Security is a broad topic with many shades of gray. Spend five minutes with a security expert and you might be scared into living off the grid, on a remote island, in a small cave. How else will you guarantee safety from hackers, phishers, and common malware hooligans?
Because I’m not a security expert I feel comfortable talking about security in more practical terms. I neither dismiss security (it’s a cornerstone of our business), nor do I like to see it hinder the ability to get a job done. Security is about reducing risk. We each have different levels of risk we’re willing to accept, but basic security precautions should not be ignored.
At my company, we have the privilege of working with Mac and iOS users across a broad range of offices. We work with single independents, large corporations, and everything in between. Surprisingly, we often witness a total disregard for basic security. This lack of concern transcends all client types. We see it in small offices that feel they have very little to secure, and in large corporations where Mac & iOS users are overlooked, either because IT doesn't know they exist, or because IT lacks the knowledge (or time) to hold them accountable.
What used to be stored and locked away safely in the office is now capable of floating around the world. Today we’re able to access, modify and carry with us data from almost anywhere. This shift, from securing a few documents in a single location to securing the life history we carry around in our pocket, is a new development. It makes sense, on a personal level, that our education and awareness of these new security concerns have fallen behind. When it comes to corporations, Mac and iOS devices are also relatively new, so there is not a lot of historical knowledge and experience in securing these devices.
Think of all the information you touch daily from your Mac, iPhone, or iPad. Does any of this contain data that would concern you if it were exposed? Does it contain usernames, passwords, credit card numbers, private company or confidential client information? We all have some of this information and we need to take measures to secure it.
Feel like I might be exaggerating? Security threats occur on a daily basis. Some examples include:
- Publicly accessible file servers are hit with break-in attempts every day! We see this even in small offices. (Ask your IT team to check your server logs to confirm.)
- Mobile devices get lost or stolen. FCC.gov reports this trend is sharply on the rise.
- Passwords get hacked. Facebook reported in 2011 that they see 600,000 compromised logins each day!
- Credit cards get stolen. Target got hacked in 2005 and again in late 2013.
Still not convinced that investing in security is critical to your business? Then take this simple pledge...
“I [Your Name] do acknowledge that by ignoring basic security recommendations I am putting my business, my clients and my personal information at risk.”
We don’t have time in a single article to cover everything required to secure your business, so let’s focus on a few basics.
Step 1: Become aware.
Start thinking about what you need to protect. Think about the data you carry around. Think about where it's stored, how it's secured, and who has access to it — clients, vendors, employees … hackers!? Think about your data at work, at home, while you're traveling or working from the coffee shop on a public WiFi network. What do you need to protect, and from whom? A common list of areas is banking and credit card information, proprietary company documents, and private client information.
Step 2: Forget your passwords.
I know only a few of my own passwords — one to log in to my Mac, one for my iPhone, and one to unlock 1Password (on Mac and iOS). Use a password manager, and common sense, to forget your passwords and accomplish the following:
- Stop using the same password for everything.
- Use randomly generated, unique passwords.
- Store passwords securely (shred the sticky notes).
- Never (ever!) share passwords with someone you don’t trust.
- Do not type a password into an unknown or suspicious website.
Step 3: Use Two-Factor Authentication everywhere.
Two-Factor Authentication (2FA), Multi-Factor Authentication, and 2-Step Verification are all names for methods that require you to provide additional verification factors to gain access to your accounts. No matter what the service calls it, you need to use it. 2FA means that even if a bad actor gains access to your login credentials, they can still be stymied by not having your additional authentication factor. 1Password supports Multi-Factor Authentication very nicely. Do it!
Step 4: Lock down your Mac.
- Require a password at login by turning off Automatic login (System Preferences > Users & Groups > Login Options).
- Require a password after sleep or when the screen saver begins (System Preferences > Security & Privacy > General).
- Enable FileVault 2. This will encrypt the contents of your entire drive and help keep your data secure.
- Run as a Standard User (even if you know the Admin User credentials). Details on why and how to accomplish this are here: http://frgt.co/stand-user.
- Password protect your backups. (You do back up, right!?) We use Druva for secure backups. If you use Time Machine, be sure to enable the “Encrypt backups” option. If a backup is stolen and not encrypted, then the data can easily be restored to another computer.
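The first four settings in Step 4 can also be checked from Terminal. The script below is an added example, not part of the original article: the function names are made up for illustration, and it assumes the `askForPassword` key in `com.apple.screensaver`, which macOS releases of this article's era use and newer releases may not populate.

```shell
# Added example (not from the article): audit the Step 4 settings on a Mac.
# Each check_* function classifies the text one macOS command prints, so the
# logic also runs on constructed samples. Backup encryption is not checked.

check_filevault() {      # input: output of `fdesetup status`
  case "$1" in
    "FileVault is On."*)  echo PASS ;;
    "FileVault is Off."*) echo FAIL ;;
    *)                    echo UNKNOWN ;;
  esac
}

check_autologin() {      # input: autoLoginUser value; empty means key not set
  if [ -z "$1" ]; then echo PASS; else echo FAIL; fi
}

check_screenlock() {     # input: askForPassword value (assumed key, see above)
  case "$1" in 1) echo PASS ;; 0) echo FAIL ;; *) echo UNKNOWN ;; esac
}

check_standard_user() {  # input: output of `dseditgroup -o checkmember`
  case "$1" in
    "no "*)  echo PASS ;;   # not in the admin group: a Standard User
    "yes "*) echo FAIL ;;
    *)       echo UNKNOWN ;;
  esac
}

# Print one line per check; return non-zero unless every check is PASS.
audit() {
  rc=0
  while IFS='|' read -r label result; do
    printf '%-32s %s\n' "$label" "$result"
    [ "$result" = PASS ] || rc=1
  done <<EOF
FileVault enabled|$(check_filevault "$1")
Automatic login off|$(check_autologin "$2")
Password required after sleep|$(check_screenlock "$3")
Running as Standard User|$(check_standard_user "$4")
EOF
  return "$rc"
}

if [ "$(uname -s)" = "Darwin" ]; then   # live run only on a Mac
  audit "$(fdesetup status 2>/dev/null)" \
    "$(defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser 2>/dev/null)" \
    "$(defaults read com.apple.screensaver askForPassword 2>/dev/null)" \
    "$(dseditgroup -o checkmember -m "$USER" admin 2>/dev/null)" || true
fi
```

UNKNOWN means the command printed nothing the script recognizes, so confirm that setting in System Preferences instead.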
Step 5: Secure your mobile devices.
Adding a password is very easy (Settings > General > Passcode Lock). Also, set up Find My iPhone so you can remotely erase your device if it’s ever lost or stolen. With iOS 7 or later, this will also enable Activation Lock, making it harder for anyone to use or sell your device. Even small businesses can guarantee passwords are used and remote wipe is an option by leveraging the ActiveSync features of Microsoft Exchange or by using a Mobile Device Management (MDM) solution, like our very own Apple Toolkit.
Step 6: Protect your data.
If the data you're trying to protect is in-house, then it's common practice to protect it behind a firewall. Don’t unnecessarily expose a server (or any other device) publicly. Use a virtual private network (VPN) connection to gain secure remote access to your office.
Secure your wireless network with WPA2 encryption (and a secure password!). For further protection, avoid routers with Wi-Fi Protected Setup (WPS). Also, consider using a wireless Guest network that has no access to your secured network. Finally, be very cautious when using public wireless networks. Do not assume they are safe. You’re sharing a connection with strangers. If you must work from a public location then route everything through a Privacy VPN connection to encrypt your data.
If you also store data in the cloud, then consider using a cloud-based identity and access management solution like Okta.
Get Started Today!
These six basic steps to improving your Mac & iOS security are not all easy (passwords are a pain) but they are important and you can accomplish most of them in the next hour. Start now! Focus on what’s important to you. Be aware and reduce your risk. Good luck!