How to protect your business from data breaches caused by lost or stolen devices

It’s a beautiful fall Friday afternoon, and the IT team is ready to end another work week with happy hour at a new brewery across the street from the office. The week was great. There were a few small challenges, but this team was able to handle everything – no critical tasks will carry over to the following week.

But at 4:32 pm, a call from the company’s CFO changes everything.

He was at an airport getting ready to fly home after a busy week of business meetings. While he was conducting a final review of the company’s proposed budget for the coming year, the airline crew announced his name and asked him to come to the gate counter. Frustrated, he put his MacBook down on the seat and headed to the gate counter just a few feet away to see what was going on, fearful that another flight had been cancelled.

Luckily it was just a quick request to change seats, which he immediately agreed to. However, when he returned to his seat, he couldn’t find his MacBook. It had been stolen! A terrible incident, but what was even worse was that he wasn’t sure whether he had locked the screen before leaving the MacBook unattended, which could expose critical company data and access to whoever now had his MacBook.

He was about to look for airport security when the airline announced the last call to board his flight. What happens now?

Depending on how the MacBook was deployed and managed, this scenario can have drastically different outcomes. If the MacBook was properly managed and hardened, the loss may be limited to the price of a new MacBook (and the company may have a real chance of recovering the device later on).

However, if the MacBook was not properly managed and hardened, the potential loss could run into millions of dollars, especially if the thief can access sensitive and confidential data, including the personally identifiable information of employees and customers.

So what can IT teams do to be prepared when this scenario occurs?

1. Apple Business Manager

The first preventative step is to make sure that all work Apple devices are part of the company’s Apple Business Manager account. Every business that uses Apple devices can (and should) have a company-controlled Apple Business Manager account.

With this account, all new devices purchased by the company from Apple or authorized resellers can be immediately and automatically assigned to the company’s mobile device management (MDM) solution. This ensures that each device is automatically and remotely managed by enterprise MDM, eliminating the need for any manual configuration when the device is first powered on.

This step is more than a convenience: it provides a high level of security by ensuring that all company devices are managed remotely. Even if the device is wiped for any reason, it will automatically reconnect to the company’s Apple-specific MDM solution.

Currently, even devices not purchased from Apple or an Apple Authorized Reseller can be manually added to Apple Business Manager using a free Apple app.

2. An Apple-Only, Leading MDM

Having Apple Business Manager is a great first step, but without connecting it to an Apple-specific MDM solution, it won’t help much. Likewise, the wrong MDM solution can create more problems for the IT team.

Remote management of Apple devices is nothing like managing devices running other operating systems, such as Windows or Android. For that reason, a universal recommendation from Apple IT administrators is to always use a leading MDM solution built exclusively for Apple. This ensures that your business always has access to the remote management features and capabilities available for Apple devices. Plus, using an Apple-only MDM provider gives you confidence that the way these tools were built will let you get the most out of the Apple devices used at work.

IT teams should be happy to know that you can find a leading MDM exclusive to Apple for as low as $1 per month per device.

With a good Apple-only MDM, a business can take a number of actions to protect and recover lost or stolen devices, such as remotely wiping device data to limit the possibility of data loss, enabling device-based Activation Lock, getting the device’s location, retrieving details of the last connected IP address and Wi-Fi SSID, and much more.

As you can see, just having an Apple-only MDM solution can drastically reduce the chances that a lost or stolen work device will have devastating consequences.

3. Apple-Specialized Hardening and Compliance

It is well known that Apple’s operating systems are the most secure operating systems on the market. But what does that mean?

It means that an Apple operating system, such as macOS, is heavily equipped with excellent security controls and settings that can be configured to achieve a relevant degree of protection against unwanted physical and remote access. This is what security experts refer to as “hardening” a computer.

But what are all those controls and settings? How should you configure them correctly to make the Mac stronger while keeping in mind the needs of each business? And once those settings are applied, how do you ensure that end users don’t change them, on purpose or accidentally, or that future updates don’t tamper with them?

All of the above are valid questions with complex solutions, and the more devices your business has, the more challenging this task can be.

Some great examples of hardening controls that can add a relevant layer of protection when a work device is lost or stolen are:

  • Enforce a password-protected screen saver after a short period of inactivity, with automatic session lock – This control ensures that if a device is not used for a few minutes, the MacBook automatically locks the session and requires the user’s local password to unlock it. This control adds a layer of protection and should be implemented and monitored by all companies.
  • Enforce a complex password policy and a limit of 3 consecutive failed attempts – Without this control, the person who has the device has unlimited password attempts. This drastically increases the chance that the thief or bad actor will guess the password using techniques like social engineering. However, if the number of attempts is restricted to 3, with the account locked out once this limit is reached, the chances of someone guessing the password and gaining access to the device are greatly reduced.
  • Enforce disk encryption – The enterprise IT team must ensure that all information on each work device is fully protected with strong encryption, adding a final layer of security to the device. For example, in the above scenario, if FileVault (Apple’s highly secure, native macOS disk encryption feature) was configured and applied correctly, once the user’s session is locked, all data is encrypted and cannot be accessed without the key, even if the device’s SSD is removed and connected to another machine for physical extraction.

These are just a few of the many recommended device hardening controls that businesses should constantly apply and monitor. However, verifying compliance with all recommended security controls while fixing non-compliant devices is something that cannot be done manually, no matter how many members your IT or security team has.

By adopting a good hardening and compliance tool specialized for Apple devices, this task can go from impossible to fully automated. Good Apple-specific hardening and compliance tools include ready-to-use libraries of intuitive security controls. Once an IT team selects which configurations to implement, the solution works 24/7 to check every device against all enabled controls and automatically remediate any identified issues.
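The three controls listed above (automatic session lock, a bounded password policy, and FileVault) are all delivered to a Mac as payloads in an MDM configuration profile, and the automated compliance check described in the previous paragraph amounts to verifying that the profile actually enforces them. The script below is an added example, not code from the article or from any MDM vendor: it audits a .mobileconfig plist against a small baseline, with a deliberately weak profile next to its corrected form. The payload types and keys (com.apple.screensaver, com.apple.mobiledevice.passwordpolicy, com.apple.MCX.FileVault2) are Apple’s documented profile keys; the thresholds, the sample profiles, and the identifier com.example.hardening are assumptions constructed for this example (the 3-attempt limit is the one the article states).

```python
import plistlib

# Baseline thresholds for the three hardening controls. These are assumptions
# chosen for this example, not figures from the article (other than the limit
# of 3 failed attempts) or from Apple.
MAX_IDLE_SECONDS = 600           # session must lock after at most 10 minutes idle
MAX_PASSWORD_DELAY_SECONDS = 5   # password required almost immediately after lock
MAX_FAILED_ATTEMPTS = 3          # the article's limit of 3 consecutive failures
MIN_PASSWORD_LENGTH = 12


def payloads_by_type(profile: dict) -> dict:
    """Index the profile's PayloadContent array by its Apple PayloadType string."""
    return {p.get("PayloadType"): p for p in profile.get("PayloadContent", [])}


def audit_profile(raw: bytes) -> list:
    """Audit a .mobileconfig (XML or binary plist) against the baseline.

    Returns a list of human-readable findings; an empty list means the profile
    enforces all three controls.
    """
    payloads = payloads_by_type(plistlib.loads(raw))
    findings = []

    # Control 1: automatic session lock with password (com.apple.screensaver).
    ss = payloads.get("com.apple.screensaver")
    if ss is None:
        findings.append("screensaver: payload missing, session never locks on its own")
    else:
        idle = ss.get("idleTime", 0)
        if idle == 0 or idle > MAX_IDLE_SECONDS:   # 0 means "never" in this payload
            findings.append(f"screensaver: idleTime {idle}s exceeds {MAX_IDLE_SECONDS}s")
        if not ss.get("askForPassword", False):
            findings.append("screensaver: askForPassword is off, the lock is cosmetic")
        elif ss.get("askForPasswordDelay", 0) > MAX_PASSWORD_DELAY_SECONDS:
            findings.append("screensaver: askForPasswordDelay "
                            f"{ss['askForPasswordDelay']}s leaves an unlocked window")

    # Control 2: complex password with a bounded number of failed attempts.
    pw = payloads.get("com.apple.mobiledevice.passwordpolicy")
    if pw is None:
        findings.append("password: payload missing, unlimited guesses allowed")
    else:
        attempts = pw.get("maxFailedAttempts")
        if attempts is None or attempts > MAX_FAILED_ATTEMPTS:
            findings.append(f"password: maxFailedAttempts {attempts} allows more than "
                            f"{MAX_FAILED_ATTEMPTS} guesses")
        if pw.get("minLength", 0) < MIN_PASSWORD_LENGTH or not pw.get("requireAlphanumeric", False):
            findings.append("password: complexity below baseline (length or alphanumeric)")

    # Control 3: full-disk encryption (com.apple.MCX.FileVault2 with Enable = "On").
    fv = payloads.get("com.apple.MCX.FileVault2")
    if fv is None or fv.get("Enable") != "On":
        findings.append("filevault: not enforced, a removed SSD is readable without the key")

    return findings


def build_profile(payloads: list) -> bytes:
    """Serialize a minimal configuration profile as an XML plist (constructed sample).

    A real profile also carries PayloadUUID/PayloadIdentifier on every payload;
    they are omitted here because the audit does not look at them.
    """
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.hardening",   # hypothetical identifier
        "PayloadContent": payloads,
    })


# Constructed sample: a profile that looks like hardening but leaves every gap open.
WEAK_PROFILE = build_profile([
    {"PayloadType": "com.apple.screensaver", "idleTime": 1800,
     "askForPassword": True, "askForPasswordDelay": 300},
    {"PayloadType": "com.apple.mobiledevice.passwordpolicy",
     "minLength": 4, "requireAlphanumeric": False},
])

# Constructed sample: the corrected profile for the same three controls.
HARDENED_PROFILE = build_profile([
    {"PayloadType": "com.apple.screensaver", "idleTime": 300,
     "askForPassword": True, "askForPasswordDelay": 0},
    {"PayloadType": "com.apple.mobiledevice.passwordpolicy",
     "minLength": 14, "requireAlphanumeric": True, "maxFailedAttempts": 3},
    {"PayloadType": "com.apple.MCX.FileVault2", "Enable": "On", "Defer": True},
])

if __name__ == "__main__":
    for name, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        result = audit_profile(profile)
        status = "compliant" if not result else f"{len(result)} finding(s)"
        print(f"{name}: {status}")
        for line in result:
            print("  -", line)
```

Run on the two constructed profiles, the weak one yields five findings (idle timeout too long, password delay too long, no attempt limit, weak complexity, no FileVault) and the hardened one yields none. In practice the same function can be pointed at the profiles exported from an MDM, or scheduled to run before each profile push, so a silently weakened payload is caught before it reaches a device rather than after one is lost.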

On their own, Apple devices offer a potentially high level of security, even when lost or stolen. However, the effectiveness of security features on Apple devices depends on the tools and policies adopted by an IT team.

Going back to our airport example, if the IT team had followed the above steps correctly, they could probably thank the CFO for raising the issue, advise him to remain calm because the device was properly protected, and tell him to enjoy his flight home.

The IT team would be sure that the data was encrypted and the session was locked. All they would have to do is click a couple of buttons to remotely wipe the device and enable Activation Lock. A new MacBook could then be shipped to the CFO on Monday, and the company would still have a good chance of locating the stolen device.

Some specialized Apple endpoint software providers offer something called the Apple Unified Platform. Mosyle, the leader in modern Apple endpoint solutions, is the standard for Apple’s unified platforms through its Mosyle Fuse product.

Mosyle Fuse integrates Apple-specific automated MDM, next-generation antivirus, hardening and compliance, privilege management, identity management, app management and patching (with a full library of fully automated apps not available on the App Store), and an encrypted online privacy and security solution.

By unifying all solutions on a single platform, businesses not only simplify the management and protection of Apple devices used at work, but also achieve a level of efficiency and integration that is impossible with standalone solutions.
