Insider Threats Drive Rising Costs of Data Breaches, Reports Highlight Risks from Employee Departures A growing body of research underscores the severe financial and operational risks posed by insider threats particularly when employees leave an organization. According to IBM’s Cost of a Data Breach Report 2025, the global average cost of a data breach reached $4.44 million, with malicious insider attacks incurring even higher losses at $4.92 million. Even unintentional insider errors carried a significant price tag, averaging $3.62 million. The risk of data loss escalates during employee departures, whether voluntary or involuntary. Verizon’s 2025 Data Breach Investigations Report found that privilege misuse where insiders abuse legitimate access remains a leading cause of breaches, driven by financial motives, espionage, or personal grievances. While not all incidents are malicious, many stem from misunderstandings over data ownership, weak bring-your-own-device (BYOD) policies, or employees transferring work-related materials to personal devices. Voluntary resignations introduce unique challenges. Some departing employees may unknowingly retain sensitive data, while others deliberately exfiltrate proprietary information such as client lists, source code, or product formulas to gain a competitive edge at a new employer. The risk intensifies with involuntary terminations. Cyberhaven’s 2024 Insider Risk Report revealed a 720% surge in data exfiltration in the 24 hours preceding a layoff, as disgruntled employees may sabotage systems, sell access to hackers, or leak confidential data. The nature of the threat varies by role, with high-level access increasing potential damage. Common targets of exfiltration include customer data, intellectual property, and design files, often transferred via personal cloud storage, removable media, or generative AI tools. Remote employees are more likely to use unsecured methods like Bluetooth or AirDrop, further complicating detection. With insider threats accounting for a substantial share of breaches, organizations face a dual challenge: mitigating both accidental exposure and deliberate misuse of access particularly during periods of workforce transition.

Cyberhaven fell victim to a supply chain attack when threat actors compromised at least 16 Chrome browser extensions, one of which was Cyberhaven's own Chrome extension. This incident led to the exposure of data for over 600,000 users. Upon stealing an employee's credentials via phishing on December 24, attackers pushed a malware-infested version to the Chrome Web Store. The malicious extension harvested cookies and access tokens. Version 24.10.4 of the Cyberhaven extension was compromised, affecting users who updated their extensions between December 25 and 26. The intrusion was identified swiftly and addressed within an hour, but it was part of a larger campaign aimed at Facebook Ads users.

Browser-Based Attacks Surge as Enterprises Struggle with Session Hijacking and AI Risks Cybersecurity leaders warn that browser-based attacks have become a dominant threat vector, with 95% of enterprises experiencing incidents in the past year most undetected by traditional security tools. Attackers increasingly exploit the browser as an execution layer, hijacking authenticated sessions, abusing extensions, and leveraging AI tools to exfiltrate data, all while bypassing multi-factor authentication (MFA) and perimeter defenses. ### The Browser as a Blind Spot Modern adversaries no longer need to "break in" they log in using stolen credentials or session tokens, then operate undetected within trusted browser sessions. Traditional security tools, designed to inspect traffic before authentication, lose visibility once access is granted. As Elia Zaitsev, CTO of LayerX, notes, "The browser was treated as a window, not an execution layer," but today, it hosts SaaS applications, cloud identities, and AI workflows, making it the primary attack surface for enterprises. Key vulnerabilities include: - Session hijacking: Attackers replay valid tokens from anywhere, inheriting credentials but not normal behavior patterns. Detection requires correlating browser activity with identity, endpoint signals, and threat intelligence something siloed tools can’t do. - Malicious extensions: 99% of enterprise users have at least one browser extension, with 53% holding high-risk permissions (e.g., access to cookies, passwords, or page content). Extensions like ShadyPanda’s "Clean Master" legitimate for seven years before being weaponized demonstrate how trust can be exploited overnight. - AI-driven exfiltration: Legitimate GenAI use and data theft appear identical at the network level. Both involve encrypted browser sessions to approved SaaS endpoints, but browser-layer controls can distinguish between approved and unauthorized data movement. ### Real-World Attacks Highlight the Risks - Trust Wallet breach (2024): Attackers used a leaked Chrome Web Store API key to push malicious updates, draining $8.5 million from 2,520 wallets within 48 hours no phishing or zero-days required, just abuse of auto-update mechanisms. - Cyberhaven attack (2024): A phished developer’s credentials led to a malicious Chrome extension auto-updating to 400,000 corporate customers on Christmas Eve. Traditional tools web gateways, cloud access brokers, and endpoint protection failed to detect it. - GenAI-related data loss: 14% of all data security incidents now involve AI tools, with GenAI traffic surging 890% in 2024. Employees unknowingly paste sensitive data into unvetted AI platforms, creating new exfiltration paths. ### How Enterprises Are Fighting Back CISOs deploying browser-layer controls report six consistent operational patterns to reduce exposure: 1. Extension inventory and risk assessment: Enumerate all extensions, flag high-risk permissions, and cross-reference against known-malicious hashes. 2. Delayed auto-updates: Implement 48- to 72-hour version pinning to contain supply chain attacks (e.g., Cyberhaven’s 25-hour detection window). 3. Data loss prevention (DLP) at the browser layer: Block copy-paste or file uploads to unapproved AI tools, social media, or personal file shares. 4. Behavioral anomaly detection: Correlate browser activity with identity and endpoint signals to spot impossible travel, permission escalation, or bulk data access. 5. GenAI policy enforcement: Allow AI tool usage while restricting sensitive data input (e.g., blocking copy-paste into ChatGPT but permitting research queries). 6. Integration with SOC workflows: Feed browser telemetry into existing security operations for real-time triage, reducing alert fatigue. ### The Vendor Landscape: Two Approaches The market is split between two strategies: - Browser replacement: Vendors like Island advocate for purpose-built enterprise browsers to replace Chrome or Edge, offering deeper control but requiring user adoption. - Security layers: Companies like Menlo Security and Cloudflare add protection atop existing browsers, preserving user choice but with limited visibility into unmanaged browsers. Acquisitions underscore the urgency: Palo Alto Networks acquired Talon in 2023, and LayerX secured $1.16 billion in funding in January 2026, signaling a shift toward browser-centric security. ### The Core Challenge As Sam Evans, CISO of a Fortune 500 company, puts it: "The browser is the device people use day in and day out it carries the highest risk." Traditional security architectures assume trust ends at login, but attackers now operate inside live sessions, abusing valid identities and tokens. Closing the gap requires treating the browser as both an execution environment and an attack surface, not just infrastructure. Without these controls, enterprises remain vulnerable to attacks that bypass MFA, evade detection, and exploit the very tools employees rely on.