While it’s true that Macs are less likely to be attacked on the basis that there are fewer Macs than PCs, Mac users can be a very lucrative target and hence considered worth the effort. As a result Macs do get viruses and are just as vulnerable to attack as a PC.
Macs are generally safer though. This is because the operating system is Unix-based and therefore more difficult to exploit. Apple also has a number of security measures built into the macOS and the Mac hardware.
On the software side, macOS includes its own antivirus software built in. XProtect detects and blocks any known malware. Apple monitors for new malware infections and updates XProtect regularly. XProtect will check for malware when an app is first launched and if it has been changed. If XProtect detects malware it will block the software and remove it.
In addition to the protection offered by XProtest is Gatekeeper. Gatekeeper is a feature of macOS that is designed to stop users from installing malware in the first place. Gatekeeper checks that any app you download from the internet has been verified by Apple and checked for malicious code. If the app is considered a risk Gatekeeper will stop you from installing it.
Gatekeeper isn’t infallible, it has been bypassed in the past, and XProtect isn’t always right up to date, so malware has slipped through. But both offer a level of protection that should give you peace of mind.
Privacy and phishing
If you want to be really confident about any app you install you would be wise to stick to apps on the Mac App Store. Every app in Apple’s Mac App Store has been reviewed by Apple, so you can be confident that it will not pose a risk to you. In fact Apple goes a step further by ensuring that apps are upfront about how they are using your data, so you can be sure that there is no risk that any of your information will be shared with anyone without your knowledge.
Also, since macOS 10.15 Catalina launched in 2019 it has been a requirement for all Mac apps to get your permission to access your files – whether they are on your Mac, in iCloud Drive or on an external volumes. The macOS will also ask for your permission before an app is able to access the camera or microphone, or log what you type, for example.
The above is designed to protect you from rogue apps, but the biggest threats can be from phishing emails, websites and services you might use online.
Apple’s web browser, Safari also offers various ways of protecting you online. Safari will warn you if a website is suspicious and will prevent it from opening. Every web page is loaded as a separate process in a separate tab – so if there is a problem it will be possible to close that tab without Safari itself crashing.
As well as protecting your security online Apple also protects your privacy. For example, Apple allows users to stop advertisers tracking them around the web. You can see a Privacy Report including details of all the cross-site trackers Apple has stopped from profiling you.
Apple also monitors your passwords, helping you change them to a more secure option, and you’ll even see an alert if Apple believes your password is involved in a data breach.
On that note, Apple also offers iCloud Keychain, a password management system that works across all your Apple devices so that you can log into software and services on any of your devices without having to remember individual passwords and log in details. The benefit of this is that you can have strong rather than memorable passwords (which Apple can generate on your behalf). All your passwords are locked away behind your main password, which is protected by two factor authentication (2FA) for added security.
Protecting your Mac
As we mentioned earlier, Apple also builds protection into the Mac hardware. This is particularly true of the Macs that gained Apple’s M1 Chip back in November 2020. The M1 system on chip has a built-in Secure Enclave that protects your login password and automatically encrypts your data. But even Intel-powered Macs with the T1 or T2 security chip are able to encrypt storage and offer secure boot, for example.
Apple also has other technologies to assist you if your Mac is stolen, from Find My which enables you to track, and potentially locate your lost Mac, and wipe it so that your data can’t fall into the wrong hands. The Macs with the T2 chip and M1 Macs also offer Activation Lock, a feature of Find My, to remotely lock your Mac so that only you are able to use it.
The Touch ID fingerprint scanner available on some Macs also adds another layer of security. It can be used to unlock your Mac, to log onto software and services, and for Apple Pay.
Thus Apple protects your Mac if it is stolen, or if someone with malicious intent gains access to it. Apple also protects you from malicious software, and gives you a say over whether you data is accessible and control over how it is used. All of these measures help to make the Mac much safer than a PC, but there are measures you can put in place to protect yourself further and we will run through these below.
Best Mac Security settings
While the above shows that Apple makes sure your Mac is safe, there are various changes you can make to your settings to protect youself further.
Below we will share some tips to help you set up your Mac so that you are safe and it is completely secure.
