Few people will contest that macOS is more secure than Windows, however that actually condones a common problem. Based on a decade of supporting law firms using Apple computers, it is very common for Mac using lawyers to be far too lackadaisical towards security. They figure Macs are more secure, so they don’t need to worry. This is a misconception that’s had me standing on my soapbox for years trying to dispel.
Below are 10 tips to increase security on your Macs, whether you are a solo attorney or large team of Mac-wielding attorneys and support staff shared with me by our Principal Systems Administrator, Tobias Morrison. This is in no way comprehensive but is a great place to start. Although Tobias has automated the majority of items on this list for clients, the breakdown below is purposefully not complex or advanced, so that anyone reading this can work through it as a checklist.
- Enable FileVault
Just because you have a password login enabled on your laptop, does not mean your files are completely protected. Many tech-savvy individuals could easily open your computer, remove the drive and plug it into another computer, and have full access to its’ data.
With FileVault, as soon as your Mac is shut down, its entire drive is encrypted and locked up. Only when an authorized user turns on the Mac and logs in are the drive’s contents unlocked.
Since October 2014, Apple has enabled FileVault as the default setting as of Yosemite 10.10. To check if it is enabled, go to System Preferences > Security & Privacy and click on the FileVault tab. If it is not yet enabled yet, enabled it and store the Recovery Key in your Passwords Manager. (Don’t have one of those!? Read on).
- Lock your computer screen
If your computer is on and you walk away from it to refill your coffee or use the restroom, you should be locking your screen every single time. Locking the screen leaves everything running and exactly as it is, but just enables your password to protect your sensitive files from prying eyes.
Screen saver lock after a short timer.
This automates the process, helping to some degree, but only should be used as a backup. This requires a 2 step process to enable. First, go to System Preferences > Desktop & Screensaver and click on Screen Saver tab. Set your desired “Start after” time.
Next go to System Preferences > Security & Privacy. Under the General tab, check the box that says “Require Password <immediately> after sleep or screen saver begins.” I recommend using immediately as the response for the most security.
3 Ways to Manually Lock Your Screen
More important than setting a default timer to lock your screen is getting into the habit of locking your screen every single time you walk away from your computer.
- One of the easiest ways is to click on the Apple in the menu bar and choose “Lock Screen”
- If you’re a keyboard type of user, you can accomplish the same thing using: Command + Control + Q
- Last but not least (my preferred method) if you have one of the new MacBook Pros with the TouchBar, you can add the lock button to your TouchBar. Go to System Preferences > Keyboards. Click on “Customize Control Strip…” Look for the Screen Lock icon and drag it to your TouchBar. Now it’s a quick click away. You also have the added bonus on these systems to use TouchID, so unlocking is a breeze.
- Encrypt local backups – Time machine and Cloned
We have moved away from local backups for the most part, favoring cloud based-backups. That being said I still have a local backup for my personal data, all business files are in the cloud with redundant backups and versions.
If you are making local backups either via Time Machine or a local clone using SuperDuper or CarbonCopyCloner, ensure you have encryption enabled. Same reason as enabling FileVault; if someone gets your backup drive, without this enabled, they can access all your data.
Time Machine is simple. Go to System Preferences > Time Machine. With your backup drive connected, click on ‘Select Disk…” Check the box that says ‘Encrypt backups.” [I did not have my backup hard drive attached when screen shot was taken, hence it being greyed out.]
For the clone options mentioned above, you’ll need to research for step by step instructions online.
- Enable built-in Firewall
In previous versions of macOS, the Firewall option was very annoying to use. For this reason, it was never widely embraced. While discussing the latest security tips with Tobias, he explained to me that the Firewall had been enabled for quite some time. In short, Apple fixed it and made it non-intrusive. Apple’s built-in Firewall prevents unauthorized applications, programs and services from accepting incoming connections. Another security layer that once activated, will help protect you.
Go to System Preferences > Security & Privacy and click on the Firewall tab. Click on “Turn On Firewall”
- Enable Stealth Mode
This is an advanced feature in the Firewall mode, and is optional. This makes you invisible on a network. Apple describes it as “Don’t respond to or acknowledge attempts to access this computer from the network by test applications using ICMP, such as Ping. In the same Firewall tab you were previously on, click the lock in the bottom left corner to authenticate, click on “Firewall Options” and check the box at the bottom.
AirDrop lets you choose between enabling it for just your contacts or for everyone. "Contacts" requires more work, as you and the person you want to AirDrop with both have to be logged into iCloud and be in each other's Contacts. "Everyone" is easier but means random people you don't know can send you files. For increased security, switch this to “Contacts Only,” if you never use it, Select “No One” to turn it off completely.
Launch the Finder on your Macs. Click on AirDrop in the left navigation. Select Off to disable AirDrop, Contacts Only to enable only your contacts to AirDrop you, or Everyone to let everyone AirDrop you.
- VPN – encrypt.me
There’s plenty of talk about needing a VPN out there making the need quite apparent. However, there are so many solutions, most users opt by not making a choice at all. Encrypt.me is our preferred option. It automatically enables itself when you are on an unsecure network. Starbucks or an airport for example. You don’t need to remember to activate it or go through lengthy connection processes. You install it and it protects you. For $10 a month one account can protect all the devices that user owns. They also have family and team plans, as well as annual discounts.
- Don’t advertise services unless you are using them.
By default, macOS enables several sharing options, such as Printer sharing, Internet Sharing, and File Sharing. If you have no need to have these services advertise themselves, you can disable them altogether. If you’re uncertain whether you are using something, you most likely don’t need it.
Go to System Preferences > Sharing.
In our case, my company uses tools for Remote Login and Remote Management, so those are enabled.
- Long time user? Make sure you do not have auto-login enabled or a user account without a password.
A big security-risk is Automatic login. When enabled, you turn on your computer and it would log you in automatically, a clear security risk. If you have this enabled, disable now. Go to System Preferences > Users & Groups. Click on Login Options. Then switch automatic login to OFF.
In earlier version of macOS, back when it was still OSX, you could create an admin account and leave the password blank. If you can leave the password field blank and hit enter and login, this means you. While this is no longer possible with macOS, we’ve run into this on rare occasion. In the same Users & Groups screen as above, click on your user, then “Change password…”
- Mobile Device Management Solution
You simply MUST have a way to secure the data on your mobile devices, which includes your iPhone, iPad AND you laptop. If it’s just you and no one else, iCloud will suffice. Login all your devices with the same Apple ID, and enable Find My iPhone/iPad/Mac on all your devices. In case of loss or theft, this will enable you to locate, lock and erase your device.
Assuming you are logged into iCloud already, go to System Preferences > iCloud. Go down the list until you see Find My Mac. Check the box. Voila!
Now if your firm is more than just you, iCloud will not be suitable for your needs. You want to ensure you have a tool in place to locate, lock and erase all devices. Two simple solutions to get up and running with are JAMF Now and Simple MDM. JAMF Now is free for 1st 3 devices, then $2 per device/month. Simple MDM is $3 per device/month. Both are highly respected solutions that are simple to deploy and put into place.
There you have it, ten tips to increased security for Mac users. Please, don’t read this and forget about it. I suggest you start with blocking off 1 hour to increase security. Bring out this list and see how many you can complete in that time frame. If needed, block off another hour to complete the rest. While more things can be done, this will significantly move the needle for protecting your firm and taking the proper security measures needed as a Mac using attorney.
The original post by Tom Lambotte is on the Clio blog at https://www.clio.com/blog/security-tips-mac-attorneys/