The 2024 Browser Security Report warns that your browser could be a security minefield


As the browser becomes the most common workspace in modern business, it is increasingly targeted by cyber attackers. Whether through account takeovers, malicious extensions, or phishing attacks, browsers are often exploited to steal sensitive data and infiltrate organizational systems.

Security leaders designing their security architectures need detailed insights into the browser threat landscape. LayerX’s recent “Annual Browser Security Report 2024” offers an extensive analysis of the evolving threats to browser security.

This thorough report identifies critical vulnerabilities and attack vectors that pose significant risks to enterprise security. It enables decision-makers and stakeholders to assess the security challenges in their environments and make informed decisions. Below, we detail key findings from the report and a summarised list of security recommendations. For a comprehensive understanding, we recommend reading the full report, which includes detailed examples and additional sections not covered here.

 

Key Findings from the Report

  • Hybrid Work Risks – Unmanaged devices and personal browser profiles are primary vectors for cyber threats, like data leakage and phishing. The risk is widespread – 62% of the workforce is using unmanaged devices to access corporate data and 45% of all browsers within corporate devices use personal profiles.
  • Browser Extension Threats – 33% of all extensions within an organization pose a high risk, with 1% of installed extensions known to be malicious. The report highlights how deceptive extensions are used by attackers to hijack user data and lead users to phishing sites.
  • Shadow SaaS Risks – The clandestine use of Shadow SaaS applications by employees creates significant vulnerabilities, like blind spots in identity management.
  • Identity Vulnerabilities – Shared accounts and Single Sign-On (SSO) practices lead to increased risks of unauthorized access. Incidents like the 23andMe data breach highlight the dangers of shared identities.
  • Gen-AI and LLM Vulnerabilities – 7.5% of employees risk data exposure by pasting or typing sensitive information into Generative AI tools like ChatGPT. There is a critical gap in the security community in understanding the risks associated with AI tools in corporate environments.
  • AI-Powered Threats – AI can be used to enhance attacks, from malware to phishing to browser extension exploitation to supply chain attacks. These threats leverage AI-driven personalization to make attacks more convincing and difficult to detect, or they use AI algorithms to improve attacking capabilities.
  • Unpatched Vulnerabilities – Unpatched vulnerabilities in browsers pose a significant risk. There are differences in patching times among browsers.

Recommendations for Security Leaders

To combat these threats, the report’s analysts recommend a multifaceted approach:

  • Update browsers regularly and push security patches promptly to mitigate risks from outdated software.
  • Restrict unauthorized extensions and regularly review permissions to prevent data theft.
  • Train employees to identify and report suspicious emails and websites.
  • Implement conditional access controls and promote clear BYOD policies to secure personal devices used for work.
  • Enforce MFA and educate employees on password hygiene to enhance account security.
  • Enforce secure configurations and the whitelisting of extensions.
  • Restrict access to sensitive data based on user roles.
  • Use advanced tools to detect and analyze browser data for threats, ensuring proactive threat mitigation.

Read the full report here
