Most businesses believe they are well-prepared to face cyberattacks, but the number of successful breaches in the last year alone paints a different picture.

Last week, NordLayer released a new report, called “Why Browser Security Can’t Wait: Web-based Threat Report 2026.” In it, the company states that while 73% of organisations claim to be prepared for web-based attacks and are confident in their solutions, 82% experienced some form of web-based attack.

The paper is based on an analysis of 504 “highest rated and most reviewed work applications”, an analysis of data stolen from various info-stealers, and a survey of 405 US cybersecurity and IT professionals.

NordLayer stresses that coverage is “modest and uneven”, with data loss prevention tools (DLP) leading at just 53%, followed by other security controls. Nearly all IT professionals reported that their organisations are concerned about web-based threats (98%), and most expect escalation. In fact, 81% expect greater sophistication and 73% believe there will be more incidents in the coming years.

“There’s a clear gap between recognising the threat and knowing how to address it,” says Buinovskis. “Concern is high, but awareness of which controls actually solve browser-specific risks is low. Much of the initial confidence most likely comes from having general security controls in place, yet they rarely adequately cover risks in the browser.”

The researchers also stressed that 100% of the tested applications were browser-accessible, and almost four in five (78.8%) were browser-only. At the same time, malware was able to harvest 1.8 million credentials and 68.8 billion cookies last year.

“Hackers don’t hack anymore, they just log in,” says Buinovskis. “Stolen cookies and credentials grant immediate access without raising alarm bells — a login looks legitimate. It’s low risk, high reward, and as reliance on web-based SaaS grows, so does the value of stolen data. Attackers will keep exploiting this until organisations secure the browser as a critical boundary.”