Insider threats are the costliest cyber risk: Why aren’t business defenses holding up?

By Staff

As trusted members of an organization, employees can inadvertently or maliciously engage in risky cybersecurity behavior that is harder to detect and can lead to data breaches that can cost millions of dollars to remediate. Andrius Buinovskis, a cybersecurity expert at NordLayer, says that as more companies adopt a browser-first approach, mitigating insider threats will become even more challenging due to the limited visibility security administrators have into employee activity within the browser.

Cybersecurity risks that originate from within a company are referred to as insider threats. The term encompasses all threats emerging from dangerous employee activity, whether intentional or not. Deliberate employee actions — such as selling confidential data to competitors or leaking private information out of spite — are also called malicious insider threats.

In its most recent annual report, IBM found that malicious insider threats were the cause of the most financially devastating data breaches in 2024, with an average cost of $4.99 million per incident. Buinovskis explains several reasons why these cybersecurity incidents can pack a hefty punch.

“Employees have access to incredibly sensitive data and resources which, when leaked, can have devastating consequences to a company’s reputation, result in GDPR fines, or be used for ransomware demands,” says Buinovskis. “Insider threats pose a significant danger due to their high impact, but they’re also harder to detect. Employees are trusted members of the organization, and their malicious actions can blend in with usual activity, potentially going unnoticed for months.” 

Lurking in the Browser 

Buinovskis highlights that spotting malicious activity inside the organization has become even more challenging due to the rise of web-based software as a service (SaaS) applications.

“Consumer-grade browsers do not offer security admins a comprehensive view into employee activity, creating the perfect environment to carry out malicious activities without getting caught,” says Buinovskis. 

“As a result, the risk of data exfiltration, sharing credentials and confidential information, data theft, unauthorized web application use, and even sabotage by deleting or modifying critical information are all amplified in cloud-first, browser-heavy working environments.” 

He explains that in traditional IT environments, these threats can be mitigated by ADR (automated detection and response) and XDR (extended detection and response), which observe network connections, file-based systems, and desktop applications. However, their observability of browser activity is very limited. For example, they cannot distinguish normal work tasks from data exfiltration, or tell which records were accessed or downloaded.

Additionally, consumer-grade browsers do not offer the possibility of enforcing centralized security controls. Consequently, employees can act as they please: download malicious browser extensions, screenshot or copy sensitive data, and share it with outside parties — all of which can lead to devastating data breaches. 

“Companies are shifting to a browser-based working environment for greater efficiency and collaboration; however, as the reliance on the browser continues to grow, so will the cyber risks,” says Buinovskis. “This is especially true for small to medium businesses that might not even have had robust ADR and XDR solutions in the first place and now, consequently, have even less observability into their employee activity.”

Buinovskis explains that investing in cybersecurity awareness training for employees is the first step in mitigating unintentional insider threats. However, he emphasizes that businesses need to have comprehensive defenses in place to safeguard against employee error and malicious insiders. 

“The longer malicious employee activity remains undetected, the greater its impact and the more extensive the resulting damage. This underscores the importance of robust observability and rapid incident response,” says Buinovskis. 

“Companies must prioritize strict access controls, strong user authentication, and continuous employee activity monitoring to mitigate insider threats effectively. For organizations operating in a web-based SaaS environment, leveraging the built-in security tools and enhanced observability of an enterprise browser is essential for comprehensive protection.”
