TL;DR

Most business breaches start at an endpoint—laptops, desktops, or mobile devices that are unpatched, unmonitored, or missing modern anti-malware controls. This post gives you an actionable checklist to harden every endpoint this week: deploy EDR/XDR, automate patching, roll out MDM, and apply ASD Essential Eight and CIS Benchmark baselines. Costs for an SMB typically run $3–$15 per endpoint per month, and many quick wins can be configured in under an hour.

Why Endpoint Hardening Matters Right Now

Endpoint compromise remains the single most common entry point into a business network. Australian organisations are currently being targeted by social engineering campaigns such as ClickFix distributing Vidar Stealer through compromised WordPress sites, and by China-nexus covert networks of compromised devices. Separately, Android banking trojans like Rokarolla are targeting hundreds of banking and crypto applications, showing that mobile endpoints are no longer a secondary concern.

If you can harden laptops, desktops, servers, and mobile devices this week, you remove the low-hanging fruit that most threat actors rely on.

1. Deploy EDR or XDR on Every Endpoint

Antivirus alone is not enough. Endpoint Detection and Response (EDR) records process activity, detects behavioural anomalies, and lets you isolate a compromised device remotely. Extended Detection and Response (XDR) extends that visibility across email, identity, and cloud workloads.

Recommended tools and realistic costs for SMBs:

  • Microsoft Defender for Endpoint — bundled with Microsoft 365 E3/E5 or Business Premium; very cost-effective if you already run Microsoft 365. Standalone P1/P2 starts around $3–$5 per endpoint per month.
  • CrowdStrike Falcon Go — cloud-native EDR with managed threat hunting at the Falcon Pro/Enterprise level. SMB pricing typically $8–$15 per endpoint per month depending on modules.
  • SentinelOne Singularity — autonomous EDR with rollback and managed detection and response add-ons. Core starts around $8–$12 per endpoint per month.

This-week action plan:

  1. Audit every endpoint that accesses business data—Windows, macOS, Linux, mobile, and any BYOD devices.
  2. Pick one EDR/XDR platform and pilot it on five devices before full rollout.
  3. Enable tamper protection so attackers cannot uninstall the agent.
  4. Configure automatic isolation rules for high-confidence detections.
  5. Assign someone to review alerts daily, or purchase the managed detection and response tier.

2. Automate Patch Management for Operating Systems and Applications

Unpatched applications and operating systems are exploited in the majority of successful attacks. The ASD Essential Eight specifically calls out patch applications, patch operating systems, and user application hardening as foundational controls.

Recommended patching tools:

  • Microsoft Intune — strong for Windows and modern mobile devices, patch rings, and Windows Update for Business controls.
  • Automox — cross-platform cloud patch management for Windows, macOS, and Linux; agent-based, with prebuilt and custom policies.
  • PDQ Deploy & Inventory — Windows-focused, fast on-prem deployment, excellent for software updates across desktop fleets.

This-week action plan:

  1. Enable automatic OS updates on all devices. For Windows, set quality updates to install within 7 days and feature updates within a controlled ring.
  2. Identify your top 10 most-used applications—browsers, Office, PDF readers, Zoom/Teams, VPN clients—and set them to auto-update.
  3. Remove or restrict legacy software that is no longer patched. Internet Explorer, old Java versions, and unsupported Office releases are common culprits.
  4. Run a vulnerability scan this week using your EDR, patch tool, or a free scanner to find missing updates.
  5. Document a patch SLA: critical patches within 48 hours, high patches within 7 days, everything else within 30 days.

3. Roll Out Mobile Device Management (MDM)

Mobile endpoints carry email, MFA apps, Slack, VPN credentials, and customer data. If a phone or tablet is lost, rooted, or running an outdated OS, it becomes a doorway into your business.

Recommended MDM tools:

  • Microsoft Intune — best fit for Microsoft-centric SMBs; enforces device compliance, app protection policies, and conditional access.
  • Jamf Pro / Jamf Now — the standard for Apple fleets; handles macOS and iOS device enrollment, configuration profiles, and app distribution.
  • Google Workspace MDM / Samsung Knox — solid for Android-heavy environments, with containerisation and remote wipe.

This-week action plan:

  1. Enroll every business-owned device into MDM before it gets network access.
  2. Require a device passcode or biometrics, encryption enabled, and OS not older than N-1 major version.
  3. Block jailbroken or rooted devices from accessing corporate email and SaaS apps.
  4. Configure remote wipe and lost-device tracking.
  5. Apply application allowlisting for sensitive apps such as banking, MFA, and VPN.

4. Apply OS and Application Hardening Baselines

Hardening is not just about buying tools; it is about turning off risky defaults. CIS Benchmarks give you step-by-step configuration guidance for Windows, macOS, Linux, iOS, and Android. The ASD Essential Eight adds Australian context for application control, patching, and macro settings.

Quick-win hardening checklist for laptops and desktops:

  • Enable full-disk encryption (BitLocker on Windows, FileVault on macOS, LUKS on Linux).
  • Disable auto-run and autoplay for removable media.
  • Turn off Office macros from the internet unless digitally signed and required.
  • Remove local administrator rights from standard users.
  • Enable firewall and block inbound connections by default.
  • Disable SMBv1, LLMNR, and NetBIOS over TCP/IP.
  • Enforce screen lock after 5 minutes of inactivity.
  • Disable Bluetooth and Wi-Fi when not in use on high-risk devices.

Quick-win hardening checklist for mobile devices:

  • Require automatic OS and app updates.
  • Disable USB debugging and unknown-source app installation.
  • Enforce app permissions hygiene: camera, microphone, location, and contacts only where justified.
  • Separate business and personal apps using work profiles where available.
  • Require MFA for all cloud services, ideally using a device-bound authenticator.

5. Tie It Together with Governance and Verification

A checklist is only useful if someone owns it and checks it monthly.

This-week governance steps:

  1. Name an endpoint security owner, even if that is the business owner or an outsourced IT provider.
  2. Create an asset register: device type, owner, OS version, EDR agent, MDM enrollment, and patch status.
  3. Run a monthly compliance report from your MDM and EDR to spot drift.
  4. Review new device onboarding so hardening happens before first login.
  5. Test your incident response: can you isolate a device, wipe a phone, and revoke a cloud session in under 15 minutes?
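The asset register, the N-1 OS rule and the 48-hour/7-day/30-day patch SLA above can be checked mechanically each month. The script below is an added example, not code from this post or from any of the tools it names; the register rows, the "latest major version" table and the report date are constructed sample data.

```python
from datetime import date

# Patch SLA from the post: critical 48 hours, high 7 days, everything else 30 days.
SLA_DAYS = {"critical": 2, "high": 7, "other": 30}
# Current major version per OS (constructed assumption; refresh it each month).
LATEST_MAJOR = {"windows": 11, "macos": 15, "android": 15}
REPORT_DATE = date(2026, 3, 10)  # constructed "today" for the monthly report

# Constructed asset register with the fields the post lists. "missing" is the most
# severe missing patch and the date it was released, or None if fully patched.
REGISTER = [
    {"device": "LT-01", "owner": "finance", "os": "windows", "os_major": 11,
     "edr": True, "mdm": True, "missing": ("critical", date(2026, 3, 2))},
    {"device": "LT-02", "owner": "sales", "os": "macos", "os_major": 13,
     "edr": False, "mdm": True, "missing": None},
    {"device": "PH-03", "owner": "admin", "os": "android", "os_major": 14,
     "edr": True, "mdm": False, "missing": ("high", date(2026, 3, 5))},
    {"device": "LT-04", "owner": "ops", "os": "windows", "os_major": 11,
     "edr": True, "mdm": True, "missing": ("other", date(2026, 2, 20))},
]

def os_too_old(os_name, major):
    """The post's MDM rule: OS no older than the N-1 major version."""
    return major < LATEST_MAJOR[os_name] - 1

def sla_breached(severity, released, today):
    """True when a missing patch has been out longer than its SLA allows."""
    return (today - released).days > SLA_DAYS.get(severity, SLA_DAYS["other"])

def drift_report(register, today):
    """Map each non-compliant device to the checklist items it fails."""
    findings = {}
    for row in register:
        issues = []
        if not row["edr"]:
            issues.append("no EDR agent")
        if not row["mdm"]:
            issues.append("not MDM-enrolled")
        if os_too_old(row["os"], row["os_major"]):
            issues.append("OS older than N-1 major version")
        if row["missing"] and sla_breached(*row["missing"], today):
            issues.append(f"{row['missing'][0]} patch past SLA")
        if issues:
            findings[row["device"]] = issues
    return findings

if __name__ == "__main__":
    for device, issues in drift_report(REGISTER, REPORT_DATE).items():
        print(device, "->", "; ".join(issues))
```

Feed it the export from your MDM and EDR consoles instead of the constructed rows and the output is the monthly drift list the governance step asks for.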

FAQ

Do I need both EDR and antivirus?

Modern EDR includes antivirus, but adds behaviour detection, threat hunting, and response actions. For business use, replace standalone antivirus with EDR rather than running both side by side.

How much should an SMB budget for endpoint security?

A realistic SMB range is $3–$15 per endpoint per month for EDR/XDR, $2–$8 for patch management, and $2–$10 for MDM. Bundled platforms such as Microsoft 365 Business Premium with Intune and Defender can reduce the total cost.

Can we use free tools instead?

Free tools exist—Microsoft Defender on consumer Windows, built-in mobile encryption, and OS-level update settings—but they lack central management, reporting, and rapid response. Free is fine for one-person operations; once you have staff and customer data, invest in managed tools.

What about BYOD devices?

BYOD should only access business data through MDM-managed work profiles or mobile application management containers. If a device cannot be enrolled, it should not have business email, files, or SaaS access.

Conclusion

Endpoint hardening is not a six-month project. This week you can enable encryption, turn on automatic updates, deploy an EDR trial, and enroll devices in MDM. Each control removes an attack path that real adversaries—whether distributing Vidar Stealer through WordPress, running China-nexus device networks, or pushing Android banking trojans—are actively exploiting.

Start with your highest-risk devices first: executives, finance, IT administrators, and anyone with remote access. Then expand to the full fleet. Document what you did, assign an owner, and verify monthly.

Need help prioritising what to fix first? Visit consult.lil.business for a free cybersecurity assessment.

References

  1. ASD Essential Eight
  2. CIS Benchmarks
  3. ACSC Advisory — ClickFix distributing Vidar Stealer via WordPress
  4. ACSC Advisory — Defending against China-nexus covert networks of compromised devices


Your Work Phone Just Became an Unlocked Door — How to Check if It's Been Fixed

Explained Like You're 10

TL;DR

  • Google just fixed 129 security holes in Android phones — including one that hackers are already using right now [1]
  • If your staff use Android phones to check work email or access business systems, an unpatched phone is like leaving the back door to your business unlocked
  • Checking and fixing this takes about 2 minutes per phone

The Hole in Your Phone

Imagine every phone has thousands of tiny windows. Most are nailed shut. Every so often, someone finds a window that isn't — and before it gets fixed, they can squeeze through it to get inside.

That's what a security vulnerability is.

In March 2026, Google found — and fixed — 129 of these unlocked windows in Android phones [1]. That's a lot at once.

Two of them are the most serious:

The one already being used by hackers: There's a flaw in the graphics chip used by many Android phones (made by a company called Qualcomm). Hackers have already figured out how to use this flaw to get inside certain phones [1][2]. Google has confirmed real attacks are happening right now.

The one that needs no tapping or clicking: There's a second flaw so serious that a hacker could break into a phone just because it's connected to the internet — no dodgy link, no suspicious attachment, nothing. Just "phone exists on the internet, phone gets hacked" [1].


Why Your Work Phone Is Your Business's Problem

Here is the part that surprises a lot of business owners.

When Sarah from your team uses her personal Android phone to check her work email or log into your accounting software — her phone is now a door into your business.

It's like if your staff member kept the office Wi-Fi password on a sticky note in their wallet. If someone steals the wallet, they can get into your office. In the same way, if a hacker gets into a phone that's logged into your business systems, they can reach your business data.

Most businesses are really careful about keeping their office computers updated. Very few think about the phones.


The 2-Minute Check

Here is how to check if any phone is protected.

On any Android phone:

  1. Open Settings
  2. Scroll down to About Phone
  3. Tap Android Version (or Software Information on Samsung)
  4. Look for Android Security Patch Level

If the date shown is March 2026 or later — protected.

If it shows February 2026 or earlier — still at risk. (Update needed)


How to Update

On Android: Settings → System → System Update → Check for Updates

If an update is available, install it. Takes 10–15 minutes and a restart.

If no update is available yet: Some phone brands are slower to release Google's patches. If a work phone can't get the March update and it has access to your business systems — it's worth temporarily removing that access until it can be updated. This sounds strict, but it's the same thinking as "don't leave the front door unlocked just because the locksmith is busy."


The Bigger Picture for Your Business

Your business probably has a rule about keeping computers updated. This month is a good reminder that phones need the same treatment.

Here's a simple rule that works well for small businesses:

If a device accesses business systems, it needs to be running the latest security update — or it doesn't get access.

You don't need expensive software for this. You just need to check once a month, the same way you might check the locks before you leave the office.

The Australian Signals Directorate (Australia's cyber safety agency) consistently highlights outdated mobile software as one of the most common ways businesses get compromised [4].


FAQ

What if my phone can't get the update at all?

If your phone manufacturer has stopped releasing security updates (usually after 3–5 years for most brands), your phone will never get this fix. If that phone is accessing your business email or systems, consider replacing it — or using a different device for business that can receive updates. Google Pixel phones receive 7 years of updates now, which makes them a solid business choice.

Does this affect iPhones too?

No — this is specific to Android phones. iPhones have their own separate security updates, which Apple releases quickly. The same principle applies though: keep your iPhone updated too.

My team has lots of phones. Where do I start?

Focus on the ones that access the most sensitive systems first — whoever handles finance, customer data, or admin access. A quick message asking them to screenshot their security patch level screen takes 5 minutes for your whole team.

Why are there so many holes at once?

It's not that Android suddenly became a lot more vulnerable — it's that Google bunches up patches and releases them monthly. Some of these fixes were in development for months. The number looks scary but most are low-severity issues that would be hard to exploit in practice. The two we highlighted are the ones that genuinely need urgent attention.

How often should I check?

Once a month is enough. Google releases security updates monthly. Set a reminder on the first Monday of each month to quickly confirm all work-accessed devices are current.
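When the screenshots come back, the 2-minute check, the "remove access until it can be updated" rule and the "finance, customer data, admin first" ordering can be applied in one pass. This is an added example, not from the post: the team names and patch levels are constructed, the 12-month end-of-life cut-off is an assumption of this example, and the bulletin date is taken from reference [1].

```python
from datetime import date

# March 2026 Android Security Bulletin date (reference [1] in the post).
BULLETIN = date(2026, 3, 1)
# Constructed assumption: a phone more than 12 months behind the bulletin has
# probably stopped receiving updates, so the post's replace-or-drop-access advice applies.
EOL_MONTHS = 12
# Chase order from the post: finance, customer data and admin access first.
PRIORITY = {"finance": 0, "customer-data": 1, "admin": 2, "general": 3}

def parse_patch_level(text):
    """Android shows the patch level as YYYY-MM-DD (some phones only YYYY-MM); the
    same string is what 'adb shell getprop ro.build.version.security_patch' prints."""
    try:
        parts = [int(p) for p in text.strip().split("-")]
        return date(parts[0], parts[1], parts[2] if len(parts) > 2 else 1)
    except (ValueError, IndexError):
        return None  # blank, mistyped or not a date at all

def months_behind(level, bulletin=BULLETIN):
    return (bulletin.year - level.year) * 12 + (bulletin.month - level.month)

def classify(text):
    """The post's 2-minute check, plus the unknown and end-of-life cases."""
    level = parse_patch_level(text)
    if level is None:
        return "unknown: ask for a screenshot"
    if level >= BULLETIN:
        return "protected"
    if months_behind(level) >= EOL_MONTHS:
        return "likely unsupported: replace or remove business access"
    return "update needed"

def triage(reports):
    """reports: (person, role, patch-level text as they reported it).
    Returns everyone still to chase, highest-risk role first."""
    ranked = sorted((PRIORITY.get(role, 3), person, classify(text))
                    for person, role, text in reports)
    return [(person, verdict) for _, person, verdict in ranked if verdict != "protected"]

# Constructed replies to the "screenshot your patch level" message.
TEAM = [
    ("Sarah", "general", "2026-02-01"),
    ("Tom", "finance", "2025-01-05"),
    ("Mei", "admin", "2026-03-05"),
    ("Raj", "customer-data", ""),
]

if __name__ == "__main__":
    for person, verdict in triage(TEAM):
        print(f"{person}: {verdict}")
```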


References

[1] Google, "Android Security Bulletin—March 2026," Android Open Source Project, Mar. 2026. [Online]. Available: https://source.android.com/docs/security/bulletin/2026/2026-03-01

[2] The Hacker News, "Google Confirms CVE-2026-21385 in Qualcomm Android Component Exploited," The Hacker News, Mar. 3, 2026. [Online]. Available: https://thehackernews.com/2026/03/google-confirms-cve-2026-21385-in.html

[3] Qualcomm, "March 2026 Security Bulletin," Qualcomm Technologies, Mar. 2026. [Online]. Available: https://docs.qualcomm.com/securitybulletin/march-2026-bulletin.html

[4] Australian Signals Directorate, "ASD Annual Cyber Threat Report 2023-24," Australian Signals Directorate, 2024. [Online]. Available: https://www.cyber.gov.au/about-us/view-all-content/reports-and-statistics/asd-cyber-threat-report-july-2023-june-2024

[5] NIST, "SP 800-124 Rev. 2: Guidelines for Managing the Security of Mobile Devices in the Enterprise," National Institute of Standards and Technology, 2023. [Online]. Available: https://csrc.nist.gov/publications/detail/sp/800-124/rev-2/final

[6] CISA, "Mobile Device Best Practices," Cybersecurity and Infrastructure Security Agency, 2024. [Online]. Available: https://www.cisa.gov/resources-tools/resources/mobile-device-best-practices

[7] IBM Security, "Cost of a Data Breach Report 2025," IBM, 2025. [Online]. Available: https://www.ibm.com/reports/data-breach

[8] Verizon, "2025 Data Breach Investigations Report," Verizon Business, 2025. [Online]. Available: https://www.verizon.com/business/resources/reports/dbir/


Want someone to check whether your business's phones and devices are properly secured? Book a free 30-minute review with lilMONSTER — we'll look at what's accessible and give you a simple checklist to fix the gaps.
