
Why Your Browser Is the Most Dangerous App on Your Endpoints


The browser is, by most measures, the most used application in the modern workplace. It makes outbound network requests to virtually anywhere on the internet, renders and executes external code, handles authentication to dozens of services, and writes files directly to the filesystem. All of this happens constantly, as a normal part of someone’s workday.

It’s also one of the least governed applications on most endpoints. Organizations tend to have mature policies around things like PowerShell execution, software installation, and privileged access. The browser, despite doing more than most of those combined, often operates with surprisingly little scrutiny. That’s worth examining.

Downloads and the Visibility Gap

The risk becomes concrete the moment a user clicks a download link. A file leaves an external server, travels across the internet, and lands on a corporate endpoint, and in most organizations, very little stands between those two events beyond a post-download antivirus scan that runs after the fact with no policy context behind it.

That reactive model made more sense when threats were simpler. Today, malware is increasingly designed to evade signature-based detection, and some variants are built to lie dormant until they’ve established persistence. A scan alone doesn’t account for who downloaded the file, from where, under what conditions, or whether it should have been permitted in the first place.

Those are policy questions, and most organizations have no mechanism to answer them at the point of download.


What Browsers Actually Do on Your Endpoints

Part of what makes this difficult is the sheer variety of ways a browser can introduce files to an endpoint. Direct downloads are the obvious one, but browsers also handle files arriving through web-based email clients, cloud storage interfaces, and file sharing platforms. A user pulling a document from a shared Google Drive link and a user downloading an executable from a random forum are both, from a policy standpoint, just someone using their browser.

Most endpoint security tools don’t distinguish meaningfully between those two scenarios at the point of download. They apply the same post-arrival scan to both, treat them identically in logs, and give IT teams little ability to set different rules for different risk levels. The result is a flat, undifferentiated policy applied to a wide range of very different behaviors.

Browser Versions as an Attack Surface

Downloads aren’t the only vector. The browser itself, specifically which version is running, matters more than most organizations account for. Browser vendors patch vulnerabilities regularly, and the time between a patch being released and a corresponding exploit appearing in the wild has gotten shorter.

In distributed workforces, enforcing browser versions is harder than it sounds. Employees on home networks, personal devices used for work, or machines that haven’t checked in for a patch cycle can easily fall behind. Without visibility into which browser versions are running across the fleet, and without the ability to enforce minimums, organizations are essentially trusting that everyone kept up.
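The fleet check described above can be sketched as follows. This is an added example, not Admin By Request code; the inventory records, field names, minimum versions and the 14-day report window are all constructed assumptions.

```python
from datetime import date

# Constructed policy values; real minimums come from vendor release notes.
MINIMUMS = {"chrome": "120.0.0.0", "firefox": "121.0"}
MAX_REPORT_AGE_DAYS = 14
TODAY = date(2024, 1, 15)  # fixed so the sample is reproducible

def parse_version(text):
    # Compare numerically: as plain strings, "99.0" sorts above "120.0".
    try:
        return tuple(int(p) for p in text.strip().split("."))
    except ValueError:
        return None

def below(version, minimum):
    # Pad with zeros so "121" and "121.0" compare as equal.
    n = max(len(version), len(minimum))
    pad = lambda t: t + (0,) * (n - len(t))
    return pad(version) < pad(minimum)

def classify(record, today):
    minimum = MINIMUMS.get(record["browser"].lower())
    version = parse_version(record["version"])
    age = (today - date.fromisoformat(record["last_seen"])).days
    if minimum is None or version is None:
        return "unknown"        # no minimum set, or unparseable version
    if age > MAX_REPORT_AGE_DAYS:
        return "stale"          # report too old to say what runs today
    if below(version, parse_version(minimum)):
        return "below_minimum"
    return "ok"

def fleet_report(records, today):
    return {r["host"]: classify(r, today) for r in records}

SAMPLE_INVENTORY = [  # constructed records
    {"host": "laptop-01", "browser": "Chrome", "version": "120.0.0.5", "last_seen": "2024-01-10"},
    {"host": "laptop-02", "browser": "Chrome", "version": "99.0.1.2", "last_seen": "2024-01-14"},
    {"host": "home-07", "browser": "Firefox", "version": "121.0", "last_seen": "2023-12-01"},
    {"host": "byod-03", "browser": "Edge", "version": "120.0.0.1", "last_seen": "2024-01-15"},
    {"host": "desk-11", "browser": "Firefox", "version": "121", "last_seen": "2024-01-12"},
]

if __name__ == "__main__":
    for host, status in fleet_report(SAMPLE_INVENTORY, TODAY).items():
        print(f"{host:10} {status}")
```

The "stale" result matters as much as "below_minimum": a machine that has not reported within the window may look compliant on paper while running an older build.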

Shadow IT Makes This Harder

Overly restrictive controls create their own problems. When employees can’t access the tools or files they need through official channels, they find workarounds, and those workarounds are almost always less secure than the thing they were trying to avoid. Personal email accounts, consumer file sharing services, and unapproved cloud storage all become vectors when sanctioned options feel too restrictive or slow.

This is the core tension in browser governance. Too little control and the endpoint is exposed. Too much and you push behavior into channels with even less visibility. Getting that balance right requires something more granular than a blanket allow or block, with the ability to pre-approve trusted sources, route higher-risk activity through review, and maintain a full audit trail of what came in and from where.
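One way to express that kind of graded decision, using the Google Drive document and forum executable scenarios from earlier in the post. This is an added example, not Admin By Request's product logic; the trusted-host list, the extension list, the verdict names and the sample events are constructed assumptions.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed policy data for illustration only.
TRUSTED_HOSTS = {"drive.google.com", "files.corp.example"}
HIGH_RISK_EXTS = {".exe", ".msi", ".ps1", ".js", ".iso", ".lnk"}

@dataclass(frozen=True)
class Download:
    user: str
    url: str
    filename: str

def is_trusted(host):
    # Exact host or true subdomain only; a substring test would accept
    # lookalikes such as drive.google.com.cdn.example.
    host = host.lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)

def is_high_risk(filename):
    # Judge the final extension (notes.pdf.exe is an .exe); Windows drops
    # trailing dots and spaces, so strip them before looking.
    name = filename.lower().rstrip(". ")
    dot = name.rfind(".")
    return dot != -1 and name[dot:] in HIGH_RISK_EXTS

def decide(d, audit):
    # urlsplit().hostname ignores userinfo, so https://trusted@other/ is
    # evaluated as "other".
    parts = urlsplit(d.url)
    host = parts.hostname or ""
    if parts.scheme == "https" and is_trusted(host):
        verdict, reason = "allow", "pre-approved source"
    elif is_high_risk(d.filename):
        verdict, reason = "review", "high-risk file type, source not pre-approved"
    else:
        verdict, reason = "allow", "low-risk file type"
    # Every decision is recorded, including the ones that were allowed.
    audit.append({"user": d.user, "host": host, "file": d.filename,
                  "verdict": verdict, "reason": reason})
    return verdict

def run_samples():
    audit = []
    samples = [  # constructed events
        Download("alice", "https://drive.google.com/file/d/1", "q3-plan.docx"),
        Download("bob", "https://forum.example/attach/9", "driver-fix.exe"),
        Download("carol", "https://drive.google.com@dl.example/x", "notes.pdf.exe"),
    ]
    return [decide(s, audit) for s in samples], audit
```

The third sample shows why the host and extension are parsed rather than pattern-matched: the URL and filename both contain trusted-looking text, yet the download is routed to review.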


Where This Is Heading

Browsers aren’t going to become less central to how people work. If anything, the shift toward web-based applications means more of what employees do every day runs through a browser tab, which means the browser’s role as an entry point for both legitimate files and potential threats will only grow.

The controls organizations apply to other high-risk surfaces, things like privileged access, software installation, and remote connections, exist because someone recognized that ungoverned access in those areas created unacceptable risk. Browser-based downloads and web access haven’t historically received the same treatment, but the threat profile arguably warrants it.

We’re currently building a product specifically designed to address this. It will be Admin By Request’s forthcoming solution for endpoint-level browser and download control, and we’ll have more to share soon.

About the Author:


Pocholo Legaspi

Pocholo Legaspi is a seasoned content marketer and SEO specialist with over nine years of experience crafting digital content that drives engagement and growth. With a background in tech and a Master’s in Business Informatics, he brings a data-driven approach to content strategy and storytelling.