Protect your Mac with a good password
It goes without saying that if you don’t have to enter a password when you log on to your Mac then nothing on it is secure. Therefore our first tip is to make sure you set up a password and make sure that it has to be used to unlock your Mac when it goes to sleep or a screen saver begins because of a period of inactivity.
Everything starts and ends with this main password. If this isn’t secure nothing is secure. We have an article giving tips on choosing a Good Password, but generally the advice is as follows: Your password should contain upper and lowercase letters, punctuation and a number, and it should be 8-14 characters long.
To set up a login password for unlocking your Mac follow these steps:
- Open System Preferences
- Click Security & Privacy
- Under General you will see an option to set a login password
- Specify how long your Mac will be unlocked for after it goes to sleep or the screen saver comes on.
If you work in an office with other people, or frequently use your laptop in coffee shops, libraries, or similar, you should definitely make sure that the Mac locks quickly. Here’s more advice on How to lock a Mac.
If you have trouble remembering your passwords – which is usually the reason why people use the same simple password over and over again – the best advice is to use Apple’s iCloud Keychain, or a tool like 1Password.
These tools will not only generate a secure password for you, they will save the password so that you don’t actually have to remember them. You only need to know the one password that unlocks every other password. You might think that’s a risk, but that one password will be protected by two factor authentication, so it might only work on a device you have authenticated, for example, or you may have to also enter a code that is texted to you. For more information read about two factor authentication.
1Password is available as a free download on the Mac App Store, but it has in-app purchases (basically a monthly or yearly subscription, from $2.99 a month). There is a free 14 day trial – 30 days if you download it via the Mac App Store.
Set up different users on your Mac
If you aren’t the only person who uses the Mac you should set up different logins. This way all the people who use the Mac will have a different password to log in with – and their own personal settings and data will be associated with them.
This way you minimise access to your data – and if you don’t give them administrator rights they won’t be able to make adjustments that could affect the security of your Mac. You might be thinking you can trust them – but can you trust them not to click on a dodgy link in an email? Are they likely to download something on the internet that could pose a security risk?
Another benefit in doing this is you could set yourself up with an account that doesn’t have administrator access, which would stop you making any accidental changes that could make your Mac less safe.
- Open System Preferences
- Choose Users & Groups
- Click the lock and enter your password to unlock
- Click on the +
- In the New Account section choose Standard, not Administrator, unless you want them to have access to settings.
- Give the user a name, account name and password.
- You can give them a password hint too – but be beware that you won’t want the hint to be too obvious or it could give away the password to someone else.
Set up Find My Mac
Find My Mac – now known simply as ‘Find My’ as it can help you find all your Apple products – is a handy service that can help you trace a lost of stolen Mac and, if there is no chance of recovering it, wipe it remotely.
You will need to set Find My up before you lose your Mac, so now would be a good time to do so.
Here’s how to set up Find My Mac:
- Open System Preferences.
- Click on Apple ID.
- If you aren’t already logged into iCloud do so using your usual Apple ID password.
- Once you are logged in to iCloud, scroll down the list of Apps using iCloud to see if the Find My Mac checkbox is ticked.
- If Find My Mac isn’t already turned on, click in the box and when asked click on Allow to turn it on.
- Wait while it is set up.
Once you have set up Find My Mac set up on your Mac you can rest assured that should your Mac be stolen you will be able to locate it, and should it not be recoverable you can lock it and delete your all data remotely.
If you own a Mac with a T2 Chip, or one of the M1 Macs introduced in November 2020, there is the added benefit of being able to use the Activation Lock feature, so you can erase the Mac, but only you will be able to reactivte it should you recover it. This basically renders the Mac unusable.
Features like Find My make Macs (and iPhones) less attractive to thieves because they can essentially be bricked. Hopefully this will deter thieves.
Be careful out there! WiFi & Bluetooth warnings
It goes without saying that even with Find My set up on your Mac you will be careful when you are out and about. For example, not leaving your laptop on a table in a cafe. But can you be sure that the WiFi network you are linking to is safe?
Unfortunately you can’t be completely sure that an unsecured network is safe, so our advice would be to only connect to a secured hotspot – one that requires a password. It’s easier to join an unsecured network but it’s also easier for someone else to hack into it.
Read more here: How to know if a public WiFi hotspot is safe.
