The enterprise browser: Securing work where it actually happens

From accounting and client management to documents and AI assistants, the browser has become the busiest surface in enterprise work, but the least secure. Work has changed. Controls have not.

Microsoft 365, Salesforce, ServiceNow, HR systems, finance platforms, file sharing and the generative AI tools staff use every day all now run in the browser. Applications that used to live on the desktop, or behind a VPN in the data centre, have moved.

For most organisations, the issue isn't the sophistication of security, but whether it is aligned to how work happens. The browser is the new workplace.

Security models were built for a time when data lived on-premises, staff worked from the office and IT controlled the device. Now data lives in SaaS and staff work across locations and devices in the browser. The assumption that securing the network edge, device and identity covers the risk no longer holds.

Security can feel like a handbrake

For executives and staff, traditional security shows up as friction. Password resets, sessions that time out, VPNs to set up, blocked apps and limits on personal and contractor devices all slow the business down – and people work around them. Files get sent to personal email, documents uploaded to external tools and client work done on laptops the organisation never issued.

None of this is deliberately risky; it’s just people doing their jobs as efficiently as they can.

Will cut-and-paste bring you unstuck?

Everyday work like summarising a PDF report, drafting a proposal response or analysing spreadsheets is happening inside browser tabs that data loss prevention, firewall and endpoint tools can’t see into. Data can move from a sanctioned system to an unmanaged one in a single keystroke, with no record of it happening.

Recent research [1] found:

  • 77% of GenAI users paste data into prompts, often including personal or payment information
  • 82% of those pastes come from personal or unmanaged browser accounts
  • Copy-paste has overtaken file transfers as the leading corporate data exfiltration method

More security risk is being created during legitimate work than during malicious activity. That’s what traditional controls were never designed to catch.

Highly regulated sectors feel this most acutely

From finance to healthcare, the browser has become the operating system for professional work. Take a clinician’s browser. There’s a medical record open, a rostering system, a finance platform, email and an AI assistant summarising a referral letter. Every tab is handling sensitive information that could end up copied, pasted or uploaded somewhere else. After hours, they open the same apps on a personal phone or laptop. All these sessions run inside a browser, and most are invisible to the security controls meant to protect them.

For clinicians, administrators and contractors, the browser is where care is delivered, decisions are made and sensitive information is handled.

In the first half of 2025, healthcare accounted for 18% of all notifiable data breaches reported to the Office of the Australian Information Commissioner, more than finance and government. Human error drove 37% of breaches that period, up from 29% in the previous six months [2].

In public health, large distributed workforces, shared clinical workstations, rotating staff and legacy platforms make device-centric security difficult to sustain. In private health, the use of locums, visiting specialists and contracted nursing staff, alongside rapid AI adoption and commercial sensitivity, creates different exposures.

Browser-level controls help tackle both these issues at their source.

A sharper conversation for boards

For audit and risk teams, browser-level controls change the conversation around likelihood. Incidents will still happen, but routine errors become much less likely. 

The controls also generate the kind of evidence boards can measure, optimise and reference in audit papers – session records, policy enforcement logs and data movement captured at the point of interaction. 

Risk becomes easier to articulate, defend and govern, with fewer compensating controls and consistent enforcement across environments.

At CSO Group, we’re helping clients make this shift, particularly where shared workstations, distributed workforces and AI adoption have outpaced what device and network controls can cover.

CSO Group will be at the Digital Health Festival at MCEC in Melbourne on 20–21 May 2026, with our partner Island. Come and talk browser security with us there, or contact the CSO Group team.

References
1. LayerX, Enterprise AI and SaaS Data Security Report 2025
2. Office of the Australian Information Commissioner, Latest Notifiable Data Breach statistics for January to June 2025

Paul Edmondson is Chief Revenue Officer at CSO Group, Australia’s trusted cybersecurity partner. Learn more at csogroup.com.au.
