82% of IT pros report a web-based security incident in past year – BYOD, SaaS tools, and remote work policies all play a part in security resilience

News
By published

Confidence is high, despite malware running rampant

World Password Day 2025
(Image credit: Shutterstock)
  • NordLayer’s Web‑based Threat Report 2026 found a gap between confidence and reality: 73% of firms feel prepared, yet 82% suffered browser‑based attacks
  • Malware harvested 1.8M credentials and 68.8B cookies last year, with stolen logins enabling silent intrusions as SaaS reliance grows
  • Researchers stress browsers are the critical boundary, urging stronger DLP and controls to address uneven coverage and escalating web‑threat sophistication

Most businesses believe they are well-prepared to face cyberattacks, but the number of successful breaches in the last year alone paints a different picture.

Earlier this week, NordLayer released a new report, called “Why Browser Security Can’t Wait: Web-based Threat Report 2026.” In it, the company states that while 73% of organizations claim to be prepared for web-based attacks and are confident in their solutions, 82% experienced some form of web-based attack.

The paper is based on an analysis of 504 “highest rated and most reviewed work applications”, an analysis of data stolen from various infostealers, and a survey of 405 US cybersecurity and IT professionals.

Latest Videos From

Hackers don't hack anymore

NordLayer stresses that coverage is “modest and uneven”, with data loss prevention tools (DLP) leading at just 53%, followed by other security controls. Nearly all IT professionals reported that their organizations are concerned about web-based threats (98%), and most expect escalation. In fact, 81% expect greater sophistication and 73% believe there will be more incidents in the coming years.

“There’s a clear gap between recognizing the threat and knowing how to address it,” says Buinovskis. “Concern is high, but awareness of which controls actually solve browser-specific risks is low. Much of the initial confidence most likely comes from having general security controls in place, yet they rarely adequately cover risks in the browser.”

The researchers also stressed that 100% of the tested applications were browser-accessible, and almost four in five (78.8%) were browser-only. At the same time, malware was able to harvest 1.8 million credentials and 68.8 billion cookies last year.

“Hackers don’t hack anymore, they just log in,” says Buinovskis. “Stolen cookies and credentials grant immediate access without raising alarm bells — a login looks legitimate. It’s low risk, high reward, and as reliance on web-based SaaS grows, so does the value of stolen data. Attackers will keep exploiting this until organizations secure the browser as a critical boundary.”

Best antivirus software header
The best antivirus for all budgets

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

Google logo on a black background next to text reading 'Click to follow TechRadar'

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.