To Blacklist or Not to Blacklist?

Which websites, if any, should be banned from employee access at work is, like so many things, a matter of balance.

By Carolyn Heinze

While it's nothing new for companies to blacklist malware and infected sites, these days they are targeting websites and applications that are considered to be legitimate. For example, a recent study published by Zenprise, a Redwood City, Calif.-based mobile device management solutions provider, reports that an increasing number of organizations are forbidding employee access to apps and sites such as Facebook, YouTube, Skype, Dropbox, Google Play, The App Store, and the solitaire of the 21st century, Angry Birds.

What's more, the line between what's “hot” and what's not is extremely blurry. As Zenprise puts it, one company's blacklist is another company's whitelist. After all, how can an organization justify banning Facebook, Twitter, and YouTube company-wide if one of its objectives is to develop a stronger social media presence? And why wouldn't a company encourage employees to help decrease communications costs by using Skype whenever possible?

The answer, for many, is directly linked to productivity: If employees have access to games, app boutiques, and social networking sites, chances are they will fritter away their time while on the clock, right?

That argument is weak, says Pete Lindstrom, vice president of research at Spire Security, a risk and cyber-security analysis firm in Malvern, Pa. “I'm generally not a fan of blacklisting for productivity-preserving purposes, primarily because I think that humans are great at finding ways to waste time,” he says. And if they don't waste it online, they will waste it somewhere else or in some other way.

Security is another issue, especially for companies in highly regulated industries. “To the extent that we are trying to get smarter about security, and are blacklisting in order to protect against things like drive-by downloads, spyware, and various types of attacks against systems, then I'm generally supportive of the notion,” Lindstrom says.

Even firms operating under less restrictive regulations can fall prey to, say, the likes of Dropbox. All that's needed is for a disgruntled employee to download valuable client lists or trade secrets onto his or her personal hard drive, and the company has a potential disaster on its hands.

For the majority of organizations, however, blacklisting is a question of balance. Banning presumably responsible adults from full Internet access usually results in decreased employee morale, which is not so great if there is an interest in maintaining productivity.

For Lindstrom, if blacklisting seems like a company's only option, then the company's leadership needs to explain itself clearly. “I would hope that management, in talking about blacklisting, would be clear in their objectives and also fair to their employees,” he says. “If it's because of a specific security concern, then they should have a very specific reason as to why it exists, and why there isn't a better way [to protect against it].”
