
Why online privacy and security is critical for Apple devices at work

One could make the argument that the most dangerous place to be is on the internet. People face more security threats per day by accessing emails and browsing the internet than doing anything else. 

Phishing emails, malware, scams, identity theft, and tracking are just some of the risks that we all face on a daily basis, and all of them come from the same place: the internet.

Apple is leading the way in terms of big technology companies committed to protecting internet users from these threats. From providing the most secure operating systems available for business use, to enforcing strict privacy rules among technology companies, just by choosing to use an Apple device, companies are already in a better position to protect themselves from online risk. 

However, there is only so much Apple can do to protect users. Even with the most secure endpoints available to business users, Apple’s devices still operate on the open internet. People connect to open Wi-Fi networks. People access websites that may attempt to set cookies for tracking purposes. They connect to cloud services that store and process sensitive data. Mac users can download apps from any website, giving hackers ways to sneak malware onto a work device. 

Because of this, as with any connected device, Apple’s products are still vulnerable to online risks. It’s just the reality of using devices on the open web. 

In general, the online risks can be classified in three main categories: 

Privacy Risks

Online privacy should be top of mind for everyone, and it should be a topic of conversation for every business owner in every industry, even outside of those who work in technology. 

In just a few years, our mindset around data privacy and security has shifted. We went from not even being aware that our data was being captured by those “free” cool apps and websites, only to be used maliciously or commercialized later, to a mindset where users are literally fighting for their privacy, closing social media profiles, and materially impacting companies whose business models are based on tracking.

However, there are still a lot of ways to track user activity online, and when the user is also an employee at work, the risks are even more critical. Hotels, airports, coffee shops, and even internet service providers can track (and possibly are tracking) every website visited by users, trying to transform this information into insights that can be exploited or sold for extra revenue.

This brings other relevant security risks if we consider that the networks may also be used by malicious agents trying to gain insights about companies. They might be sitting back, learning about the company solutions that are used, the websites accessed, and much more. Then they can use this intel later as part of a targeted attack.

The only protection against these risks is to make all online activity on work devices totally protected so no one can see what websites are being accessed. One way of doing this is by using a VPN but that approach normally comes with trade-offs such as low internet speed, unstable connections, and the need to always remember to connect before starting a task. 

A better solution for companies using Apple devices is to enforce encrypted DNS resolvers. In simple terms, encrypted DNS will hide the websites accessed by a specific device from someone inspecting the network traffic. When combined with filtering capabilities, it can also offer powerful protection against online services used for online tracking. Also, because Encrypted DNS can be enforced directly at the operating system, it will protect the device regardless of where the device is and the connected network.

Current versions of iOS, iPadOS and macOS all support Encrypted DNS solutions, so companies can take advantage of it immediately. However, it’s important to select a provider that specializes in Apple devices, so Encrypted DNS can be correctly enforced on each work device without any manual action by the end-user and without the risk of disrupting employees’ regular use of the device.
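As an added illustration (not part of the original article and not any vendor's code), the script below builds an Apple configuration profile carrying a `com.apple.dnsSettings.managed` payload for DNS over HTTPS and audits a profile for the two properties discussed above: that DNS is encrypted and that the user cannot switch it off. The resolver URL and organization identifier are hypothetical placeholders.

```python
import plistlib
import uuid

DNS_PAYLOAD_TYPE = "com.apple.dnsSettings.managed"

def build_dns_profile(server_url, org_id, prohibit_disablement=True):
    """Return .mobileconfig bytes that set a DNS-over-HTTPS resolver."""
    dns_payload = {
        "PayloadType": DNS_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": org_id + ".dns",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Encrypted DNS",
        "DNSSettings": {"DNSProtocol": "HTTPS", "ServerURL": server_url},
        # Honoured on supervised devices: the user cannot turn the setting off.
        "ProhibitDisablement": prohibit_disablement,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": org_id,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Encrypted DNS (example)",
        "PayloadContent": [dns_payload],
    }
    return plistlib.dumps(profile)

def audit_dns_profile(data):
    """Return a list of findings; an empty list means DNS is encrypted and locked."""
    profile = plistlib.loads(data)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == DNS_PAYLOAD_TYPE]
    if not payloads:
        return ["no DNS settings payload"]
    findings = []
    for p in payloads:
        settings = p.get("DNSSettings", {})
        proto = settings.get("DNSProtocol")
        if proto == "HTTPS":
            if not str(settings.get("ServerURL", "")).startswith("https://"):
                findings.append("DoH payload lacks an https:// ServerURL")
        elif proto == "TLS":
            if not settings.get("ServerName"):
                findings.append("DoT payload lacks a ServerName")
        else:
            findings.append("DNSProtocol is not HTTPS or TLS: %r" % (proto,))
        if not p.get("ProhibitDisablement", False):
            findings.append("user can disable the DNS settings")
    return findings

if __name__ == "__main__":
    # Constructed sample values; replace with your resolver and identifier.
    blob = build_dns_profile("https://doh.example.com/dns-query", "com.example.corp")
    print(audit_dns_profile(blob) or "profile enforces encrypted DNS")
```

The generated bytes can be saved as a `.mobileconfig` file and distributed through an MDM; the audit function can be run over profiles already in circulation.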

Compliance Risks

Staying compliant with government regulations, applicable laws, and internal policies in a distributed IT environment is a big challenge for IT admins and information security professionals. Many may find themselves asking: how can I ensure employees are not using work devices to access illegal online content or websites that violate internal policies? How can I guarantee employees are not using company-owned devices to download pirated content?

All these behaviors, while performed by the employee, can generate relevant risks and responsibilities to companies because they were executed by using corporate devices. Therefore, companies must ensure employees are avoiding online piracy, inappropriate content, and anything else the organization needs for compliance.

The only way to achieve this is by enforcing a web filtering solution on all work devices that will perform well on Apple devices and be enforced all the time, regardless of any end-user action. Once again, selecting solutions specifically built for Apple devices is highly recommended. With these solutions IT admins are able to completely automate the deployment, enforcement, and maintenance of web filtering remotely. Top providers will offer powerful ready-to-go filters and use AI for website categorization, so companies can filter any website category and fully customize the web filtering as needed.

Security Risks

We started this article off stating that nowadays, the most dangerous place you can be is the internet. Threats are everywhere, and new methods to fool users into clicking on malicious links are invented every day. On top of that, the internet grows at an extremely fast pace, adding tens of thousands of new domains and websites daily, which makes it very difficult to distinguish what is safe from what is a threat.

The best companies can do to protect their endpoints and employees from online threats is to enforce a powerful online security solution.

Good solutions leverage artificial intelligence to scan millions of websites daily looking for security risks, and based on the results, block any access to domains identified as being used for malicious activity, including fraud, malware distribution, phishing, spam URLs, spyware and others. Additionally, sophisticated solutions will allow IT admins to block domains based on other elements such as domain age and hosting country. 

Once more, it’s very important to select a solution that specializes in Apple devices, so threats that specifically target Apple devices, such as macOS malware distribution points, will be prioritized as part of security research efforts and artificial intelligence training. 

Now that it’s clear how critical the privacy, compliance and security risks are when employees are allowed to freely navigate the internet without any protection, let’s discuss how to select the best solution for your Apple fleet.

When evaluating and selecting an online security provider for the Apple devices used at work, some requirements are critical:

1. Specialization in Apple devices: the first thing to consider is whether the solution is specialized for Apple devices. Everything from how to architect and develop the solution, to installation and enforcement methods, to knowledge of specific online threats for each operating system is very different between Apple devices and devices running other operating systems, like Windows. It’s always recommended to avoid generic multi-platform solutions that “also work on Apple devices”. Those providers are normally serving more devices running other operating systems than Apple’s, which consequently makes them prioritize the other operating systems.

2. Zero-touch online security deployment: what’s the point of finding a great solution if you can’t install it at scale? A good solution will have optimized deployment flows that allow companies to remotely and automatically install and authenticate products on each device without any user interaction. This is highly important; otherwise the company will always need to rely on manual actions by the end-user to ensure the devices are being secured. Everyone in IT knows that a good portion of end-users will forget to configure and enable security solutions, while others will avoid them on purpose so they can freely use the device. In both cases, the result is that the employees and the company won’t be protected.

3. Automated enforcement: similar to deployment, it’s also very important that the solution can’t be disabled or removed by the end-user. There are plenty of well-known excuses end-users provide to justify why the security tools on their devices were disabled. Some will say that they tried to access a website and it was blocked, so they disabled the tool to gain access to it (yes, it happens all the time). Others will say that an operating system update disabled it, or just use the “master” excuse of saying the solution has a “bug”. Once again, the reason why a security solution is not running doesn’t matter. The only thing that matters is that if it’s not running, it’s not protecting. So, make sure the selected solution is capable of enforcing itself automatically and that the end-user can’t simply disable or uninstall it.

4. Integration with your Apple MDM for device isolation: compromised or non-compliant devices should be automatically isolated, so they can’t contaminate other devices and company resources. Having an automated way to collect information related to the online activity of each device and automate actions to remediate or isolate the impacted devices is a must-have feature. Make sure the solution you select can be integrated with an Apple MDM solution so events coming from your online security solution can be used to automate actions through the MDM.

5. Large Scale: online security solutions will normally intermediate all the online activity of a device – not just the websites that the user manually opens while using the browser. Because of that, the volume of activity demanded from the online security solution is massive, and any minor performance issue will materially impact the use of each device, from slow online navigation to total internet usage disruption, affecting employees and the company. On the other side, scaling applications and infrastructure is a challenging process for new online security companies, and it can only be done correctly as the number of protected devices grows.

During the journey from 10,000 to 1,000,000 protected devices, the new online security provider will probably need to rethink and reimplement material aspects of the solution and infrastructure. While that happens, it’s expected that end-users will experience painful disruptions. For this reason, always ask your provider about the scale of their operation to ensure that it’s prepared to handle a large number of devices without any disruption to your employees and business. A good benchmark here is the mark of 1 million managed devices. At this scale, the provider has probably already addressed the main challenges experienced with growth and achieved stability.

Companies using Apple devices at work can look for integrated security and management products that specialize in Apple devices. The most modern approach to this is called Apple Unified Platform.

An Apple Unified Platform will integrate different specialized solutions in a single product, including features designed to ensure online privacy, security and compliance on Apple devices.

Mosyle, a leader in the Apple Unified Platform approach, offers an Encrypted DNS Privacy & Security solution as part of Mosyle Fuse, an Apple Unified Platform that integrates Apple-specific MDM, endpoint security, online security, identity management and application management for businesses.

Mosyle’s Encrypted DNS Privacy & Security solution is the only online security solution with a natively integrated Apple-only MDM, allowing a level of automation, effectiveness and performance that can’t be matched by standalone multi-platform solutions.

So, if you have Apple devices being used at work and are not yet enforcing any online security solution, this is something you should address soon. Costs can be really affordable, and the benefits far exceed the investment.


Author: Sponsored Post
