The adoption rate of Mac computers in the enterprise has steadily increased over the last decade as companies began introducing choose-your-own-device (CYOD) and bring-your-own-device (BYOD) policies. According to a recent JAMF survey, when given the choice, 72% of employees choose Macs over PCs. Due to its Unix-based architecture, macOS is generally considered to be a more secure alternative to Windows that, as the predominant operating system in the workplace, is the favourite target of hackers everywhere.
While it’s certainly true that Macs face fewer cyberattacks than their Windows-running counterparts, the myth of their invulnerability makes companies less worried about their protection and in consequence, they invest less or no money at all into their security.
However, as popular tools in managerial circles, Macs have become increasingly attractive targets for cybercriminals. Infiltration methods such as phishing do not rely so much on breaking into an OS through vulnerabilities as much as on the ignorance of users accessing infected attachments or malicious websites. Without the proper security tools in place to protect Macs in real-time, these attacks can go undetected, potentially causing long term damage to companies’ data security.
It is therefore essential for Macs to be protected from data breaches. Their security should no longer be ignored because of macOS’ structural soundness. Here are our top five suggestions for tools that can help Mac’s security in the workplace:
Apple added its own proprietary antivirus software, XProtect, to all Macs in 2009. XProtect which is automatically turned on uses a database of known threats that Apple updates regularly, to scan all applications and files for viruses and malware. If it detects a malware, users will get a notification and the download will be blocked.
XProtect works in conjunction with Gatekeeper, another macOS built-in solution that ensures that only applications or software that are digitally signed by an identified mac app store developer and have a certificate issued by Apple, can run on a Mac. Additional tools like Execute Disable (XD), Address Space Layout Randomization (ASLR), and System Integrity Protection (SIP) run in the background to prevent viruses from accessing critical files. macOS also has a firewall that can be used to monitor incoming and outgoing network traffic. This however must be enabled and configured manually.
While all these functionalities give Macs a sturdy first line of defence against the most well-known outsider threats, Apple is not a dedicated cybersecurity company. Its threat databases do not identify as many types of potential malware and viruses as third-party Mac antivirus solutions nor can they respond to new threats as quickly as companies specializing in security software. These gaps in Apple’s library and response times can often leave users exposed.
Most of the big players in the antivirus industry including BitDefender, Norton and Avast offer Mac versions of their solutions. Many of them also have 30-day free trial options and a few even offer free versions. When choosing an antivirus for Mac computers, companies should consider the impact it has on a machine’s speed as well as the types of threats it protects against.
In theory, macOS’s XProtect should block malware installations and the Mac Malware Removal Tool should catch anything that might have sneaked past XProtect and remove any dangerous files it finds. That being said, in its State of Malware Report 2021, Malwarebytes reported an increase of 61% of malware detections in Macs in 2020 compared to 2019. This is in line with trends observed by other security specialists: antivirus company Kaspersky found that 10% of all the Macs it monitored in 2019 were infected by the Shlayer Trojan, an ordinary type of malware that tricks users into installing adware.
Antimalware tools are therefore becoming more a necessity rather than a choice for Mac users. Many antiviruses also offer malware protection, but when it comes to fighting malicious threats, an all-in-one security suite might not be the best strategy. To quote the old adage: jack of all trades, master of none. It is therefore recommended that besides an antivirus, companies also consider an antimalware solution.
3. Data Loss Prevention
Data is not only vulnerable to outside threats, but also to the malicious intentions and the negligence of insiders. While there are several built-in Mac features that protect against certain types of data breaches such as FileVault and Open Firmware Password Protection, these offer no protection when the users themselves are the perpetrators.
This is where Data Loss Prevention (DLP) solutions for Macs, such as Endpoint Protector, come into play. Through predefined policies, DLP technology identifies, monitors and controls the movements of sensitive data such as personally identifiable information (PII), intellectual property(IP) or data protected under data protection regulations such as GDPR, HIPAA or PCI DSS.
DLP solutions prevent sensitive data from being transferred via insecure channels such as personal emails, messaging apps, file sharing and cloud services and more. They can also scan hard drives for sensitive information and delete or encrypt it when it is found on unauthorized users’ computers.
Through device control features, DLP tools can block the use of peripheral and USB ports as well as Bluetooth connection or limit their use to trusted devices. By using DLP solutions’ monitoring capabilities, companies can also discover bad security practices among employees that would need to be addressed in training or employees engaging in data exfiltration. You can read more about how to choose the best DLP solution for Macs here.
Encryption has long been hailed as a sound way to protect data in case of device loss or theft. FileVault, a native macOS tool, already allows Mac users to encrypt their hard drives. While it can be a daunting task in the beginning, once FileVault is active and the first drive encryption is completed, it will continue to encrypt new data and ensure that no one without a key can access it. The Apple File System (APFS) also brought integrated, granular encryption both at the file level and for entire volumes to Macs.
While this takes care of local hard drives, there is also the matter of file transfers to USBs. A specialized DLP tool like Endpoint Protector can help here too. With its Enforced Encryption feature, it can automatically encrypt any sensitive files when they are transferred onto USBs and ensure no one without an encryption key has access to them.
macOS does not naturally offer ransomware protection. However, an easy way to fight ransomware is to not play into the hands of cybercriminals by keeping data vulnerable or stored only on local hard drives. macOS already has a built-in backup tool, Time Machine, that can be set to run automatically in the background to continuously save copies of files, applications and system files to an external or secondary drive. However, these backups are unencrypted even if FileVault is enabled. They must therefore be encrypted separately.
The latest Macbooks also allow users to back up their data in the iCloud, but this can be problematic in an enterprise setting. Companies run the risk of confidential company data being synced into their employees’ iCloud accounts. It is, therefore, better for the iCloud backup option to be disabled.
While Apple strives to offer as many security features as possible natively within macOS, it does not have designated tools to fight human error. With hackers growing increasingly clever and greedy and the number of Macs in working environments continuing to rise, companies no longer have the luxury of relying on Macs’ perceived invulnerability, but must take steps to protect their data.
Frequently Asked Questions
Find out more.
Download our free ebook on
Data Loss Prevention Best Practices
Helping IT Managers, IT Administrators and data security staff understand the concept and purpose of DLP and how to easily implement it.