Macs are gradually gaining popularity in the enterprise world and deploying a data loss prevention solution on these devices is becoming a pressing question.
macOS devices are becoming an ever more prominent presence in the workplace. This is chiefly due to two trends: bring your own device (BYOD) and employee choice policies. The first allows employees to bring their own devices onto the company network, while the second lets them choose which device they will be using in the workplace. A survey conducted by Jamf showed that, in the 580 organizations that participated, 72% of employees chose Macs and a further 75% chose iPhones when given the option. Another interesting fact to mention is that when comparing all the implied costs, like software and hardware updates, management and support, it turns out that Macs have a significantly lower total cost of ownership (TCO) than PCs.
Apple has shown its commitment to making Macs a viable alternative to PCs in the workplace, with security features specifically aimed at enterprises. As Macs become more and more common in office environments, they can also become prime sources for data loss. While PCs running on Windows are more likely to fall victim to malicious outsiders because they make easier targets than devices running on macOS’s Unix-based architecture, neither OS protects sensitive data such as Personally Identifiable Information (PII) or Intellectual Property (IP) from their users. In the age of data protection regulations, workstream collaboration (WSC) platforms and massive data breaches, companies’ worst security vulnerabilities are often their own employees.
Luckily, there are Data Loss Prevention (DLP) solutions that help companies monitor and control sensitive data flows on their company networks. These solutions prevent data leakage and data theft by scanning data in motion and data at rest, restricting the unauthorized use of removable devices, providing encryption options and more. While there are fewer DLP tools for Macs on the market, there are a few things organizations should consider when shopping for a DLP solution. Here are the most important five:
1. Zero-day support
With Apple rolling out one major macOS upgrade every year and updates on an almost monthly basis, zero-day support is essential for any company using Mac endpoints in the workplace. This means choosing DLP solutions that ensure zero-day support, namely product compatibility before the official launch of new updates and versions of macOS.
Without zero-day support, companies risk not only errors and the dreaded kernel panics, but also a lapse in their data loss prevention strategy. This not only puts their data at risk, but if DLP tools are used as an active part of compliance policies with data protection regulations such as HIPAA, GDPR, PCI DSS etc., it can also lead to noncompliance and steep fines.
2. Minimum device performance impact
One of the main fears concerning the adoption of DLP tools company-wide is the sort of impact they will have on both the speed of devices they are monitoring and employees’ productivity.
Endpoint DLP solutions generally operate on a server-client architecture which means a client must be installed on a device for DLP policies to be applied. For that reason, it is essential that the products companies choose have a small digital footprint and a minimum impact on device performance.
3. Easy to update
Updates can be an irritating and constant interruption in employees’ daily work. They can become especially troublesome in the case of DLP solutions when admins are the ones pushing client software upgrades and updates.
It is important therefore that these can be easily applied, without requiring device reboot or reinstallation. In this way, updates can run smoothly in the background without ever bothering employees in their work.
4. Test for kernel panics
Kernel panics happen when Macs encounter a critical error and automatically shut down. The frequency of kernel panics depends on what’s causing the error: it can happen once every few weeks or every time a Mac is booted up. 90% of the time software conflicts are to blame.
Consequently, it is crucial that, when testing DLP products prior to purchase, companies test the client software to make sure it does not cause kernel panics in the Macs it’s installed on.
As Apple works on improving macOS’s security features and addressing the demands of enterprises, companies must not ignore its growing importance in the workplace and ensure they have a solid plan for protecting data stored on Macs.
5. Feature parity between operating systems
Most company networks run on multiple operating systems. Mac-only work environments are rare and are usually confined to the creative industries or small organizations. Bigger companies will oftentimes run on both Windows and macOS, sometimes adding Linux to the mix as well.
While organizations might be tempted to choose exclusively macOS-aimed DLP products, it’s important to keep in mind that an administrator needs to manage the DLP solution network-wide and that managing multiple solutions can prove a time-consuming and complicated task.
At the same time, because Microsoft Windows continues to be the network of choice in the business environment, DLP offerings for it are the most advanced and varied on the market, with macOS counterparts often being limited and treated as an afterthought. When choosing a product, organizations must check that there is feature parity between DLP tools for Windows and macOS to safeguard sensitive information more easily and efficiently. In this way, companies get the same level of protection for data, whether on a Windows PC or Mac.
Endpoint Protector by CoSoSys is an enterprise-grade DLP solution that offers cross-platform Device Control, Content Aware Protection, eDiscovery and Enforced Encryption. If you’re looking for an industry-leading solution to ensure that your sensitive data stays safe on your Macs, we invite you to get in touch with us and learn how we can support you in your efforts.
Frequently Asked Questions
Data is not only vulnerable to outside threats, but also to malicious intentions and the negligence of insiders. While there are several features inside Macs themselves that protect against certain types of data breaches such as FileVault and Open Firmware passwords, these offer no protection when the users themselves are the perpetrators.
This is where DLP solutions for Macs come into play. Through predefined policies, they can keep track of sensitive data, block or log its transfer, or delete or encrypt it when found on the Macs of unauthorized users. They can also help you monitor all ports and devices on Macs, flagging any suspicious activity.
Understanding what types of data your organization has and what level of protection each type requires is a critical first step. You also need to understand where that data resides, how and where it’s being used, and by whom.
A comprehensive Data Loss Prevention solution should have capabilities that will automatically discover, monitor, and protect your data across your network.
It should also help you gain visibility into where your data goes and who is using it, which will in turn help you better understand what protection you need and where as well as identify any gaps that might exist in your current processes.
Some DLP systems require lengthy and complex deployment plans that demand highly specialized skills to build. Be sure that you know what a typical deployment timeline is for each DLP software you are evaluating, but also what professional services will be required to get your DLP plan up and running.
You also must understand the ongoing, operational resources that will be needed to manage the solution. How easy is it to make policy changes as needed, what kind of training will be required for your team and end users, and does it meet your reporting needs?
Understanding what your company’s data security needs are in these key areas, and what a potential DLP can deliver, will help you identify the solution that best fits your environment and resources available.
Endpoint DLP solutions generally operate on a server-client architecture which means a client must be installed on a device for DLP policies to be applied. For that reason, it is essential that the products companies choose have a small digital footprint and a minimum impact on device performance.