- The challenges of creating an application blocklist
- A checklist of questions for your application blocklist
- A security policy should not be black-or-white
With the advent of remote and hybrid work, the line that separates work from personal life is increasingly hazy. This applies especially to our digital lives. When work still revolved around fixed hours on-site, admins could easily determine which applications to block. For example, a worker should not be able to access the Netflix application at the office during business hours.
The challenges of creating an application blocklist
Now the decisions on which applications to allow and which applications to add to an application blocklist are not so simple. Applications that were once clearly the realm of personal life may now have legitimate business uses. Adding them to an application blocklist could affect employee morale, disrupt the relevant business activities, and even waste more time, as employees search for a workaround, such as by attempting to install a virtual private network on the company-issued device or accessing the blocked application on a personal device.
It is in the interest of IT managers and their teams to develop a security policy that is not over-zealous. To help you develop an MDM policy that makes sense for a remote and mobile workforce, here is a four-point checklist for an application blocklist. Each part of the checklist is framed around a question that enterprises should ask themselves before deciding whether or not to block an application.
Enterprises should go through this checklist after determining the handful of apps that do not fall into any kind of gray area. With AirDroid Business, IT teams can easily add these offending apps – and any deemed unfit later on – to the application blocklist. The strength of this blocklist is that it is a living document: A business can add, and just as easily remove, applications as the business environment changes, which gives an MDM policy some much-needed agility.
A checklist of questions for your application blocklist
Does the application contribute to wellness in some way?
The integration of work and home life was stressful for many, and took a serious toll on their mental and emotional well-being. Fortunately, many HR teams responded with forward-thinking initiatives to encourage wellness in the workplace. Some of these programs may naturally involve applications, as they are one of the few ways to connect with a distributed workforce.
Fitness applications, such as Nike Run Club, may be part of an HR program designed to get workers to exercise regularly. Applications from massive open online course (MOOC) providers, such as Coursera or edX, may be part of an official learning and development program, or chosen by individual employees, who can then claim reimbursement from L&D as an educational benefit. Even an application like Spotify may have a legitimate use: The audio streaming platform has content to help people meditate.
To discover all of these cases for their security policy, IT managers and their teams should not just involve a token representative from HR, but representatives from every functional area, such as employee engagement, learning and development, and compensation and benefits. Close collaboration with HR may also help identify applications required by third parties. Fitness-tracking applications, such as Fitbit, can help people save on insurance premiums by meeting a certain level of activity. A business may even elect to keep some of these wellness-related applications without an official first- or third-party use, given the importance of wellness for modern workers.
Does the application enable communication with stakeholders?
Every business will have a designated communication platform, such as Slack, Discord, or Telegram. The problem with these is that they are most often only for full-time employees, even though every business must interface with many different stakeholders.
A business may engage with part-timers, consultants, contractors, and freelancers. Beyond stakeholders that work for a business, there are also partners and clients, suppliers and customers. Every industry has this breadth of stakeholders: Even in education, teachers may need to communicate with students, their parents, and other instructional or administrative staff, such as fellow teachers, tutors, or coaches.
In this kind of multi-stakeholder environment, it would be unrealistic to expect all of these individuals and groups to accept third-party access to an organization’s main communication platform. The simplest thing to do for an employee is often to just communicate through the preferred channel of the stakeholder, whether it is Viber, WhatsApp, or even Facebook Messenger.
As part of their security policy, IT managers and their teams should suss out these communication channels through internal dialogue, as preemptively blocking them could have disastrous consequences. Imagine if an organization blocked an application that is actually used by the account management team to deal with an important client. Because blocking an application can be tantamount to cutting off communication with a key stakeholder, this should only be done with the utmost care.
Does the application have industry-specific uses?
An application that should be blocked in most industries may have a specific use in another. Take for example the case of Hulu. For most companies, the presence of Hulu on a company-issued device will mean that the employee is trying to watch shows and movies. But if the business is in advertising, some employees may be checking Hulu to monitor the rollout and performance of their clients' video ads.
These industry-specific uses are common. A knowledge worker in a digital business would have no reason to use navigation applications like Waze and Google Maps. A company with a logistics arm, on the other hand, would have many employees in need of those apps, such as drivers trying to optimize their routes.
The same applies to traditional industries like healthcare. Doctors may use scheduling applications like Google Calendar to set meetings with patients. Up to 84% of healthcare providers may even use their mobile devices to provide post-patient support through both official and unofficial channels.
As with the other items in this checklist, the best way to identify industry-specific use cases is to speak with the necessary stakeholders at your organization. Doing so will prevent the costly and embarrassing scenario where an IT department adds an app to an application blocklist that is actually essential to an organization’s business.
Does the application pose a cybersecurity or reputational risk?
The previous questions on this checklist aim to prevent businesses from making false positives – that is, adding an app to an application blocklist that may have a legitimate business purpose. In cases like these, it may be best to err on the side of caution, conferring patiently with stakeholders to determine whether, and in what cases, an application should be blocked or allowed.
The one area where you should not compromise or delay a decision is applications that represent a cybersecurity or reputational risk. These instances are a reversal of the other gray areas: While these applications may appear to have a legitimate business purpose, the danger of using them is so great that it outweighs any potential benefits. These applications should be blocked from the get-go.
For example, some video conferencing applications may be particularly susceptible to Zoombombing, the practice of trolls interrupting business meetings, often by displaying offensive content such as gore or porn. IT managers and teams should make a case-by-case evaluation of which applications, while legitimate, should be blocklisted due to security concerns beyond normal risk. These applications pose not only a security risk, but a reputational one, as security breaches are a popular topic in business news.
Central to this process should also be offering an alternative application in the same category that IT has found to be more secure for the enterprise. This should be done through a formal canvassing and procurement process as well as technical examination, so the enterprise adopts the safest solution and not merely whatever first came to mind as an alternative. This practice reflects the overall approach that companies should take toward blocklisting: Rather than use this process only as an opportunity to identify what is wrong, organizations can also steer their stakeholders toward what is best.
A security policy should not be black-or-white
Even with this checklist, a business may not have all the information it needs to make a decision on whether to block or not block a given application right away. A strong MDM will not force you into this black-or-white choice either. Given how much the nature of work is changing, businesses must also have an agile security policy, one powered by an equally agile MDM.
To this end, AirDroid Business provides organizations with finer controls than just adding to a blocklist. If there is an application your IT team is uncertain about, you can monitor the situation before taking more decisive action.
On the “Alerts and Workflows” tab of your business account, there are two alert types that enable IT teams to observe an application. The first, “App Running Status”, can be configured to notify you when an application is launched; the second, “App Cellular Data Usage”, sends a similar alert when an application consumes a specified amount of cellular data. The information these alerts produce can serve as additional data points in choosing whether or not to block an application.
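As an added example (not AirDroid Business code or its API), the following Python sketch shows how events from the two alert types named above could be aggregated into per-app data points and fed into a living blocklist, where gray-area apps are monitored and escalated to human review rather than auto-blocked; the events, package names and field names are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample alert events, modelled loosely on the two alert types named in
# the text; the field names are assumptions, not the product's actual schema.
ALERTS = [
    {"type": "App Running Status", "app": "com.example.video", "device": "dev-01"},
    {"type": "App Running Status", "app": "com.example.video", "device": "dev-02"},
    {"type": "App Cellular Data Usage", "app": "com.example.video", "device": "dev-01", "mb": 820},
    {"type": "App Running Status", "app": "com.example.chat", "device": "dev-03"},
    {"type": "App Cellular Data Usage", "app": "com.example.chat", "device": "dev-03", "mb": 12},
    {"type": "App Running Status", "app": "com.example.maps", "device": "dev-04"},
    {"type": "App Running Status", "app": "com.example.unknown", "device": "dev-05"},
]

# The living blocklist as the checklist leaves it: apps already judged, plus the
# gray-area apps ("monitor") for which alert data is still being collected.
POLICY = {
    "block": {"com.example.casino"},
    "allow": {"com.example.maps"},  # e.g. justified by an industry-specific use
    "monitor": {"com.example.video", "com.example.chat"},
}

def summarize(alerts):
    """Aggregate alert events into per-app data points: launches, distinct devices, cellular MB."""
    stats = defaultdict(lambda: {"launches": 0, "devices": set(), "mb": 0})
    for a in alerts:
        s = stats[a["app"]]
        s["devices"].add(a["device"])
        if a["type"] == "App Running Status":
            s["launches"] += 1
        elif a["type"] == "App Cellular Data Usage":
            s["mb"] += a["mb"]
    return {app: {"launches": s["launches"], "devices": len(s["devices"]), "mb": s["mb"]}
            for app, s in stats.items()}

def triage(alerts, policy, mb_threshold=500, device_threshold=2):
    """Return a decision per app. Pre-judged apps keep their verdict; a monitored app that
    crosses a threshold is escalated to 'review' (a human decision), never auto-blocked."""
    decisions = {app: "block" for app in policy["block"]}
    decisions.update({app: "allow" for app in policy["allow"]})
    stats = summarize(alerts)
    for app in policy["monitor"]:
        s = stats.get(app, {"launches": 0, "devices": 0, "mb": 0})
        heavy = s["mb"] >= mb_threshold or s["devices"] >= device_threshold
        decisions[app] = "review" if heavy else "monitor"
    # Anything seen in alerts but absent from the policy needs a policy entry of its own.
    for app in stats:
        decisions.setdefault(app, "unclassified")
    return decisions
```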
Businesses with a strong MDM policy will likely take both actions: The IT team may block some applications outright, and collect more data on other applications before determining whether to add the app to the application blocklist. Businesses should choose MDM solutions that give them this range of options for their security policy, rather than one that locks them into only a few choices. That way, businesses can ensure their MDM policy keeps pace with the increasingly mobile workforce, providing them both the freedom and flexibility needed to inspire productivity among remote and hybrid workers.