Even a secure hotspot probably isn’t safe enough for you to do online banking or similar while out in public.
Another thing you can do to protect yourself when you are out and about is to turn off Bluetooth. This will make you less discoverable to those who might take advantages of vulnerabilties in Bluetooth.
Use a VPN
One way around the safety issue associated with using a shared network, whether that’s out and about in a café, or even in location such as an office, is to use a VPN (virtual private network).
Unfortunately, it’s extremely easy for people with malicious interests to spy on data you send to and from websites. This is one reason why VPNs are popular – they encrypt all your data and route it to an end point operated by the folks who run the VPN service. Thereby keeping your data completely private.
Tasks such as browsing and downloading are entirely unaffected as far as the user is concerned, but anybody on the same physical network – such as another computer on the café’s shared Wi-Fi service – is blocked entirely from snooping on your Mac’s data.
Because a VPN service encrypts your data, you can also it at home to overcome internet censorship imposed by the British government and ISPs.
Typically, VPN services come with an app that you run when you want to make use of the VPN connection, although OS X/macOS comes with a built-in VPN tool that you can use instead – just open System Preferences, click the Network icon, then click the plus button at the bottom left beneath the list of connections.
In the dialogue box that appears, click VPN from the dropdown list alongside Interface, then select the service type from the list beneath (usually it’s L2TP). Then click the Create button, and fill in the server/login details provided by the VPN service.
Be careful about what you download
As we said earlier in this article, one of the reasons why Macs are more secure than PCs is that Apple makes it difficult – impossible even – to install anything that hasn’t been verified by them.
First there is the Mac App Store, where every app has been checked by Apple. If you want absolute confidence about the app you are running you should shop at the Mac App Store.
The Mac App Store isn’t the only place where you can buy or download apps though (unlike the iPhone and iPad which can only install apps from the iOS App Store). In the case of Mac software you can buy apps and download apps from various stores aroudn the web. How does Apple make sure they are safe? It won’t let you install an app if it’s not from a verified developer.
You can actualy override this setting and install an app, but Apple doesn’t make it easy to do so. For added peace of mind, if an app carrying malware was accidentally installed then your Mac should be able to recognise the threat thanks to Apple’s XProtect software that is included in the macOS (also mentioned above).
How can you check your app download settings? Follow these steps:
- Open System Preferences
- Click on Security & Privacy
- Click on the lock to unlock and make changes
- Now you can choose between Allow apps downloaded from App Store, or App Store and identified developers.
If you want to limit the installs to only those apps on the App Store, choose that option. That is the safest, but most limiting option. The other option is a good compromise, allowing you to run apps from the App Store and from developers known to Apple.
In older versions of macOS there was an option to allow apps from Anywhere. If you have this option we would advise against using it.
You will still be able to run an app that doesn’t come from the App Store or an identified developer, but you will have to approve it before it will run.
Here’s how to open an app from an unidentified developer if you do want to do that.
Surf Safari safely & privately
Since you probably spend a lot of time browsing the web – and the web is most likely where most of the threats are encountered, it’s important to be careful.
Apple gives clear warnings in relation to potentially risky web pages. If you see a padlock next to the address in Safari’s address bar, you can click on that to reveal information about the Certificate. You will also see warnings if a connection is not private.
For more information read our tips for using Safari on the Mac.
There are also several settings that allow you to control your privacy when surfing the web.
For example you can surf privately, so that none of your surfing history is saved or shared with your other devices. Changes to cookies and website data also won’t be saved.
Here’s how to surf privately: When you want to open a new private window you can either press Shift+Command+N), or got to File > New Private Window.
Another thing you can do to keep your surfing private is to regularly clear your history.
You can easily delete your surfing history in the Safari menu, here’s how:
- Click on Safari in the menu
- Clear History
For more information about how to delete your history in other Mac browsers read: How to delete web browsing history on a Mac.
You may also want to erase cookies and other cached data from the sites you visit.
To clear your cookies and cache in Safari follow these steps:
- Click on Safari in the menu.
- Click on Preferences.
- Click Privacy.
- Manage Website Data.
- You can delete websites individually – if you are looking for a particular site use the Search field. Otherwise click Remove All.
