Security lessons from a Mac-only fintech company

Apple remains a highly secure choice for enterprise professionals, but security threats remain and the environment requires sophisticated endpoint management tools, according to Build America Mutual (BAM) CTO David McIntyre.

The Mac only bank

BAM, one of the leading U.S. municipal bond insurers, has insured more than $65 billion since its launch in 2012. It also has the rare distinction of being a fintech firm that is completely based on Macs.

In fact, it has been an Apple-based enterprise since the start.

“The founders all use Macs at home,” McIntyre explained. “We said, ‘Let’s try to build a financial firm that uses Macs.'”

When the company launched, it also found that most of its potential employees used Macs, so it made even more sense to standardize around Apple’s platforms. “We thought it would be easier and would let a small team support the employees,” he said.

McIntyre spoke at last week’s Jamf JNUC event to talk about the recently announced Jamf Protect endpoint security solution, as noted here and here.

The challenge his company faced is that it deals with financial transactions valued at billions of dollars for huge clients – and is based in New York, which has legendarily tough cybersecurity regulations.

This means BAM must use the best security protection it can get.

The Apple security environment

The company has learned as it grows – among other lessons, it has found that the security environment for even Apple’s platforms is increasingly complicated.

“Five years ago, security was probably 10% of the jobs” of the company’s system admins, said McIntyre.

“Now probably 50-60% of their time is spent on cybersecurity,” he added, “not just because of cybersecurity regulations, but also because we’ve become a lot more aware of the security environment. It’s a thing that keeps me up at night.”

Despite the size of its business, BAM is a small firm with just two system admins to handle the technical needs of its 100 employees.

Apple has a great reputation for security, and usually moves fast to address platform-based threats. But those aren’t the only exploits that exist.

Regular security and OS updates and speedy response to most identified challenges mean the platform is innately robust. But while virus checkers and firewalls can provide permiter protection, most security researchers now agree that the threat environment demands more complete insights into device and machine security.

The Mac malware challenge

Mac malware does exist – and while Apple’s platform has lots of built-in protection, the biggest security vulnerability tends to be the humans using the computers and the applications they choose to install on them. “One common way malware is distributed is by embedding it in a harmless-looking app,” Apple states on a support page.

When BAM started in business, it relied only on Apple’s security. “We’d always relied on software updates,” said McIntyre. “I hadn’t realized the need for endpoint protection.”

He came to understand the need for tougher protection as his awareness of the big picture around Mac security grew, and as the number of attempts made against Apple’s platforms made against Apple’s platforms continues to increase.

Chrome browser plug-ins: ‘A real Wild West’

BAM now uses Jamf’s new endpoint security solution, which has already protected it against threats.

McIntryre told the JNUC audience about one of these:

“A few months ago, we had an alarm go off on Jamf Protect and at the same time our network stopped working,” he said.

“It turned out that one of our employees had downloaded the number one Chrome plug-in.”

The offending plug-in turned out to be a popular parcel tracking app that had “50,000” reviews, he said. Half of those reviews were positive, while the others described similar problems as his company faced, he said, calling it “malware.”

BAM was able to isolate the problem and create a new set of rules to manage Mac security. These rules extended to the development of a white list of approved Chrome plug-ins.

“We actually realized that Chrome browser plug-ins were a real Wild West,” he said.

Securing the human

Of course, not every Mac user has access to powerful enterprise security solutions. But the lessons should be the same as they always have been in cybersecurity:

• Never install software, except from a trusted source.
• Beware of installing browser/app plug-ins. Even though the software you are using may have passed through Apple’s stringent App Store security vetting processes, any additional plug-ins/extensions supported by it may not be secure, as allegedly happened at BAM.
• Applications such as Little Snitch and tough endpoint security protection (including use of secured routers) may help.
• Use of VPNs can help prevent various ‘man in the middle’ attacks.

For more security tips for Mac users read this guide. (The report needs updating but still carries plenty of helpful suggestions.)

Please follow me on Twitter, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.