Mac already has a lot of security tools built-in and can prevent virus and malware infections much better than Windows. You can read about all of these tools in detail on Apple’s app security overview.
That said, not all Mac security preferences are enabled by default. You’ll want to review them whenever you reinstall or update the system, and when you set up a new Mac. Great security is no good if it’s disabled.
In this blog post, we focus on Mac cyber security and leave Windows and other operating systems to someone more knowledgeable.
Mac Cyber Security Checklist
This checklist for Macs is split into five sections:
- Access Security (logins and passwords) – 5 checks
- Firewall & Sharing – 5+ checks
- macOS Updates – 5 checks
- Software Updates – 5+ checks
- System Integrity (FileVault, Gatekeeper, and similar) – 5 checks
This is an 80-20 checklist. It will cover the 20% of tasks you can do to prevent 80% of problems.
Instead of manually going through this list, you can also install the Pareto Security app (only $17 for Personal licenses) that checks all of this for you in a few seconds and does it on a daily basis.
If you want to do it on your own, follow the Mac cyber security checklist below.
Access Security
With these preferences, we’re preventing easy login to our Mac when someone gets physical access to it. This can prevent anything from annoyances, like children playing on your company’s Slack, to more serious issues, like a thief getting access to your business files.
Automatic login is off
Automatic login allows anyone to log into your Mac without a password, and this preference turns it off. We strongly recommend keeping automatic login off, even if your computer is mostly at home. If your computer is stolen, the thief will be able to access everything immediately. And if you have children, then you don’t want them playing on your administrator account.
If you have other people using your Mac, we recommend creating non-admin accounts for them.
Password after inactivity
This preference requires entering a password after Mac wakes from sleep or screen saver. In combination with automatic screen saver, it locks your computer after inactivity and requires the password to log back in.
Password to unlock preferences
This requires an admin password to unlock any system preferences. As such, it prevents other users from changing important preferences and that includes malicious programs that can launch under a different user.
Screen saver shows in 5 min
With the screen saver showing automatically and the password after inactivity preference, your Mac automatically locks and prevents easy login if someone gains physical access.
For developers: SSH keys require a password and use strong encryption
If you use SSH with key-based authentication, then the keys should be protected by a password or by hardware key authentication. If the device is stolen, it’s a lot harder to recover usable keys when they are protected this way.
A strong key size is required to prevent brute-forcing of the private key or at least delay it.
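As an added example (not part of the original checklist), the Python code below reads the unencrypted header of an OpenSSH-format private key and reports whether the key has a passphrase and, for RSA keys, how large the modulus is. The 3072-bit threshold, the function names and the make_sample helper (which builds constructed test keys with a dummy private section) are assumptions of this example; older PEM-format keys are not handled.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"

def read_string(buf, off):   # SSH wire string: uint32 length, then that many bytes
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated key blob")
    return buf[off + 4:off + 4 + n], off + 4 + n

def inspect_key(pem_text):
    """Return (encrypted, key_type, rsa_bits) from the unencrypted header of a key file."""
    lines = [l for l in pem_text.strip().splitlines() if not l.startswith("-----")]
    blob = base64.b64decode("".join(lines))
    if not blob.startswith(MAGIC):
        raise ValueError("not an openssh-key-v1 private key")
    cipher, off = read_string(blob, len(MAGIC))
    _kdf, off = read_string(blob, off)
    _kdf_opts, off = read_string(blob, off)
    pub, _ = read_string(blob, off + 4)       # skip the uint32 key count
    ktype, p = read_string(pub, 0)
    bits = None                               # only reported for RSA keys
    if ktype == b"ssh-rsa":                   # public blob: type, exponent e, modulus n
        _e, p = read_string(pub, p)
        n, _ = read_string(pub, p)
        bits = int.from_bytes(n, "big").bit_length()
    return cipher != b"none", ktype.decode(), bits

def findings(pem_text, min_rsa_bits=3072):    # threshold is an assumption of this example
    encrypted, ktype, bits = inspect_key(pem_text)
    out = []
    if not encrypted and not ktype.startswith("sk-"):   # sk-* keys need a hardware token
        out.append("private key has no passphrase")
    if ktype == "ssh-rsa" and bits < min_rsa_bits:
        out.append(f"RSA modulus is only {bits} bits")
    return out

def wire(b):
    return struct.pack(">I", len(b)) + b

def make_sample(cipher, ktype, rsa_bits=0):   # constructed sample, dummy private section
    if ktype == b"ssh-rsa":
        n = ((1 << (rsa_bits - 1)) | 1).to_bytes(rsa_bits // 8 + 1, "big")
        pub = wire(ktype) + wire(b"\x01\x00\x01") + wire(n)
    else:
        pub = wire(ktype) + wire(bytes(32))
    blob = MAGIC + wire(cipher) + wire(b"none") + wire(b"") + struct.pack(">I", 1) + wire(pub) + wire(bytes(8))
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(blob).decode() + "\n-----END OPENSSH PRIVATE KEY-----\n"
```

To check a real key, pass the contents of a file such as ~/.ssh/id_ed25519 to findings(); an empty list means neither problem was found.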
Firewall & Sharing
These preferences prevent (malicious) remote access to your Mac. The goal is to stop bots that scan the Internet for vulnerabilities from gaining access to your computer.
Firewall is on with enabled stealth mode
Firewall prevents contact from other computers on the Internet or on your network, but still allows access through the firewall for your apps. This is a must as it has almost no impact on your regular work while blocking potentially malicious requests to your computer.
Enabling stealth mode means your computer does not respond to ping requests.
Remote Login and Management are off
Remote Login and Management allow you, or someone else, to log into and manage your computer remotely. There are legitimate uses, like your company administrator helping you set up your Mac, but they should be disabled most of the time.
Sharing is off
Mac offers easy sharing of files, media, printers, Bluetooth, and many other services. While all of these can be useful when you’re in an office or at home, they should be disabled most of the time. You don’t want to share some files at home, only to have them still publicly available in a coffee shop.
These settings include:
- Screen Sharing
- Media Sharing
- Printer Sharing
- Remote Apple Events
- Internet Sharing
- Bluetooth Sharing
macOS Updates
macOS updates include not only system updates but also many security configurations, like malware definitions, security patches, and certifications.
The settings are:
- Check for updates
- Download new updates when available
- Install macOS updates
- Install app updates from the App Store
- Install system data files and security updates
Software Updates
App Store apps are up-to-date
Apps downloaded from the App Store are managed there. You can manually update them, or better yet enable auto-updates. You can do that by going to App Store’s Preferences and checking Automatic Updates.
Browsers are up-to-date
Browsers are your main contact with the internet and as such it’s important that you always use the latest version. Launch all your browsers every now and then and make sure they’re up-to-date. We would also recommend having them auto-update.
Messaging apps are up-to-date
Messaging apps are another contact with the outside world and potentially malicious actors. So you’ll want to keep them updated as well. A few examples are Zoom, Slack, or Facebook’s Messenger.
System Integrity
Boot is secure
If you use non-signed apps or test a lot of them, you might have disabled Mac’s security checks. Every now and then you’ll want to make sure the security workings are still in place.
FileVault is on
Without disk encryption, your files on the computer can be accessed without requiring a login to the computer. The person would not be able to access the operating system but they can still extract all files, documents, photos, and any sensitive data from your disk.
Even if your computer is always at home, the encryption takes no time on Big Sur and macOS versions and it can be automatically disabled with your iCloud account, so there is no reason not to have it.
Gatekeeper is on
Gatekeeper helps protect from malicious apps by not allowing installation of unnotarized applications. Gatekeeper is always on unless you disable it through the command interface. You can run spctl --status in your Terminal and the result should be
Time Machine backup
Backups are a must. They allow you to go back and find deleted files, restore a stolen Mac, and just have a general peace of mind that your files are available on at least two devices.
With Mac, backups are so easy, it’s a crime not to have Time Machine set up. All you need is an external disk that you choose as a Time Machine disk and you’re good to go. Just make sure you plug it in at least every week. And if you have it regularly connected to an external disk drive, check the automatic backup as well.
When you’re creating the Time Machine disk, make sure you encrypt it. The same rules apply as for using FileVault for your Mac.
WiFi connection is secure
Unsecured WiFi is defined as one where the connection between your Mac and the access point is not encrypted. This usually happens on public hotspots. In those cases, you’ll want to use a VPN (Virtual Private Network); otherwise, it’s strongly recommended that you avoid doing sensitive things, like sending important emails, accessing bank accounts, or shopping.
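Several of the checks above can be read from the command line instead of System Preferences. The following Python script is an added example, not part of the original checklist or of the Pareto Security app; it runs the stock macOS tools for five of the checks and classifies their output. The output patterns it matches are what these tools print on recent macOS releases, which is an assumption of this example because the wording has changed between versions.

```python
import re
import subprocess

FW = "/usr/libexec/ApplicationFirewall/socketfilterfw"

# Check name -> (command, test applied to (exit code, output)).
# The matched strings are assumptions about tool output on recent macOS releases;
# the stealth-mode pattern is loose because its wording differs between versions.
CHECKS = {
    "Automatic login is off": (
        ["defaults", "read", "/Library/Preferences/com.apple.loginwindow", "autoLoginUser"],
        lambda rc, out: rc != 0),   # the key is absent when no auto-login user is set
    "Firewall is on": ([FW, "--getglobalstate"],
        lambda rc, out: re.search(r"State = [12]", out) is not None),
    "Stealth mode is on": ([FW, "--getstealthmode"],
        lambda rc, out: re.search(r"stealth mode (is on|enabled)", out, re.I) is not None),
    "FileVault is on": (["fdesetup", "status"],
        lambda rc, out: "FileVault is On" in out),
    "Gatekeeper is on": (["spctl", "--status"],
        lambda rc, out: "assessments enabled" in out),
}

def run(cmd):
    """Run one command; return (exit code, output), or None if the tool is missing."""
    try:
        p = subprocess.run(cmd, capture_output=True, text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return p.returncode, p.stdout + p.stderr

def audit(results=None):
    """Return {check: 'pass' | 'FAIL' | 'unknown'}; results can be injected for testing."""
    report = {}
    for name, (cmd, ok) in CHECKS.items():
        res = results.get(name) if results is not None else run(cmd)
        report[name] = "unknown" if res is None else ("pass" if ok(*res) else "FAIL")
    return report

if __name__ == "__main__":
    for name, status in audit().items():
        print(f"{status:8} {name}")
```

A check reported as unknown means the tool could not be run, for example when the script is executed on something other than macOS.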
Other Security Considerations for Mac Users
With the above, you’ve covered the 80%. Here are a few more tasks if you want to be more thorough in your cyber security.
While Mac has Keychain as a password manager, it leaves a lot to be desired. If you are sharing passwords with your coworkers, employees or family, you’ll want to use a better password manager. There are two main options: 1Password and Dashlane. Both have similar features and offer easier control of your passwords.
A note on antivirus software on Macs
There are many antivirus and anti-malware options out there. However, for us, as a company with almost 10 Mac devices, most of us having used them for more than a decade, we haven’t ever had issues with viruses.
It is completely up to you. If you feel you might benefit from antivirus protection and you don’t trust your browsing habits, then feel free to purchase one. But if you know the risks when it comes to clicking links and plugging in USB keys, then the chances of getting a virus are really slim.