It used to be possible to specify how your location data is made available from this window, but since High Sierra these settings are addressed under a separate tab. To sharing location data go to:
Safari > Preferences > Privacy > Websites > Location
Here you can choose to set Safari to always deny location information, request it, or allow specific websites to always access your location.
And if you’re concerned about storing website username and passwords, or personal data, go to the Auto Fill and Passwords sections and uncheck the boxes that enable those services.
Safari > Preferences > AutoFill
Turn on the Firewall
Another step you could take to help secure your Mac is to enable the firewall, which blocks any unwanted incoming network connections. You might think the firewall is enabled by default, but it often isn’t. (And, no, we have no idea why not.) Luckily, enabling it is dead easy and doing so is entirely wise.
Here’s how to turn on the Firewall on a Mac
- Click the Firewall tab in the System Preferences > Security & Privacy pane.
- Click the padlock icon at the bottom left to unlock system settings (you’ll need to type your login password when prompted).
- Click the Turn On Firewall button.
- Then click the Firewall Options button and, in the dialog box that appears, click the Enable Stealth Mode box. This last step means your computer will be largely invisible on public networks, such as shared Wi-Fi in a cafe.
- In the Firewall tab, click Firewall Options to make changes. Here, you’ll see a list of apps and services which are able to receive inbound connections. To add one to the list, if, say you try to run an app and it displays an error telling you it has been prevented from accepting an inbound connection, click the ‘+’ beneath the list.
It’s important to note that macOS’s Firewall, while useful, offers only limited protection from malware. That’s because it shields you from inbound traffic only. Its job is to limit which apps and services can accept incoming connections. It doesn’t provide any control over outbound connections ie apps and services which initiate connections. So, for example, if you download a piece of malware, macOS’s Firewall won’t stop it connecting to the internet.
Some people choose to block outgoing network connections too so that certain apps can’t “phone home” without their knowledge. This also means accidentally installed malware is unable to leak your data without you being made aware.
However macOS offers no built-in way of blocking outgoing connections. Luckily third-party apps like Little Snitch (circa £30) and Hands Off (£38.95), or an outbound firewall found in anti-malware tools from the likes of Intego, Sophos and Norton, will do the job with aplomb.
Scan for malware
Although it’s true there’s more malware targeting Macs these days, we’re still nowhere near the tidal wave that Windows users face on a daily basis.
Because of this, and because macOS already features a powerful, always running yet invisible anti-malware tool called Xprotect, we reckon that antimalware software is still not a standard requirement for a Mac.
However, for peace of mind you can occasionally fire up an app like Intego Mac Internet Security X9 – which is top of our chart in our round up of the best antivirus for Macs. It normally costs £49.99 a year, but was £20.99 at the time of writing.
Alternatively you could try Bitdefender Virus Scanner. Unlike Windows anti-malware apps, it doesn’t install any system monitoring software that can slow the computer down. Be aware that it also finds and reports Windows malware, though.
For example, scanning my system typically shows a handful of spam mail messages containing attachments into which Windows malware has been hidden. This can be alarming but is actually harmless and, generally speaking, Windows malware can be identified because the name of it usually begins with “Win32” or “Win64”. Even though this is harmless to Mac users, Bitdefender Virus Scanner will still remove it.
We also recommend the occasional use of Malwarebytes Antimalware, which focusses mostly on uncovering and removing adware – which is to say, hidden code within certain apps that aims to hijack your computing experience to show adverts on the desktop or in your web browser. Again, you can run Malwarebytes Antimalware infrequently to scan your system.
Check for persistent apps
Some apps on your Mac are designed to start invisibly each time you boot, and remain invisible while you’re using the computer. These are called persistent apps, and examples include the update checker apps that Google and Microsoft install to ensure Google Chrome and Microsoft Office are always up to date. Adobe installs a handful of persistent apps too as part of the Creative Cloud package.
However, malware also uses persistent apps to do their nastiness without you noticing and, to make matters worse, there are many locations in the file system where malware can hide in order to have itself started at each boot-up. We could advise you to keep an eye on each and every location, but it’s a mammoth task.
Luckily, there are two free apps that’ll do a lot of the hard work for you. KnockKnock scans these locations and will tell you what’s there. It’s not a malware scanner, so won’t tell you if what you find is dangerous or not.
