NordLayer has released the Why Browser Security Can’t Wait: Web-based Threats Report 2026. The findings show that as work applications increasingly shift to the browser, attackers are shifting with them — 82% of surveyed IT professionals report their organization experienced a web-based security incident in the past year, with half describing the impact as moderate or severe.
Organizations that experienced significant-impact incidents follow distinct patterns: They more often allow bring-your-own-device (BYOD) policies (85% vs. 60% overall), have employees who primarily use their own devices (51% vs. 31%), rely more extensively on SaaS tools (56% vs. 31%), and have established fully or primarily remote work policies (35% vs. 17%).
Expectations vs. reality
Despite frequent incidents, 73% of IT professionals say their organization is well prepared — yet their own responses tell a different story. Coverage is modest and uneven: Data loss prevention (DLP) tools lead at just 53%, with other browser security controls trailing below that mark. Nearly all IT professionals report that their organizations are concerned about web-based threats (98%), and most expect escalation — 81% foresee greater sophistication and 73% anticipate more incidents over the next few years.
“There’s a clear gap between recognizing the threat and knowing how to address it,” says Buinovskis. “Concern is high, but awareness of which controls actually solve browser-specific risks is low. Much of the initial confidence most likely comes from having general security controls in place, yet they rarely adequately cover risks in the browser.”
NordLayer’s analysis of 504 unique, highest rated and most reviewed applications listed on 51 unique software categories on Gartner® Peer Insights™, a community-driven software review platform, found that 100% of the applications were browser accessible and 78.8% were browser only (Full methodology located here). Meanwhile, data analyzed by NordLayer and NordStellar, a threat exposure management platform, shows that infostealer malware harvested around 1.8 million credentials and nearly 68.8 billion cookies in 2025, peaking in November.
“Hackers don’t hack anymore, they just log in,” says Buinovskis. “Stolen cookies and credentials grant immediate access without raising alarm bells — a login looks legitimate. It’s low risk, high reward, and as reliance on web-based SaaS grows, so does the value of stolen data. Attackers will keep exploiting this until organizations secure the browser as a critical boundary.”
Practical steps to protect the browser
Buinovskis highlights three priorities for organizations looking to strengthen browser security.
1. Establish observability. Security administrators need visibility into what SaaS tools employees are using, what browser extensions are installed, and whether employees are visiting malicious or unauthorized websites. This minimizes shadow IT and reduces the risk of accidental malware downloads or data exposure.
2. Proactively block threats. Use domain name system (DNS) filtering to block access to malicious content or specific website categories like AI tools or gambling, and deploy data loss prevention (DLP) tools to restrict file uploads, downloads, and copy/paste functions — especially where employees handle personal or financial data.
3. Adopt a zero-trust approach. “Trust can’t be considered inherent — every user needs to be verified,” says Buinovskis. “Applying zero trust allows security administrators to implement network segmentation at the browser level, ensuring employees only access necessary resources and infiltrators are denied entry.”
To read the full Why Browser Security Can’t Wait: Web-based Threats Report 2026, please visit: https://nordlayer.com/browser-research-report/.
Related
This entry was posted on May 20, 2026 at 8:24 am and is filed under Commentary with tags NordLayer. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.
8 in 10 IT professionals report their organization experienced a web-based security incident in the past year
NordLayer has released the Why Browser Security Can’t Wait: Web-based Threats Report 2026. The findings show that as work applications increasingly shift to the browser, attackers are shifting with them — 82% of surveyed IT professionals report their organization experienced a web-based security incident in the past year, with half describing the impact as moderate or severe.
Organizations that experienced significant-impact incidents follow distinct patterns: They more often allow bring-your-own-device (BYOD) policies (85% vs. 60% overall), have employees who primarily use their own devices (51% vs. 31%), rely more extensively on SaaS tools (56% vs. 31%), and have established fully or primarily remote work policies (35% vs. 17%).
Expectations vs. reality
Despite frequent incidents, 73% of IT professionals say their organization is well prepared — yet their own responses tell a different story. Coverage is modest and uneven: Data loss prevention (DLP) tools lead at just 53%, with other browser security controls trailing below that mark. Nearly all IT professionals report that their organizations are concerned about web-based threats (98%), and most expect escalation — 81% foresee greater sophistication and 73% anticipate more incidents over the next few years.
“There’s a clear gap between recognizing the threat and knowing how to address it,” says Buinovskis. “Concern is high, but awareness of which controls actually solve browser-specific risks is low. Much of the initial confidence most likely comes from having general security controls in place, yet they rarely adequately cover risks in the browser.”
NordLayer’s analysis of 504 unique, highest rated and most reviewed applications listed on 51 unique software categories on Gartner® Peer Insights™, a community-driven software review platform, found that 100% of the applications were browser accessible and 78.8% were browser only (Full methodology located here). Meanwhile, data analyzed by NordLayer and NordStellar, a threat exposure management platform, shows that infostealer malware harvested around 1.8 million credentials and nearly 68.8 billion cookies in 2025, peaking in November.
“Hackers don’t hack anymore, they just log in,” says Buinovskis. “Stolen cookies and credentials grant immediate access without raising alarm bells — a login looks legitimate. It’s low risk, high reward, and as reliance on web-based SaaS grows, so does the value of stolen data. Attackers will keep exploiting this until organizations secure the browser as a critical boundary.”
Practical steps to protect the browser
Buinovskis highlights three priorities for organizations looking to strengthen browser security.
1. Establish observability. Security administrators need visibility into what SaaS tools employees are using, what browser extensions are installed, and whether employees are visiting malicious or unauthorized websites. This minimizes shadow IT and reduces the risk of accidental malware downloads or data exposure.
2. Proactively block threats. Use domain name system (DNS) filtering to block access to malicious content or specific website categories like AI tools or gambling, and deploy data loss prevention (DLP) tools to restrict file uploads, downloads, and copy/paste functions — especially where employees handle personal or financial data.
3. Adopt a zero-trust approach. “Trust can’t be considered inherent — every user needs to be verified,” says Buinovskis. “Applying zero trust allows security administrators to implement network segmentation at the browser level, ensuring employees only access necessary resources and infiltrators are denied entry.”
To read the full Why Browser Security Can’t Wait: Web-based Threats Report 2026, please visit: https://nordlayer.com/browser-research-report/.
Share this:
Like this:
Related
This entry was posted on May 20, 2026 at 8:24 am and is filed under Commentary with tags NordLayer. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.