Macs in the office: Success breeds security FUD

By all means, secure your Macs -- but don't get taken for a ride when you do so

Here in San Francisco and Silicon Valley, Macs are standard equipment at most tech firms, though not so much in other industries, save publishing and graphics arts. Still, Mac sales have continually increased as PC sales have continually declined, so Macs are no longer rare in corporate offices. They're fairly common in executive suites, the modern-day status symbol equivalent to the old IBM ThinkPad.

The best evidence I have of that is the increase in scary pitches from security vendors claiming the Mac's growth means IT must now secure it with the same kinds of straitjackets required to safeguard a Windows PC.

They sense a possible market, and if there's one thing a security vendor knows how to do, it's jump on the latest trend and find a fearful aspect to exploit.

I've seen the same fearmongering about smartwatches, such as the Apple Watch, which apparently signals doom for businesses everywhere. (Accenture was the latest offender.) Never mind they have little to no access to corporate systems, and when they do it's through a manageable smartphone.

But that kind of FUD is knee-jerk for security vendors and consultants. Security vendors do this with anything and everything new. It makes you want to stay in bed, but that's a security threat too.

In that context, the scare stories about the Mac are par for the course ... except that the Mac is a course they keep coming back to play, ever more vigorously.

Security vendors have wanted the Mac to take off in business for some time, so they can sell more products to IT or at least make up for the decline PC sales. And there have long been security products for the Mac.

Problem is, not many people buy them. The reason is rationale: You don't really need them.

But because the Mac continues to grow, security vendors' hope springs eternal. Consider the pitch I go this week from Webroot, an antimalware provider:

Although Macs claim a smaller percentage of market share than PCs -- and have default settings configured in a way that makes it more difficult to break into the system -- they are not (contrary to popular belief) impervious to cyberattacks. Increasingly, the Webroot Threat Team has observed that it's no longer about if you have a Mac or don't have a Mac. Simply put, malware has evolved to prey on the people, not the program.

If you read it carefully, it doesn't actually claim the Mac has a security problem, but strongly implies it. When I asked for proof that the alleged threat was Mac-specific, I got back the real answer: that this has not to do with the Mac or any platform. Here's Webroot's own admission:

These approaches are not unique to the Mac platform, and have been used for years as methods of malware distribution on the Windows platform, as well as for mobile OSes. Moving forward, we can expect to continue to see these types of approaches, in addition to other new creative methods of malware distribution that may arise, therefore exercising prudence when obtaining and installing software is crucial to staying protected from these types of attacks.

Well, duh.

It's of course completely true that Macs are not impervious to security threats, but they're much less vulnerable, as Webroot admits. It's easy -- and cheap -- for IT to make Macs even less vulnerable to app-based attacks, the venue that phishing, fake apps, malware-infested BitTorrent apps, and the like all use.

How? Use OS X's security policies, available since 2012's OS X Mountain Lion (and added to 2011's OS X Lion at the same time), to deny installation of any app not signed by a validated Apple developer. Or, for greater protection, to deny installation of any app not downloaded from Apple's Mac App Store.

You can apply the policies via OS X Server, via several MDM servers such as MobileIron's and VMware AirWatch's (and you probably have MDM already for your mobile devices), or via various Mac management tools such as those from JAMF and Microsoft (yes, Microsoft). Chances are you already have the tools you need.

Educate your home users on this (default) Mac security setting, and consider bringing home Macs used regularly for business into your management program -- as you likely do for personal smartphones and tablets. (Or supply a second Mac for remote access, if you don't want to manage users' personal equipment.)

This is not hard or expensive -- at least, it needn't be. Simply because a PC takes a lot of work and money to secure doesn't mean a Mac does. By all means, secure your Macs, but don't get taken for a ride when you do so.

Copyright © 2015 IDG Communications, Inc.

How to choose a low-code development platform