Safe Browsing and Web Security for Your Business

After email, the web browser is the most common delivery mechanism for malware, credential theft, and drive-by attacks. Staff who browse the web for legitimate work purposes — researching suppliers, checking industry news, accessing online services — are continuously exposed to web-based threats, most of which they would have no way to identify as such.

This post covers the browser security settings, DNS-level protection, and browsing habits that reduce the risk from web-based threats without making the web impractical for normal business use.

Browser Security: The Basics

Keep Browsers Updated

Web browsers are among the most actively exploited software categories because they handle untrusted content from the entire internet by design. Browser vendors release security updates frequently — sometimes multiple times per week for critical vulnerabilities. All major browsers (Chrome, Firefox, Edge, Safari) support automatic updates. Enable this. A browser that is even a few weeks out of date may be vulnerable to publicly known exploits.

Use a Supported, Mainstream Browser

Internet Explorer is deprecated and receives no security patches. Legacy versions of Edge, Firefox, or Chrome that staff haven't updated provide no defence against current threats. Niche or less-maintained browsers may have security features that lag behind the major vendors. For business use, a current version of Chrome, Edge, Firefox, or Safari — configured with auto-update — is the baseline.

Be Selective With Browser Extensions

Browser extensions run with significant access to your browsing activity: they can read the content of every page you visit, including pages where you enter credentials. Malicious or compromised extensions — including extensions that were legitimate when installed but have since been purchased by bad actors — are a meaningful attack vector. Review installed browser extensions periodically. Remove any that aren't in regular use or whose purpose is unclear. Source extensions only from official browser stores and check reviews before installing.

Look for HTTPS, But Don't Rely on It Alone

The padlock icon in your browser's address bar indicates that the connection is encrypted — that data passing between your browser and the server cannot be read by an intermediary. It does not indicate that the website is legitimate or safe. Phishing sites routinely use HTTPS because certificates are freely available and the padlock makes the site appear more trustworthy. HTTPS is necessary but not sufficient — it tells you the connection is encrypted, not that you're talking to the right party.

DNS Filtering: Protection at the Network Level

DNS (Domain Name System) is the internet's address book: it translates domain names into IP addresses when you try to visit a website. DNS filtering services intercept these lookups and block access to known-malicious domains before your browser ever connects to them.

Services such as Cloudflare Gateway, Cisco Umbrella, or Quad9 maintain databases of domains known to host malware, phishing pages, command-and-control servers, and other malicious content. When a device on your network tries to resolve a domain on the blocklist, the DNS filter returns no result — effectively blocking the connection before it's established.

DNS filtering is one of the most cost-effective network security controls available. Several providers offer free tiers suitable for small businesses (Cloudflare's 1.1.1.1 for Families, Quad9's free service), while business-grade products with more comprehensive categorisation and reporting are available at modest cost. Configuring your router to use a DNS filtering service applies the protection to every device on the network without requiring software installation on individual devices.

Avoiding Malicious Downloads

Drive-by downloads — malware delivered via a malicious or compromised website without any explicit user action — rely on unpatched browser or plugin vulnerabilities. Keeping your browser updated is the primary defence. Ensure browser plugins like Flash (now broadly discontinued) and Java Web Start are disabled or uninstalled, as these have historically been high-value exploit targets.

For files that are explicitly downloaded, the general principle is: download software only from official vendor websites or reputable sources. Searching for "download VLC" and clicking the first result is riskier than navigating directly to videolan.org. Search engine results for software downloads are a common vector for trojanised installers — software that appears legitimate but includes malware.

If you need to open a file that you are not certain about, many security vendors provide online sandboxes — VirusTotal is the most widely known — where you can upload a file and have it checked against dozens of malware detection engines before opening it locally.

Personal Browsing on Work Devices

Personal web browsing on work devices is a risk that many small businesses either ignore or try to prohibit entirely. Complete prohibition is typically unenforceable and creates resentment. A more practical approach is to acknowledge that personal browsing will occur, and to ensure that the security controls on work devices protect against the higher-risk categories of personal browsing activity: streaming sites that use aggressive advertising networks, torrent sites, software download portals, and adult content sites all have significantly higher rates of malicious advertising and drive-by download exposure than routine work-related browsing.

Your acceptable use policy should address personal browsing. DNS filtering will block the most obviously high-risk categories. Your endpoint security will catch some of what gets through. And awareness that work devices are monitored reduces the probability of the highest-risk personal browsing behaviour.

What to Do If Something Seems Wrong

Staff should know what to do if they believe they've clicked something they shouldn't have, or if their device starts behaving unusually after visiting a website. The answer in all cases is: stop what you're doing, disconnect the device from the network (turn off Wi-Fi, unplug the network cable), and tell your IT provider or security contact immediately. Do not try to fix it yourself; do not continue working on the device while it may be compromised. Speed matters — the faster the response, the less opportunity the attacker has.