Three Ways to Secure Macs at Work: Lessons from 'MacDefender'
For a long time, one of the strongest points for using Apple computers in your business as opposed to a Windows-based PC has been the suggestion that the Mac platform is somehow inherently more secure
It's a talking point of Macolytes everywhere, and even Apple got into the game with its "Mac vs. PC" series of commercials. And for the most part, it's been supported by the ridiculously low number of malware attacks that Mac users have endured compared with Windows users.
But with "MacDefender" malware making the rounds, the Mac doesn't seem quite so invincible right now. Malware on the Mac is not an entirely new phenomenon. There have been other cases, mostly proof-of-concept, in the past. And security software vendors have been sounding the alarm for some time about the potential for Mac malware. But then, that's what security vendors do.
Is it time for Mac-running businesses to panic over security? No. But if you've invested in Macs for your organization, there are some common-sense steps to make sure your users are as secure as possible.
Because Macs have enjoyed malware-free status for so long, some of the most basic, common-sense concepts of personal computer security may be lacking among your Mac users, particularly if you're an all-Mac shop where your users haven't watched the security habits of PC users at work.
But even if they have, it's worth the time to remind them of the basics, like "When in doubt, don't click," and other tactics to avoid being sucked in by attacks that require user participation. MacDefender isn't exactly a virus; it's more of a social engineering attack. The malware works by infecting Web sites and presenting users with what appears to be a virus scan showing their system is infected. The fake virus scan then "helpfully" offers the "opportunity" to download MacDefender to "clean" the "infected" system.
This isn't an attack you necessarily need an elaborate defense strategy to defeat. You simply need common sense. A refresher or even some forwarded links on how to avoid malware, phishing attacks, and the like can go a long way.
Be careful to inform users that there are risks out there, and of the common-sense ways to avoid getting trapped, but don't lay it on too thick. You want to be firm enough to set up company policy, protect your users, and break through any "But Mac's don't get viruses" protests that may still persist. But you don't want your users needlessly scared that everyone is out to get them when they're online.
2. Avoid the Mac App Store
Yes, it's one of the most-touted new features in recent releases of the Snow Leopard OS and is bound to be the preferred distribution point for Lion later this year, but there are signs that Apple's sometimes-glacial pace of updating third-party software available via the Mac App Store may be putting users at risk.
Security blogger Joshua Long notes that some popular Mac applications--the Web browser Opera and Amazon's Kindle among them--are taking a long time to be updated in the Mac App Store. In many cases, Apple's insistence on testing every release of every piece of software in h the App Store may be a good thing when it comes to security.
But when something slips through the cracks--as a critical fault did with a recent version of Opera--users who purchased Opera via the Mac App Store are still waiting for the update to fix the security hole. Those who downloaded the browser independently of the Mac App Store have likely downloaded the update that fixes the issue. But because Apple insists that versions of software submitted to the Mac App Store remove all forms of auto-update and leave the distribution of software updates to Apple, that's not an option.
Until Apple gets in gear and starts pushing security updates out the door of the Mac App Store more quickly, you may want to go with standalone download versions of important applications like Web browsers, even if it means you have to go the trouble of initially dragging and dropping the app to your Applications folder yourself.
3. Invest in Anti-malware Software (If You Must)
I almost hate to include this item on the list, because I said before and I really mean that this isn't the time to panic. Yet, running blindly to a security software vendor, credit card in hand, certainly sounds like panicking.
But ultimately, even when you've educated your users, found peer groups for support, and updated your software to the best of your ability, you may decide that to make sure your business' Macs are really safe, you want to install and run antivirus software.
But if you do, take the time to do the research, and set a policy company-wide. You don't want to let it vaguely be heard that Mac users should have antivirus software to protect themselves but leave the door open for users themselves to seek such protection, lest they should find themselves unwittingly undermining everything you're trying to accomplish by selecting that "MacDefender" software..
There are plenty of anti-malware offerings for the Mac from most of the usual suspects of the PC antivirus world, including Symantec, McAfee, Kaspersky Lab, Trend Micro, Panda Security, and Sophos. If your company is a mixed Mac-and-PC environment, you can go with the same company that provides your PC antivirus software for consistency and ease of vendor relationship management.
If costs are a concern, there are plenty of free versions of legitimate Mac OS X antivirus software, including Intego, ClamXav, and Sophos. But if you've decided to be proactive enough to protect all the Macs in your company with antivirus, it's probably worth the additional time and expense to find and purchase the best possible fit in anti-malware software for your business' needs.