What are the actual security risks of OS X for businesses?

Security lagging behind

Another issue is endpoint security and David Flower, EMEA managing director of Bit9 + Carbon Black, says in the enterprise this is lagging behind Windows.

"Despite the fact that Mac OS X is becoming increasingly popular for enterprises, there are still significantly fewer security solutions available to protect it. The built-in security mechanisms for Macs are as good as those for Windows, but to combat today's advanced threats, the ecosystem needs to be stronger," he says.

Flower adds that most security solutions in the Mac ecosystem are signature-based, which just isn't sufficient for dealing with advanced threats. "Signature-based defence works well against known, documented threats, but just can't handle today's Advanced Persistent Threats (APTs)," he says.

He says that it is crucial that companies bear in mind that hackers are deliberately targeting them. "They'll be looking for any vulnerabilities or weak links in the security chain. Despite being less familiar with Mac endpoints than they are with Windows, they may well target them because there just isn't as much security to bypass," says Flowers.


Keeping on the latest version of OS X is crucial

Is Yosemite safer?

Munro says that updating OS X to the latest version, Yosemite, is crucial to avoid some vulnerabilities. Also, knowing which version a Mac is running would be helpful too.

"If you have no idea what OS X version a Mac device is running, and how well updated it is, it could well be vulnerable to the Firewire/Thunderbolt encryption bypass attack, enabled by the Inception tool. Recent OS X and FileVault versions are okay, but older versions (Lion 10.7.2 or previous) are open to this abuse. So updating is crucial," he says.

Password problems hit Active Directory

Munro says that with Macs something as straight forward as a password refresh can cause real headaches.

"One corporate environment I was in recently had a Mac/Windows base that used Active Directory (AD) for managing users," he says. "They had a large amount of problems getting Macs to change passwords on password expiration. This meant that all of their Mac users ended up with static passwords, of which most of them were the default set by the helpdesk. This lead to half the users in AD with a password of 'Password1'. So, there will be issues with integration between different technologies – make sure this is worked out before it goes live."

Protecting your organisation's Macs from threats

What an organisation does to protect its Macs from secuirty risks depends on how many there are in the network, according to Munro.

"If there are only a smattering of devices then you should audit them by hand. Review OS versions, check patch freshness, review apps etc. and draw up a simple policy for maintenance and use," he says.

Munro adds that if there are more than a handful of Macs then an enterprise really should have the policies and software in place to diminish the risk.

"In our experience it is the organisations with huge numbers of Windows boxes and just a few Macs that suffer the biggest problems in this respect. If I wanted to target such an organisation the least supported/most neglected desktop OS would be my favoured vector," he observed.