Apple devices have been sneaking up on businesses, and now the tsunami is here. IDC predicts a 20% increase in business use of Macs this year – and at companies like Cisco, 59% of new hires choose Macs over PCs. Employees across industries also use iPhones and iPads to access corporate resources. So, it’s not surprising cybercriminals are increasingly targeting corporate Apple devices or that CIOs are worried about the potential challenges in controlling how AI is used, whether directly on devices with Apple Intelligence or leaking key data to various AI platforms.
Also Read: How Understanding Customer Needs Fuels Product Success
While Apple devices are built to be secure, they require continuous maintenance and management. The myth that they are impenetrable has caused many organizations – particularly those that are traditionally Windows-based – to overlook timely Apple OS updates, patch management, and security compliance. Doing so now is foolhardy and dangerous.
Increasing Cyber Vulnerability
Cybercriminals who target enterprises traditionally focused on Windows devices because that’s what the overwhelming majority of employees used. However, with more Apple devices in the enterprise and arguably higher valued data on those devices, cybercriminals have taken notice.
Malware targeting Macs has increased 50% since 2023. Phishing campaigns targeting iPhone users are also on the rise, with attackers texting users and attempting to solicit their Apple IDs and penetrate personal as well as corporate data.
Many organizations are lulled into security complacency, however, due to Apple’s reputation for robust, built-in device security features and its steadfast commitment to security practices. For instance, their devices are built with a multi-layered security model that integrates both hardware and software protections to keep users and their data safe. Apple also delivers patches for critical security vulnerabilities between software updates to help IT organizations that manage their devices boost security against known emerging threats.
However, all this only goes so far. For example, a recent study found security controls on macOS prevented only 23% of simulated cyberattacks. IT leaders need to be much more vigilant.
AI Adds to Concerns
AI clearly promises to have positive impacts on wide-ranging aspects of business. 75% of knowledge workers around the world already use AI in some form or another—from standalone ChatGPT to AI built into popular software, such as Microsoft Co-Pilot, and on devices such as Apple Intelligence, which will be delivered in the newest iOS, macOS, and iPadOS versions.
While these are exciting developments, many organizations are rightly concerned. There are privacy and security risks that come from unintended data sharing when employees use AI tools hosted on external servers—such as when Samsung employees using ChatGPT unwittingly leaked trade secrets. Perhaps it’s no surprise, then, that 72% of US CISOs are worried generative AI could result in security breaches.
There’s also the risk of non-compliance with internal corporate policies and external regulations such as NIST, DISA STIG, CMMC, GDPR, CCPA, and HIPAA. Plus, there is reason to be cautious about intellectual property risks stemming from using AI tools to generate code, text and designs, raising questions about who owns the output. And, of course, there’s the potential for decisions to be made based on faulty information, as AI models are only as good as the data that feeds them.
As a result, some businesses, government agencies, and educational institutions don’t allow AI on devices. Even still, employees and students use AI tools in the “shadow”, without the IT department’s approval, oversight, or knowledge. Other organizations are open to AI but want to fully understand its implications before deciding when, or even whether, to enable it. They all need more control than they have.
Also Read: An Evolutionary Approach to Artificial Intelligence
Best Practices for Apple Device Security
To keep up with the rapidly changing Apple security landscape, organizations need 24/7 enforcement to protect devices in real time. With today’s distributed IT landscape—and large remote workforces—a zero-touch, zero-trust environment is also a must.
IT leaders can use Apple-specific mobile device management tools to ensure their teams can remotely and automatically enact the following while reducing their burden:
- Enforce strong password standards, make MFA non-negotiable, and blacklist apps that have known security gaps or that violate corporate policies. This helps ensure that stolen or lost devices and weak passwords won’t put sensitive data in the hands of unauthorized users and bad actors
- Monitor devices to ensure security software, patches, and apps are up to date and check for vulnerabilities in real time
- Immediately block or wipe macOS, iOS or iPadOS devices if users unwittingly install malware or devices are at risk of being otherwise compromised
- Use activation lock recovery to regain control over the device
- Restrict Wi-Fi access to only pre-configured wireless access points without having to share passwords
- Create, share, and enforce policies pertaining to AI to minimize organization’s exposure to IP lawsuits, poor decisions, and competitive disadvantage; and reduce the chance of students and professors unwittingly plagiarizing and then failing courses and losing jobs
- Effortlessly enforce adherence to evolving compliance benchmarks, which helps eliminate potential fines and reduce security and data privacy breaches.
Compliance Tips
Compliance benchmarks take the guesswork out of cybersecurity. They provide an exact roadmap on which industry, governmental, and cybersecurity best practices to apply.
- Understand Obligations
In some instances, businesses don’t have much choice in the matter. Insurance providers may require an organization’s Apple fleet to follow certain standards. Some industries also have to meet specific benchmarks to pass audits.
- Assess Needs
Even organizations that don’t have auditory or legal compliance requirements still want their devices to be protected. To decide which benchmarks and baselines to follow, consider how many devices the company manages, intellectual property risks, and whether users handle sensitive information like social security numbers or medical documents.
- Don’t Overdo It
There are multiple compliance benchmarks and baselines — each with potentially hundreds of cybersecurity best practices to follow. To truly maintain a zero-trust environment, it might be tempting to implement every single recommendation.
However, implementing too many can turn machines into bricks. Plus, end users won’t be happy or productive with severely reduced functionality.
Start with the essentials, then move up the ladder only as necessary.
For instance, regardless of industry, it’s best to follow the Center for Internet Security (CIS) Level 1 compliance benchmarks. The framework includes 88 rules, compared to roughly 200+ in frameworks that highly security-conscious organizations follow. For instance, healthcare must abide by HIPAA. Some government agencies and vendors need to follow DISA STIG and CMMC. Those whose users handle highly confidential information should pull from the NIST catalog.
Apple devices have crossed the chasm. They’re an integral and growing part of the business world. Now is the time for IT leaders to ensure their teams can effectively and effortlessly secure and manage them.
[To share your insights with us as part of editorial or sponsored content, please write to psen@itechseries.com]