That’s between you and a search engine, although a helping of common sense will do no harm – for example, the aforementioned apps for Microsoft, Google and Adobe apps are easy to spot (although as a caveat we suppose we ought to point out that it’s possible some malware might masquerade as an app from one of these companies).
The second app is from the same clever people who make KnockKnock, and it’s called BlockBlock. This runs in the background of your Mac via a menu bar icon and monitors all the locations in which persistent apps install themselves.
If any app attempts to install persistently then a pop-up dialog box will appear telling you, and it’s down to you whether you allow it or ban it. Again, BlockBlock is not an anti-malware tool so doesn’t know what’s legitimate or not. That’s for you to work out. But as forms of malware protection both KnockKnock and BlockBlock are pretty darned effective.
Turn on FileVault
With FileVault turned on all the files in your user account will be encrypted.
To decrypt them, you’ll need to type in either your account password or the recovery key created when you switch FileVault on.
For most users, the inconvenience of having to type in a password to open a file, together with the time it takes initially to encrypt all the files on your Mac, outweighs the security advantages.
But if you have reason to keep data as secure as it can be, switch it on.
Disable the FileVault ‘Security Hole’
Those who take computer security very seriously indeed point out that, when your Mac enters sleep mode (if you close the lid of a MacBook Pro, for example), there’s a potential security hole in the fact that the password required to decrypt FileVault is stored in memory.
In theory somebody could wake the computer and somehow – and we genuinely don’t know how – retrieve this key, and thereby have access to the entire disk’s contents without the need for a login password.
The only people out there likely to take advantage of this are government agencies that employ extraordinarily clever people and have unlimited budgets. It’s certainly too difficult for a burglar who steals your Mac to exploit, or a nosey colleague.
However, if you’re truly security paranoid then here’s how to stop the FileVault key being stored in memory. The only actual difference this will make in everyday use of the Mac is that sometimes you’ll be prompted to type your login password twice when waking your Mac, and your Mac will be a little slower when waking from sleep mode.
We need to do two things. First we need to switch the Mac to enter standby mode, rather than sleep mode, whenever you do something like close the lid of a MacBook Pro. In Standby mode the contents of memory are saved to disk and the computer put into a deep sleep mode that uses only a trickle of power.
Secondly, we need to tell the computer to not hold the FileVault key in memory while in Standby mode.
Both these two steps can be achieved by opening a Terminal window (you’ll find it in Utilities folder of the Applications listing in Finder) and then pasting in the following:
sudo pmset -a destroyfvkeyonstandby 1 hibernatemode 25
To turn off this feature, and renable the security “hole”, again open Terminal and type the following:
sudo pmset -a destroyfvkeyonstandby 0 hibernatemode 3
Apply a firmware password
macOS turns on FileVault encryption by default nowadays, which means the entire boot disk is encrypted and impossible to access unless it’s unlocked at login via the user’s password.
However, that doesn’t stop somebody using a USB memory stick to boot the Mac and potentially wipe all the data from the hard disk, or simply reinstall macOS.
The solution is to apply a firmware password. Unlike with a PC’s so-called BIOS password, the Mac’s firmware password prompt will only appear if anybody tries to boot your Mac in a non-standard way, which is to say, via a USB stick, or if they try and boot to the Recovery Console. Most of the time you won’t see the password prompt.
In fact, it’s from the Recovery Console that you’ll need to activate the firmware password, so restart the computer and, just before the Apple logo appears, press and hold down Command+R on an Intel Mac (or press and hold the on button on a Apple Silicon Mac). Read all about booting in Recovery mode here.
Select your language and location when prompted, then click the Utilities > Firmware Password Utility menu item. Follow the instructions. Be extremely careful here! If you forget the firmware password then only Apple can unlock your computer. This is probably why this feature is optional!
Check your privacy settings
To round up this feature we will just run through all the options available to you to tighten up your privacy settings.
Open System Preferences and click on the Privacy tab.
Location Services allows you to control which apps have access to your location data. You can switch Location Services off completely here, or prevent individual apps from accessing data.
Likewise, Contacts, Calendar, and Reminders allow you to specify which apps on your Mac can access the information stored in those core OS X apps.
If you click on Photos you’ll see all the apps that have requested access to your Photos library.
