls that stop the majority of SMB-targeted attacks.
How often should I patch? Critical and internet-facing vulnerabilities: within 48 hours. High severity: within 7 days. Everything else: within 14 days. Use automated patching tools (Automox, Intune Update Rings) to enforce these timelines — manual patching will not keep pace.
Conclusion
Endpoint hardening is not a project — it's a continuous practice. But the initial lift can be done in a week: deploy EDR on every device, automate your patch cycles, enroll everything into MDM, and apply CIS Benchmark Level 1 settings. That combination addresses the attack vectors that compromise most small and medium businesses. Start with the quick-win checklist above, measure your coverage, and iterate.
Ready to find your gaps? Visit consult.lil.business for a free cybersecurity assessment — we'll map your current endpoint posture against the ASD Essential Eight and give you a prioritised action plan.
References
- ACSC — Essential Eight Maturity Model
- Center for Internet Security — CIS Benchmarks
- Microsoft — Defender for Endpoint documentation
- CrowdStrike — Falcon Go product page
- NIST — SP 800-83 Guide to Malware Incident Prevention and Handling
Your Work Phone Just Became an Unlocked Door — How to Check if It's Been Fixed
Explained Like You're 10
TL;DR
- Google just fixed 129 security holes in Android phones — including one that hackers are already using right now [1]
- If your staff use Android phones to check work email or access business systems, an unpatched phone is like leaving the back door to your business unlocked
- Checking and fixing this takes about 2 minutes per phone
The Hole in Your Phone
Imagine every phone has thousands of tiny windows. Most are nailed shut. Every so often, someone finds a window that isn't — and before it gets fixed, they can squeeze through it to get inside.
That's what a security vulnerability is.
In March 2026, Google found — and fixed — 129 of these unlocked windows in Android phones [1]. That's a lot at once.
Two of them are the most serious:
The one already being used by hackers: There's a flaw in the graphics chip used by many Android phones (made by a company called Qualcomm). Hackers have already figured out how to use this flaw to get inside certain phones [1][2]. Google has confirmed real attacks are happening right now.
The one that needs no tapping or clicking: There's a second flaw so serious that a hacker could break into a phone just because it's connected to the internet — no dodgy link, no suspicious attachment, nothing. Just "phone exists on the internet, phone gets hacked" [1].
Why Your Work Phone Is Your Business's Problem
Here is the part that surprises a lot of business owners.
When Sarah from your team uses her personal Android phone to check her work email or log into your accounting software — her phone is now a door into your business.
It's like if your staff member kept the office Wi-Fi password on a sticky note in their wallet. If someone steals the wallet, they can get into your office. In the same way, if a hacker gets into a phone that's logged into your business systems, they can reach your business data.
Most businesses are really careful about keeping their office computers updated. Very few think about the phones.
The 2-Minute Check
Here is how to check if any phone is protected.
On any Android phone:
- Open Settings
- Scroll down to About Phone
- Tap Android Version (or Software Information on Samsung)
- Look for Android Security Patch Level
If the date shown is March 2026 or later — protected.
If it shows February 2026 or earlier — still at risk. (Update needed)
How to Update
On Android: Settings → System → System Update → Check for Updates
If an update is available, install it. Takes 10–15 minutes and a restart.
If no update is available yet: Some phone brands are slower to release Google's patches. If a work phone can't get the March update and it has access to your business systems — it's worth temporarily removing that access until it can be updated. This sounds strict, but it's the same thinking as "don't leave the front door unlocked just because the locksmith is busy."
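If you have more than a handful of phones, doing the 2-minute check by hand does not scale, so here is the same check as a short script. It is an added example, not something from the post or from Google: it applies the "March 2026 or later" test and the "no current patch, no business access" rule to a constructed list of what each person reported. Android exposes the patch level as the system property `ro.build.version.security_patch` (readable with `adb shell getprop ro.build.version.security_patch`), in the form `2026-03-05`; the script assumes you collected either that value or the date from the screenshot, and treats anything it cannot read as unknown rather than guessing.

```python
"""Patch-level triage for the 2-minute check (added example, not from the post).

Input is the security patch level as shown under About Phone or returned by
`adb shell getprop ro.build.version.security_patch` (YYYY-MM-DD). The sample
reports below are constructed, not real devices.
"""
from datetime import date

REQUIRED_PATCH_LEVEL = date(2026, 3, 1)   # "March 2026 or later", per the post


def parse_patch_level(text):
    """Parse 'YYYY-MM-DD' (or 'YYYY-MM' as the first of that month).
    Return None for blank, 'unknown', or garbled values instead of guessing."""
    try:
        parts = str(text).strip().split("-")
        if len(parts) == 2:               # month-only, e.g. from a screenshot
            parts.append("1")
        y, m, d = (int(p) for p in parts)
        return date(y, m, d)
    except (ValueError, TypeError, AttributeError):
        return None


def triage(device_name, patch_level_text, accesses_business_systems):
    """Return (device, status, action) using the rule: no current patch, no business access."""
    level = parse_patch_level(patch_level_text)
    if level is None:
        status = "unknown"
    elif level >= REQUIRED_PATCH_LEVEL:
        status = "protected"
    else:
        status = "update needed"
    # An unreadable patch level is treated like an out-of-date one: fail closed.
    if status == "protected" or not accesses_business_systems:
        action = "none"
    else:
        action = "remove business access until updated"
    return (device_name, status, action)


# Constructed sample: what each person reported from Settings > About phone.
SAMPLE_REPORTS = [
    ("sarah-pixel", "2026-03-05", True),
    ("tom-galaxy", "2026-02-01", True),
    ("warehouse-tablet", "2025-11-05", False),
    ("loaner-phone", "unknown", True),
]


def run(reports=SAMPLE_REPORTS):
    """Triage every report; returns a list of (device, status, action) tuples."""
    return [triage(*r) for r in reports]


if __name__ == "__main__":
    for device, status, action in run():
        print(f"{device:18s} {status:14s} {action}")
```

Bump `REQUIRED_PATCH_LEVEL` to the current month's bulletin date each time you run the monthly check, and the "remove business access" rows are your to-do list.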
The Bigger Picture for Your Business
Your business probably has a rule about keeping computers updated. This month is a good reminder that phones need the same treatment.
Here's a simple rule that works well for small businesses:
If a device accesses business systems, it needs to be running the latest security update — or it doesn't get access.
You don't need expensive software for this. You just need to check once a month, the same way you might check the locks before you leave the office.
The Australian Signals Directorate (Australia's cyber safety agency) consistently highlights outdated mobile software as one of the most common ways businesses get compromised [4].
FAQ
If your phone manufacturer has stopped releasing security updates (usually after 3–5 years for most brands), your phone will never get this fix. If that phone is accessing your business email or systems, consider replacing it — or using a different device for business that can receive updates. Google Pixel phones receive 7 years of updates now, which makes them a solid business choice.
No — this is specific to Android phones. iPhones have their own separate security updates, which Apple releases quickly. The same principle applies though: keep your iPhone updated too.
Focus on the ones that access the most sensitive systems first — whoever handles finance, customer data, or admin access. A quick message asking them to screenshot their security patch level screen takes 5 minutes for your whole team.
It's not that Android suddenly became a lot more vulnerable — it's that Google bunches up patches and releases them monthly. Some of these fixes were in development for months. The number looks scary but most are low-severity issues that would be hard to exploit in practice. The two we highlighted are the ones that genuinely need urgent attention.
Once a month is enough. Google releases security updates monthly. Set a reminder on the first Monday of each month to quickly confirm all work-accessed devices are current.
References
[1] Google, "Android Security Bulletin—March 2026," Android Open Source Project, Mar. 2026. [Online]. Available: https://source.android.com/docs/security/bulletin/2026/2026-03-01
[2] The Hacker News, "Google Confirms CVE-2026-21385 in Qualcomm Android Component Exploited," The Hacker News, Mar. 3, 2026. [Online]. Available: https://thehackernews.com/2026/03/google-confirms-cve-2026-21385-in.html
[3] Qualcomm, "March 2026 Security Bulletin," Qualcomm Technologies, Mar. 2026. [Online]. Available: https://docs.qualcomm.com/securitybulletin/march-2026-bulletin.html
[4] Australian Signals Directorate, "ASD Annual Cyber Threat Report 2023-24," Australian Signals Directorate, 2024. [Online]. Available: https://www.cyber.gov.au/about-us/view-all-content/reports-and-statistics/asd-cyber-threat-report-july-2023-june-2024
[5] NIST, "SP 800-124 Rev. 2: Guidelines for Managing the Security of Mobile Devices in the Enterprise," National Institute of Standards and Technology, 2023. [Online]. Available: https://csrc.nist.gov/publications/detail/sp/800-124/rev-2/final
[6] CISA, "Mobile Device Best Practices," Cybersecurity and Infrastructure Security Agency, 2024. [Online]. Available: https://www.cisa.gov/resources-tools/resources/mobile-device-best-practices
[7] IBM Security, "Cost of a Data Breach Report 2025," IBM, 2025. [Online]. Available: https://www.ibm.com/reports/data-breach
[8] Verizon, "2025 Data Breach Investigations Report," Verizon Business, 2025. [Online]. Available: https://www.verizon.com/business/resources/reports/dbir/
Want someone to check whether your business's phones and devices are properly secured? Book a free 30-minute review with lilMONSTER — we'll look at what's accessible and give you a simple checklist to fix the gaps.