Empowering Your Workforce to Be the Strongest Link
In a connected world, the web browser is a central component of enterprise security.
It’s become something of an axiom in the world of cybersecurity that the vast majority of breaches are due, at least in part, to human behavior—things like clicking on a link in a phishing email or navigating to a website that looks like (but isn’t) part of a frequently used Software as a Service (SaaS) application. And at that point, the web browser may be the only thing standing between the user and a malware payload that can wreak havoc on a business.
“Preventing human error or bad behavior is important. And if more of that can be done within the browser, by default, enterprises might feel more comfortable using browsers for more application cases,” says Chalan Aras, managing director, cyber & strategic risk, at Deloitte. “Having a browser that is secure is absolutely critical.”
The web browser, once more associated with consumer services like online shopping and social networking, is now a critical piece of business software. With the rise of SaaS, cloud-based apps accessed through browsers have displaced many traditional desktop programs in some organizations. This, says Andrew Whalley, director, Chrome security at Google, is a major advantage for overtaxed IT teams. “Previously, an IT organization might need to make sure that a word processor, spreadsheet, document viewer, email program and various enterprise-specific applications were all up to date,” he says, in order to keep them secure. “We now access those using a browser.” However, Whalley adds, that means it’s up to browser developers to keep enterprise users safe from attacks. “The ability to safely visit any website is what gives the web such flexibility and power,” he says. “I think of a browser’s main responsibility as keeping users safe, even if they are attempting to visit a malicious website.”
Protecting and Empowering
For major businesses like Roche—one of the world’s largest biotech companies with over 100,000 employees worldwide—browser security is now a key priority. Standardizing Chrome as its enterprise browser has allowed it to increase collaboration, efficiency and productivity without compromising security, according to Tim Erhart, global team head of security monitoring at Roche.

“Every health care company has to be extremely attentive to the security of its technology solution, and we’re no exception,” Erhart says. The company uses the extensive administrative controls of Chrome to block certain URLs across the company and to block attachment downloads from personal emails. Chrome Browser Cloud Management tools improve the user experience and enhance security through frequent, automated updates and the ability to push controls and permissions through Chrome to every user, regardless of the device used for access.
These threat and data protections “provide more visibility into important information our security teams need to protect our employees. In the case of suspicious activity or malicious files, we have the ability to pinpoint the source and take action quickly,” Erhart says. “The tools and features in Chrome, as well as the admin console, are easy for us in IT to use. Chrome has become a productivity tool for our workforce.”
For companies like Roche, Chrome also fits in with a zero trust approach to security, one that limits access to resources only to those with a proven need to use them. “One of the core tenets of zero trust,” Whalley says, “is moving security checks from a network to an employee’s device in a way that allows it to take advantage of identity information and device state, and for those to be considered when granting access to individual corporate resources.”
Ideally, Whalley says, zero trust should extend to the browser as well. Chrome can integrate with single sign-on services, access control policies, and user- and device-based authentication and authorization. Access can be granted based on contextual factors rather than determined by the network. “This allows workers to access corporate resources when they’re working on untrusted networks, like when they’re working at home,” he says.
User Experience and Security
The ability to use a tool without friction, Aras says, is a critical function of security. “The more intrusive security controls are, the less likely users will be happy about using those tools. They may choose a different application, because it’s easier to use,” he says. Pile enough friction points on top of each other, and employee buy-in—critical for enterprise security and productivity—can fade. People will naturally seek workarounds.
“Simplifying the user experience without compromising on security should be the approach browsers take to be a favorable choice,” Aras says.
That relationship between usability and security is one to which Google pays serious attention, Whalley says. “It’s one where we’ve done quite a lot of research. That can mean inviting people into a user research lab, asking them to perform tasks to see how they respond. Our engineers really want to understand how people are using the features we develop.”
Ultimately, Whalley says, “for a browser to be secure as it’s used day to day, security technologies themselves need to be ergonomic. For many of the sort of undercover features like sandboxing and site isolation, that means the user never notices they’re there; the features just provide protection. But for those that are user visible, they’ve got to be comprehensible and easy-to-use.”