Browser extensions can increase productivity, but they also increase cyber risk. Companies should take advantage of browser extensions to advance their business goals, and this can be accomplished while preserving security. In this post, I will discuss some of the benefits of browser extensions, give three reasons why your company should implement a deny-all-allow-by-exception policy towards browser extensions, and discuss how your company can implement that policy.
What is a Browser Extension?
According to Google, browser extensions are “small programs that add new features to your browser and personalize your browsing experience.”
Benefits of Browser Extensions
Browser extensions can provide employees with increased productivity. Examples include Grammarly, an extension that helps with spelling and grammar; Adblock, which blocks internet advertisements; and the Cisco Webex and Zoom extensions, which are used for video conferencing. The extensions I listed provide value to organizations and may have associated business needs. They may even provide security benefits. Companies should leverage browser extensions to advance their business goals while mitigating security risks.
3 Reasons Your Company Needs to Control Browser Extensions
Browser Extensions Increase Your Attack Surface
In a report titled "Protecting Browsers from Extension Vulnerabilities", Google researchers said that “because extensions interact directly with untrusted web content, extensions are at risk of attack from malicious web site operators and active network attackers.” The report goes on to say “browser extensions are often not written by security experts, and many extensions contain security vulnerabilities”.
Browser Extensions Can Potentially Access Your Sensitive Data
According to a report by Awake, “browser extensions downloaded almost 33 million times from Google’s Chrome Web Store covertly downloaded highly sensitive user information”. This isn’t the first time this has happened. In an article titled "My browser, the spy: How extensions slurped up browsing histories from 4M users", Dan Goodin, Security Editor at Ars Technica, goes into detail about how “your tax returns, Nest videos, and medical info may have been made public” thanks to browser extensions.
Implement a Deny-All-Allow-By-Exception Policy
As I stated earlier, browser extensions can be beneficial. Using group policy, you can implement a deny-all-allow-by-exception policy towards browser extensions/add-ons. Before implementing it, determine which browser extensions your organization needs to be using or wants end users to have access to. This may include allowing the Cisco Webex extensions, Adblock, Grammarly, and any extensions associated with your antivirus suite.
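One way to express this policy for Google Chrome on Windows, as an added example that is not part of the original post: the script writes the registry values behind Chrome's ExtensionInstallBlocklist and ExtensionInstallAllowlist policies, which a GPO would normally deliver to domain machines. Chrome as the target browser, the helper name Set-ExtensionPolicyList, and the extension IDs (placeholders) are assumptions.

```powershell
# Added example. Run from an elevated PowerShell session.
# The IDs below are placeholders, not real extensions; replace them with the
# 32-character IDs of the extensions your organization has approved.
$ApprovedExtensionIds = @(
    'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa',   # placeholder: video conferencing extension
    'bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb'    # placeholder: grammar extension
)

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

# Hypothetical helper: writes one policy list as numbered string values.
function Set-ExtensionPolicyList {
    param(
        [Parameter(Mandatory)][string]$ListName,
        [Parameter(Mandatory)][string[]]$Entries
    )
    $key = Join-Path $PolicyRoot $ListName
    # Rebuild the key so stale entries from an older policy do not linger.
    if (Test-Path $key) { Remove-Item -Path $key -Recurse -Force }
    New-Item -Path $key -Force | Out-Null
    $index = 1
    foreach ($entry in $Entries) {
        New-ItemProperty -Path $key -Name "$index" -Value $entry -PropertyType String | Out-Null
        $index++
    }
}

# Refuse to write a malformed allowlist: Chrome extension IDs are 32 letters a-p.
foreach ($id in $ApprovedExtensionIds) {
    if ($id -cnotmatch '^[a-p]{32}$') { throw "Not a valid extension ID: $id" }
}

# Deny all: a single "*" entry blocks every extension that is not allowlisted.
Set-ExtensionPolicyList -ListName 'ExtensionInstallBlocklist' -Entries @('*')
# Allow by exception: only the approved IDs may be installed.
Set-ExtensionPolicyList -ListName 'ExtensionInstallAllowlist' -Entries $ApprovedExtensionIds

# Read the values back so the written policy can be reviewed.
foreach ($list in 'ExtensionInstallBlocklist', 'ExtensionInstallAllowlist') {
    $k = Get-Item -Path (Join-Path $PolicyRoot $list)
    foreach ($name in $k.Property) {
        '{0}\{1} = {2}' -f $list, $name, $k.GetValue($name)
    }
}
```

After restarting Chrome, the chrome://policy page lists both policies and their values, which confirms the browser has picked them up.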