Beter Geregeld ICT
Security without an IT department · 5 min read · 11 June 2026

Browser Extensions in Your SMB: The Risk Nobody's Tracking

PDF converters, screenshot tools, AI assistants: browser extensions creep into your organisation unnoticed. Here's how to find out what's installed — and what needs to go — in about an hour.

Ask five colleagues which browser extensions they have installed. Chances are you'll get answers like "erm… that PDF thing?" and "some AI one, I think". That's not a criticism — it's exactly how extensions work. They slip in via a handy tip from a colleague, a suggestion from ChatGPT, or a button on a website. And then they live on for years, with access to everything you do in your browser.

For an SMB without its own IT department, this is a blind spot you can largely close in a quiet hour. Here's how.

Why extensions are a serious risk

Depending on the permissions it was granted, a browser extension can access:

  • the content of every page you visit (your accounting software, webmail, and customer systems), and change what those pages show you;
  • everything you type into those pages, including passwords, whether typed by hand or filled in by a password manager;
  • cookies, which means your active logged-in sessions: a copied session cookie lets someone use your account from another machine, without your password;
  • in some cases your downloads, clipboard, bookmarks, and browsing history.

That's not necessarily a problem if the developer is trustworthy. The issue: extensions update themselves automatically and silently, and whoever controls the developer's store account controls those updates. A popular extension can be sold to a new owner, or the developer's account can be phished, and the next update contains ads, tracking, or outright malware. This isn't a theoretical scenario; it has happened repeatedly in recent years. You install a perfectly clean tool today and wake up to a data breach tomorrow, without having clicked a thing.

Three types of extensions you'll find in your SMB

1. The convenience tools

PDF mergers, screenshot tools, colour pickers, tab managers. Often free, often with aggressive permissions ("read and change all your data on all websites"). Many people install these once and never use them again.

2. The AI assistants

Over the past eighteen months, this has been the fastest-growing category. Summarisers, writing aids, "AI everywhere". Some literally send the content of every page you open to an external server. For a law firm or accountancy practice, that's a serious GDPR issue.

3. The legitimate work tools

Password managers, your video conferencing tool, your CRM plugin. These are exactly what you want, but even here: only install them from the official store, and only from the genuine vendor. There are fake versions that copy the name and icon, so check the publisher name on the store page and, ideally, follow the store link from the vendor's own website rather than searching the store.

The clean-up session: one hour's work

Schedule a short session with your team — for example, at your next team meeting. Here's the approach:

  1. Everyone opens their extensions overview. In Chrome/Edge: chrome://extensions or edge://extensions. In Firefox: about:addons. In Safari: Safari > Settings > Extensions.
  2. Make a list per person of everything installed, including the permissions ("can read all your data…"). In Chrome/Edge they are under Details for each extension; in Firefox on the Permissions tab of each add-on. Note the extension ID as well (Chrome/Edge show it in the address bar when you open Details; Firefox lists it at about:debugging#/runtime/this-firefox): that is what you need later if you want to enforce the list.
  3. Remove anything you don't recognise or haven't used in the past six months. When in doubt: out. You can always reinstall it.
  4. Check the remaining extensions: does the publisher name match the vendor, are the user count and reviews plausible for what it claims to be, when was the last update? An extension that hasn't been updated in two years is unmaintained; it may still be harmless, but nobody is fixing bugs in it, and abandoned extensions with a large user base are exactly the ones that get bought up.
  5. Write down what you allow: name, publisher, and ID. A simple list of "these extensions are approved for work browsers" works far better than a thick policy document nobody reads.
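The same inventory as a script, for when you would rather not have five people squinting at their extension pages during the meeting. This is an added example, not code from the article or from Beter Geregeld ICT. It reads the manifest.json files that Chrome and Edge keep under `<profile>/Extensions/<id>/<version>/` and the extensions.json inside a Firefox profile, and flags the two things worth discussing: access to all websites, and sensitive APIs such as cookies (your live sessions) and history. The default profile locations, the sample profiles written by `--demo`, and the extension IDs in them are assumptions; run it with `--demo` first to see the output shape, then without arguments against the real profiles on a machine.

```python
# Added example, not code from the original article: list the extensions in local browser
# profiles and flag broad permissions. The default profile paths below are assumptions.
import json, os, sys, tempfile
from pathlib import Path

# Host patterns that amount to "read and change all your data on all websites".
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions worth a second look (cookies = your live logged-in sessions).
SENSITIVE_APIS = {"cookies", "webRequest", "history", "downloads", "clipboardRead", "nativeMessaging", "debugger"}

def classify(permissions, host_permissions):
    """Short flags for one permission set; an empty list means nothing broad was granted."""
    perms, hosts = set(permissions or []), set(host_permissions or [])
    flags = ["ALL-SITES"] if (perms | hosts) & BROAD_HOSTS else []  # Manifest V2 lists hosts under "permissions"
    if perms & SENSITIVE_APIS:
        flags.append("API:" + ",".join(sorted(perms & SENSITIVE_APIS)))
    return flags

def _localize(value, ext_dir, default_locale):
    """Resolve a __MSG_key__ name through _locales/<locale>/messages.json when present."""
    if not (isinstance(value, str) and value.startswith("__MSG_") and value.endswith("__")):
        return value
    for locale in filter(None, (default_locale, "en", "en_US")):
        path = ext_dir / "_locales" / locale / "messages.json"
        if path.is_file():
            return json.loads(path.read_text(encoding="utf-8-sig")).get(value[6:-2], {}).get("message", value)
    return value

def scan_chromium(profile):
    """Chrome/Edge keep one Extensions/<id>/<version>/manifest.json per installed extension."""
    rows = []
    for manifest in sorted(Path(profile).glob("Extensions/*/*/manifest.json")):
        m = json.loads(manifest.read_text(encoding="utf-8-sig"))
        rows.append({"browser": "chromium", "id": manifest.parent.parent.name, "version": m.get("version", "?"),
                     "name": _localize(m.get("name", "?"), manifest.parent, m.get("default_locale")),
                     "flags": classify(m.get("permissions"), m.get("host_permissions"))})
    return rows

def scan_firefox(profile):
    """Firefox records each add-on, with the permissions it was granted, in extensions.json."""
    path = Path(profile) / "extensions.json"
    data = json.loads(path.read_text(encoding="utf-8")) if path.is_file() else {}
    rows = []
    for addon in data.get("addons", []):
        # Keep what the user installed; skip Mozilla's bundled system add-ons.
        if addon.get("type") != "extension" or addon.get("location") != "app-profile":
            continue
        granted = addon.get("userPermissions") or {}
        rows.append({"browser": "firefox", "id": addon.get("id", "?"), "version": addon.get("version", "?"),
                     "name": (addon.get("defaultLocale") or {}).get("name", "?"),
                     "flags": classify(granted.get("permissions"), granted.get("origins"))})
    return rows

def default_profiles():
    """Assumed default profile locations per OS: (Chrome/Edge 'Default' profiles, Firefox profiles)."""
    home = Path.home()
    if sys.platform == "win32":
        chromium = [Path(os.environ["LOCALAPPDATA"]) / p / "User Data/Default" for p in ("Google/Chrome", "Microsoft/Edge")]
        firefox_root = Path(os.environ["APPDATA"]) / "Mozilla/Firefox/Profiles"
    elif sys.platform == "darwin":
        chromium = [home / "Library/Application Support" / p / "Default" for p in ("Google/Chrome", "Microsoft Edge")]
        firefox_root = home / "Library/Application Support/Firefox/Profiles"
    else:
        chromium = [home / ".config" / p / "Default" for p in ("google-chrome", "microsoft-edge")]
        firefox_root = home / ".mozilla/firefox"
    firefox = [p for p in firefox_root.iterdir() if p.is_dir()] if firefox_root.is_dir() else []
    return [p for p in chromium if p.is_dir()], firefox

def build_sample_profiles(base):
    """Write constructed sample profiles under `base` (demo data only; the extension IDs are made up)."""
    pdf = Path(base) / "chromium/Extensions/abcdefghijklmnopabcdefghijklmnop/2.1.0_0"
    (pdf / "_locales/en").mkdir(parents=True)
    (pdf / "manifest.json").write_text(json.dumps({"manifest_version": 3, "name": "__MSG_appName__", "default_locale": "en",
        "version": "2.1.0", "permissions": ["cookies", "storage"], "host_permissions": ["<all_urls>"]}))
    (pdf / "_locales/en/messages.json").write_text(json.dumps({"appName": {"message": "Free PDF Tool"}}))
    (Path(base) / "firefox").mkdir()
    (Path(base) / "firefox/extensions.json").write_text(json.dumps({"addons": [
        {"id": "summariser@example.invalid", "type": "extension", "location": "app-profile", "version": "3.4",
         "defaultLocale": {"name": "AI Summariser"}, "userPermissions": {"permissions": ["tabs", "history"], "origins": ["*://*/*"]}},
        {"id": "webcompat@mozilla.org", "type": "extension", "location": "app-system-defaults", "version": "1",
         "defaultLocale": {"name": "Web Compatibility"}}]}))
    return Path(base) / "chromium", Path(base) / "firefox"

def run_demo():
    """Scan the constructed profiles and return the combined inventory (what --demo prints)."""
    with tempfile.TemporaryDirectory() as tmp:
        chromium, firefox = build_sample_profiles(tmp)
        return scan_chromium(chromium) + scan_firefox(firefox)

if __name__ == "__main__":
    if "--demo" in sys.argv:
        rows = run_demo()
    else:
        chromium_profiles, firefox_profiles = default_profiles()
        rows = [r for p in chromium_profiles for r in scan_chromium(p)] + [r for p in firefox_profiles for r in scan_firefox(p)]
    for r in rows:  # flags first, so the "all sites" ones stand out when the team reads the list
        print(f"{r['browser']:9}{' '.join(r['flags']) or '-':28}{r['name'][:30]:31}{r['version']:>9}  {r['id']}")
```

An `ALL-SITES` flag is the script's rendering of the store warning "read and change all your data on all websites"; anything carrying it that is not on the approved list is the first candidate for step 3. The script only reads files on disk, so it also works on a machine where the browser is closed, and the IDs it prints are the ones you need if you later turn the list into a browser policy.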

Prevent it from becoming a mess again within three months

A one-off clean-up helps, but without clear agreements things will pile up again. What works in practice for small teams:

  • Two-browser approach. One browser for work, one for personal use and experimentation. Sounds dull, works surprisingly well. Edge for work, Firefox for everything else, or the other way around. A separate profile in one browser also works: Chrome and Edge install extensions per profile, so a "Work" profile with only the approved extensions is isolated from a "Personal" profile.
  • "Just ask first" rule. Before anyone installs a new extension, one quick message in the team chat. No formal approval process — just make it visible.
  • Repeat twice a year. Ideally at the same time as your access check. Same moment, same habit: what do we actually have running?
  • Consider a managed browser. Working in Microsoft 365? Edge can be managed through Intune or the Microsoft 365 admin centre, so you can centrally enforce which extensions are allowed, blocked, or always installed. Chrome (via Chrome Enterprise) and Firefox (via a policies.json file) offer the same kind of policy. That takes the reliance on individual discipline out of the equation.
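What the approved list from the clean-up turns into once you enforce it, as an added example that is not code from the article or from any browser vendor. The policy names are the documented ones: ExtensionInstallBlocklist, ExtensionInstallAllowlist and ExtensionInstallForcelist for Chrome and Edge, and ExtensionSettings in policies.json for Firefox. The APPROVED list, its extension IDs and the Firefox install URL are hypothetical placeholders; replace them with the IDs from your own inventory.

```python
# Added example, not code from the original article: turn the team's approved-extension list
# into deny-by-default browser policies. Extension IDs and URLs here are hypothetical placeholders.
import json

# Chrome Web Store update URL, as used in ExtensionInstallForcelist entries ("<id>;<update url>").
CHROME_WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"

# Assumed approved list: the browser's own ID for each extension, and whether every work
# browser must have it (password manager) or may merely have it (video conferencing).
APPROVED = [
    {"browser": "chromium", "id": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "name": "Password manager", "force": True},
    {"browser": "chromium", "id": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", "name": "Video conferencing", "force": False},
    {"browser": "firefox", "id": "passwords@example.invalid", "name": "Password manager", "force": True,
     "install_url": "https://addons.example.invalid/passwords.xpi"},  # hypothetical .xpi location
]

def chromium_policy(approved, update_url=CHROME_WEBSTORE_UPDATE_URL):
    """Chrome/Edge: block '*' (already-installed extensions not on the list are disabled), then allow-list.

    Shipped as managed-policy JSON (Linux: /etc/opt/chrome/policies/managed/), or as the same policy
    names via Group Policy or Intune on Windows and a configuration profile on macOS. Edge reads the
    same names; for Edge Add-ons the force-list entry needs Edge's own update URL (not shown here).
    """
    mine = [a for a in approved if a["browser"] == "chromium"]
    policy = {"ExtensionInstallBlocklist": ["*"], "ExtensionInstallAllowlist": [a["id"] for a in mine]}
    forced = [f"{a['id']};{update_url}" for a in mine if a["force"]]
    if forced:
        policy["ExtensionInstallForcelist"] = forced  # installed silently; the user cannot remove it
    return policy

def firefox_policy(approved, message="Not on the approved list yet. Ask in the team chat first."):
    """Firefox: ExtensionSettings in distribution/policies.json, '*' blocked, approved IDs allowed."""
    settings = {"*": {"installation_mode": "blocked", "blocked_install_message": message}}
    for a in (a for a in approved if a["browser"] == "firefox"):
        if a["force"]:
            settings[a["id"]] = {"installation_mode": "force_installed", "install_url": a["install_url"]}
        else:
            settings[a["id"]] = {"installation_mode": "allowed"}
    return {"policies": {"ExtensionSettings": settings}}

def unapproved(installed_ids, approved):
    """IDs seen during the clean-up that are not on the list: remove them, or discuss and add them."""
    return sorted(set(installed_ids) - {a["id"] for a in approved})

if __name__ == "__main__":
    print(json.dumps(chromium_policy(APPROVED), indent=2))
    print(json.dumps(firefox_policy(APPROVED), indent=2))
    print(unapproved(["bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", "cccccccccccccccccccccccccccccccc"], APPROVED))
```

The block-everything-then-allow-list order matters: with only an allowlist and no `"*"` in the blocklist, nothing is actually prevented. Roll it out on one machine first, because the blocklist also switches off whatever is already installed and not on the list, which is exactly the point, but it surprises people if you skip the clean-up session and go straight to the policy.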

Especially relevant if you work with client data

If you handle personal data, financial data, or medical information, treat browser extensions as data processors. An AI summariser that sends the contents of a patient record or set of financial statements to an external server is a form of data processing you need to be able to justify. For most free extensions, that's simply not possible — so don't use them.

The same applies to extensions that monitor your email (think "tracking pixel blockers", "writing assistants in Gmail", "email templates"). As soon as a tool can read your inbox, it's piggybacking on the data your clients send you in confidence.

What do you do if you find something suspicious?

If during the clean-up you come across an extension you can't account for, or one that's suddenly injecting ads, note its name and ID and remove it immediately. Then sign out of your important services everywhere: most services have a "sign out of all devices" or "sign out everywhere" option in the account's security settings. A session cookie the extension may have copied stays valid until the service revokes that session, and simply logging out and back in on your own machine doesn't necessarily do that. Change the passwords for the services you use in that browser, starting with email, and, if you haven't already, enable 2FA. 2FA makes a stolen password far less useful; it does not protect a session that has already been stolen, which is why signing out everywhere comes first.

In closing

Browser extensions aren't a disaster waiting to happen, but they are the softest spot in an otherwise well-managed SMB. One clean-up round every six months and a few simple agreements keep things manageable. No extra software, no IT department, no budget required.

Want to tackle this as part of a broader check on who has access to what? Take a look at our access check — extensions are included as standard. And if you'd rather get started on your own: do it today, open chrome://extensions, and see what's there. You'll probably be a little surprised. That's exactly the point.

Topics

#mkb #security #shadow-it #Browsers #Praktisch

Full guide: Security for SMBs without an IT department: what do you do this quarter?

This article is part of our extensive Security without an IT department guide. Read the pillar for the complete picture.