Browser extensions can increase productivity but they also increase cyber risk. Companies should take advantage of browser extensions to advance their business goals. This can be accomplished while preserving security. In this post, I will discuss some of the benefits of browser extensions. I will also give three reasons why your company should implement a deny-all-allow-by-exception policy towards browser extensions. I will also discuss how your company can implement that policy.

According to Google browser extensions are “small programs that add new features to your browser and personalize your browsing experience.”.

Browser extensions can provide employees with increased productivity. Examples include Grammarly, an extension that helps with spelling and grammar, Adblock that blocks internet advertisements, Cisco Webex, and zoom extensions that are used for video conferencing. The extensions I listed provide value to organizations and may have associated business needs. They may even provide security benefits. Companies should leverage browser extensions to advance their business goals while mitigating security risks.

In a report titled "Protecting Browsers from Extension Vulnerabilities ”, Google researches said that “because extensions interact directly with untrusted web content, extensions are at risk of attack from malicious web site operators and active network attackers.” The report goes on to say “browser extensions are often not written by security experts, and many extensions contain security vulnerabilities”.

Earlier this year both Google Chrome and Mozilla Firefox teams banned hundreds of browser extensions “that steal user data and execute remote code”.

In a report by Awake “browser extensions downloaded almost 33 million times from Google’s Chrome Web Store covertly downloaded highly sensitive user information”. This isn’t the first time this has happened. An article titled "My browser, the spy: How extensions slurped up browsing histories from 4M users ”, Dan Goodin, Security Editor at Ars Technica goes into detail about how “your tax returns, Nest videos, and medical info may have been made public” thanks to browser extensions.

As I stated earlier, browser extensions can be beneficial. Using group policy you can implement a Deny-All-Allow-By-Exception-Policy towards browser extensions/add ons. Before implementing it, determine which browser extensions your organization needs to be using or wants end users to have access to. This may include allowing cisco webex extensions, adblock, grammarly, and any extensions associated with your antivirus suite.