Corporate Compliance Insights

Compliance and the Blacklist/Whitelist Fallacy

Safe Web Use Practices for Investment Firms

by John Klassen
February 22, 2019
in Compliance, Featured
[Image: hand turning a dial from "blacklist" to "greylist"]

Regulating employee web use through a compliance handbook plus URL filters for blacklisted (bad) and whitelisted (good) online resources has failed to improve compliance. Authentic8’s John Klassen discusses how firms can ensure compliance without sacrificing productivity or risking an internal backlash.

Pressure from the SEC and state authorities to remediate areas of cybersecurity weakness has increased over the past two years. Yet regulators and compliance professionals agree that alarming gaps remain in how regulated financial services firms use the web.1 Many firms still struggle to effectively control, secure and monitor employee web activities.

So what’s the holdup?

Industry insiders point to the ubiquitous use of a tool that was conceived almost 30 years ago: the locally installed browser. Many firms still use a traditional “free” browser for all their web activities, its inherent architectural flaws and vulnerabilities notwithstanding. At the same time, CCOs and IT are also increasingly aware of the risks associated with local browser use:

  • Traditional browsers execute web code indiscriminately, benign or malicious, on the local computer or mobile device. This exposes the firm’s IT to web-borne exploits such as ransomware or spyware.
  • Regular browsers leak data to visited websites and other third parties, such as plug-in developers. This can cause unintentional disclosure of sensitive information about the firm, individual users within the firm and what they are working on. Such browsers also offer no control over the clipboard. Malicious insiders can – and do – use copy-and-paste to exfiltrate proprietary information from the firm’s cloud account to a different account opened in another tab.
  • Local browsers are notoriously difficult to monitor and audit. This creates a critical blind spot for compliance managers and IT administrators whenever employees upload files to third-party cloud storage services, access their webmail from the office or remotely, or post comments on social media.

“Free” Browsers Blow Up IT Security Budgets

For financial firms, this dependency on architecturally flawed technology has significantly increased the risk of web-borne exploits, data loss and noncompliant online behavior. In addition, they risk productivity losses each time the CCO and IT try to compensate – with restrictive web use enforced through third-party point solutions – for the firm’s lack of actual control and oversight when someone on the team fires up a locally installed browser.

The underlying problem here is that local browsers weren’t designed to perform in a highly regulated environment with tight security and compliance demands. Never mind that mainstream browsers are marketed as “secure.” The dirty little secret of the IT industry is that “free” and “secure” browsers are neither free nor secure.2

Even without factoring in damages resulting from data breaches or regulatory enforcement actions, relying on this tool comes at a steep price, especially for the financial sector and other regulated industries. Firms incur ever-increasing costs for point solutions mostly aimed at remediating the local browser’s cybersecurity and compliance vulnerabilities.

One prime example is what I call the “Blacklist/Whitelist Fallacy:” the ill-fated attempt to mitigate browser risks by policing web use via blacklists (“blocked”) or whitelists (“approved”) of web resources. Why did it fail?

Growing Risks in The Web’s “Gray Zone”

One significant reason is the ineffectiveness and insecurity of URL filtering tools. Like other patchwork solutions aimed at mitigating the inherent flaws of the local browser, they have proved ineffective as a reliable backstop to prevent data breaches and compliance violations.

IT security experts agree: URL filters cover only a narrow sliver of today’s web.3 Yesteryear’s “black and white” approach is missing the “gray” areas where most of the risk lives – such as (firm-approved) cloud apps and storage services, social media or industry news outlets. Blacklists and whitelists are no match for the risks associated with local browser use in the gray zone, primarily for three reasons:

  1. The web changes too fast. As of January 2018, there were more than 1.9 billion websites, with nearly 400 new websites added every minute.4 Even sites once categorized as “safe” may since have fallen into the wrong hands, or may be vulnerable to exploits because they run Flash, Java, VBScript or other active web content.
  2. Approved URLs harbor risk, too. Today, 1 in 13 web requests leads to malware (up from 1 in 20 in 2016).5 Millions of visitors to the New York Times and the BBC, for example, were exposed6 to ransomware exploit kits distributed via compromised online ad networks. Online comment sections on firm-approved websites also increase the compliance7 risks for firms that have no visibility into the actual web activities of employees on those sites.
  3. Web filters often get it wrong. URL categorization relies on automated, heuristic processes. Frequently, such systems mistakenly block access to work-relevant web resources. Defining exceptions for individual employees or “whitelisting” resources for the firm at a third-party URL filtering service slows down important processes and puts an extra burden on IT.

In short, while website functionalities evolve, as do the firm’s needs and regulatory demands, URL filters remain static.
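The gap behind reasons 2 and 3 above can be made concrete. The following is an added example (not code from the article or from Authentic8): a toy category-based URL filter applied to a page load. The category table, the two policies, the domains and the HTML page are all constructed for the demonstration. The point it shows is that the filter judges the navigation URL, while the local browser also executes every script and iframe the approved page embeds; a strict allowlist blocks those and breaks the site (reason 3), and the looser policy firms settle on to stop the breakage lets ad-network code run locally (reason 2).

```python
"""Category-based URL filter vs. the subresources an approved page embeds.

Added example, not from the article or Authentic8. The category table, the
two policies, the domains and the HTML page are all constructed for the demo.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed stand-in for a vendor's URL categorization database.
CATEGORIES = {
    "news.example": "news",
    "adnet.example": "advertising",   # ad network used by the approved news site
    "phish.example": "malicious",
}

# Two constructed policies: a strict allowlist, and the looser one most firms
# end up with after users report that approved sites render broken.
STRICT_POLICY = {"news", "business"}
TYPICAL_POLICY = {"news", "business", "advertising", "uncategorized"}

# Elements whose URL the browser fetches; script/iframe/object/embed also execute.
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}
FETCH_ATTRS = {"script": "src", "iframe": "src", "object": "data",
               "embed": "src", "img": "src", "link": "href"}


def categorize(url):
    """Map a URL to a category by longest-suffix domain match, else 'uncategorized'."""
    host = (urlparse(url).hostname or "").lower()
    for domain, category in CATEGORIES.items():
        if host == domain or host.endswith("." + domain):
            return category
    return "uncategorized"


def filter_decision(url, allowed_categories):
    """What a category-based gateway does with one request."""
    category = categorize(url)
    if category == "malicious":
        return "BLOCK"
    return "ALLOW" if category in allowed_categories else "BLOCK"


class FetchCollector(HTMLParser):
    """Collect every URL the page makes the browser request, resolved against the page URL."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.fetches = []  # (resolved_url, tag)

    def handle_starttag(self, tag, attrs):
        attr = FETCH_ATTRS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                self.fetches.append((urljoin(self.page_url, value), tag))


def evaluate_page(page_url, html, allowed_categories):
    """Simulate the filter's view of one page load: the navigation plus every subresource.

    Returns the navigation decision, the executable third-party resources the policy
    lets through to the local browser, and the resources it blocks (page breakage).
    """
    nav = filter_decision(page_url, allowed_categories)
    collector = FetchCollector(page_url)
    collector.feed(html)
    page_host = urlparse(page_url).hostname
    executed_third_party, blocked = [], []
    for url, tag in collector.fetches:
        if filter_decision(url, allowed_categories) == "BLOCK":
            blocked.append(url)
        elif tag in ACTIVE_TAGS and urlparse(url).hostname != page_host:
            executed_third_party.append(url)
    return {"navigation": nav,
            "executed_third_party": executed_third_party,
            "blocked": blocked}


# Constructed page on the approved news site: first-party assets plus an
# ad-network script and iframe, the path malvertising took on real news sites.
SAMPLE_URL = "https://news.example/markets/today"
SAMPLE_HTML = """
<html><head>
  <link rel="stylesheet" href="/site.css">
  <script src="//tags.adnet.example/loader.js"></script>
</head><body>
  <img src="/logo.png">
  <iframe src="https://creatives.adnet.example/slot/728x90"></iframe>
  <a href="https://phish.example/login">comment link</a>
</body></html>
"""

if __name__ == "__main__":
    for name, policy in (("strict", STRICT_POLICY), ("typical", TYPICAL_POLICY)):
        print(name, evaluate_page(SAMPLE_URL, SAMPLE_HTML, policy))
```

Under the strict policy the navigation is allowed but both ad-network resources are blocked, so the page breaks and the exception requests start; under the typical policy nothing is blocked and the ad network's script and iframe execute in the local browser, where the filter cannot see what they do. Neither policy inspects the script content; only the hostname is judged.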

Back in Control with a Secure Cloud Browser

As the web grows, so does the challenge for compliance and IT managers. With web filtering and other point solutions, firms risk unintentionally blocking the “wrong” websites, slowing down critical workflows or alienating employees with web use policies perceived as too restrictive.

How can firms maximize security and compliance when employees access the internet, without sacrificing speed and convenience? “Ten years ago, our compliance manual used to be three to four pages thin,” says the Chief Compliance Officer (as a matter of policy, he doesn’t want to be named) of a midsize investment firm with headquarters on the east coast. “Now it’s a whole book.”

For his firm, like for many others, deploying secure cloud browser technology (aka “remote browser isolation”) has been key to taking back control over its own web activities. With a cloud browser, all web code is processed in the cloud on a remote host configured for regulatory compliance and data security.

The firm, which has several satellite offices and roughly a dozen team members working from home, prides itself on its tight-knit team and flexible work culture. Most employees spend a significant amount of time online. They use the cloud browser mostly for conducting research, but also take care of personal tasks from the office, according to the CCO.

One main area of concern for the firm was online data loss prevention, he explains, and “IT was concerned, because compliance had become too taxing and too rigid for our users. As a firm, we definitely didn’t want to be perceived as ‘Big Brother’ by our employees.”

Using remote browser isolation instead allowed employees to maintain their work-life balance without putting proprietary data or compliance at risk. With the cloud browser, which is centrally managed and monitored by IT and the compliance team, the firm and its clients remain protected no matter what websites employees visit, because no code from the web can reach the local device. Some cloud browser customers even report elimination of their prior break-inspect and web filtering gateway infrastructure.

Throughout the financial services industry, firms are now deploying cloud browsers to maintain oversight and governance when employees go online. No more blind spots or erroneous “site not approved” roadblocks – with a cloud browser, firms no longer need to accept a risky trade-off between governance and control versus risk and productivity.

Win-Win-Win for Compliance, Productivity and IT

Because compliance-ready cloud browsers build each web session with embedded policies that are pre-defined by IT or the compliance team, oversight, governance and data protection are ensured each time employees use the web:

  • Research analysts, investment managers and administrative staff get a secure and personalized browser that enables them to leverage the powers of the internet without putting the firm at risk.
  • CCOs and IT administrators get a compliance-ready browser that is centrally managed and gives them control and oversight over all employee activities on the web.

Device access, websites, content types, credentials and data operations are centrally managed, which prevents IT bottlenecks and minimizes risk when onboarding/offboarding team members. All user actions are logged and encrypted, which makes it easy for regulated entities to “promptly produce”8 data requested by the SEC and conduct compliance reviews.

Many firms have learned the hard way that categorizing URLs and depending on blacklists and whitelists to compensate for the weak security posture of regular browsers is a losing proposition. Cloud browsers provide a win-win-win solution instead – for users, compliance managers and IT admin alike.


1 SEC Office of Compliance Inspections and Examinations: 2018 Examination Priorities (press release, 2/2018); Authentic8: What Regulators Want to See (white paper, 10/2018)

2 Osterman Research: Why You Should Seriously Consider Web Isolation Technology (white paper, 12/2018)

3 Gerd Meissner: When URL Filtering Fails, This Secure Browser Has Your Back (Authentic8 blog, 4/11/2017)

4 Real Time Statistics Project: Internet Live Stats

5 Symantec: 2018 Internet Security Threat Report

6 Gerd Meissner: Reliable Resources – for Ransomware Infections (Authentic8 blog, 3/17/2016)

7 SEC Division of Investment Management: Guidance on the Testimonial Rule and Social Media

8 Authentic8: Inefficiencies Put Compliance at Risk (white paper, 7/2018)


John Klassen

John Klassen is Product Marketing Manager at Authentic8, maker of Silo, the browser in the cloud that ensures compliance and control for the world’s most demanding firms in regulated industries.
