10 Simple Mac Security Tips Every Business Should Use
by Elaine Evans, on Oct 30, 2020 4:33:23 PM
It’s Cybersecurity Awareness month and we wanted to give business stakeholders simple ways that they can start to make their Apple IT more secure.
The first half of the features are built into macOS. The second half are some other considerations and third party tools. All of them are made to be suggestions that will increase your organization's security without too complex to execute.
Many of these can be enforced and monitored by the use of an MDM tool. If you don’t have an MDM tool, we recommend that you have a policy written since all of these suggestions can be done manually.
If you’re interested in learning more about managing macOS remotely with an MDM tool (or having IT experts that know how to do this), get in touch.
Features Built into macOS:
1. Enable Filevault
Filevault is full disk encryption built right into your Mac. Meaning, if someone gets access for your hard drive, the data will be encrypted. There’s no reason not to use Filevault; just make sure that the user has their recovery key because if they forget their login password and recovery key, then those local files are all but lost (see backups below).
To do: Issue a company policy or use your MDM to ensure that all Macs have Filevault enabled.
Apple Support article here.
2. Password Protect Your Macs
This seems like a really big “duh,” but you’d be surprised: some team members may really dislike the idea of having to type a password every time they need to log in to their Mac.
To do: Issue a company policy or use your MDM to ensure that all devices that have access to company data have a complex password in place.
Bonus: with an MDM you can usually set complexity requirements, enforce password regular updates, or even use AD credentials for logging into your Macs.
3. Use Gatekeeper
Gatekeeper is made to prevent you from accidentally downloading malicious software onto your Mac. macOS will look to make sure apps are signed by an identified developer and not altered.
To do: Issue a company policy or use your MDM to ensure Gatekeeper is being used. For businesses, we recommend you check to allow apps downloaded from “The App Store and identified developers” since many of us use software like Adobe, Zoom and others that are not available in the App Store.
Apple Support article here.
4. Log Out After Inactivity
Forcing log out is a security best practice endorsed by pretty much every security framework. This is so that if someone walks away from their computer that company data is not left unprotected. The period of time best suited before forcing log out can depend on your industry and workforce makeup.
To do: Issue a company policy or use your MDM to ensure Macs are forced to log out after a certain period of time of inactivity. Note that you can also put more aggressive log out timeframes on more sensitive users/devices.
Apple Support article here.
5. Turn on Automatic Updates for Apps and macOS
Apple releases regular security updates to patch vulnerabilities in macOS. Many data breaches come from “unpatched” vulnerabilities being exploited. Luckily, Apple has made turning on automatic updates super easy.
Note that if the update requires a reboot, you need to follow the prompt in the dialog box to complete the update. Also, most OS updates require that the computer is turned on and connected to power.
To do: Issue a company policy or use your MDM to ensure Macs have automatic updates turned on. Bonus: MDMs will allow you to “force” security updates in case an end user is perpetually deferring it.
Apple Support article here.
Third party solutions and other considerations:
6. Back Up Your Macs
Back ups of your team’s Macs will give you peace of mind and protect valuable work and business data. Even if your employees are not supposed to be using their local storage, chances are that they do.
Everyone used to back up their Mac using Time Machine to an external hard drive. Now you can make sure your Macs are backed up by using a cloud provider like Crashplan or Backblaze. These solutions will allow you to back up your Mac and even restore single file versions if needed.
To do: Invest in a backup solution that is regular and automated so you don’t have to rely on employees to plug in an external hard drive. Have regular alerts setup to make sure that backup statuses are healthy.
7. Get Endpoint Protection for Malware, Ransomware, and More
“Macs don’t get viruses” is a myth. With their growing popularity, Macs are more vulnerable to attacks than ever. While Apple takes a lot of care to build in amazing security features, you need to be continuously scanning and remediating your Macs for ransomware, malware and other malicious attackers. It’s not worth the greater financial and reputation risk to not purchase an endpoint protection solution for your Macs.
Note that antivirus software is not always created equal for Macs and Windows. Some companies invest in protecting the Mac platform and for others it’s more of an afterthought. Jamf Protect is a newer to market Mac security product that is made exclusively for Mac OS.
To do: Invest in an endpoint protection solution for your Macs (next generation anti-virus) that continuously scans and alerts you to possible attacks.
8. Complete Regular Security Awareness Training for Your Team
Let’s face it: you can have amazing technology and policy in place, but if your end user falls for a scam or malicious attack, you are extremely vulnerable. Many people just aren’t familiar with what to look for and best practices.
The good news is this can be easily trained: What are the telltale signs of a phishing email? How does data privacy affect their job functions (are they plain text emailing SSN or CC numbers?)?
To do: Put a Security Awareness Training (SAT) program in place and regularly test your employees. There are platforms out there that make it easier than building one from scratch.
9. Get DNS Level Security
With people working remote more than ever, your employee’s internet traffic is not always secured behind your office firewall. This means that they are more susceptible to attacks and more likely to accidentally visit malicious sites. However, you can bring secure network traffic to your remote workers by using DNS level security.
To do: Deploy and configure DNS level security with a product that can mimic similar setting to your in office firewall.
10. Turn on MFA for All Accounts
You can secure physical Macs all day long, but nowadays people are using so many cloud based applications that you need to make sure accounts are secure in order to keep data secure. Turning on multi-factor authentication will help prevent hackers from accessing accounts with stolen credentials. They will need to use a secondary authentication source (usually an authentication app on an approved device) in order to log into an account.
To do: Look through your applications and user accounts to make sure that MFA is enforced at the admin level down to the entire user base wherever possible.
Summary
There are plenty of free and other simple action items that you can put into place today in order to create more security for your business. These suggestions are just the beginning, but they'll help you set a foundation for your organization. For more on securing your remote workforce, download our checklist.
If security is a top of mind concern for your organization right now, reach out to our team to talk through how we support and secure business and departments that run on Apple every day.
Springboard IT are your Apple Experts. We helped hundreds of organizations put in best practices and have these types of conversations regularly with our client. Let us help you secure your company.
Photo credits:
Photo by Emile Perron on Unsplash