Mac security: A comprehensive guide to securing your MacBook
MacBooks come with a variety of built-in security settings, but they are not always used to their full advantage. This can leave your data and privacy vulnerable to cybercriminals. While it’s not possible to totally lock down and secure your computer, you can maximize your Mac’s security and privacy and protect yourself from cyber threats by going through your settings and establishing a good set of defenses. Read on to find out how.
Don’t turn off automatic updates
It’s important to keep your apps and Mac operating system up to date because security updates address software vulnerabilities. If you don’t stay up to date, hackers could exploit vulnerabilities to gain access to your data. Modern Macs have automatic updates enabled by default, but it’s worth checking that your computer is properly downloading them.
To make sure software updates are running correctly:
- Open System Preferences then Software Update
- Click the Advanced button
- Be sure to check all the boxes
- These updates may require you to restart your computer
To make sure app updates are running correctly:
- Within System Preferences, click on App Store and then enable automatic updates
FileVault is software for encrypting your device. It jumbles up your device’s data so that it’s incomprehensible to anyone without your password. This means if you lose your device or it’s stolen, nobody else will be able to access anything on your storage drive. On more recent Macs, FileVault is probably enabled by default. But if you have an older Mac, or you opted out of the feature when you set up your Mac originally, you should check to see if it’s turned on. To do this:
- Open System Preferences, click Security & Privacy and select the FileVault tab
- Click Turn On FileVault and follow the on-screen instructions
Apple gives you the option to store your recovery key in your Apple account or locally. For most people, if you have a strong password for your Apple account, you’re better off storing the recovery key there. But if you’re not comfortable with that, or if you store a lot of very personal data on your device, you can opt to store the code yourself. If you choose to do so, it’s important that you don’t lose the key or forget the password you create, as you won’t be able to access your data if you lose either one.
Password protect folders
Knowing how to password protect a folder on Macs is useful. This feature allows you to store sensitive information and ensure that only somebody with the password can access it.
You can do this without installing any extra software by using your Mac's Disk Utility app. It doesn't password protect the folder itself. Instead, it creates a separate folder disk image, but the effect is the same. You can open the folder disk image and move files in and out as normal. It's possible to share the folder disk image with other people and, provided they know the password, they can access files in the folder as well.
To password protect a folder on Mac:
- Open the Disk Utility app. You can do this by launching Finder, clicking Applications in the left-side menu, and then clicking the Utilities folder.
- You can also find it via Spotlight: press Command and Spacebar on your keyboard and type Disk Utility.
- With Disk Utility open, click File and move your mouse over New Image.
- Click Image From Folder from the list of options.
- Select the folder that you want to password protect and click Choose.
- You will need to choose a level of encryption. Click the Encryption drop-down and select either 128-bit AES encryption or 256-bit AES encryption.
- Your choice will depend on what you're looking to password protect. If the information is very sensitive, choose 256-bit AES encryption because it offers a higher level of protection. For speed and efficiency, however, 128-bit AES encryption is more than sufficient.
- Now enter the password you want to use to protect the folder. Enter it again to verify.
- Click the drop-down box next to Image Format and select read/write – this will ensure you can edit your folder in the future. Click Save.
- A folder disk image will be created (it will have the suffix .dmg). It may take some time. When it's complete, click Done.
- You will now have two folders – the disk image and the original folder. The original folder will be unprotected. If you don't need the non-password protected folder, remember to delete it.
Enable the built-in firewall
Apple has a built-in firewall that helps to block unwanted inbound network connections and keep malware out of your network and device. This provides a useful layer of protection but it is turned off by default, so you need to manually turn it on to benefit from it. To do this:
- Go to System Preferences then open Security & Privacy
- Click on the Firewall tab
- Click on Turn On Firewall
For more advanced users, you can review Firewall Options to select more detailed settings. Otherwise, you can simply let the default settings apply. Bear in mind that Apple’s firewall guards against incoming traffic only and does not prevent data from being sent out. For additional security, you can consider using a third-party firewall which offers more advanced protection.
Back up your files
By regularly backing up your files, you ensure you always have copies if something happens to your Mac – for example, if it’s lost, stolen or needs to be repaired.
You can use Apple’s Time Machine feature to back up your files. Time Machine backs up files on a separate, external hard drive which allows you to restore your Mac and data from a specific recent time. To set it up:
- Connect an external hard drive that is the same size or bigger than your Mac’s drive and has no other files stored on it
- Open the Time Machine app from System Preferences
- Click Select Backup Disk, select the name of your disk, then click Use Disk
- By ticking Back Up Automatically, you won’t have to remember to back up manually
Once set up, Time Machine works automatically, provided your external drive is connected to your Mac. It will send you reminder notifications if you don’t connect your external drive for a while. If your external disk runs out of space, Time Machine automatically erases the oldest versions of the files to make room for new ones.
Consider a guest account for occasional visitors
If you have occasional visitors, rather than giving them a full account of their own, use the Guest account available at the login screen. This will enable them to use apps and the internet but won’t allow them to see files you have stored on your Mac. macOS creates a temporary workspace and deletes it when the guest logs off.
If your Mac is lost or stolen, and you have set up iCloud’s Find My Mac option, when a guest logs on and connects to the internet using Safari, Apple can track your Mac’s location.
Delete software you don’t need
Depending on how long you have owned your Mac, you may have software on it that you no longer use. Unused software takes up space on the drive but, more critically, can sometimes create a security risk, as it may contain vulnerabilities that remain exposed. Apple allows users to check for old or unused apps on their Mac. To do this:
- Click on the Apple icon in the top right corner of your screen
- Select About This Mac
- Click on the Storage tab, and then click Manage
- Click on Documents and then choose Unsupported Apps to see a list of programs your Mac no longer supports — then delete them all
- Then click on Applications and sort by ‘Last Accessed’ to see apps you have not used in a long time, which you may want to delete
Review your Mac privacy settings
As with your phone, your Mac has various privacy permissions: over time, you have granted or denied apps access to different types of information, such as your location, contacts or calendars. It’s good practice to review these permissions regularly to make sure they are set to a level you remain comfortable with. To do this:
- Open System Preferences and go to Security & Privacy
- Select the Privacy tab
- Go through each permission and uncheck any that feel unnecessary (you can always reinstate permissions later if you change your mind)
Generally, if you’re in doubt about whether an app needs permission or not, it’s best to be cautious by restricting access.
To check if you are unknowingly sending usage data to Apple and other app developers, click Analytics & Improvements at the bottom of the left-hand menu. Then uncheck the options for data you don’t want to be sent automatically to Apple or other app developers.
Review Safari privacy settings
If you use Safari on your Mac, it’s worth reviewing Safari’s privacy settings. Some useful shortcuts to know include:
- New Private Window (Shift + Command + N): This enables private browsing, allowing you to browse the web without recording your visits in the History menu
- Clear History in the Safari menu: This erases cookies and other cached data in the History menu
- Privacy section in Safari’s Preferences: This helps to prevent websites from tracking you or storing cookies on your computer
Set up Find My Mac
The Find My Mac feature is useful in case your Mac is lost or stolen. Not only will this tool help you find your Mac, but it will also enable you to wipe your drive remotely if your device is lost or stolen. To set it up:
- First turn on Location Services in your privacy settings and select Find My Mac in the list of apps that can use your location
- Then, click on the Apple menu icon and select System Preferences followed by Security & Privacy then Location Services
- Click the padlock and enter your password
- Select Enable Location Services and select Find My Mac and lock the padlock to prevent further changes
Set up a strong computer passcode and enable Touch ID if you can
When you leave your computer unattended, it’s a good idea to have a screen saver that can only be turned off with a password. You should set up a screen saver that will start after your computer has been idle for a set interval. To set your computer to lock your screen automatically:
- From the Apple menu, choose System Preferences
- Click Desktop & Screen Saver
- Click Screen Saver, and then use the slider to choose 15 minutes (or less)
- Click Show All to go back to the main System Preferences window
- Click Security, and then click Require password to wake this computer from sleep or screen saver
- Close the System Preferences window
If you have a more recent Mac, you might be able to log in with Touch ID. If you didn’t enable that feature when setting up your computer, you should do so now. It makes logging in quicker and easier and gives you scope to create a more complicated password since you don’t have to type it so frequently. To set up Touch ID:
- Open System Preferences, then Touch ID
- Select Add A Fingerprint and follow the on-screen directions
Your computer’s password still serves as a backup login option and will be required whenever you restart your machine, but you can make it as long as you wish since you won’t have to type it so often. The longer your password, the more secure it is likely to be. Touch ID support also extends to some apps, which makes unlocking them less of a chore.
Limit app purchases to the App Store
To minimize your risk of malware and harmful apps, only use apps from a known and trusted source like the App Store. Never download unlicensed or pirated apps from the internet. Harmful apps can often be disguised as a movie or graphics file. These apps, called Trojans, are often spread by internet downloads and email attachments. If you see a warning that a file you receive is an app – for example, a file sent to you in an email – don’t open it; delete it from your Mac.
It’s also a good idea to read trusted reviews of apps before downloading them. This may help you avoid malicious apps and ensure you’re downloading a legitimate app onto your device.
Be cautious when granting app permissions
Be wary of phishing scams and pop-ups
One of the best ways to protect yourself online is by learning how to spot online scams. This includes recognizing phishing attempts and being careful about what you download.
To avoid falling victim to phishing, never click on links in text messages, emails, social media messages or any message which looks suspicious. These could be messages designed to trick you into disclosing personal information such as credit card numbers or passwords.
If you do receive an email claiming to be from your bank asking you to verify login information, look closely at the sender’s details to check who it is from. When in doubt, go directly to your bank’s site in your web browser and avoid clicking on any link within the email. To test your ability to recognize phishing scams, you could try Google’s Phishing Quiz.
Enable 2FA on your iCloud account
Two-factor authentication or 2FA involves inputting a randomly generated one-time code along with your password when logging into your accounts. This provides an additional layer of security because, even if hackers know or guess your password, they won’t be able to guess the randomly-generated code. This prevents them from accessing your accounts. To set up 2FA on your iCloud account:
- Go to System Preferences then Apple ID then Password & Security
- Then go to Two-Factor Authentication and click Turn On
- You will then be asked to input your phone number to receive the two-factor authentication codes
Once set up, you will receive a one-time password each time you log into your iCloud account on a new device or when logging in online.
Consider using an authenticator app
You can take 2FA a step further by using an authenticator app. An authenticator app generates unique codes on the spot, rather than sending them via SMS text message, which cybercriminals could intercept. Some password managers also offer this feature.
Use a physical security key
Another method of implementing 2FA is by using a physical security key or token. This is like a smart card that provides your digital signature and is an option for users who want additional protection. No one can access your Mac without presenting your security key or token, even if they know your password.
Use a VPN
A VPN or Virtual Private Network disguises your original IP address and replaces it with an IP address in a different location. This means that hackers and websites can’t trace your connection, increasing your anonymity online. VPNs also encrypt your browsing data, which means that hackers can’t see what you’re doing. VPNs are used for a variety of purposes, but online privacy is chief amongst them. There are various VPNs on the market, including Kaspersky Secure Connection.
Disable remote access and sharing
Remote access can be useful if you need to access your Mac from anywhere. However, if your login details are compromised, this means others could also be able to remotely access all your files and data. So, it’s a good idea to disable this feature when you don’t need to use it. To do this:
- Go to System Preferences then Sharing
- Untick the boxes next to Remote Login, Remote Management, and all the other sharing services you don’t need
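The settings from the sections on automatic updates, FileVault, the firewall and Remote Login can also be read from Terminal. The script below is an added example, not part of the original guide; the `classify` and `report` helpers are hypothetical names, and the command output formats it matches are assumptions based on macOS releases that still have System Preferences.

```shell
#!/usr/bin/env bash
# Added example: read-only audit of settings this guide configures in the GUI.
# Assumed output formats: fdesetup "FileVault is On.", socketfilterfw
# "(State = N)", systemsetup "Remote Login: On|Off", defaults "1" or "0".

# classify CHECK OUTPUT -> prints PASS, FAIL or UNKNOWN (hypothetical helper)
classify() {
  case "$1:$2" in
    filevault:*"FileVault is On"*)      echo PASS ;;
    filevault:*"FileVault is Off"*)     echo FAIL ;;
    firewall:*"State = 0"*)             echo FAIL ;;  # firewall disabled
    firewall:*"State = 1"*|firewall:*"State = 2"*) echo PASS ;;
    remote_login:*"Remote Login: Off"*) echo PASS ;;  # secure when off
    remote_login:*"Remote Login: On"*)  echo FAIL ;;
    auto_update:1)                      echo PASS ;;
    auto_update:0)                      echo FAIL ;;
    # Unset preference key, missing admin rights, or an unrecognised format
    *)                                  echo UNKNOWN ;;
  esac
}

# report CHECK OUTPUT -> one aligned result line per check
report() { printf '%-13s %s\n' "$1" "$(classify "$1" "$2")"; }

run_audit() {
  if [ "$(uname -s)" = "Darwin" ]; then
    report filevault    "$(fdesetup status 2>&1)"
    report firewall     "$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2>&1)"
    # systemsetup needs admin rights; without sudo this reports UNKNOWN
    report remote_login "$(systemsetup -getremotelogin 2>&1)"
    report auto_update  "$(defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled 2>&1)"
  else
    # Not macOS: run over constructed sample outputs so the logic is visible
    report filevault    "FileVault is Off."
    report firewall     "Firewall is disabled. (State = 0)"
    report remote_login "Remote Login: On"
    report auto_update  "1"
  fi
}

run_audit
```

An UNKNOWN result means the script could not determine the setting, so check that item in System Preferences as described in its section.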
Use a password manager
It’s essential to use a secure password to lock your Mac. Using unique, complex passwords for all your accounts is essential in today’s online environment. But, with the hundreds of online accounts we now need for our day-to-day activities, remembering so many unique passwords is very difficult, if not impossible. While some users are tempted to use the same password for everything, this can be a mistake; if your password is hacked, your entire online identity is compromised. Using a password manager is a great solution.
Apple offers its own password manager called iCloud Keychain. This works by saving and securely storing your account login credentials, passwords, and payment card information. All information is encrypted with AES 256-bit encryption, considered military-grade encryption.
While iCloud Keychain can be useful, it is limited in that it can only be used for Apple products, so if you also have an Android phone and a Windows PC, you won’t be able to sync your passwords between devices. For this reason, many users decide to use a third-party password manager that works with all operating systems and can seamlessly sync between devices.
Turn off Wi-Fi and Bluetooth when you don’t need them
If you aren’t using Bluetooth — or if you are in an environment you don’t trust — then it’s good practice to turn it off. This reduces your Mac’s discoverability and adds an extra layer of privacy. It can help prevent any potentially dangerous connections.
To turn off Bluetooth:
- Select the Apple menu icon then System Preferences then Network then Bluetooth then toggle Bluetooth to Off
Turn off Siri
Siri is your Mac’s intelligent personal assistant. It can share personal information, so some users prefer to turn it off when not in use. To turn off Siri:
- Select the Apple menu icon then System Preferences then Siri then toggle on or off Enable Ask Siri
Consider enabling Lockdown Mode
Included within iOS 16, Apple’s Lockdown Mode helps to protect devices against rare and extremely sophisticated cyber attacks. Apple considers it an extreme protection that’s designed for the very few individuals who, because of who they are or what they do, could be personally targeted by some of the most advanced digital threats – for example, from hostile nation states. Most users won’t be subject to these kinds of threats.
Apple states that when Lockdown Mode is enabled, your device won’t function like it usually would. To reduce the attack surface that could potentially be exploited by highly targeted mercenary spyware, certain apps, websites, and features will be limited for security, and some experiences may not be available at all. For example, Lockdown Mode blocks link previews in the Messages app, turns off potentially hackable web browsing technologies, and prevents incoming FaceTime calls from unknown numbers.
Most users don’t need Lockdown Mode but if you do want to turn it on, here are the steps to follow:
- On your device, open Settings
- Navigate to Privacy & Security
- Scroll to the bottom and select Lockdown Mode
- Select Turn On Lockdown Mode
Enable firmware password
If you have an Intel Mac, you can use a firmware password to prevent people from using alternative startup disks and removable media to boot your Mac without authorization. A firmware password significantly improves security for those who share devices and works as a strong anti-theft measure.
To turn on a firmware password:
- Start up from macOS Recovery
- When the utilities window appears, click Utilities in the menu bar, then choose Startup Security Utility or Firmware Password Utility
- Click Turn On Firmware Password
- Enter a firmware password in the field provided then click Set Password
- Quit the utility, then choose Apple menu then Restart
Your Mac asks for the firmware password only when attempting to start up from a storage device other than the one selected in Startup Disk preferences, or when starting up from macOS Recovery. Enter the firmware password when you see the lock and password field.
Use a good quality antivirus for Macs
It’s always a good idea to use a comprehensive and up-to-date antivirus. Whilst macOS comes with XProtect anti-malware protection and other safeguards, you can gain additional protection by using a complete antivirus for Macs.