The same goes for Camera, Microphone, and Speech Recognition. As well as Input Monitoring – which shows you which apps are monitoring input from your keyboard when using other apps. There is also a Bluetooth option so you can see which apps are using Bluetooth.
If you’ve added your Twitter, Facebook, and LinkedIn details to the Internet Accounts System Preferences pane, you can control which apps have access to those accounts here.
Then there’s the Accessibility section. Despite sharing a name, this, confusingly, has nothing to do with the settings available in the Accessibility pane in the main System Preferences window. Here, you can control which apps are able to control your Mac in some way. For example Onyx allows you change settings which would normally require Terminal commands. To use them, you’ll need to enable them here.
Analytics allows Apple and app developers to improve their products based on data gathered about your use of their apps. You can choose not to share this data here.
Apple also includes a link to Apple Advertising and Analytics & Improvements here so you can see the associated information.
Check what you’re sharing
Your Mac is able to share files with other Macs, and can share data in various other ways too – including sharing the whole screen to facilitate remote working. Once a sharing service is enabled it’s like fitting a new door or window to your house
Yes, that door or window might be considered secure – people will need a password to utilise screen sharing, for example – but there might be a flaw in the door or window that makes it not quite as impenetrable as you might think. In simple terms, it’s a good idea to turn off any sharing service you’re not using, and the majority of Macs used in the home environment should have all sharing services turned off.
Here’s how to turn off sharing:
- Open System Preferences.
- Click the Sharing icon.
- Go through the list on the left, and look closely for any ticks in the boxes beneath the On heading.
- Remove any ticks you see but if in doubt take a look at the following list to make absolutely sure you’re OK disabling that particular sharing service.
Screen sharing: Used mostly in corporate environments to let tech support workers see or control your screen, and perhaps perform repairs/updates. Windows and Linux computers can also use it to control your Mac’s screen via VNC. Not heard of VNC, not in a corporate environment, and never access your Mac remotely? Ensure it’s turned off.
File sharing: Lets other computers on the network access your computer’s file system, including Linux and Windows computers – technically speaking, it enables Windows File Sharing (SMB), Apple Filing Protocol (AFP), and Network File Service (NFS).
Printer sharing: Shares any printer connected to your Mac with other computers on the network, again including PCs. Should be turned off if you’re not sharing your printer, or if you don’t even have a printer attached to your Mac.
Remote login: Allows connection to your Mac via SSH/SFTP, and mostly used by techies to work at the command-line when away from their Macs. Should be turned off if that description doesn’t apply to you – and we’re pretty sure it won’t!
Remote management: Used in the corporate environment to let administrators access your Mac to do things like perform upgrades, or make fixes. Should be turned off in all other circumstances.
Remote Apple Events: One of Apple’s many Good Ideas From Long Ago, this lets one Mac control another to print, or do just about anything, in fact, thanks to tie-ins with AppleScript, at one point a cool joke among Mac fans was to use Remote Apple Events to make another Mac speak, via speech synthesis.
The user of that Mac would be scared half to death when his computer seemingly came to life. However, if you need Remote Apple Events in our modern age then you’ll already know all about it. The rest of us can switch it off without worry.
Internet sharing: Lets one Mac share a Net connection with other Macs. This was created in the days of dial-up internet. It’s extremely unlikely to be used now that broadband, Wi-Fi routers and home networking are the norm, so should be switched off.
Bluetooth sharing: Lets a Mac send and receive files to and from another Bluetooth-enabled device, such as a mobile phone. iPhones and iPads can’t share files this way, so you’re only likely to use it if you’ve got an Android phone. You’ll find guides online telling you how to do this. However, in all other situations this option should be turned off.
Content Caching: A new option in High Sierra is to turn your Mac into an iCloud server that stores iOS updates on your Mac so that you don’t have to download them directly from Apple to each of your devices – instead your devices just sync with your Mac and download them from there. That could speed up the process of updating your devices, as you won’t have to download the update multiple times over what could potentially be a slow Wi-Fi connection. Content Caching can also be used for iCloud documents, photos and app downloads.
Note: We may earn a commission when you buy through links on our site, at no extra cost to you. This doesn’t affect our editorial independence. Learn more.