Enterprise reliance on browsers is growing, and so are the associated risks stemming from dangerous employee web behaviour.
According to Andrius Buinovskis, a cybersecurity expert at NordLayer, some employee activity that may go undetected by security teams can result in confidential data and industry secrets leaks or violations of GDPR.
Research has found that 80% of employees can complete 80% of their work tasks using the browser. While the shift to the browser can increase productivity and collaboration by speeding up processes, it’s also accompanied by risks.
“Companies are embracing web-based software as a service (SaaS) applications for various benefits, such as cost reduction and increased efficiency. However, due to increasing dependency, the browser is becoming a significant cybersecurity concern,” says Buinovskis.
“Aside from attracting the attention of cybercriminals, it’s also become a hub for insider threats or employee error, which can result in devastating security breaches. The most concerning element is the lack of observability security teams might have into employee activity in the browser, creating an alarming blind spot.”
Can security teams see what employees are doing in the browser?
According to Buinovskis, if employees use a traditional browser, security teams’ observability of what people do in the browser is existent yet limited. Solutions like ADR (automated detection and response) and XDR (extended detection and response) can incorporate TLS (transport layer security) inspection and provide extensive activity monitoring and securing capabilities.
However, they require significant financial and human resources to implement and maintain. The hefty price tag might ward off small to medium-sized businesses from the investment, exposing them to browser-based threats.
“Traditional browsers are not built with security and observability in mind — their primary target is to provide a user-friendly interface. These capabilities are more or less sufficient for personal use but are inadequate to safeguard a business,” says Buinovskis.
“Even if a company has an extensive cybersecurity strategy and a large team of security experts at their disposal, the lack of built-in security and monitoring features in a traditional browser still leaves them vulnerable and more likely to experience a safety incident.”
The most dangerous threats to look out for
According to Buinovskis, the most dangerous threats that can result from employee activity in the browser include:
- Data exfiltration. Ill-intended employees can use the browser’s limited observability to steal confidential company information, such as industry secrets or client data stored on web-based apps, and share it through email or social media without being detected.
- Install unauthorized browser extensions. Some of these extensions are malicious and prey on unsuspecting users to collect sensitive data, modify browser behavior, and create security vulnerabilities. If a company uses a traditional browser, it’s challenging to monitor and control which extensions employees can download and minimise the risk of them installing malicious add-ons.
- Engage with unauthorized browser-based applications (shadow IT). Not all web-based SaaS applications are safe to use — some might have significant security vulnerabilities, resulting in data leaks or compliance violations. Without proper monitoring, these applications can go undetected, expanding the scope of unmanaged apps (shadow IT).
- Other insider threats. The traditional browser’s lack of observability and behavioral analytics makes it easier for malicious employees to fly under the radar and access sensitive data or converse with third parties. Depending on the scope, these actions can have dire consequences, such as industry secrets ending up in the hands of the competition.
“To safeguard against browser-based threats, companies need to invest in building and maintaining a comprehensive cybersecurity strategy that would provide a higher level of observability into employees’ activity on the browser or opt for browsers with built-in monitoring and security features,” says Buinovskis.
“However, it’s worth noting that even with comprehensive cybersecurity measures, monitoring browser usage across an organisation remains challenging if it lacks built-in security features. This gap allows certain user activity to go undetected.”
Buinovskis highlights that cybersecurity awareness training for employees is also a worthwhile investment. It helps to minimise the possibility of user error, such as interacting with unauthorised apps or downloading malicious browser extensions.