Your enterprise security does not live in isolation — the threat environment extends across all your colleagues, partners, and friends.
That's why it’s very concerning that so many businesses continue to fail to meet basic security hygiene standards, according to the latest Security 360 report from Jamf.
Data is gold, which attackers recognize — even many in business don’t. Every stolen address, email, phone number, name, or even passport number is an ID attack waiting to happen, a path to enable a more complex phishing scam, or just an opportunity to call someone up and claim the target has a problem with their computer that they can help them with.
A victim’s story
A friend of mine fell victim to that last pervasive security attack this week. Fooled by the professionalism of the caller and shunted between various fake colleagues, they gave the convincing hackers remote access to their computer, credit card data, and more. As I write this they are changing passwords, wiping the attacked device, and filing police reports.
This stuff happens, sometimes to people you know. And it could happen to you.
We can’t be sure how they tracked this friend of mine. We can’t tell which vast pot of stolen data they looked at. (There is some evidence that criminals like to target older people with digital crime.)
There is a temptation to look at the story of my poor chum and dismiss the threat as unlikely. You're into tech, take security seriously, and use Apple products in your business. But complacency is a security weakness.
Complacency has consequences
That critical point shines bright and loud in Jamf’s report. Based on a sample group of 15 million mobile devices, PCs, and Macs, the report points out a slew of concerning statistics:
- 40% of mobile users and 39% of organizations are running a device with known vulnerabilities.
- Jamf tracks 300 malware families on macOS and found 21 new families on the Mac in 2023.
- Trojans are growing in popularity, accounting for 17% of all Mac malware instances.
- Phishing attempts were 50% more successful on mobile devices than on Macs.
- 20% of organizations were impacted by malicious network traffic.
Michael Covington, vice president of portfolio strategy at Jamf, said in a statement:
“The data in our report shows that Mac and mobile fleets have fared reasonably well over the past 12 months, but that result is largely due to sheer luck; with a growing list of malicious tactics emerging and with organizations demonstrating poor security hygiene overall, the year ahead is likely to be bad for business if trends do not change.”
Practice good security hygiene
What kind of strategies should enterprises that rely on Apple devices follow to stay safe? The same strategies as on other platforms, albeit from a point of more strength. Some best practices mentioned in the report include:
- Use integrated management and security products to maximize the available policy controls while minimizing the number of agents you must maintain.
- Harden endpoints by following industry or regional best practice recommendations.
- Manage threat exposure by maintaining an up-to-date operating system and application releases and patches.
- Implement multi-layered, defense-in-depth protections.
Even these simple protections are sometimes undermined by the age-old opinion that Apple devices are immune to attack. The rapidly increasing velocity of security upgrades emerging from Apple proves this isn't the case.
The myth of Apple security
Citing a recent report on Hacker News, Jamf notes: “57% of Mac users either agree or hesitate to disagree with the statement ‘Malware does not exist on macOS.'” In addition, “every third Mac user believes their data is of no interest to cybercriminals.”
Neither statement is correct, but belief in that ill-fated canard means shocking vulnerabilities exist even across Apple-based business:
- FileVault is disabled on 36% of devices.
- Firewalls are disabled on 55% of Macs.
- 3% of devices had the lock screen disabled.
- 5% of devices have a vulnerable application installed.
Returning to my friend, she clearly fell victim to a professionally run and well-executed social-engineering based scam. She doesn’t know what data they took while they remotely accessed her Windows computer, or what malware might have been left behind; she’s changing all her passcodes, but that may not be enough. As an individual with limited computer skills, she’s finding it onerous to take all the steps required, is concerned she may make things worse, and fears being ripped off.
This makes it a truly anxious time for her — there is no such thing as a victimless crime against an individual — but it also illustrates the extent to which poor security awareness has consequences. And those consequences scale to the size of your business.
Batten down the hatches
Even today, too many business users who really should know better are not taking enough steps to secure themselves, employees, and partners.
That’s not good at all when even Apple itself has warned:
“The total number of data breaches more than tripled between 2013 and 2022 — exposing 2.6 billion personal records in the past two years alone — and has continued to get worse in 2023.”
“It’s time for organizations to get their modern device estates in order by embracing industry best practices and building a defense-in-depth strategy for the hybrid workforce,” Covington said.
With the unravelling of international consensus on just about everything, it’s unlikely the digital security situation will improve before it gets worse. Every Apple-using enterprise must batten down the hatches for digital security — after all, the age of quantum attacks has already arrived, and even the smallest weakness will be all the flaw they need.
Please follow me on Mastodon, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.