Endpoint Protection

Every laptop, desktop, phone, and tablet used for business is a potential entry point for attackers. Endpoint protection means ensuring each device is secured, updated, and monitored.

Keep all devices updated

Unpatched software is one of the most common ways attackers gain access to business systems. Most breaches exploit vulnerabilities that had patches available for months.

  • Enable automatic updates on all operating systems (Windows, macOS, iOS, Android).
  • Ensure all business software — not just the OS — is kept current, including browsers and office applications.
  • Retire devices that no longer receive security updates — running unsupported software is a significant risk.
  • Create a simple asset register of all devices used for business and their update status.

Malware protection and firewalls

Cyber Essentials requires all devices to have malware protection and a firewall enabled. For most businesses, the built-in tools are sufficient when properly configured.

  • Windows Defender and macOS XProtect are free, effective, and built-in — ensure they're enabled and updating.
  • Enable the built-in firewall on all devices (Windows Firewall or macOS Application Firewall).
  • For businesses with multiple devices, a centralised endpoint protection platform makes management easier.
  • Ensure malware protection signatures update automatically — definitions that are days old won't catch new threats.

Full disk encryption

Encrypting devices means that if a laptop or phone is stolen, the data on it is unreadable without the correct credentials. This is particularly important for mobile workers.

  • Enable BitLocker on Windows business devices — it's free and built into Windows 10/11 Pro and Enterprise.
  • Enable FileVault on macOS — it's built-in and straightforward to enable.
  • iOS and modern Android devices encrypt automatically when a PIN or password is set.
  • Store encryption recovery keys securely — ideally in a password manager or enterprise key management solution.
  • Encryption protects data at rest — it doesn't protect against malware on a running, unlocked device.
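As an added example (not part of the original page), the PowerShell below gathers the update, malware-protection, firewall and BitLocker status covered in the three sections above from one Windows device and appends it as a row to a CSV asset register; the register path is an assumed location, and the script needs to run elevated.

```powershell
# Added example: snapshot one Windows endpoint's Cyber Essentials controls
# (patching, Defender, firewall, BitLocker) into a CSV asset register row.
# $RegisterPath is an assumption; point it wherever your register lives.
$RegisterPath = 'C:\ProgramData\AssetRegister\endpoints.csv'

$os = Get-CimInstance -ClassName Win32_OperatingSystem
$cs = Get-CimInstance -ClassName Win32_ComputerSystem

# Most recently installed update, as a rough "is this device being patched?" signal.
$lastHotfix = Get-HotFix | Where-Object { $_.InstalledOn } |
              Sort-Object InstalledOn -Descending | Select-Object -First 1
$lastUpdate = if ($lastHotfix) { $lastHotfix.InstalledOn.ToString('yyyy-MM-dd') } else { 'unknown' }

# Microsoft Defender: real-time protection on, and signatures not days old.
$mp = Get-MpComputerStatus

# The firewall should be enabled on every profile (Domain, Private, Public).
$fwOff = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' } |
         Select-Object -ExpandProperty Name
$fwOffText = if ($fwOff) { $fwOff -join ';' } else { 'none' }

# BitLocker: the OS volume should report ProtectionStatus 'On'.
$bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
$blStatus = if ($bl) { $bl.ProtectionStatus.ToString() } else { 'NotAvailable' }

# Collect anything that would fail the checks described in the sections above.
$issues = @()
if (-not $mp.RealTimeProtectionEnabled) { $issues += 'Defender real-time protection off' }
if ($mp.AntivirusSignatureAge -gt 1)    { $issues += "AV signatures $($mp.AntivirusSignatureAge) days old" }
if ($fwOffText -ne 'none')              { $issues += "Firewall off on: $fwOffText" }
if ($blStatus -ne 'On')                 { $issues += 'OS drive not BitLocker-protected' }

$record = [pscustomobject]@{
    Checked             = (Get-Date).ToString('s')
    Hostname            = $env:COMPUTERNAME
    LoggedOnUser        = $cs.UserName
    OS                  = "$($os.Caption) $($os.Version)"
    LastUpdateInstalled = $lastUpdate
    RealTimeProtection  = $mp.RealTimeProtectionEnabled
    SignatureAgeDays    = $mp.AntivirusSignatureAge
    FirewallDisabledOn  = $fwOffText
    BitLockerProtection = $blStatus
    Issues              = if ($issues) { $issues -join '; ' } else { 'none' }
}

New-Item -ItemType Directory -Path (Split-Path $RegisterPath) -Force | Out-Null
$record | Export-Csv -Path $RegisterPath -Append -NoTypeInformation
$record | Format-List
```

Run it on each device (for example as a scheduled task) and the Issues column gives a quick view of which endpoints need attention.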

Mobile Device Management basics

If staff use phones or tablets for work — especially their own personal devices — Mobile Device Management (MDM) allows you to enforce policies and remotely wipe devices if they're lost or stolen.

  • MDM tools allow you to require a PIN, encrypt devices, and remotely wipe them if needed.
  • Microsoft Intune (included with many Microsoft 365 business plans) provides MDM for small businesses.
  • Ensure staff know to report lost or stolen work devices immediately so remote wipe can be triggered.
  • Establish a clear BYOD (Bring Your Own Device) policy — staff should know what business data they can and can't store on personal devices.

When an employee leaves

Offboarding — the process of removing access when an employee leaves — is a critical but often overlooked security step.

  • Disable accounts and revoke access on the day an employee leaves — not after they've cleared their desk.
  • Recover business devices, ensure they're wiped, and remove any business data from personal devices.
  • Change shared passwords — Wi-Fi, cloud services, and any accounts the employee had access to.
  • Review any automated processes or integrations that used the employee's credentials.
  • Keep a record of what access each employee has from day one — it makes offboarding far simpler.