Mac security series: Mac is inherently safer (doesn’t require frequent updates)

Apple designs some of the best computers and mobile devices on the planet. From the industrial design to the engineering efforts internally, their design sense also informs the underlying software that runs off their incredible hardware. That’s always been a core belief of Steve Jobs – extend the user’s experience throughout the entire product – internally and externally.

This design ethos also carries forward to Apple’s view on security and privacy, as evidenced in its commitment to both with each subsequent release. From the engineering of a closed system design which:

• Enforces as well as verifies the security of each component,
• the integration of the powerful T2 chip, infusing encrypted storage,
• secure boot and biometric capabilities. To the development team’s
• design of the Security Framework, securing the data apps use, but also
• controls access to your app and device resources, maintaining user privacy.

But what does that have to do with updating your Mac?

Well, Apple devices didn’t always include biometrics for encrypting your data or unlocking your device with your finger or a smile. They also did not include awareness that apps might use access to your microphone or webcam for anything other than chatting with work colleagues or friends and family. It was before this time that applications were downloaded from anywhere online, not specifically the Mac App Store or trusted developer’s website, but anywhere you happen to find the app you were looking for, installed it and we're off to the races. Did it matter that you were running an app that was several weeks, months or years old? Not unless a newer version had a feature you were looking to take advantage of.

This was a time when Apple was popular, but nowhere near the level of adoption that we see today. Where Apple was a niche product, catering to students and creative professionals, or simply those that preferred the Apple esthetic over the competition.

I still don’t get what this all has to do with updating?

Sheesh, you’re impatient today.

Ok, simply put, this all ties together because we couldn’t get to where we are today without the lessons learned from the past. Those lessons being vulnerabilities in software lead to exploits and later compromised devices. Software downloaded from unknown, potentially unscrupulous sources have been known to tamper with apps, allowing them to run malicious code on your devices and/or abusing the access granted to the app to gather information on you – the user. By tapping into your camera feed, eavesdropping on your verbal conversations, copying text-based exchanges alongside other personal data, or monitoring your whereabouts through GPS. It all gets sent elsewhere and without your consent, effectively spying on “every move you make”.

Despite making arguably the best computers on the planet with security and privacy inherently baked into their products, updates to macOS, iOS, iPadOS and the apps that run on them – all stem from the very real-world need to keep your devices up to date with respect to patches that fix bugs and holes in the software. This is important so that you, your devices, your data and your privacy – both at work and personally – are continually protected against known risks and threats.

“I am inevitable”

Imagine if Tony Stark had opted to stop innovating after designing his first Iron Man suit of armor, the MK I. Eschewing all ideas of updating it with newer, more powerful and efficient technologies, deeming it to be adequate as-is. How would he have fared against Thanos years later in the MK I? Compared to the far more advanced Mark LXXXV, we saw him barely able to snap his fingers at the end of Avengers: Endgame. In the MK I? The fight would’ve been over before it even got started.

And that’s really the gist of updating your Apple devices and applications right there. Any attempt to protect yourself, users, devices and sensitive data would be moot against modern risks and threats that continue to evolve as time waxes on. We wouldn’t stand a chance against the numerous threats, likely compromising your computer within minutes of powering them on – dubbed the 12-minute heist in 2005, by Sophos.

In the case of updates, it holds several meanings. It’s important, not just because of the number of new features that are typically linked to new major point releases of system and app software. Those are often exciting for users, bringing fresh, productivity-boosting features and those that they’ve long clamored for to make life a little more enjoyable, sure. But it’s the underlying changes, the introduction of security and privacy frameworks, for example, that really shape how we as users and admins alike utilize and manage our technology.

After all, if I told you that a new app, titled “A” is the best app in the world! It will reduce the amount of work you have to do each day; it will eliminate all your worries and the developers of the app will even pay a salary every year to use it daily. Sounds promising, no?

The only trade-off is that everything you do – and I do mean everything – is constantly being monitored, surveyed and shared with the developer’s parent company and their subsidiaries. That data in all shapes and forms are sold and resold to the highest bidder, hosted online for all to see and discussed on each social platform worldwide. Would you put yourself at risk like that, open to identity fraud, criminal actions against you, endangering your family and loved ones around you every second of every day, all with exactly zero forms of privacy. Would you do it?

Chances are the average person would not. So, why keep up with the protections offered by keeping your devices updated regularly for your personal devices or admins, and scheduling patch management cycles in the enterprise? Because it is:

• Necessary to keep devices protected from known threats.
• Essential to the integrity and confidentiality of your data.
• Imperative to the stability of your device or the entire fleet.
• Paramount to maintaining your privacy (or that of your users).
• Mandatory to a defense in depth cybersecurity plan.
• Requisite to managing risk across your organization.
• Indispensable to maintaining a strong security posture.

“I…am…Iron Man”

Did you know that in the Security 360: Annual Trends Report by Jamf, the Jamf Threat Labs identified a whopping “39%of organizations allowed devices with known OS vulnerabilities to operate in a production environment with no restrictions to privileges or data access.”?

Fun fact: According to forecast figures by Ericsson and The Radicati Group, there are an estimated 6,640,000,000 smartphones worldwide.

Simply accounting for smartphones – not computers – 39% of vulnerable smartphones worldwide would equate to 2,589,600,000 devices. As a user or an administrator that manages devices for an organization, how confident are you that your device(s) isn’t among the 39%?

Broken down further, the Security 360: Annual Trends Report also indicates that “7% of work devices continued to access cloud storage services after being compromised”. This doesn’t mean devices were vulnerable but known to be compromised by threat actors. Using the original number of smartphones worldwide as a base, the 7% equivalent comes out to 464,800,000 devices. Far smaller than the 39% above in the billions – with a B – but still worrisome as this number inches ever closer to half a billion (still with a B) devices that are compromised, yet still accessing organizational resources and putting them at risk for a data breach.

As the role of technology in modern-day computing has seen a seismic shift in both an increased reliance on mobile devices, accompanied by an equally groundbreaking shift to remote and hybrid work environments, users depend on their macOS- and iOS-based devices more than ever for work and play. It’s their lifeline to a disjointed world, to collaborating with coworkers, celebrating life’s little victories while being socially distant and virtually anything and everything in between.

Keeping devices updated is tantamount to practicing safe Internet while complying with best security practices. Users need a dependable, reliable device to remain productive from anywhere, at any time; Organizations must not suspect – but know concretely that the devices accessing their resources are updated, configured properly and only able to communicate to sensitive company resources over secured connections if they wish to mitigate risk while adapting to modern computing’s dynamic changes to maintain safe and secure business continuity.