For many organizations today, the web browser is the most powerful and important operating system they have. The more employees use generative AI and new cloud-enabled technologies, the greater the risk that they expose sensitive business data to fraud, cybercrime and other threats. As we reported in our recent research, 1 in 10 AI prompts generates sensitive content. In addition, more than 70% of today’s malware attacks start in browsers. This article explores the risks associated with browser use, the misuse of trusted platforms, and the vulnerabilities posed by browser extensions.
With remote work more common than ever, employees rely on their digital tools more heavily, and that reliance has completely shifted how they interact with technology. Today, about three-quarters of employees already use generative AI. Too many organizations are still in the dark about what’s being shared and about the dangers associated with third-party browser extensions. This behavior has far-reaching consequences: 34% of file uploads from corporate devices go to personal accounts.
The Vulnerability of Trusted Platforms
While cloud-based collaboration tools like Google Docs and Dropbox have made it easier to collaborate seamlessly from anywhere, these platforms have also introduced vulnerabilities of their own. According to a recent Google report, more than 150 well-known platforms have been hijacked to carry out phishing attacks and extract sensitive information. Attackers usually obfuscate their malicious links to make them look like valid URLs that come from these popular software-as-a-service (SaaS) providers.
This abuse presents a huge risk to businesses, as employees might unknowingly leak sensitive data through affected channels. These tools have simplified data access and the ability to share information widely. This convenience leads to careless data disposal habits, increasing the chance of a data breach.
Legacy Data Loss Prevention (DLP) systems were primarily designed around email and classic endpoints. They are reactive and unable to keep pace with the continually changing landscape of online threats. These legacy systems are ill-equipped to secure sensitive information passing through modern browser-based work.
The Risks of Browser Extensions
Browser extensions are another wild west of risk. Even more alarming, 10% of these extensions are marked as high or critical risk, or have been granted excessive permissions that allow them to access sensitive organizational data and the user's entire identity. Alarmingly, over one-fifth of browser extensions fall into lifestyle categories, such as shopping and social browser plugins. While these extensions might not be work-related, the security risk is just as high.
Employees tend to install these extensions themselves, sometimes without understanding the consequences. Overreaching extensions request an inordinate number of permissions that can leave organizational security in shambles. As a direct consequence, these vulnerabilities are being exploited by attackers, allowing them to obtain unauthorized access to sensitive information.
In addition, with the prevalence of generative AI tools, employees frequently paste API keys or sensitive customer data into browser-based applications without considering the potential consequences. Continuing to overlook such behavior puts corporate assets in jeopardy. It opens companies up to new data exfiltration threats that legacy systems simply can’t prevent.
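One way to surface the over-permissioned extensions described above is to audit each extension's manifest. The following is an added example, not code from the original article: the function name, the list of sensitive permissions and the three risk levels are assumptions chosen for illustration, and the sample manifests are constructed.

```python
import json

# Risk tiers below are assumptions made for this example; tune them to your policy.
HIGH_RISK_PERMS = {"cookies", "webRequest", "history", "clipboardRead",
                   "tabs", "scripting", "debugger", "nativeMessaging"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
PERM_KEYS = ("permissions", "optional_permissions",
             "host_permissions", "optional_host_permissions")

def audit_manifest(manifest):
    """Report the sensitive API permissions and all-site host access requested."""
    perms, hosts = set(), set()
    for key in PERM_KEYS:
        for entry in manifest.get(key, []):
            if not isinstance(entry, str):
                continue
            # Manifest V2 mixes host patterns into "permissions"; V3 separates them.
            if entry == "<all_urls>" or "://" in entry:
                hosts.add(entry)
            else:
                perms.add(entry)
    # Content scripts matched to every site can read whatever the user sees.
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))
    risky, broad = sorted(perms & HIGH_RISK_PERMS), sorted(hosts & BROAD_HOSTS)
    level = "critical" if risky and broad else "high" if risky or broad else "low"
    return {"name": manifest.get("name", "?"), "level": level,
            "risky_permissions": risky, "broad_hosts": broad}

# Constructed sample manifests (not real extensions).
SAMPLES = [json.loads(s) for s in (
    '{"name": "Coupon Helper", "manifest_version": 3,'
    ' "permissions": ["cookies", "tabs", "storage"], "host_permissions": ["<all_urls>"]}',
    '{"name": "Page Theme", "manifest_version": 2, "permissions": ["activeTab"],'
    ' "content_scripts": [{"matches": ["*://*/*"], "js": ["theme.js"]}]}',
    '{"name": "Team Notes", "manifest_version": 3, "permissions": ["storage"],'
    ' "host_permissions": ["https://intranet.example/*"]}',
)]

if __name__ == "__main__":
    for m in SAMPLES:
        print(audit_manifest(m))
```

In practice the dictionaries would be loaded from the manifest.json of each installed extension rather than from inline samples.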
The Phishing Epidemic
Phishing campaigns have grown more sophisticated, with 70% of phishing campaigns impersonating trusted services such as Microsoft, OneDrive or Office 365. This deceptive tactic takes advantage of the inherent trust that users have in these popular digital platforms. As employees use these services on a daily basis, they might not even notice when they receive a phishing email.
The intersection of generative AI use and phishing creates an especially troubling picture. Employees who use AI tools can accidentally disclose sensitive information with no knowledge of the dangers involved. This lack of awareness is indicative of a larger culture of complacency around cybersecurity practices within organizations today.
Attackers frequently mask themselves behind URLs associated with reputable SaaS platforms. This tactic severely impairs employees’ ability to distinguish legitimate communications from nefarious ones. As a result, companies need to do a better job of training and raising awareness among employees so they can identify and react appropriately to phishing attacks.