08 Feb Hard Drive Encryption for Your Macs is Free From Apple – Why Aren’t You Leveraging its Protection?
2014 and 2015 have been monumental years for data breaches and for the costs businesses incurred because of them. According to a study released by IBM and the Ponemon Institute, the average total cost of a data breach increased to $3.79 million in 2015.
While Sony Pictures Entertainment, JPMorgan Chase, Target, Ashley Madison, and the U.S. government are high-profile victims, it only takes one laptop forgotten in the back of a taxi cab or left in an airplane seat-back pocket to put you in the sights of a possible attack.
Now, data breaches have many causes. Hacking incidents, whether by brute force or social engineering (think skimming or phishing attacks), are by far the most popular means for getting to your personal or corporate data. However, in second place, at 15% of all data breaches, is the category of employee negligence, which includes lost or stolen devices.
What’s crazy is that while you can’t prevent people from being forgetful, or prevent humans from stealing from one another, you can prevent your data from being accessible if one of your devices ends up in this situation.
So how is that done? It’s done by encrypting the hard drive so its contents cannot be read without the decryption key, which is your logon password, so it’s not like your end users have to remember anything unique. And, conveniently for you, built directly into OS X, for free, is FileVault – the premier hard drive encryption tool for your Mac. All you have to do is enable it and reap the benefits of its protection.
Without an encrypted drive, all one would need to read all of the data from a stolen or lost laptop would be a screwdriver, a $20 hard drive enclosure, a computer and about 30 minutes of free time. Do you know of anyone that might have all four of those ingredients?
We all do, right? Retrieving data from a device is not rocket science.
Okay, knowledge of why you need to encrypt your hard drives is only going to take you so far. How to encrypt every Mac you have is just as important, if not more so. Built into LANDESK Security Suite 2016, released on Friday, February 5th, is the capability to not only enable FileVault remotely, but to capture the backup encryption key just in case your users forget their logon password—and we all know that for some people, remembering their password is as complicated as rocket science.
Follow the brief steps below or watch this walkthrough video to learn how to leverage LANDESK to encrypt your Macs and manage your FileVault keys. Then sit back and rest a bit easier, knowing that when the next laptop from your corporation is lost or stolen, the data is encrypted and safe from prying eyes.
- Launch the LANDESK Console
- If not yet done, upgrade the Mac agent to the 2016 LANDESK agent
- Select Security and Compliance and then open the Patch and Compliance Window
- For convenience, change the ‘All Types’ dropdown button to Security Threats
- Find the security threat ‘FileVaultActivation-10 ID’, right-click on it and create a Repair task
- Note: If you don’t see the FileVaultActivation-10 ID, ensure you’re downloading Apple Mac Security Threats in the “Download Updates” portion of the patch manager tool.
- Apply your desired task settings, decide if you’re going to make it required or make it available via LANDESK Workspaces, add your targets and schedule the task.
- Once the client devices receive the task, a prompt will display letting the user know encryption has been enabled and asking the user to restart so that the process can commence at the next login event.
- At the next login event, the active user will be enabled for FileVault. The machine will then restart.
- Log in to the pre-boot screen with the authorized account.
- The authorized user can now use the machine; however, it may be a bit slow while the encryption process finishes. Status can be seen by going to Settings > Security & Privacy and clicking on the FileVault tab.
- If additional users on the device need to be enabled, the first FileVault authorized user will need to enable the accounts by clicking on the Enable Users button on the FileVault tab in Security & Privacy. The account passwords for the additional accounts will need to be entered to complete this step.
- If desired, run an inventory scan to see the updated FileVault status in inventory. This step is optional as the regular inventory scanner schedule will send the updated status change automatically.
- Return to the LANDESK Console and go to Configuration > Client Data Storage to view the key stored for the client.
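
To confirm from Terminal on the client that the repair task took effect, Apple's `fdesetup status` command reports the same state the FileVault tab shows. The script below is an added example, not LANDESK's code or part of the original post; its function names are hypothetical, and treating the "deferred" state as the window between receiving the task and the next login is an assumption.

```shell
#!/bin/sh
# Added example: interpret `fdesetup status` output on a managed Mac.
# Function names are hypothetical; sample strings in tests are constructed.

# classify_fv_status TEXT -> encrypted|encrypting|decrypting|deferred|off|unknown
# Progress and deferred lines are checked first because they appear
# alongside a "FileVault is On/Off." line in the same output.
classify_fv_status() {
    case $1 in
        *"Encryption in progress"*) echo encrypting ;;
        *"Decryption in progress"*) echo decrypting ;;
        *"Deferred enablement"*)    echo deferred ;;
        *"FileVault is On"*)        echo encrypted ;;
        *"FileVault is Off"*)       echo off ;;
        *)                          echo unknown ;;
    esac
}

# fv_percent TEXT -> conversion progress (e.g. 33), empty if none reported
fv_percent() {
    printf '%s\n' "$1" | sed -n 's/.*Percent completed = \([0-9.]*\).*/\1/p'
}

# fv_compliant TEXT -> success only if the disk is encrypted or encrypting
fv_compliant() {
    case $(classify_fv_status "$1") in
        encrypted|encrypting) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_host: run on the Mac itself; prints "host: state [percent%]"
audit_host() {
    command -v fdesetup >/dev/null 2>&1 || { echo "fdesetup not found"; return 2; }
    out=$(fdesetup status 2>&1)
    pct=$(fv_percent "$out")
    echo "$(hostname): $(classify_fv_status "$out")${pct:+ ${pct}%}"
    fv_compliant "$out"
}

if [ "${1:-}" = "--audit" ]; then audit_host; fi
```

Run it with `--audit` on the Mac; a non-zero exit status marks a device whose disk is not yet encrypted or encrypting, which makes it easy to flag in a scheduled check.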