Free Republic

Most Apple devices lack proper security for the enterprise
CIO Magazine ^ | Aug 24, 2015 7:00 AM PT | By Matt Kapko

Posted on 08/24/2015 5:05:14 PM PDT by Swordmaker

Apple's Macs, iPhones and iPads are common in the modern workplace, but relatively few of these devices comply with standard security requirements, according to a new survey.

Nearly half of all U.S. employees use at least one Apple device at work, but most of those gadgets lack common security protocols required by many enterprises, according to a new survey commissioned by Centrify, a company that sells enterprise security and management software for Apple products.

Last month, Centrify asked 1,004 business professionals about how they use computers and smartphones in the workplace. Respondents used a total of 1,309 Apple devices at work, including 191 Macs, 387 iPads and 731 iPhones, according to Centrify. All of the respondents were employed full-time at companies with at least 20 employees, from various industries including healthcare and financial services, according to Centrify.

Security often not a priority on Apple devices

The survey, which was conducted by Dimensional Research, found that 45 percent of respondents use at least one Apple device for work, to access corporate email, documents and business applications. Of those gadgets, 63 percent were employee-owned. More than half, or 51 percent, of all the users' Apple devices were secured by single-word passwords or numerical PINs, and 58 percent of those devices had no software or policies to enforce the use of stronger passwords. The survey also found that 56 percent of Apple device users shared their passwords with others, and only 17 percent had company-supplied password managers.

In addition, only 28 percent of respondents' Apple devices had company-provided device management solutions, and 35 percent of the people work for companies that enforce data encryption on Apple devices. Almost 60 percent of the Macs represented in the survey were used to access confidential company information, and 65 percent of those systems were used to access sensitive or regulated customer information, according to the survey.

The results spotlight the high usage rates of unmanaged Apple devices in the workplace, according to Centrify, and they reinforce the risks organizations face when IT professionals don't have the necessary resources to make sure devices comply with security policies.


TOPICS: Business/Economy; Computers/Internet
KEYWORDS: applepinglist
To: Swordmaker
No, it is a confirmation biased article from someone who doesn't like Apple devices in the Enterprise IT structure. .

The article is from someone who's apparently selling third-party software to help IT departments manage and enforce security policies on Apple devices. Why would they not like Apple devices in the Enterprise IT structure? They'd be out of business without them.

21 posted on 08/24/2015 7:36:47 PM PDT by tacticalogic
[ Post Reply | Private Reply | To 17 | View Replies]

To: SES1066; Dr. Sivana; LoneStar42; umgud; smokingfrog; Nep Nep; Flick Lives; KosmicKitty; ...
Validation from Six Colors:

Apple’s “lack” of enterprise security is anything but

This rather terrible CIO story’s headline is “Most Apple devices lack proper security for the enterprise” and its even more “damning” sub-headline is:

Apple’s Macs, iPhones and iPads are common in the modern workplace, but relatively few of these devices comply with standard security requirements, according to a new survey.

But the article itself paints a different picture:

More than half, or 51 percent, of all the users’ Apple devices were secured by single-word passwords or numerical PINs, and 58 percent of those devices had no software or policies to enforce the use of stronger passwords. The survey also found that 56 percent of Apple device users shared their passwords with others, and only 17 percent had company-supplied password managers.

In addition, only 28 percent of respondents’ Apple devices had company-provided device management solutions, and 35 percent of the people work for companies that enforce data encryption on Apple devices. Almost 60 percent of the Macs represented in the survey were used to access confidential company information, and 65 percent of those systems were used to access sensitive or regulated customer information, according to the survey.

So, it’s not that Apple devices don’t comply with the security features, it’s that those companies’ IT department don’t enforce the offered security properly or at all. Which is a bit like calling a car unsafe because you choose not to use the brakes.

Apple used to get a lot of flack for not being business-oriented, but it’s pretty hard to argue that they’re not a major player in enterprise these days, especially given the deal Apple struck with IBM last year.

So it’s always wise to ask yourself: where, exactly, do these stories come from?

Nearly half of all U.S. employees use at least one Apple device at work, but most of those gadgets lack common security protocols required by many enterprises, according to a new survey commissioned by Centrify, a company that sells enterprise security and management software for Apple products. [emphasis added]

Shocker.

It is nice when other pundits come to the same conclusions you do. . .

22 posted on 08/24/2015 10:42:03 PM PDT by Swordmaker ( This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
[ Post Reply | Private Reply | To 1 | View Replies]

To: tacticalogic
The article is from someone who's apparently selling third-party software to help IT departments manage and enforce security policies on Apple devices. Why would they not like Apple devices in the Enterprise IT structure? They'd be out of business without them.

The author of the article is NOT from the company selling the software. The survey is.

23 posted on 08/24/2015 10:43:16 PM PDT by Swordmaker ( This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
[ Post Reply | Private Reply | To 21 | View Replies]

To: Swordmaker

What’s the source of that article? The link says it doesn’t exist.


24 posted on 08/25/2015 3:32:51 AM PDT by tacticalogic
[ Post Reply | Private Reply | To 22 | View Replies]

To: Swordmaker
Not misleading but simply a puff piece for Microsoft's policy settings. For a decade or more our corporate admins could set password policy in a setting in Windows security policy. In fact there are dozens of relevant settings. E.g. Enforce password history, Maximum password age, Minimum password age, Minimum password length, Password must meet complexity requirements, and Store passwords using reversible encryption.

For that last one it says "Do not use this setting unless you use a program that requires it." In contrast Unix and MacOS store passwords in the most secure way possible: a salted one-way hash. As someone pointed out on stackexchange it would take 2000 years to crack an eight character password. All the other policies are feel-good window dressing with almost no practical security value. Real security comes from a simple and public implementation of secure storage (salted multiple-iteration hashes) and comparison (timeout and try-limited). There's no reason to enforce a length or complexity requirement other than very trivial ones (e.g. a small length requirement and blacklist).

25 posted on 08/25/2015 8:59:51 AM PDT by palmer (Net "neutrality" = Obama turning the internet into FlixNet)
[ Post Reply | Private Reply | To 1 | View Replies]

To: palmer
Not misleading but simply a puff piece for Microsoft's policy settings. For a decade or more our corporate admins could set password policy in a setting in Windows security policy. In fact there are dozens of relevant settings. E.g. Enforce password history, Maximum password age, Minimum password age, Minimum password length, Password must meet complexity requirements, and Store passwords using reversible encryption.

You may have a point there, palmer.

A lot of that is what I call "busywork IT security junk" that doesn't really provide any more security except for IT jobs. . . It lets them show their non-IT superiors, who they don't really consider their "superiors," that they are "doing something" to justify what they are being paid. . . especially the busy work of requiring everyone, including the boss to change passwords every-so-often, whether they want to or not.

26 posted on 08/25/2015 11:19:02 AM PDT by Swordmaker ( This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
[ Post Reply | Private Reply | To 25 | View Replies]

To: tacticalogic
What’s the source of that article? The link says it doesn’t exist.

CIO Magazine, CIO.com. . . it's there right now at 11:30AM Tuesday.

By-the-way, the author of the article, Matt Kapko, according to a link on his name, is a Senior Writer at CIO Magazine.

"Matt Kapko specializes in the convergence of social media, mobility, digital marketing and technology. As a senior writer at CIO.com, Matt covers social media and enterprise collaboration. Matt is a former editor and reporter for ClickZ, RCR Wireless News, paidContent and mocoNews, iMedia Connection, Bay City News Service, the Half Moon Bay Review, and several other Web and print publications. Matt lives in a nearly century-old craftsman in Long Beach, Calif. He enjoys traveling and hitting the road with his wife, going to shows, rooting for the 49ers, gardening and reading."

The comments at the article are, except one which is a spammer, all critical of the article.

27 posted on 08/25/2015 11:31:40 AM PDT by Swordmaker ( This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
[ Post Reply | Private Reply | To 24 | View Replies]

To: Swordmaker

The comment is linked to #22.


28 posted on 08/25/2015 11:35:19 AM PDT by tacticalogic
[ Post Reply | Private Reply | To 27 | View Replies]

To: Swordmaker
A lot of that is what I call "busywork IT security junk" that doesn't really provide any more security except for IT jobs. . . It lets them show their non-IT superiors, who they don't really consider their "superiors," that they are "doing something" to justify what they are being paid. . . especially the busy work of requiring everyone, including the boss to change passwords every-so-often, whether they want to or not.

That just shows how ignorant you are of enterprise IT environments. Those password requirements are put into place to satisfy the IT security auditors that were hired by those "non-IT superiors".

29 posted on 08/25/2015 11:51:34 AM PDT by tacticalogic
[ Post Reply | Private Reply | To 26 | View Replies]

To: tacticalogic
That just shows how ignorant you are of enterprise IT environments. Those password requirements are put into place to satisfy the IT security auditors that were hired by those "non-IT superiors".

Who support the IT people's jobs. . . and are invariably Windows oriented and biased to a man. I've run into them. It's still worthless busy work that gains no added security. . . for example, requiring people to change passwords too frequently merely forces them to write the new passwords down in some convenient place—always close to their computer and easily found, usually on a sticky note somewhere near their computer monitor, or even on the bottom of their keyboard, or taped to the pull out writing extension of their desk, with a list of previous passwords with lines through them—instead of memorizing them. I've seen this too many times. That's security?

30 posted on 08/25/2015 12:20:24 PM PDT by Swordmaker ( This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
[ Post Reply | Private Reply | To 29 | View Replies]

To: Swordmaker
for example, requiring people to change passwords too frequently merely forces them to write the new passwords down in some convenient place—always close to their computer and easily found, usually on a sticky note somewhere near their computer monitor, or even on the bottom of their keyboard, or taped to the pull out writing extension of their desk, with a list of previous passwords with lines through them—instead of memorizing them. I've seen this too many times. That's security?

No, that's the other end of the spectrum from not changing them at all. Anybody who thinks enforcing password policies for minimum password length and complexity, and requiring them to be changed periodically is "worthless busy work that gains no added security" doesn't have any business advising anyone on enterprise IT security.

31 posted on 08/25/2015 12:29:10 PM PDT by tacticalogic
[ Post Reply | Private Reply | To 30 | View Replies]

To: tacticalogic
Apple’s “lack” of enterprise security is anything but

It's a site maintained by a group of long time tech pundits. . .

This is what the site says about itself:

About Six Colors

Jason Snell

Six Colors provides daily coverage of Apple, other technology companies, and the intersection of technology and culture. Its founder and editor in chief is Jason Snell. That’s me!

I was the lead editor for Macworld for more than a decade. For a couple of years I also oversaw editorial operations for PCWorld, and launched TechHive and Greenbot. All told I worked for IDG for 17 years and Ziff-Davis for three before that. That adds up to two decades of doing technology journalism and covering Apple at close range.

During my time at Macworld, I covered every major Apple product release, including every version of OS X, the iPod, iPhone, and iPad, and much more. I’ve written breaking news, interviewed executives (including Steve Jobs), reviewed major products, written how-to articles, penned award-winning editorials, shot and edited videos, produced podcasts… you name it. I left IDG in 2014.


32 posted on 08/25/2015 12:30:14 PM PDT by Swordmaker ( This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
[ Post Reply | Private Reply | To 28 | View Replies]

To: tacticalogic
No, that's the other end of the spectrum from not changing them at all.

What part of the phrase: ". . . too frequently. . . " do you fail to comprehend?

33 posted on 08/25/2015 12:35:17 PM PDT by Swordmaker ( This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
[ Post Reply | Private Reply | To 31 | View Replies]

To: Swordmaker

So now we’ve got Jason Snell, and Dan Moren. Both of them are MacWorld writers. No surprise that they don’t fault the device for not having an enforcement mechanism, they just lay the blame on the IT department for failure to enforce.


34 posted on 08/25/2015 12:42:29 PM PDT by tacticalogic
[ Post Reply | Private Reply | To 32 | View Replies]

To: Swordmaker
What part of the phrase: ". . . too frequently. . . " do you fail to comprehend?

How did you manage to not understand "too frequently" being the opposite end of the scale from "not at all"?

35 posted on 08/25/2015 12:44:18 PM PDT by tacticalogic
[ Post Reply | Private Reply | To 33 | View Replies]

To: tacticalogic
So now we’ve got Jason Snell, and Dan Moren. Both of them are MacWorld writers. No surprise that they don’t fault the device for not having an enforcement mechanism, they just lay the blame on the IT department for failure to enforce.

No, Tacticalogic, we have two pundits who know a lot more than you about the operation of UNIX and Mac that are aware it is not a device level function to enforce such policies. As one of the commenters on the CIO magazine article who dismissed the "study" commented:

"Clickbait for sure!

As a senior IT director at a Fortune 5 company I am deeply disappointed, for not only read the misleading headline, but that CIO would be used to essentially sell a company's wares with a need proved by their own survey.

While Centrify talked to 1,000 users we have more than 27,000 personally owned (BYOD) iOS devices, which I welcome them to call, all managed using AirWatch which addresses all of the issues here...other than sharing passwords of course..I mean really Centrify?

Guess who is on my do not return call list! ;-)"

AirWatch is an Atlanta-based provider of enterprise mobility management (EMM) software and standalone management systems for content, applications and email.

In July 2013, the company acquired Motorola Solutions's MSP (Mobility Services Platform) and extended management capabilities to ruggedized devices.

It easily supports iOS devices and provides such security management of remote devices.

36 posted on 08/25/2015 1:33:49 PM PDT by Swordmaker ( This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
[ Post Reply | Private Reply | To 34 | View Replies]

To: Swordmaker
AirWatch is an Atlanta-based provider of enterprise mobility management (EMM) software and standalone management systems for content, applications and email.

More third party management software.

37 posted on 08/25/2015 1:57:13 PM PDT by tacticalogic
[ Post Reply | Private Reply | To 36 | View Replies]

To: Nep Nep

Biometrics is fine if done right. Apple can’t your fingerprints securely stored on your iPhone.


38 posted on 08/25/2015 5:02:08 PM PDT by ctdonath2 (The world map will be quite different come 20 January 2017.)
[ Post Reply | Private Reply | To 15 | View Replies]

To: Swordmaker

Yep, I’ve been there and had that done to me. I own my own mac with my own careful browsing etc and don’t need any “help” from corporate IT. I’ve used one password since around 1987 with minor variations and a second one for about 10 years.


39 posted on 08/25/2015 6:42:23 PM PDT by palmer (Net "neutrality" = Obama turning the internet into FlixNet)
[ Post Reply | Private Reply | To 26 | View Replies]

To: tacticalogic

Can you give me a good reason why my almost 30 year old password is no good anymore? The only one I can think of is someone gets ahold of discarded unix hard drives that had weak hashes back then. Even if they get the password it won’t do much good in a rainbow table nowadays since almost every hash is salted. I would argue that with the maturity of such techniques the need for changing passwords is basically gone.


40 posted on 08/25/2015 6:48:50 PM PDT by palmer (Net "neutrality" = Obama turning the internet into FlixNet)
[ Post Reply | Private Reply | To 31 | View Replies]
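The storage and comparison scheme raised in posts 25 and 40 (salted multiple-iteration hashes, try-limited verification), sketched as an added example that is not part of any poster's message. The `CredentialStore` class, the iteration count and the lockout values are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 200_000      # assumed work factor; tune to your hardware
MAX_FAILURES = 5          # assumed try limit before lockout
LOCKOUT_SECONDS = 300     # assumed lockout window


def hash_password(password, salt=None):
    """Return (salt, digest) from PBKDF2-HMAC-SHA256 with a per-user random salt."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


class CredentialStore:
    """Hypothetical in-memory store: keeps salt and digest, never the password."""

    def __init__(self, clock=time.monotonic):
        self._records = {}    # user -> (salt, digest)
        self._failures = {}   # user -> (failure count, locked_until)
        self._clock = clock

    def enroll(self, user, password):
        self._records[user] = hash_password(password)

    def verify(self, user, password):
        """Return 'ok', 'denied' or 'locked'."""
        now = self._clock()
        count, locked_until = self._failures.get(user, (0, 0.0))
        if now < locked_until:
            return "locked"   # refuse during lockout without computing a hash
        if locked_until and now >= locked_until:
            count = 0         # lockout expired; start a fresh window
        record = self._records.get(user)
        if record is None:
            # Hash anyway so unknown users cost about the same time as known ones.
            hash_password(password, b"\x00" * 16)
            return "denied"
        salt, expected = record
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, expected):   # constant-time comparison
            self._failures.pop(user, None)
            return "ok"
        count += 1
        locked_until = now + LOCKOUT_SECONDS if count >= MAX_FAILURES else 0.0
        self._failures[user] = (count, locked_until)
        return "denied"
```

Because each user gets a fresh random salt, two users with the same password store different digests, which is why a precomputed (rainbow) table does not apply to the stored values.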

