Consultant Erik Eckel advises enterprise Mac administrators to focus more on security practices such as timely patching and user training due to the increasing number of threats to Mac systems.
Almost every IT department knows the security risks e-mail and the Internet pose, and most take considerable steps to lock down vulnerable Windows systems. Enterprise Mac administrators need to take precautions against users accidentally or purposefully introducing malware via e-mail or Internet use, too. Just because Macs aren't subject to the same number or intensity of self-replicating viruses and worms doesn't mean they aren't vulnerable to security holes or privacy concerns that can place corporate data or financial information at risk.
Although viruses, spyware, Trojans, worms and other threats typically target the Windows platform, Macs still face vulnerabilities and threats. Security analysis by Secunia, reported in July in its Half Year Report 2010, reveals Apple ranks first in the number of reported vulnerabilities. Secunia notes that the majority of attacks (approximately 80 percent) result from remote sources and further comments that there is "no security without updating."
Enterprise administrators, justifiably wary of introducing incompatibilities or other issues, typically test many security updates and patches prior to deployment in production environments. That takes time, time in which Mac users remain vulnerable to serious security threats.
Education is the best defense against social engineering, phishing and similar attacks that often target e-mail for propagation. Further, these vulnerabilities frequently plague Web users, as well. Infected sites change almost hourly. But Mac users, many likely to feel safer using Apple's Safari over Microsoft's Internet Explorer Web browser, aren't totally safe, either.
By ensuring users understand that e-mail systems and Internet services are to be used only for business purposes, and that sensitive, proprietary or confidential information should never be shared via e-mail or insecure Web sites, administrators can better protect their organization's networks, systems and data. Policies offer the opportunity to do just that. Should problems arise, written policies also provide HR staff with necessary documentation to build a case for disciplining a troubled staff member, justifying a write-up or even terminating a habitual offender.
Paper-based policies may appear inconsequential or just a paper exercise, at least on first look, to IT professionals favoring hardened networks. But formal e-mail and Internet usage policies offer a wonderful complement to automated systems that sometimes prove imperfect.
The first goal should be to educate users. That's as true for Windows organizations as it is for a Mac outfit. Mac users benefit when official policies and procedures are clearly explained in writing. As hard as it is for some IT professionals to believe, many users simply become overwhelmed when trying to make heads or tails of phishing attacks and social engineering efforts. Training is the key, and a good policy is the first step in ensuring all users at least hear a consistent message of what constitutes acceptable or proper use of an organization's IT infrastructure.
Susan Hansche, when a CISSP working as a senior manager for Troy Systems, wrote "employees are the single, most important asset in protecting the IT system." Writing a chapter for The Auerbach Press' The Privacy Papers, she added "users who are aware of good security practices can ensure that information remains safe and available."
Don't get lulled into a false sense of security. Mac users, just like everyone else, need basic instruction as to best business practices when it comes to using e-mail and the Internet. Policies offer an excellent method of communicating acceptable behavior. Even if the systems and software Mac users use are more secure, organizations can only benefit by ensuring users understand the associated risks and are instructed as to best practices for avoiding trouble.