
Browser Security Basics For Small Business Owners

Most malware doesn't come through email attachments anymore. It comes through browsers — and your team uses browsers all day long.

Last updated: March 20, 2026

A controller at a Destin construction company spent two hours on the phone with "Microsoft Support" because a popup said her computer was infected. She gave them remote access. They installed software that captured her banking credentials.

She didn't open an attachment. She didn't visit a sketchy website. She was checking her email in Chrome when the popup appeared.

Browsers are the main workspace for most employees. And attackers know it.

What this solves (in real business terms)

Browsers are the gateway to your business data. Email, banking, cloud storage, customer portals, vendor tools — it all happens in a browser. When someone clicks a malicious link, visits an infected website, or enters credentials on a fake login page, the browser is the attack surface.

Browser security controls three things:

  • What your team can visit (blocking known malicious sites)
  • What happens when they visit (preventing drive-by malware downloads)
  • What credentials they share (warning on fake login pages)

What can go wrong

Tech support scams. The Destin scenario. Fake Microsoft, Apple, or "your ISP" popups convincing your team to call a number or install remote access software. The popup is often triggered by a website they visited, not something they downloaded.

Credential phishing. A link in an email takes your team to a page that looks exactly like Microsoft 365, QuickBooks, or your bank. The URL might be slightly wrong (micros0ft.com instead of microsoft.com). Chrome saves the password anyway because it thinks it's the real site.
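A check for the micros0ft.com pattern described above, as an added example that is not from the original article. The allowlist and sample URLs are constructed, and the subdomain test goes one step beyond the single-character swap the text mentions.

```python
from urllib.parse import urlsplit

# Constructed allowlist of domains where staff actually sign in.
TRUSTED = {"microsoft.com", "intuit.com", "google.com"}
# Digits commonly swapped in for look-alike letters.
DIGITS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def registrable(host):
    """Naive last-two-labels domain; production code should use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def skeleton(domain):
    """Collapse visually confusable spellings to one canonical form."""
    return domain.translate(DIGITS).replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance using a single rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]


def classify(url):
    """Return (verdict, imitated_domain); verdict is trusted, lookalike or unknown."""
    host = (urlsplit(url).hostname or "").lower()
    domain = registrable(host)
    if domain in TRUSTED:
        return "trusted", domain
    sub_labels = host.split(".")[:-2]
    for good in sorted(TRUSTED):
        if skeleton(domain) == skeleton(good) or edit_distance(domain, good) <= 1:
            return "lookalike", good
        if good.split(".")[0] in sub_labels:  # brand used as a subdomain label
            return "lookalike", good
    return "unknown", None


if __name__ == "__main__":
    for url in ("https://login.microsoft.com/", "https://micros0ft.com/login",
                "https://microsoft.com.account-check.example/", "https://example.org/"):
        print(url, classify(url))
```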

Compromised browser extensions. Ad blockers, PDF converters, emoji keyboards — browser extensions have full access to everything you do online. If the extension developer gets compromised or sells to a new owner, your traffic gets intercepted. A 2020 study found 20% of popular Chrome extensions had been sold to new developers without users being notified.

Drive-by downloads. You visit what looks like a legitimate site. The site is compromised. Malware downloads automatically without you clicking anything. Your antivirus might catch it, might not.

Saved passwords being stolen. Infostealer malware (described in our guide on credential theft) specifically targets browsers to extract saved passwords. If your team saves passwords in Chrome, that data is a target.

What it costs (honest ranges)

  • Chrome (free): Automatic updates, basic phishing protection, password breach monitoring
  • Business browser management: $0-$5/user/month (Microsoft Edge Business, managed Chrome policies)
  • DNS filtering (blocks malicious sites before your browser loads them): $1-$3/user/month (Cloudflare Gateway, OpenDNS, Quad9)
  • Managed security provider: Usually $10-$30/user/month and includes browser-related protections

Vendor questions (copy/paste)

  1. "Do you configure browser policies for our team, or do we get whatever defaults Chrome ships with?"
  2. "Do you block access to known malicious websites at the DNS level, or only after someone clicks?"
  3. "Are browser extensions managed? Can employees install any extension they want?"
  4. "Do you prevent saved passwords from being used on phishing sites?"
  5. "What happens if an employee visits a site that isn't blocked but still compromises their browser?"

Minimum viable implementation

Step 1: Use Chrome or Edge

Both update automatically and have decent built-in phishing protection. Safari is fine on Macs. Don't use Internet Explorer (retired) or generic browsers that don't auto-update.

Step 2: Enable Chrome's built-in protections

  • Go to chrome://settings/security
  • Enable "Standard protection" at minimum
  • Consider "Enhanced protection" for more aggressive phishing and download scanning
  • Enable "Warn you if passwords are exposed in a data breach" under safety check

Step 3: Block employees from installing random extensions

  • In Google Admin Console (if using Google Workspace), go to Devices > Chrome Management > App Management
  • Set policy: "Only approved extensions can be installed"
  • Start with a small approved list: LastPass, Grammarly (if used), your password manager

Step 4: Enable DNS filtering

  • Sign up for Cloudflare Gateway or OpenDNS
  • Change your router's DNS settings to point to the filtering service
  • This blocks known malicious domains before your browser even loads them

Step 5: Disable autoplay on sites you don't control

  • In Chrome settings > Privacy and security > Site Settings > Sound
  • Set to "Mute sites that play sound" or require user interaction first

Step 6: Train your team to recognize fake popups

  • Real tech companies don't put phone numbers in browser popups and ask you to call
  • If you see a popup telling you to call Microsoft, close the browser. Don't click the popup. Close Chrome entirely.
  • If you're worried, open a new browser window and go directly to the company's real website.
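One way to verify that Steps 2 and 3 are actually enforced rather than left to each user, as an added example that is not from the original article. It assumes the Chrome policies have been collected into a flat name-to-value JSON object (the format of Chrome's managed policy file on Linux); the sample policy and its extension ID are constructed placeholders.

```python
import json

# Constructed managed-policy contents. The 32-letter extension ID is a
# placeholder, not a real extension.
SAMPLE_POLICY = """
{
  "SafeBrowsingProtectionLevel": 1,
  "PasswordLeakDetectionEnabled": true,
  "ExtensionInstallBlocklist": ["*"],
  "ExtensionInstallAllowlist": ["aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"]
}
"""


def audit(policy):
    """Return a list of findings; an empty list means the baseline is met."""
    findings = []
    # SafeBrowsingProtectionLevel: 0 = off, 1 = standard, 2 = enhanced.
    if policy.get("SafeBrowsingProtectionLevel", 0) < 1:
        findings.append("Step 2: Safe Browsing is not enforced at Standard or higher")
    if policy.get("PasswordLeakDetectionEnabled") is not True:
        findings.append("Step 2: breach warnings for passwords are not enforced")
    # Approved-only installs need a wildcard blocklist; the allowlist
    # then carves out the approved exceptions.
    if "*" not in policy.get("ExtensionInstallBlocklist", []):
        findings.append("Step 3: users can install any extension (no '*' blocklist)")
    # Chrome extension IDs are 32 characters drawn from the letters a to p.
    for ext_id in policy.get("ExtensionInstallAllowlist", []):
        if len(ext_id) != 32 or not set(ext_id) <= set("abcdefghijklmnop"):
            findings.append(f"Step 3: malformed extension ID {ext_id!r}")
    return findings


if __name__ == "__main__":
    for label, policy in (("sample", json.loads(SAMPLE_POLICY)), ("unmanaged", {})):
        print(label, audit(policy) or "baseline met")
```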

When to hire help

Do it yourself if:

  • You have fewer than 15 employees
  • You're comfortable configuring Chrome policies in Google Admin or Microsoft Intune
  • You just need basic protections (automatic updates, DNS filtering, no random extensions)

Get help if:

  • You have non-technical employees who are likely to fall for tech support scams
  • You need centralized management across Windows and Mac
  • You want someone actively monitoring for malicious sites and browser-based attacks
  • You've already had a browser-based incident
