Secure browsing is vital for organisational defence against internet-borne threats. In this expert Q&A, Carolina Luz, an engineer at Google Chrome Enterprise, explores the critical role browsers can play in safeguarding against a spectrum of risks, from drive-by downloads to phishing attacks.
Chrome, with more than two billion users globally, adopts a zero-trust approach, actively addressing bugs and vulnerabilities through innovative technologies. Luz has advice for leaders aiming to enhance cyber resilience while empowering employees.
Why does secure browsing need to be a part of an organisation’s cybersecurity strategy?
Considering that many security risks originate from the internet, an employee’s point of contact with it can be the first link in the attack chain. Therefore, protecting that connection point via a secure browser is like securing the door to your house, the first yet crucial step towards a secure environment. Organisations are at risk of employees visiting sites that can surreptitiously install malicious programs on their computers without consent, known as drive-by download attacks. Their employees are also vulnerable to clicking on phishing links.
Even genuine websites supporting insecure encryption standards can pose a risk. Defending against all these risks requires participation from web developers, browsers and enterprise organisations themselves to use secure software and configure it securely.
Given the range of risks, the potential for human error and the sheer amount of time employees spend on websites and web-based software as a service applications, it’s important that protections provided by the browser are embedded. Fundamental to the web is the ability to safely visit any website. It’s what gives the web such flexibility and power, for people to visit tens or even hundreds of sites over the course of a workday. So a browser’s primary responsibility is keeping users safe, even if the website they’re visiting is malicious. While an IT team might be able to vet every application a user installs on their desktop, they can’t possibly vet every website that’s visited.
What work is Chrome undertaking to make sure it is the most secure browser available?
Cyberattacks have been estimated to cost the global economy $7trn per year and the browser is increasingly a platform that attackers are looking to leverage to gain access to an organisation’s network. With more than two billion global users of Chrome, secure browsing is a huge priority for us.
We take a zero-trust approach to security, one that limits access to resources only to those with a proven need to use them. One of the core tenets of this zero-trust model is moving security checks from a network to instead authorising an employee’s device in a way that allows it to take advantage of identity information and device state, and for those signals to be considered when granting access to individual corporate resources.
A modern browser is a hugely complex piece of software and is bound to have bugs. Some of those are going to have security consequences. Our engineering team spend a lot of time trying to stop bugs from being introduced—and fix bugs before attackers find them. Even if a bug is exploited, we’ve got technologies like site isolation and sandboxing that can make it much harder for an attacker to cause harm.
But let’s suppose we live in a hypothetical world where Chrome’s code, or really any browser code, is bug-free. That still wouldn’t mean there would be no security risks. Users might get tricked by phishing campaigns, download or install malware, or mishandle corporate data. Chrome provides solutions like safe browsing, extension security, policy controls and data-loss prevention to help mitigate those sorts of risks.
Chrome does that work for them, protecting users through safe-browsing capabilities that raise flags should they reach a malicious website or attempt to download files that might be compromised. Embedded protections against phishing and similar attacks add additional layers of security, all of which require no action from the end user to employ.
What advice do you have for leaders and managers who want to empower their employees to stay cyber secure?
It’s important to manage risk in the most efficient and productive way possible. Employees need to work securely, but also productively with minimum disruption. That’s an important consideration when developing your secure browsing strategy.
Similarly, minimising the workload for IT teams should be considered. Security that is easy to deploy and manage can free up team resources and ensure policies are managed effectively. Research we undertook with Forrester showed Chrome Browser Cloud Management could save 75 per cent of IT time on activities such as responding to tickets, packaging and confirming updates.
Although there often isn’t a one-size-fits-all answer to security questions, we enable enterprise security and IT teams to best secure Chrome in a way that works for them. We provide tools and controls to enterprises so they can easily adapt Chrome to their deployment and the needs of their environment.
Learn more about how your enterprise browser can protect your company data and improve cybersecurity on the Chrome Enterprise website.