5 Steps to Secure Data on Macs in the Enterprise
Over the last twenty years, Macs have cemented their place in the enterprise, first as a specialized tool for professionals in the creative fields, then as a device of choice in the office. The introduction of choose-your-own-device (CYOD) and bring-your-own-device (BYOD) policies has greatly increased Macs' presence in the enterprise. A recent Jamf survey found that, when given the option, 72% of employees chose Apple devices over PCs.
Apple has also shown its commitment to enterprise-ready Macs by hardening the operating system. Starting with macOS Catalina and continuing in Big Sur, the company deprecated kernel extensions in favor of system extensions, which run in user space under the operating system's control rather than inside the kernel. This narrows a long-standing attack vector: malware such as rootkits that targeted macOS through malicious kernel extensions. Third-party kernel extensions can still be loaded on current Macs, but only after the user explicitly lowers the boot security policy, so an attacker can no longer install one silently.
Although at first glance Macs carry a higher price tag than PCs, an IBM report found that companies save $273 to $543 per Mac deployed compared with PCs. There are several reasons. Macs ship with high-end hardware that is meant to last. They require no separate operating system license, since macOS comes preinstalled. They also include built-in security tools that PC users may need to buy separately, among them the disk encryption feature FileVault and Apple's signature-based antimalware component XProtect. But one of the biggest contributors to the difference in ownership cost is the volume of helpdesk support requests each platform generates.
IBM, which has deployed nearly 200,000 Macs, reported that its IT helpdesk receives twice as many support calls for PCs as for Macs. Additionally, only 5% of support tickets opened for Macs require an in-person visit, versus 27% for PCs. Companies running Macs therefore spend less on IT staff and support services, which significantly reduces the total cost of ownership.
As Mac adoption in the enterprise grows, so does the risk of data security incidents. Although macOS benefits from a Unix heritage and strong platform defenses, there is one threat to which Macs are just as exposed as PCs: their users. From human error, careless handling of sensitive data, and security fatigue to the intentional disclosure or theft of confidential data, insiders account for 23% of all data breaches. A further 7% of malicious attacks have insiders as their root cause, and another 17% come from attacks such as phishing and social engineering that target employees directly.
Here are five steps companies can take to mitigate these threats and keep their sensitive data secure:
1. Encrypt hard drives
Data stored on a Mac is not protected by the user's password until FileVault is turned on. On older Macs without a T2 or Apple silicon chip, the disk is not encrypted at all until then; on newer Macs the internal SSD is always encrypted by hardware, but without FileVault the key is not bound to the user's password, so the data can be read from the machine itself without logging in. Many users are unaware that they need to enable it. Apple's native solution, FileVault, encrypts the startup volume (XTS-AES-128 with a 256-bit key) and requires the user's password at startup before the volume is unlocked. Should a device be stolen, FileVault prevents the data at rest on a powered-off Mac from being extracted by any practical means, provided the login password is strong. Combined with the remote erase feature of Find My Mac, a lost device can be wiped even after it has left the company's hands.
IT administrators can enforce FileVault on every Mac at once through a mobile device management (MDM) solution such as Jamf, which uses Apple's built-in MDM framework to push a configuration profile containing the FileVault payload. The profile should also escrow each Mac's personal recovery key to the MDM server, so IT can unlock a device when a user forgets the password, and can defer enablement to the user's next login so that the password prompt is expected rather than a surprise. Once enforced, periodically verify the state on each endpoint; `fdesetup status` reports it from the command line.
2. Manage iCloud backups responsibly
For individuals, having data such as contacts, settings, calendars, bookmarks, and photos synced to iCloud is useful and ensures a smooth transition to new Apple devices.
However, when individuals use their Macs in an enterprise setting, companies run the risk of confidential company data being synced into employees' personal iCloud accounts. On a Mac the leak path is iCloud Drive, in particular the Desktop & Documents sync, which silently uploads everything in those two folders. Companies should therefore disable Desktop & Documents sync and, where the data warrants it, iCloud Drive document sync altogether on enterprise Macs. With MDM these are enforced through Apple's Restrictions payload (the allowCloudDesktopAndDocuments and allowCloudDocumentSync keys set to false); pushing them as managed settings prevents users from simply turning the sync back on. Any backups that remain permitted should be required to be encrypted.
3. Use a VPN on public networks
Requiring the use of a Virtual Private Network (VPN) outside the office protects sensitive data from attackers who use unsecured public networks, such as hotel or café Wi-Fi, to intercept communications and gain access to confidential data. A VPN adds an encrypted tunnel for all traffic between the Mac and the company's VPN gateway. Note what it does not do: traffic beyond the gateway is unprotected by the VPN, so it complements TLS in the applications themselves rather than replacing it. Where possible, push the VPN configuration from MDM and require it for access to internal resources rather than relying on users to remember to connect.
4. Encrypt the Time Machine Backup
Time Machine, macOS's built-in backup, keeps an incremental copy of the Mac's files and lets users restore a machine after hardware failure. Enabling FileVault does not encrypt those backups: encryption of the backup destination is a separate option, chosen when the backup disk is selected ("Encrypt backups"), and it is off by default. A backup drive sitting unencrypted in a desk drawer defeats the purpose of FileVault on the Mac itself, so IT administrators must require encrypted backups (through MDM where the vendor supports it) and verify that existing destinations are actually encrypted.
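Steps 1, 2 and 4 above are all settings that can be verified on a single Mac from the shell. The script below is an added example, not code from the original article or from any vendor it names: a read-only audit that checks FileVault state, the MDM restriction on iCloud Desktop & Documents sync, and whether every local Time Machine destination is encrypted. Each check is written as a parser over a tool's output so it can be exercised offline; the sample outputs are constructed, not captured from a real machine, and the exact output formats of `fdesetup`, `tmutil` and `diskutil` and the managed-preferences path are assumptions you should confirm on the macOS version you manage.

```bash
#!/bin/bash
# Added example, not code from the original article or from any vendor it
# names: a read-only audit of steps 1, 2 and 4 on one Mac. Each parser takes
# a tool's output as a string so it can be exercised offline; run_audit()
# feeds them the real tools when invoked on macOS with --run.
# Assumed output formats (treat as assumptions and confirm on your release):
# `fdesetup status` prints "FileVault is On." / "FileVault is Off.";
# `tmutil destinationinfo` prints a "Mount Point : /Volumes/X" line per local
# destination; `diskutil info <volume>` prints "FileVault: Yes (...)" for
# encrypted APFS volumes and "Encrypted: Yes" for Core Storage volumes; the
# MDM restriction allowCloudDesktopAndDocuments=false is readable from
# /Library/Managed Preferences/com.apple.applicationaccess.plist.

# Step 1: classify the FileVault state from `fdesetup status` output.
filevault_state() {
  case "$1" in
    *'FileVault is On.'*)  echo on ;;
    *'FileVault is Off.'*) echo off ;;
    *)                     echo unknown ;;
  esac
}

# Step 2: Desktop & Documents sync is only reliably off when MDM has pushed
# allowCloudDesktopAndDocuments=false. `defaults read` prints 0 for a false
# boolean and exits non-zero when the key is absent, so both are checked.
icloud_docs_restricted() {   # $1 = exit status of `defaults read`, $2 = its output
  if [ "$1" -eq 0 ] && [ "$2" = "0" ]; then echo restricted; else echo unrestricted; fi
}

# Step 4a: mount points of local Time Machine destinations.
tm_mount_points() {          # $1 = output of `tmutil destinationinfo`
  printf '%s\n' "$1" | awk -F' *: *' '$1 == "Mount Point" { print $2 }'
}

# Step 4b: decide from `diskutil info` whether a destination volume is encrypted.
# Matching on the key name matters: a naive `grep Yes` also hits lines such as
# "Solid State: Yes" and would report an unencrypted disk as encrypted.
volume_encrypted() {         # $1 = output of `diskutil info <mount point>`
  printf '%s\n' "$1" | awk -F': *' '
    { key = $1; sub(/^ +/, "", key) }
    (key == "FileVault" || key == "Encrypted") && $2 ~ /^Yes/ { enc = 1 }
    END { print (enc ? "encrypted" : "unencrypted") }'
}

# Live audit; returns 1 if any setting violates the policy, 2 when not on macOS.
run_audit() {
  command -v fdesetup >/dev/null 2>&1 || { echo "fdesetup not found: not macOS" >&2; return 2; }
  local failed=0 fv val rc icloud mp enc old_ifs
  fv=$(filevault_state "$(fdesetup status)")
  echo "FileVault: $fv"; [ "$fv" = on ] || failed=1

  val=$(defaults read "/Library/Managed Preferences/com.apple.applicationaccess" \
          allowCloudDesktopAndDocuments 2>/dev/null); rc=$?
  icloud=$(icloud_docs_restricted "$rc" "$val")
  echo "iCloud Desktop & Documents: $icloud"; [ "$icloud" = restricted ] || failed=1

  old_ifs=$IFS; IFS='
'                            # split destinations on newlines only (paths may contain spaces)
  for mp in $(tm_mount_points "$(tmutil destinationinfo 2>/dev/null)"); do
    enc=$(volume_encrypted "$(diskutil info "$mp")")
    echo "Time Machine destination $mp: $enc"; [ "$enc" = encrypted ] || failed=1
  done
  IFS=$old_ifs
  return $failed
}

# Constructed sample outputs (not captured from a real machine) for offline runs.
SAMPLE_FDESETUP='FileVault is Off.'
SAMPLE_TMUTIL='==================================================
Name          : Backups
Kind          : Local
Mount Point   : /Volumes/Backups
ID            : 0A1B2C3D-0000-4000-8000-000000000001'
SAMPLE_DISKUTIL_ENCRYPTED='   Device Identifier:         disk4s1
   Volume Name:               Backups
   FileVault:                 Yes (Unlocked)
   Solid State:               Yes'
SAMPLE_DISKUTIL_PLAIN='   Device Identifier:         disk4s1
   Volume Name:               Backups
   FileVault:                 No
   Solid State:               Yes'

demo() {
  echo "sample FileVault state: $(filevault_state "$SAMPLE_FDESETUP")"
  echo "sample restriction absent: $(icloud_docs_restricted 1 '')"
  mp=$(tm_mount_points "$SAMPLE_TMUTIL")
  echo "sample destination $mp: $(volume_encrypted "$SAMPLE_DISKUTIL_ENCRYPTED")"
  echo "sample destination $mp, unencrypted disk: $(volume_encrypted "$SAMPLE_DISKUTIL_PLAIN")"
}

case "${1:-}" in
  --run) run_audit ;;   # on a managed Mac: ./mac_audit.sh --run ; echo $?
  *)     demo ;;        # anywhere: exercise the parsers on the constructed samples
esac
```

Run it with `--run` on a Mac (with `sudo` so `fdesetup` and the managed-preferences file are readable) and feed the exit code to your MDM's compliance reporting; without arguments it only exercises the parsers on the constructed samples. The `volume_encrypted` check deliberately keys on the field name because `diskutil info` prints several unrelated "Yes" lines, the kind of false positive that makes an audit quietly report an unencrypted backup drive as safe.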
5. Address insider threats with DLP
To protect data from insider threats, businesses should implement Data Loss Prevention (DLP) solutions. DLP tools use predefined and custom policies, content inspection, and contextual scanning of data to identify, monitor, limit, or block the transfer of sensitive data. Whether it is personally identifiable information (PII) protected under laws such as GDPR, HIPAA, or CCPA, or confidential information such as proprietary algorithms or patents, DLP technology applied on the endpoint can protect sensitive data whether employees are in the office or working from home.
Its monitoring capabilities, which flag any attempt to violate a policy, help companies identify malicious insiders as well as problem areas that data security training should address. DLP solutions also let companies control peripheral and USB ports, blocking removable devices or limiting their use to company-issued ones. Some, such as Endpoint Protector, also include Enforced Encryption features that ensure any file copied onto a USB device connected to a Mac is automatically encrypted.
Frequently Asked Questions
There are few Data Loss Prevention (DLP) solutions dedicated exclusively to Macs. When choosing a DLP for Mac, companies should verify that the Mac agent offers the same features as the Windows one, since many vendors ship a stripped-down Mac version rather than the full range of features they offer for Windows.
Another important point is that the chosen DLP product offers zero-day support for new macOS releases. In this context the term means compatibility on the day a new version ships, not anything to do with zero-day vulnerabilities: with Apple rolling out one major macOS upgrade every year and updates almost monthly, an agent that breaks, or silently stops enforcing policy, on a new release leaves endpoints unprotected until the vendor catches up. Companies should therefore choose DLP solutions whose vendors test against Apple's beta releases and guarantee compatibility before the official launch of each new macOS version and update.
Before employees can work from home, it is essential that encryption is applied to all devices, whether laptops, mobile phones, or removable media such as USB drives. Most modern computers and phones have encryption built in, but it needs to be activated and configured.
Companies must also ensure that their data protection policies continue to operate remotely, whether or not a work device is connected to the company network or to the internet at all. Continuous data protection is essential both for compliance with data protection legislation and for data security. Companies should therefore choose DLP solutions that apply policies directly on the endpoint and do not require an internet or company network connection to stay in effect.