Most Mac users don’t spend much time worrrying about computer viruses, but many companies wonder if they need to install anti-virus software on their corporate Macs. Nope, at least according a recent Forrester Research report that says the performance degradation caused by most AV technology outweighs the malware risks on a Mac. But that doesn’t mean Mac security isn’t a concern.
Not Windows Vs. Mac
The advice comes not because Macs are inherently more secure than Windows PCs. They’re not. Rather, the advanced viruses and Trojans most likely to infect Macs are seldom spotted by today’s AV software, which is more effective at catching run-of-the-mill malware distributed by less sophisticated hackers. The majority of those malicious apps are still aimed at Windows, so AV technology is more effective on those systems.
“Some companies have done just fine having no anti-virus at all on their Mac population,” said David Johnson, a Forrester analyst and author of the report on managing Macs in the Windows-dominated computing environment found in most businesses.
Mac & Windows: Equally Secure
For years, Apple marketed the Mac as more secure than Windows PCs, driving a longstanding debate between fans of the two personal computer platforms. The majority of security experts today agree that the systems are roughly equally secure, with the Mac’s biggest defense being its much smaller market share. Unless targeting specific companies or industries, cybercriminals typically launch hundreds of millions of malware-carrying spam to the biggest target, hoping to snare a tiny fraction of the recipients.
Johnson’s practical advice stems more from the dismal architecture of today’s AV technology than any desire to rekindle the security debate. “It (AV) needs architectural changes,” he said. “It should be completely unobtrusive and transparent, and that has not been the case for some of the anti-virus tools out there.”
In his report, Johnson derides AV software as “notorious resource hogs.” Scanning typically begins immediately after boot-up and continues for minutes while employees sit idly by. “Add this time up every day for a year, and it’s man-days worth of lost productivity for each computer,” the report complains.
The lost productivity eclipses any benefit from AV technology on the Mac, according to IT administrators Forrester interviewed. Instead, the researcher recommends making use of other tools that are less intrusive and work for many companies. Which steps a company takes will depend on the level of security needed.
6 Recommended Anti-Virus Alternatives
One easy-to-use tool is the personal firewall that ships with the Mac operating system. The software can be configured on a per-application basis to allow some ports to remain open to inbound connections. In addition, it can be configured enterprise-wide on a policy basis.
Another security mechanism is Gatekeeper, which ships with Mountain Lion, the latest version of Mac OS X. The malware prevention tool can be set to ensure that only software from Apple’s Mac App Store or vendors with Apple-issued credentials can be installed.
Skipping AV technology means other tools will be needed to combat infections. A strong automated recovery tool set, such as Archiware and Crashplan, is needed, so a Trojan-infected Mac can be restored to a pre-infection state that includes the users’ files and settings. Forrester see this option as much faster and easier than the AV alternative of finding and removing malware. “Modern Trojans require anti-malware vendors to develop extraordinary countermeasures, which can take weeks or even months to develop, test and deploy,” the report says.
Patching is key to preventing run-of-the-mill malware from infecting known vulnerabilities, so Forrester recommends Mac tools like Casper Suite or Absolute Software to keep systems up to date. In addition, tools like Centrify are available to apply group policies for password strength, automated lockout and other security measures.
For companies in highly regulated industries, endpoint data loss prevention (DLP) software is available, if really needed. Like AV technology, DLP is resource intensive and can cause significant frustrations to end user. “DLP should be reserved for highly regulated vertical [market]s or for specific groups in which the consequences of data loss far outweigh the productivity costs,” Forrester advises.
Finally, the analyst firm recommends companies use Apple’s native disk encryption tool to encrypt the Mac’s entire hard drive. While such tools are often resource intensive, users have reported little impact from using Apple’s technology.
Still The ‘Wild West’
No one is saying allowing Macs into a Windows environment is risk free. While the methods to deal with problems are different, security is critical on both platforms, and companies do need to pay as much attention to employees’ Macs as to the company’s Windows PCs.
“In too many cases, the thinking is lock down all the Windows boxes, but the Mac users are left on their own. It’s kind of a Wild West where anything goes,” said Aaron Freimark, chief technology officer for Mac service provider Tekserve. “But you’re subject to vulnerabilities too.”
So skip the anti-virus technology and pay close attention to the alternatives.