TL;DR

A bring-your-own-device (BYOD) program without minimum endpoint controls is an open door to your business data. This checklist covers the six non-negotiable controls every 10–50 headcount Australian SMB needs — no full MDM budget required — plus a sample policy section you can adapt today.


Why BYOD Hygiene Is No Longer Optional

Most Australian SMBs now run on a mix of personally owned laptops, phones, and tablets. That is operationally convenient but creates an endpoint hygiene gap that attackers exploit relentlessly. In 2026, the attack surface has shifted: adversaries increasingly target identity and sessions rather than infrastructure. OAuth token theft, consent phishing, and adversary-in-the-middle (AiTM) attacks bypass multi-factor authentication entirely once a single unmanaged device is compromised. A personal phone used for work becomes the weakest link — and attackers know it.

The good news: you do not need a six-figure MDM deployment. Six minimum controls, consistently enforced, close the gap for SMBs.


The 6-Point BYOD Endpoint Hygiene Checklist

1. Device Compliance Policy — The Four Non-Negotiables

Every device accessing company data must meet a written compliance baseline:

  • OS version minimum: iOS 16+ / Android 13+ / Windows 11 23H2+ / macOS 14+. Unsupported OS versions receive no security patches.
  • Disk encryption enabled: FileVault (macOS), BitLocker (Windows), or device encryption (iOS/Android) must be active.
  • Screen lock enforced: Auto-lock at 5 minutes maximum, minimum 6-digit PIN or biometric.
  • No jailbreak or root: The device must pass platform integrity checks. Jailbroken devices are blocked outright.

Document these four requirements in your acceptable use policy and verify compliance at onboarding. No exceptions.

2. MDM-Lite: Baseline Enforcement Without the Price Tag

Full MDM (Workspace ONE, full Intune suite) is overkill at 10–50 seats. Use the lightweight tier that ships with your existing stack:

  • Microsoft 365 Business Premium: Includes Intune Plan 1 for device compliance policies, conditional access, and basic app protection.
  • Google Workspace Business Plus: Includes endpoint management for Android and iOS with work profile enforcement.
  • Apple-only fleet: Kandji or Jamf Now for zero-touch deployment starting around AU$5–8/device/month.

Configure one conditional access rule immediately: require a compliant device before granting access to Microsoft 365 or Google Workspace. That single rule blocks 90% of opportunistic access.

3. Separate Work Data: The Container Approach

Personal apps and work data must never share the same sandbox. The two paths:

  Platform       Mechanism
  Android        Work Profile — creates an isolated container with separate apps, encryption, and lifecycle. Work data is wiped independently of personal data.
  iOS / macOS    Managed Apple ID with User Enrolment — separates work data into a managed volume. Personal Apple ID remains untouched.

Do not allow users to access company email, Teams, or SharePoint through personal app instances. Push the Outlook and Teams apps into the managed container and block copy-paste between work and personal profiles.

4. Remote Wipe Capability — Without Touching Personal Data

Every BYOD device must be enrolled such that you can selectively wipe only company data when someone leaves — or when a device is lost. On Android, the Work Profile wipe removes the container and all corporate apps in under 30 seconds. On iOS, User Enrolment allows Managed Apple ID de-provisioning without touching the personal photo library, messages, or apps. This is the single requirement that makes employees willing to enrol — they keep their privacy, you keep your data.

Test the wipe process on a volunteer device during onboarding. If you discover at termination that it does not work, it is already too late.

5. No BYOD for Privileged or Admin Accounts

This rule is absolute: privileged accounts — domain admin, global admin, finance system superuser, root — must never authenticate from a personally owned device. Those accounts live on company-issued, fully managed hardware only.

Why it matters: a compromised personal laptop with cached admin tokens gives attackers the keys to the kingdom without a single exploit. As Mandiant documented in early 2026, attackers use stolen sessions from unmanaged endpoints to move laterally across SaaS platforms silently. One personal device housing admin credentials undoes every other control on this list.

6. Monthly Mini-Audit Checklist (15 Minutes)

Print this or drop it into a recurring calendar invite. Run it the first Monday of every month:

  • Review device compliance report in Intune / Google Admin — any non-compliant devices?
  • Check for new enrolments. Any device that joined without authorisation?
  • Verify conditional access policy is still active (policies silently break during tenant changes).
  • Confirm remote wipe test passed against at least one test device.
  • Review the privileged account list — any BYOD device still showing admin sign-ins?
  • Check OS version compliance: any devices running an unsupported version? Block them.

Fifteen minutes. Miss it twice and you have a breach condition, not a checklist.
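The four compliance non-negotiables from section 1, the privileged-account rule from section 5 and the monthly mini-audit from section 6 can be turned into a repeatable check over a device export. The following is an added example, not code from the original post or from any MDM vendor; the record layout, field names and sample data are assumptions, so map your Intune or Google Admin export columns onto them first.

```python
from dataclasses import dataclass
OS_MINIMUM = {"ios": 16, "android": 13, "macos": 14, "windows": "23H2"}   # section 1 floors
MAX_AUTOLOCK_MIN, MIN_PIN_LEN = 5, 6
PRIVILEGED_ROLES = {"global admin", "domain admin", "finance superuser", "root"}

@dataclass
class Device:             # one row of a compliance export; field names are assumptions
    device_id: str
    platform: str         # "ios" | "android" | "macos" | "windows"
    os_version: str       # "17.2", "13", "14.1", or a Windows release tag such as "23H2"
    encrypted: bool
    autolock_min: int
    pin_len: int          # 0 when only biometric unlock is configured
    biometric: bool
    integrity_ok: bool    # platform integrity (jailbreak/root) check passed
    corporate_owned: bool = False

def os_supported(platform, os_version):
    # Windows release tags ("22H2" < "23H2") compare correctly as strings; others by major version.
    minimum = OS_MINIMUM[platform]
    return os_version >= minimum if platform == "windows" else int(os_version.split(".")[0]) >= minimum

def compliance_failures(d):
    """Checklist items the device fails; an empty list means compliant."""
    f = []
    if not os_supported(d.platform, d.os_version):
        f.append(f"OS {d.os_version} below minimum {OS_MINIMUM[d.platform]}")
    if not d.encrypted:
        f.append("disk encryption off")
    if d.autolock_min > MAX_AUTOLOCK_MIN:
        f.append(f"auto-lock {d.autolock_min} min exceeds {MAX_AUTOLOCK_MIN}")
    if not d.biometric and d.pin_len < MIN_PIN_LEN:
        f.append(f"PIN length {d.pin_len} below {MIN_PIN_LEN}")
    if not d.integrity_ok:
        f.append("failed integrity check (jailbroken/rooted): block outright")
    return f

def privileged_byod_signins(signins, devices):
    """Section 5 rule: privileged roles seen on personally owned or never-enrolled devices."""
    managed = {d.device_id for d in devices if d.corporate_owned}
    return [s for s in signins if s["role"] in PRIVILEGED_ROLES and s["device_id"] not in managed]

def monthly_audit(devices, signins):  # section 6 mini-audit over an export
    failures = {d.device_id: compliance_failures(d) for d in devices}
    return {"non_compliant": {k: v for k, v in failures.items() if v},
            "privileged_byod": privileged_byod_signins(signins, devices)}

# Constructed sample data (not a real export); D9 in the sign-ins was never enrolled at all.
SAMPLE_DEVICES = [Device("D1", "ios", "17.2", True, 5, 0, True, True),
                  Device("D2", "android", "12", True, 10, 4, False, True),
                  Device("D3", "windows", "23H2", True, 5, 6, False, True, corporate_owned=True),
                  Device("D4", "macos", "14.1", False, 2, 6, False, False)]
SAMPLE_SIGNINS = [{"user": "cho", "role": "global admin", "device_id": "D3"},
                  {"user": "ana", "role": "global admin", "device_id": "D1"},
                  {"user": "eve", "role": "domain admin", "device_id": "D9"}]
```

An unknown device id in the sign-in log is treated as unmanaged on purpose, since a device that never enrolled is exactly what the audit should surface.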


Sample BYOD Policy Section (Adapt for Your Handbook)

Bring Your Own Device (BYOD) Policy — Extract

  1. Eligibility: BYOD is permitted for standard-access roles only. Privileged account holders (IT admin, finance system admin, executive with unrestricted access) must use a company-issued device.
  2. Enrolment: Before accessing any company system, the device must be enrolled in [Microsoft Intune / Google endpoint management] and pass the compliance baseline: current OS within one major version, disk encryption active, screen lock of 6+ digits or biometric, and platform integrity check passed.
  3. Work Data Separation: All company data must reside within the managed Work Profile (Android) or Managed Apple ID volume (iOS/macOS). Storing company data in personal apps, local downloads, or unmanaged cloud storage is prohibited.
  4. Remote Wipe Consent: The company reserves the right to remotely wipe only company data and the managed container upon termination of employment, reported device loss, or confirmed security incident. Personal data, apps, and media will not be affected.
  5. Audit: Devices are subject to monthly compliance review. Repeated non-compliance (two consecutive months) results in revocation of BYOD access.
  6. Incident Reporting: Lost or stolen devices used for work must be reported to IT within 4 hours.

FAQ

Q: Does the Essential Eight require MDM for BYOD?
A: The ACSC's Essential Eight Maturity Level 1 does not explicitly mandate MDM, but it requires multi-factor authentication, patched operating systems, and application control — all of which become unverifiable on unmanaged personal devices. At Maturity Level 2, you need to centrally manage device configuration. MDM-lite satisfies that requirement.

Q: Can we just use a written policy without enforcing it technically?
A: No. A written policy without conditional access enforcement — blocking non-compliant devices at the identity provider — is a piece of paper. Attackers do not read your policy.

Q: What if an employee refuses to enrol their personal device?
A: They do not access company data from that device. Issue a company-owned handset or restrict them to webmail on a managed browser only (session-only, no offline data). The business decides the risk appetite; the employee does not get a veto.

Q: Is Intune included in Business Premium or do we pay extra?
A: Microsoft 365 Business Premium (~AU$33/user/month) includes Intune Plan 1 with device compliance policies, conditional access, and app protection. No additional licence required for the controls in this checklist.


Conclusion

BYOD endpoint hygiene is a process, not a purchase. Start with the four compliance non-negotiables, enrol every device into your existing MDM-lite tool, separate work data, lock down privileged accounts, and run the 15-minute monthly audit. Those six controls give a 10–50 headcount SMB 80% of enterprise endpoint security at a fraction of the cost.

Need help designing controls that fit your business — not a vendor's brochure? Visit consult.lil.business for a free 30-minute cybersecurity assessment tailored to Australian SMBs.


References

  1. ACSC — Bring Your Own Device (BYOD) Guidance
  2. Microsoft — Intune Device Compliance Policies for SMB
  3. NIST SP 1800-22 — Mobile Device Security: Bring Your Own Device (BYOD)
  4. Mandiant / The Hacker News — Vishing Attacks Stealing MFA to Breach SaaS Platforms (Jan 2026)
  5. Digital Biz Talk — OAuth Redirect Abuse Bypasses MFA (Mar 2026)

TL;DR

  • Bad guys are using AI robots to write fake emails that trick people
  • These emails look real and can fool anyone—even careful people
  • You can protect your business with special keys, good training, and smart computer defenses

What Are AI Hackers?

Imagine a robot that can write thousands of fake letters in one second. That's what AI hackers do—except they send fake emails instead of letters.

Bad people used to have to write these fake emails themselves. They made mistakes. They had bad spelling. They wrote things like "Dear Sir" instead of using your name. Most people could spot them easily.

Now bad guys use AI to write the emails for them. The AI spells everything perfectly. It uses your real name. It knows where you work. It can even write in your language perfectly. These fake emails are much harder to spot.

How Many More AI Attacks Are Happening?

A lot more. In 2025, there were 89% more AI attacks than in 2024 [1]. That means almost twice as many.

Think of it like this: if 10 bad guys tried to trick you last year, this year 19 bad guys might try. And each one of those bad guys can send thousands of tricky emails because their AI robot writes them all automatically.

Why Your Business Should Care

You might think: "I'm not a big company. Why would hackers target me?"

Here's the thing: AI makes it cheap and easy to target everyone. The bad guys set up their AI robot once, and it sends fake emails to 1,000 small businesses in the time it used to take to target just one big company.

Your business doesn't have to be famous to be a target. You just need to have email and money or information that bad guys want.

How AI Hackers Try to Trick You

The Perfect Fake Email

Let's say you run a bakery. An AI hacker's robot might:

  • Look at your website and learn you sell wedding cakes
  • Find your name on your "About Us" page
  • Write an email that says: "Hi Sarah! I saw your beautiful wedding cakes online. I'm planning my daughter's wedding and would love to order. Can you click this link to see my inspiration board?"

The email looks perfect. Good spelling. Your real name. References your actual business. But the link goes to a fake website that steals your password.

The Speed Problem

AI robots work super fast. They can:

  • Research your company in seconds
  • Write a fake email that sounds real
  • Send it to you and 1,000 other businesses
  • All before lunch

Human hackers can't work that fast. AI robots never get tired. They never take breaks. They keep going and going.

How to Protect Your Business

Use Special Keys (Not Just Passwords)

Passwords are easy to steal. Special keys that you plug into your computer or phone are much harder to steal. They're called security keys or passkeys.

Think of it like your house key. You can't tell someone your house key over the phone. They have to physically have the key. Security keys for computers work the same way—bad guys can't trick you into giving them up over email [2].

The "Double-Check" Rule

Here's a simple rule that stops almost every attack: if someone asks for something important over email, check with them a different way.

Example:

  • You get an email from your boss asking you to transfer money
  • Before you do it, call your boss (or walk to their office)
  • Ask: "Did you really send this email?"

If it's fake, your boss will say no. Problem solved.

This works because AI robots can trick your email, but they can't trick your phone call or face-to-face conversation.

Teach Your Team What to Look For

Most attacks succeed because someone clicks something they shouldn't. Teach your team:

  • If an email creates urgency ("ACT NOW!"), slow down and check
  • If an email asks for sensitive info (passwords, money), verify through another channel
  • If something feels even a little bit off, ask someone else to look at it

Get Help from Computer Defenders

Just like you have a lock on your front door, you need locks on your computer systems. These are special programs that:

  • Watch for weird behavior on your network
  • Block dangerous emails
  • Alert you when something seems wrong

Good computer defenses can detect AI attacks because they notice patterns that humans miss.

What Happens If You Get Attacked?

When bad guys break into a business's computers, they might:

  • Steal customer information (names, addresses, credit card numbers)
  • Lock your files and demand money to unlock them (called ransomware)
  • Read your private emails and documents
  • Pretend to be you and trick your customers

This costs businesses a lot of money—on average, about $4.88 million when it happens [3]. For a small business, that could mean going out of business.

The Good News

You don't need to be scared. You just need to be prepared.

Most attacks happen because of simple mistakes:

  • Someone clicks a link they shouldn't have
  • Someone uses a weak password
  • Someone doesn't have security protections turned on

Fix those things, and you're already safer than most businesses.

What You Can Do Right Now

Here's your action list:

  1. Turn on special security keys for important accounts (like email and banking)
  2. Make a rule: never send money or passwords without double-checking through another channel
  3. Install good computer security software
  4. Back up your files regularly (keep copies somewhere safe)
  5. Teach your team what to watch for

FAQ

Not unless you give it access. The AI hackers we're talking about use AI to write fake emails, not to read your real ones. But if someone tricks you into giving them your password, they can read whatever they want.

No. You need basic protections and smart habits. Think of it like locking your doors—you don't need to be a locksmith, you just need to use the lock.

No. Security protections are getting better too. The key is using the right tools and following good practices. AI changes the threat, but good security still works.

Sometimes you can't tell just by looking. That's why the "double-check rule" works so well—if something important is being asked, verify through a different channel (phone call, in-person, different app).

Yes. Anyone with an email account can be targeted. That's why teaching kids about online safety early is so important—they'll face these threats for the rest of their lives.

What Can You Do?

Worried about AI-powered threats but don't know where to start? lilMONSTER helps businesses build practical defenses that work against AI-enhanced attackers. We focus on layered security, smart identity protection, and training that actually prepares your team for modern threats.

Get in touch: https://consult.lil.business?utm_source=blog&utm_medium=post&utm_campaign=ai-cyberattack-surge-eli10


References

[1] CrowdStrike, "Global Threat Report 2026," CrowdStrike, 2026. [Online]. Available: https://www.crowdstrike.com/en-us/blog/crowdstrike-2026-global-threat-report-findings/

[2] FIDO Alliance, "How Security Keys Work," FIDO Alliance, 2025. [Online]. Available: https://fidoalliance.org/how-fido-works/

[3] IBM Security, "Cost of a Data Breach Report 2025," IBM, 2025. [Online]. Available: https://www.ibm.com/reports/data-breach

[4] Google, "Advanced Protection Program," Google, 2025. [Online]. Available: https://www.google.com/advanced-protection

[5] National Cyber Security Centre, "Phishing Guidance," NCSC, 2025. [Online]. Available: https://www.ncsc.gov.uk/guidance/phishing
