TGM-100 Active

Safe Internet Browsing Practices for Small Businesses: A General Overview

Issued: April 15, 2026
Effective: April 15, 2026
Category: Security
Author: Rebecca Murphy

Technical Guidance Memo: Safe Internet Browsing Practices for Small Businesses


The threat is real, growing, and aimed at you

Small businesses are now the primary target of cybercrime — not large corporations. 88% of ransomware incidents target small and midsize businesses (Verizon, 2025), and the FBI recorded $16.6 billion in total cybercrime losses in 2024 alone, a 33% increase over the prior year (FBI Internet Crime Complaint Center [IC3], 2025). Nearly one in five small businesses that suffer a cyberattack are forced into bankruptcy or closure. Yet most of the damage is preventable. The practices in this memo do not require technical expertise or large budgets. They require understanding a handful of core concepts and building a few simple habits into your daily work. This guidance draws on recommendations from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the UK National Cyber Security Centre (NCSC), the National Institute of Standards and Technology (NIST), the Electronic Frontier Foundation (EFF), and peer-reviewed academic research.


1. HTTPS and the padlock: what it actually tells you

The analogy: Think of HTTPS like a sealed envelope. It means nobody can read your letter while it's in transit — but it says nothing about whether the person you're mailing it to is trustworthy. A scammer can use sealed envelopes too.

When you see a padlock icon and "https://" in your browser's address bar, it means the connection between your computer and the website is encrypted using a protocol called TLS (Transport Layer Security). Anyone eavesdropping on the network — at a coffee shop, at an airport — cannot read the data you exchange with that site (CISA, n.d.-a).

Here is what the padlock does not mean: it does not mean the website is legitimate, safe, or honest. More than 90% of phishing sites now use HTTPS (Anti-Phishing Working Group [APWG], 2024). Attackers obtain free encryption certificates from services like Let's Encrypt in minutes. The certificate authority verifies only that the applicant controls the domain — not that the domain belongs to a real business or a trustworthy operator.

HTTPS adoption has reached 97.5% of websites on the desktop web (HTTP Archive, 2025), and 93.2% of Chrome browsing time is spent on HTTPS pages (Google, 2024). The EFF retired its famous HTTPS Everywhere browser extension in 2023, declaring that "HTTPS is actually everywhere" (Electronic Frontier Foundation [EFF], 2021). All major browsers — Chrome, Firefox, Edge, Safari — now include a built-in HTTPS-only mode that you should enable. This setting automatically upgrades connections to HTTPS and warns you before loading any site that lacks encryption.

What to do: Enable HTTPS-only mode in your browser settings. But never assume a padlock means a site is safe. Always verify the actual web address in the address bar before entering any login credentials, payment information, or sensitive business data (CISA, n.d.-b).


2. Phishing and social engineering: the oldest trick, now supercharged by AI

The analogy: Phishing is like a con artist in a convincing uniform knocking on your door. They look official, they sound urgent, and they want you to hand over your keys. The uniform is fake — but you have to know what to look for.

Phishing is the most common cyberattack. The APWG recorded 4.8 million phishing attacks in 2024, the highest annual total in the organization's history (APWG, 2025). In the UK, 84% of businesses that experienced a cyberattack identified phishing as the vector (UK Department for Science, Innovation and Technology, 2024). According to the Verizon 2025 Data Breach Investigations Report (DBIR), 60% of all confirmed breaches involved a human action — someone clicked a bad link, responded to a social engineering message, or mishandled credentials (Verizon, 2025).

Phishing comes in several forms. Email phishing casts a wide net with mass messages. Spear phishing uses personal details about you or your business to craft a targeted, convincing message. Smishing arrives via text message. Vishing uses phone calls. Business email compromise (BEC) — discussed in detail later — impersonates executives or vendors to redirect payments.

What AI has changed. The NCSC assessed in January 2024 that "AI will primarily offer threat actors capability uplift in social engineering" and that generative AI "can already be used to enable convincing interaction with victims, including the creation of lure documents, without the translation, spelling and grammatical mistakes that often reveal phishing" (NCSC, 2024a). A landmark study by Harvard and MIT researchers tested AI-generated spear phishing against human-crafted attacks on 101 participants. The result: AI-automated phishing emails achieved a 54% click-through rate, matching human expert performance and outperforming generic scam emails by 350% (Heiding et al., 2024). The Verizon DBIR found that AI-written malicious emails have doubled from roughly 5% to 10% over the past two years (Verizon, 2025).

CISA now warns that "a common sign used to be poor grammar or misspellings although in the era of artificial intelligence (AI) some emails will now have perfect grammar and spelling, so look out for the other signs" (CISA, n.d.-c). Those other signs include: urgent or emotionally manipulative language, requests for personal or financial information, sender addresses that don't match the claimed organization, generic greetings, and links whose actual URL (visible when you hover over them) doesn't match the text displayed.

What to do: Verify any unexpected request — especially requests involving money, credentials, or sensitive data — through a separate, trusted channel. Do not use contact information from the suspicious message itself. Call the person directly using a phone number you already have. Train yourself and your staff to pause before clicking.


3. Passwords: the new rules may surprise you

The analogy: A good password is like a long, unique combination on a safe. "1234" is a bad combination. So is your dog's name. A random sequence of words — like "purple-elephant-bicycle-thunder" — is easy for you to remember and extremely hard for a computer to guess.

The rules you learned about passwords a decade ago are now officially outdated. NIST SP 800-63B, the U.S. government's authoritative standard for digital identity, was revised in 2024 and makes three major changes (NIST, 2024a):

No more forced password rotation. Requiring employees to change passwords every 90 days leads to predictable patterns — people just increment a number ("Spring2025" becomes "Summer2025"). NIST found this "provides a false sense of security" (NIST, n.d.-a). Passwords should be changed only when there is evidence of compromise.

No more complexity rules. Requiring a mix of uppercase, lowercase, numbers, and symbols does not meaningfully improve security. NIST's research showed that "composition rules often have the opposite effect as users tend to avoid or shortcut the rules by making predictable changes, resulting in weaker passwords" (NIST, n.d.-a). Instead, length is the primary factor. CISA recommends passwords of at least 16 characters (CISA, n.d.-d).

Use passphrases. The NCSC recommends combining three random words into a passphrase — for example, "coffeetreefootball" — which is long, memorable, and resistant to automated guessing (NCSC, n.d.-a). Every account should have a unique passphrase. Reusing passwords is the single most dangerous credential habit: a study of 19 billion exposed passwords found that 94% were reused or duplicated across accounts (Cybernews, 2025), and 73% of people use the same passwords for personal and work accounts (Enzoic, n.d.).

The reason this matters for your business: when attackers breach a minor service — a forum, a shopping site, a game — they harvest email-and-password pairs and automatically test them against business systems like Microsoft 365, Google Workspace, and VPN logins. This is called credential stuffing, and it accounts for roughly 24% of all login attempts on major platforms (Okta, 2024). If an employee reuses their Netflix password on your company email, a breach of Netflix becomes a breach of your business.


4. Password managers: your digital safe deposit box

The analogy: A password manager is a locked safe deposit box that stores a unique key for every door in your life. You only need to remember the one combination to the box itself. The box generates, stores, and automatically uses the right key for every door.

Password managers solve the reuse problem by generating and storing a strong, unique password for every account. You remember one master passphrase; the manager handles the rest. The EFF calls a password manager "the single best defense against both [phishing and data breaches]" because it makes unique passwords practical and protects against phishing by filling credentials only on the correct website — if you land on a fake site, the manager will not auto-fill your password (EFF, 2026).

CISA explicitly recommends password managers and names Apple Passwords, Bitwarden, and Google Password Manager in its Mobile Communications Best Practice Guidance (CISA, n.d.-d). The NCSC recommends password managers for both individuals and organizations (NCSC, n.d.-b). NIST, while not naming specific products, requires that websites allow paste functionality in password fields specifically to support password manager use (NIST, 2024a).

Well-regarded options include Bitwarden (open-source, independently audited), 1Password (widely recommended, independently audited), and KeePass (open-source, locally stored). Most browsers also include built-in password managers — Firefox, Chrome, and Safari all offer this — and these are a reasonable starting point for users who are new to the concept.

What to do: Choose a password manager. Use it for every account. Set a strong master passphrase (at minimum three random words, or longer). Enable multi-factor authentication on the password manager account itself. If your business has employees, select a team-oriented password manager that allows shared vaults for business credentials without exposing the actual passwords to each user.


5. Multi-factor authentication: the two-lock door

The analogy: MFA is like having two locks on your front door, each requiring a different key. Even if a thief picks one lock, they still cannot get in without the second key. The more different those keys are — a deadbolt and a fingerprint scanner, say — the safer you are.

Multi-factor authentication requires a second verification step beyond your password: something you have (a phone, a security key) or something you are (a fingerprint, a face scan). It is the single most effective defense against account takeover. Microsoft's research found that 99.9% of compromised accounts did not have MFA enabled, and enabling MFA reduced the risk of compromise by 98.56% even when credentials had already been leaked (Microsoft Research, 2023). Google's research found MFA prevented 100% of automated attacks and 96% of bulk phishing (Doerfler et al., 2019).

Not all MFA is equal. CISA ranks MFA methods from most to least secure (CISA, n.d.-e):

  • Hardware security keys (e.g., YubiKey) — the "gold standard." These physical tokens use cryptography that is bound to the legitimate website. They will not authenticate to a fake site, making them phishing-resistant. CISA calls FIDO/WebAuthn "the only widely available phishing-resistant authentication" (CISA, 2022).

  • Authenticator apps with number matching (e.g., Google Authenticator, Microsoft Authenticator, Authy) — strong, but not phishing-resistant. A user can still be tricked into typing a code on a fake site. Number matching — where you must type a number displayed on your screen, rather than just tapping "approve" — significantly reduces the risk of the MFA fatigue attacks described below.

  • SMS text message codes — better than nothing, but the weakest option. NIST classifies SMS-based MFA as a "restricted" authenticator because it is vulnerable to SIM-swapping attacks, where an attacker convinces your phone carrier to transfer your number to their device (NIST, 2024a). Despite this, SMS MFA still blocked all automated attacks in Google's study. Any MFA is better than no MFA.

MFA fatigue attacks. Attackers who have stolen a username and password may repeatedly trigger MFA push notifications on the victim's phone — sometimes dozens of times in the middle of the night — until the exhausted user taps "approve." This is called "prompt bombing." The September 2022 Uber breach was accomplished this way by an 18-year-old attacker (CISA, 2022). The defense: switch to number matching (where you must enter a specific number) or, better still, hardware security keys.

Passkeys: the future, available now. Passkeys are a newer technology based on the FIDO2/WebAuthn standard. When you create a passkey, your device generates a pair of cryptographic keys: the private key stays on your device (unlocked with your fingerprint, face, or PIN) and the public key is stored by the website. The private key never leaves your device and never gets transmitted. This makes passkeys phishing-resistant by design — even the most convincing fake website cannot steal a passkey. NIST approved passkeys for use at Authenticator Assurance Level 2 in April 2024 (NIST, 2024b). Google reports that over 1 billion users have signed into Google services using passkeys, with a 30% higher sign-in success rate and a 20% speed improvement over passwords (FIDO Alliance, 2025). As of 2025, 48% of the top 100 websites support passkeys.
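How the key pair described above makes a lookalike site's login attempt fail, as an added simulation that is not part of this memo or of any FIDO library. It assumes a constructed relying party, yourbank.com, and a constructed lookalike origin, yourbank-login.example; a toy textbook RSA signature (small random primes, no padding) stands in for the real algorithm so the block runs on Python's standard library alone, and the origin check is the part that carries the lesson.

```python
"""Simulated FIDO2/WebAuthn login: the authenticator signs the challenge together
with the origin the browser actually connected to, and the site checks that origin.
Added example with a toy RSA stand-in for the real signature scheme."""
import hashlib
import json
import math
import secrets


def is_probable_prime(n, rounds=16):
    """Miller-Rabin primality test; adequate for toy key generation."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random odd candidate with the top bit set, retried until Miller-Rabin accepts it."""
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c):
            return c


def toy_keypair(bits=48):
    """Return ((n, e), d): a toy RSA public key and private exponent. Not for real use."""
    p, q = random_prime(bits), random_prime(bits)
    while q == p:
        q = random_prime(bits)
    phi = (p - 1) * (q - 1)
    if math.gcd(65537, phi) != 1:
        return toy_keypair(bits)
    return (p * q, 65537), pow(65537, -1, phi)


def digest_mod(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def origin_matches(origin, rp_id):
    """WebAuthn rule: the RP ID must equal the origin's host or be a parent domain of it."""
    host = origin.split("://", 1)[-1].split("/")[0].split(":")[0]
    return host == rp_id or host.endswith("." + rp_id)


class Authenticator:
    """The user's device. One key pair per relying-party ID; private keys never leave it."""

    def __init__(self):
        self._creds = {}

    def register(self, rp_id):
        pub, priv = toy_keypair()
        self._creds[rp_id] = (pub, priv)
        return pub  # only the public key is sent to the website

    def assert_login(self, rp_id, origin, challenge):
        # The browser, not the web page, supplies the origin. A lookalike site cannot
        # obtain yourbank.com's credential because its origin does not match that RP ID.
        if rp_id not in self._creds or not origin_matches(origin, rp_id):
            return None
        (n, _e), d = self._creds[rp_id]
        client_data = json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True)
        sig = pow(digest_mod(client_data.encode(), n), d, n)
        return {"client_data": client_data, "sig": sig}


def verify_assertion(rp_id, pub, challenge, assertion):
    """The real website's check: our fresh challenge, our origin, a valid signature."""
    if assertion is None:
        return False
    data = json.loads(assertion["client_data"])
    if data["challenge"] != challenge or not origin_matches(data["origin"], rp_id):
        return False  # stale or replayed challenge, or signed for some other site
    n, e = pub
    return pow(assertion["sig"], e, n) == digest_mod(assertion["client_data"].encode(), n)


def phishing_demo():
    """Return (legit_ok, phish_ok): the real site accepts, the lookalike gets nothing."""
    device = Authenticator()
    bank_pub = device.register("yourbank.com")  # registration: public key goes to the bank
    challenge = secrets.token_urlsafe(16)        # the bank issues a fresh challenge per login
    legit = verify_assertion("yourbank.com", bank_pub, challenge,
                             device.assert_login("yourbank.com", "https://login.yourbank.com", challenge))
    # The lookalike site relays the bank's real challenge, but the browser reports its own origin.
    phish = verify_assertion("yourbank.com", bank_pub, challenge,
                             device.assert_login("yourbank.com", "https://yourbank-login.example", challenge))
    return legit, phish
```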

What to do: Turn on MFA for every account that supports it — email first, then banking, then everything else. Authenticator apps are a good starting point. If you handle sensitive financial transactions or client data, consider hardware security keys for your most critical accounts. Ask your key service providers (email, accounting software, banking) whether they support passkeys, and enable them where available.


6. Your browser is your front door: choosing and configuring it

The analogy: Your browser is the front door of your digital business. Some doors are solid oak with a deadbolt; others are screen doors with a broken latch. The browser you choose and how you configure it determine how much protection stands between you and the threats outside.

All modern browsers include security features like sandboxing — running each tab in an isolated environment so a compromised website cannot access other tabs, your files, or your operating system. NIST defines a sandbox as "a restricted, controlled execution environment that prevents potentially malicious software from accessing any system resources except those for which the software is authorized" (NIST, n.d.-b). This is happening automatically in every modern browser, but configuration still matters.

Firefox is widely regarded as the most privacy-respecting mainstream browser. Mozilla states that "not even Mozilla should know which websites you visit or what you do there" (Mozilla, n.d.-a). Firefox's Enhanced Tracking Protection blocks cross-site tracking cookies, fingerprinters, cryptominers, and social media trackers by default. Its Total Cookie Protection feature isolates cookies so that each website gets its own separate "cookie jar," preventing advertisers from tracking you across sites (Mozilla, 2022). For maximum protection, set Firefox's tracking protection to Strict mode in Settings > Privacy & Security.

Brave is another privacy-focused option, built on the same Chromium engine as Chrome but with aggressive tracking and ad blocking built in. The EFF's Cover Your Tracks project notes that Brave was "built to thwart fingerprinting" (EFF, n.d.-a).

Chrome, while technically secure, is designed to support Google's advertising business. The EFF has expressed concern about Chrome's advertising-related features (EFF, 2023). Google announced in July 2024 that it would not remove third-party cookies from Chrome, and in April 2025 confirmed that third-party cookies will remain enabled by default (OneTrust, 2025). By contrast, Firefox and Safari have blocked third-party tracking cookies by default for years.

The UK's NCSC notes that "in recent years browser security has steadily improved" and that browsers are "generally secure in their default state," but recommends ensuring automatic updates are enabled, developing a policy around extensions, and instructing users not to browse while logged in as an administrator (NCSC, n.d.-c).

What to do: Use Firefox or Brave for business browsing. Enable HTTPS-only mode. Set tracking protection to its strictest available setting. Ensure automatic updates are turned on.


7. Browser extensions: helpful tools and hidden dangers

The analogy: Browser extensions are like contractors you let into your house. A trustworthy electrician improves your home; an unvetted stranger with a master key to every room is a liability. Choose carefully, and keep the guest list short.

A small number of extensions can significantly improve your security:

  • uBlock Origin — A lightweight, open-source ad blocker that also blocks tracking scripts, malicious domains, and pop-ups. CISA explicitly recommends ad-blocking software as a security measure, noting that "malvertising and poor web browser security go hand in hand" (CISA, 2023a).
  • Privacy Badger (from the EFF) — Automatically learns to block hidden trackers and sends the Global Privacy Control signal (EFF, n.d.-b).
  • Your password manager's extension — Enables auto-fill on the correct site, which also protects against phishing.

The danger is that extensions can request broad permissions — including the ability to "read and access all web data in the browser and interact with the webpages accessed by users" (NCSC, 2025a). In December 2024, attackers compromised the developer accounts of at least 35 Chrome extensions and pushed malicious updates to approximately 2.6 million users, exfiltrating cookies, session tokens, and sensitive data (The Register, 2025a). By February 2025, researchers had identified an additional 16 malicious extensions affecting 3.2 million more users (GitLab Security, 2025). A separate campaign called ShadyPanda operated for seven years, infecting 4.3 million Chrome and Edge users with backdoors and spyware hidden inside seemingly legitimate productivity tools (The Register, 2025b).

The NCSC warns that "Chrome extensions (like other popular browser extensions) have been found to contain spyware, advertising injections and crypto currency mining code even if the extension has been trusted previously" (NCSC, 2025a). An extension that was safe when you installed it can become malicious with a single update.

What to do: Install only extensions you genuinely need from well-known, reputable developers. Review and remove any extensions you no longer use. Avoid extensions that request permissions beyond what their function requires. For a small business, consider establishing a short allow-list of approved extensions.


8. Updates and patching: the unglamorous essential

The analogy: Software updates are like fixing a broken lock as soon as you discover it. Every day you wait, every burglar in the neighborhood knows about the broken lock. Criminals actively scan for unfixed weaknesses.

Vulnerability exploitation was the initial access vector in 20% of breaches in 2025, a 34% increase year-over-year (Verizon, 2025). When a software vendor discovers a security flaw and releases a patch, attackers immediately begin scanning the internet for systems that have not yet applied it. The median time to patch critical vulnerabilities is 32 days (Verizon, 2025) — and in many cases, attackers exploit flaws within hours of public disclosure.

A "zero-day" vulnerability is one that attackers discover and exploit before the vendor even knows about it — meaning there are zero days of warning. The NSA notes that "zero-day vulnerabilities can often defeat most web browser defenses" (NSA, 2018). CISA maintains the Known Exploited Vulnerabilities (KEV) catalog, now containing over 1,484 vulnerabilities confirmed to have been exploited in the wild, and "strongly recommends all organizations review and monitor the KEV catalog and prioritize remediation" (CISA, n.d.-f).

Ransomware appeared in 44% of all breaches in 2025, up from 32% the previous year (Verizon, 2025). Unpatched systems are a primary entry point.

What to do: Enable automatic updates for your operating system, browser, and all software. Do not postpone update prompts. If you use business software that requires manual updates, designate a specific day each week to check for and apply updates.


9. Cookies, tracking, and fingerprinting: the invisible watchers

The analogy: Cookies are like name badges. A first-party cookie is the name badge the host gives you at a dinner party so they remember your preferences. A third-party tracking cookie is a private investigator hired by someone you've never met, following you from party to party and taking notes on everything you do.

First-party cookies are set by the website you are visiting and serve useful functions: keeping you logged in, remembering your shopping cart, storing your language preference. Third-party cookies are set by other entities — typically advertising networks — embedded in the page you are visiting. They track your activity across multiple websites to build a profile of your interests and behavior for targeted advertising. Mozilla explains that "cross-site tracking cookies collect information about the websites you visit and send them to other companies, often for advertising purposes" (Mozilla, n.d.-b).

Browser fingerprinting goes further. Even without cookies, a website can identify you by collecting a combination of your browser version, operating system, screen resolution, installed fonts, graphics card capabilities, and other technical details. The EFF's Cover Your Tracks project describes a fingerprint as "a list of characteristics that are unique to a single user, their browser, and their particular hardware setup... metrics that are harder to change and impossible to delete" (EFF, n.d.-a).

For a small business, tracking and fingerprinting are primarily privacy concerns rather than direct security threats. However, the infrastructure that serves tracking — advertising networks — is also the infrastructure exploited by malvertising (discussed next). And excessive data collection increases the damage if any of your online accounts are breached.

Firefox blocks cross-site tracking cookies, fingerprinters, and cryptominers by default through its Enhanced Tracking Protection. Its Total Cookie Protection feature, rolled out to all users globally, creates isolated "cookie jars" for each website (Mozilla, 2022). Chrome, by contrast, still allows third-party cookies by default as of April 2025 (OneTrust, 2025). Safari has blocked third-party cookies since 2020.

What to do: Use Firefox with Enhanced Tracking Protection set to Strict. Consider installing Privacy Badger (EFF) for additional tracker blocking. Be aware that "free" services often monetize your data through tracking — a cost that is invisible but real.


10. Malvertising and malicious downloads: when ads attack

The analogy: Malvertising is like a poisoned flyer slipped into a stack of legitimate advertisements at a business you trust. You didn't seek it out. The legitimate business didn't know it was there. But picking it up can still make you sick.

Malvertising — malicious advertising — exploits the online advertising ecosystem to deliver malware, redirect users to scam sites, or trigger drive-by downloads. The NCSC describes it as "particularly insidious because it often doesn't require any user interaction (such as choosing to run downloaded files) to cause problems" (NCSC, n.d.-d). In 2024, one out of every 160 advertisements served in the United States was malicious (AdMonsters, 2025). While less than 1% of global ads are classified as security violations, this still amounts to nearly three billion malicious ad impressions annually (NCSC, 2024b).

In early 2025, Microsoft Threat Intelligence uncovered a malvertising campaign that compromised nearly one million devices globally, using malicious ads to redirect users from streaming sites to GitHub-hosted malware (ThreatLocker, 2025). Attackers frequently impersonate downloads for popular tools — WinSCP, PuTTY, Zoom — leading users to counterfeit sites serving ransomware or information-stealing malware.

A drive-by download occurs when malware is automatically downloaded to your device simply by visiting a compromised website, without any click required. Attackers embed malicious code that probes your browser for known vulnerabilities and pushes a payload if one is found. Keeping your browser updated (Section 8) is the primary defense against drive-by downloads.

CISA recommends deploying ad-blocking software as a proactive security measure: "CISA encourages agencies to evaluate solutions that would enable malicious ad blocking" (CISA, 2023a). The agency also recommends protective DNS services, noting that "more than 91 percent of cyberattacks use DNS and that protective DNS services could mitigate one out of every three incidents" (CISA, 2023a).

What to do: Install uBlock Origin in your browser. Keep your browser and operating system updated. Never download software by clicking an ad — navigate directly to the developer's official website. If a website unexpectedly prompts you to "update your browser" or install software, close the tab immediately.


11. Fake and typosquatted domains: the digital impostor

The analogy: Typosquatting is like a con artist who opens a shop at 124 Main Street because the real bank is at 123 Main Street. If you're in a hurry and misread the address, you walk into the wrong door — and hand your information to the wrong people.

Typosquatting exploits small typographical errors in web addresses. The Center for Internet Security (CIS) identifies six main variations: character omission ("cisecurit.org"), character repetition ("cissecurity.org"), adjacent character swaps ("ciseucrty.org"), character substitution ("cisekurity.org"), missing dots between subdomains, and homoglyph attacks — replacing Latin characters with visually identical characters from other alphabets, such as using a Cyrillic "а" instead of a Latin "a" (CIS, n.d.).
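A checker for the six variations above, as an added example that is not code from the memo or from CIS. It assumes a constructed allow-list of three domains the business uses and reports which variation a link's host matches, so a suspicious link can be tested against the sites staff actually use; it goes slightly beyond the list by also flagging hosts within two edits of a trusted domain, which catches addresses that combine two of those edits.

```python
"""Lookalike-domain check covering the six typosquatting variations the memo lists.
Added example; the allow-list below is a constructed sample for a hypothetical business."""
from urllib.parse import urlsplit

# Constructed sample allow-list: the domains this hypothetical business relies on.
TRUSTED_DOMAINS = ("cisecurity.org", "yourbank.com", "example-accounting.com")


def host_of(link):
    """Hostname of a URL or bare domain, lowercased. The scheme (and padlock) is ignored."""
    if "://" not in link:
        link = "http://" + link
    return urlsplit(link).hostname or ""


def registrable(host):
    """Last two labels, e.g. 'login.yourbank.com' -> 'yourbank.com'. Simplification:
    multi-part public suffixes such as co.uk are not handled here."""
    return ".".join(host.rstrip(".").split(".")[-2:])


def single_edit_kind(trusted, cand):
    """Name the one-character edit that turns `trusted` into `cand`, or None."""
    if len(cand) == len(trusted) - 1:
        if any(trusted[:i] + trusted[i + 1:] == cand for i in range(len(trusted))):
            return "character omission"
    elif len(cand) == len(trusted) + 1:
        if any(trusted[:i] + trusted[i] + trusted[i:] == cand for i in range(len(trusted))):
            return "character repetition"
    elif len(cand) == len(trusted):
        diffs = [i for i in range(len(trusted)) if trusted[i] != cand[i]]
        if len(diffs) == 1:
            return "character substitution"
        if (len(diffs) == 2 and diffs[1] == diffs[0] + 1
                and trusted[diffs[0]] == cand[diffs[1]] and trusted[diffs[1]] == cand[diffs[0]]):
            return "adjacent character swap"
    return None


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute or swap adjacent chars."""
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def check_link(link):
    """Classify a link's host as trusted, lookalike (naming the variation) or unknown."""
    host = host_of(link)
    reg = registrable(host)
    result = {"host": host, "verdict": "unknown", "kind": None, "mimics": None}
    if not host or "." not in reg:
        return result
    if any(ord(ch) > 127 for ch in host):
        # Homoglyph: browsers render such hosts in punycode ('xn--...'). The mask matches
        # the non-ASCII positions against each trusted domain to name the one imitated.
        mask = "".join(ch if ord(ch) < 128 else "?" for ch in reg)
        mimics = next((t for t in TRUSTED_DOMAINS if len(t) == len(mask)
                       and all(m in ("?", c) for m, c in zip(mask, t))), None)
        try:
            result["punycode"] = host.encode("idna").decode("ascii")
        except UnicodeError:
            result["punycode"] = None
        result.update(verdict="lookalike", kind="homoglyph", mimics=mimics)
        return result
    if reg in TRUSTED_DOMAINS:
        result.update(verdict="trusted", mimics=reg)
        return result
    for t in TRUSTED_DOMAINS:
        kind = single_edit_kind(t, reg)
        t_name, t_tld = t.rsplit(".", 1)
        c_name, c_tld = reg.rsplit(".", 1)
        if kind is None and c_tld == t_tld and c_name != t_name and c_name.endswith(t_name):
            kind = "missing dot"  # e.g. wwwcisecurity.org: a subdomain fused onto the name
        if kind is None:
            dist = osa_distance(t, reg)
            if dist <= 2:
                kind = "within %d edits" % dist
        if kind:
            result.update(verdict="lookalike", kind=kind, mimics=t)
            return result
    return result
```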

The scale is significant. Zscaler ThreatLabz analyzed over 30,000 lookalike domains in a six-month period and found more than 10,000 were malicious (Zscaler, 2024). Attackers register these domains, obtain free HTTPS certificates (so they display the padlock), and build pixel-perfect replicas of login pages for banks, email providers, and business software. In January 2023, CISA, NSA, and MS-ISAC issued a joint advisory documenting a widespread typosquatting campaign that targeted federal employees with fake help-desk themed phishing emails leading to lookalike domains (CISA et al., 2023).

This threat is especially dangerous on mobile devices, where URLs are truncated, there is no hover function to preview links, and small screens make typos harder to spot.

What to do: Bookmark the websites you use regularly and access them through bookmarks rather than typing URLs. Hover over links before clicking to verify the destination. On mobile, long-press a link to preview the URL before opening it. Consider purchasing common misspellings of your own business domain to prevent attackers from impersonating you.


12. Public Wi-Fi: the risk has changed, but hasn't disappeared

The analogy: Using public Wi-Fi used to be like sending a postcard — anyone in the café could read your messages. Now, thanks to HTTPS, most of your messages are in sealed envelopes. But the person handing out envelopes at the door might be an impersonator, and anyone watching can still see who you're writing to, even if they can't read what you wrote.

Because HTTPS now covers 97.5% of websites (HTTP Archive, 2025), the classic "eavesdropping on an open Wi-Fi network" attack is far less dangerous than it was a decade ago. An attacker sitting on the same café network generally cannot read the content of your encrypted connections.

However, residual risks remain. An attacker can set up a rogue "evil twin" Wi-Fi access point that mimics a legitimate network. When you connect, they become your network provider — and while they cannot read encrypted traffic content, they can see which websites you visit (the domain names, visible through DNS queries) and can attempt to redirect you to malicious sites. CISA notes that "anyone with access to your network traffic can still see what websites you are accessing online" even with HTTPS (CISA, n.d.-a). In Australia, a scammer set up convincing fake Wi-Fi networks in airports and on planes, redirecting passengers to a fake login page that harvested email addresses and passwords (Swiss NCSC, 2024).

The modern role of VPNs. A Virtual Private Network encrypts all traffic between your device and a VPN server, hiding even the domain names you visit from anyone on the local network. The NCSC defines VPNs as "encrypted network connections" that "allow remote users to securely access an organisation's services" and guarantee "the security of data in transit across an untrusted network" (NCSC, n.d.-e). In 2025, a VPN's main value on public Wi-Fi is hiding your browsing metadata and protecting any remaining non-HTTPS traffic. For a small business, if employees ever work from public Wi-Fi, a VPN is a sensible precaution — but it is not a magic shield, and it does not replace the other practices in this memo.

What to do: If you must use public Wi-Fi for business work, use a VPN. Better yet, use your phone's mobile hotspot for sensitive tasks like banking or accessing business systems. Disable automatic Wi-Fi connections on work devices. Verify network names carefully before connecting.


13. Secure DNS: choosing a trustworthy phonebook

The analogy: DNS is the phonebook of the internet. When you type a web address, your device looks up the phone number (IP address) in a phonebook. By default, your internet provider controls that phonebook and can see every lookup you make. Choosing a secure, independent phonebook means your lookups are private and the phonebook will warn you if a number is known to be fraudulent.

The Domain Name System (DNS) translates human-readable addresses like "yourbank.com" into the numeric IP addresses computers use. Cloudflare explains that "by default, DNS queries and responses are sent in plaintext, which means they can be read by networks, ISPs, or anybody able to monitor transmissions" — even when the website itself uses HTTPS (Cloudflare, n.d.-a).

DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) encrypt these lookups, preventing eavesdropping on which websites you visit. Firefox has enabled DoH by default for U.S. users since 2020. CISA published Encrypted DNS Implementation Guidance in May 2024, recommending that "all organizations" review it as "a benchmark for appropriate, applicable steps they can apply to advance their own zero trust efforts" (CISA, 2024a).

Protective DNS services go a step further by blocking known malicious domains before your browser can reach them. CISA and NSA jointly recommend protective DNS, noting that it "could greatly reduce the effectiveness of ransomware, phishing, botnet, and malware campaigns by blocking known-malicious domains" (CISA, 2021).

Recommended DNS providers for small businesses:

  • Quad9 (9.9.9.9, secondary 149.112.112.112) — Free, run by a Swiss non-profit foundation, blocks known malicious domains automatically. Recommended by the Northern Ireland Cyber Security Centre (NI Cyber Security Centre, n.d.).
  • Cloudflare 1.1.1.2 (secondary 1.0.0.2) — Free, blocks malware domains. Cloudflare 1.1.1.3 adds adult content filtering (Cloudflare, n.d.-b).
  • Cloudflare 1.1.1.1 — Free, privacy-focused, no filtering. Logs purged after 24 hours.

What to do: Change your DNS settings, on your office router if possible or on individual devices otherwise, to Quad9 (9.9.9.9) or Cloudflare's malware-blocking service (1.1.1.2). This takes about five minutes and adds a free layer of protection against known malicious domains; it does nothing against a freshly registered phishing domain that no blocklist has seen yet, so it complements rather than replaces the other practices in this memo. Two caveats. First, encrypted DNS moves trust from your ISP to the resolver operator, who can still see every lookup, so choose a provider whose published privacy policy you accept. Second, a browser configured with its own DNS-over-HTTPS provider bypasses the router's resolver entirely, so when you enable DoH in the browser, point it at the same filtering provider (Quad9's DoH address is https://dns.quad9.net/dns-query and Cloudflare's malware-blocking address is https://security.cloudflare-dns.com/dns-query; either can be entered as a custom provider) rather than at an unfiltered one.
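To make the plaintext-versus-encrypted point concrete, here is a small added example, written for this memo and not code from Cloudflare, Quad9 or CISA. It builds a raw DNS query by hand (the bytes that travel in the clear over classic port-53 DNS), parses a raw response, and shows the two ways the recommended filtering resolvers signal a block: Cloudflare 1.1.1.2 answers with the address 0.0.0.0, while Quad9 answers NXDOMAIN, which by design looks the same as a name that does not exist. The sample responses are constructed locally so the script runs offline; the DoH endpoints are the providers' published addresses, and only `doh_lookup`, which wraps the same bytes in an HTTPS POST as RFC 8484 describes, needs network access.

```python
"""Raw DNS query/response handling and a DNS-over-HTTPS lookup (added example)."""
import struct
import urllib.request

QTYPE_A = 1
QCLASS_IN = 1
RCODE_NXDOMAIN = 3

# Published DoH endpoints of the two filtering resolvers recommended above
DOH_ENDPOINTS = {
    "quad9": "https://dns.quad9.net/dns-query",
    "cloudflare-malware": "https://security.cloudflare-dns.com/dns-query",
}


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Encode a recursive A-record query in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD=1; one question
    labels = b"".join(len(p).to_bytes(1, "big") + p.encode("ascii")
                      for p in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def _read_name(data: bytes, offset: int):
    """Decode a (possibly compressed) domain name; return (name, offset just past it)."""
    labels, end, jumped = [], None, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                        # pointer to an earlier name (RFC 1035 4.1.4)
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_response(data: bytes) -> dict:
    """Return transaction id, response code and every A-record address in the answer section."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    offset = 12
    for _ in range(qdcount):                             # skip the echoed question(s)
        _, offset = _read_name(data, offset)
        offset += 4                                      # QTYPE + QCLASS
    addresses = []
    for _ in range(ancount):
        _, offset = _read_name(data, offset)
        rtype, _, _, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == QTYPE_A and rdlength == 4:
            addresses.append(".".join(str(b) for b in data[offset:offset + 4]))
        offset += rdlength                               # other record types are skipped, not decoded
    return {"txid": txid, "rcode": flags & 0x000F, "addresses": addresses}


def classify(parsed: dict) -> str:
    """Cloudflare 1.1.1.2 signals a block with 0.0.0.0; Quad9 signals it with NXDOMAIN."""
    if parsed["addresses"] and all(a == "0.0.0.0" for a in parsed["addresses"]):
        return "blocked"
    if parsed["rcode"] == RCODE_NXDOMAIN:
        return "nxdomain"
    return "resolved" if parsed["addresses"] else "no-answer"


def build_response(query: bytes, addresses=(), rcode: int = 0) -> bytes:
    """Construct a response to `query` for offline demonstration (not captured from a real resolver)."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(addresses), 0, 0)  # QR, RD, RA set
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4)   # name = pointer to offset 12
        + bytes(int(octet) for octet in ip.split("."))
        for ip in addresses)
    return header + query[12:] + answers


def doh_lookup(name: str, endpoint: str = DOH_ENDPOINTS["quad9"]) -> dict:
    """Send the same wire-format query inside an HTTPS POST (RFC 8484); needs network access."""
    query = build_query(name)
    req = urllib.request.Request(endpoint, data=query, method="POST",
                                 headers={"Content-Type": "application/dns-message",
                                          "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        parsed = parse_response(resp.read())
    if parsed["txid"] != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction id mismatch")
    return parsed


if __name__ == "__main__":
    query = build_query("example.com")
    print("wire-format query, readable by anyone on the path with plain DNS:", query.hex())
    for label, resp in [("ordinary answer", build_response(query, ["192.0.2.10"])),
                        ("Cloudflare-style block", build_response(query, ["0.0.0.0"])),
                        ("Quad9-style block", build_response(query, rcode=RCODE_NXDOMAIN))]:
        print(f"{label:22} -> {classify(parse_response(resp))}")
    # Live lookup, when online: print(doh_lookup("example.com"))
```

The constructed addresses use the 192.0.2.0/24 documentation range. Running `doh_lookup` against both endpoints for a domain you know to be on a blocklist is the quickest way to confirm the filtering is actually in effect on a given machine, since the response comes back from the resolver you named rather than whatever the operating system or browser happens to be using.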


14. Search engines and privacy

The analogy: Using Google for every search is like hiring a research assistant who keeps a detailed diary of every question you've ever asked — and shares it with advertisers. A privacy-respecting search engine is a research assistant who answers your question and then immediately forgets you asked.

Major search engines like Google and Bing log your searches, build profiles of your interests, and use that data for targeted advertising. For a small business, this means your competitive research, supplier inquiries, and financial questions all become data points in someone else's advertising model.

Privacy-respecting alternatives include:

  • DuckDuckGo (duckduckgo.com) — Does not create user profiles or store personal information. Revenue comes from contextual ads (based on what you're searching right now, not your history).
  • Startpage (startpage.com) — Based in the Netherlands under GDPR. Delivers Google results without the tracking, acting as an anonymizing intermediary.
  • Brave Search (search.brave.com) — Building its own independent search index. No tracking or profiling.

The EFF recommends using "privacy-focused search engines and browsers that don't track our online activity" as part of basic digital hygiene (EFF, n.d.-c).

What to do: Set your browser's default search engine to DuckDuckGo or another privacy-respecting option. You can always navigate directly to Google for a specific search if needed, but making a private engine your default reduces routine tracking significantly.


15. Backups: your safety net when everything else fails

The analogy: Backups are insurance for your data. You hope you never need them, but when a ransomware attack locks every file on your computer and demands $50,000 to unlock them, a recent backup means you can wipe the machine and restore everything yourself — no ransom paid.

Ransomware is now present in 44% of all breaches, and 88% of ransomware incidents target small and midsize businesses (Verizon, 2025). Among organizations that had data encrypted by ransomware in 2025, 54% recovered using backups as their primary method (Sophos, 2025). Recovery without backups can take weeks or months and may be impossible.

Ransomware reaches businesses through the browser in several ways: malvertising, drive-by downloads, and phishing links that lead to malware downloads. A recent campaign exploited fake "CAPTCHA" prompts that tricked users into executing malicious commands (ENISA, 2025). Another campaign impersonated popular AI tools like "DeepSeek" and "Kling AI" to distribute infostealer malware through download pages.

The widely recommended 3-2-1 backup rule, endorsed by CISA, specifies: 3 total copies of your data, on 2 different types of storage media, with 1 copy stored offsite or in the cloud (CISA, n.d.-g). CISA's ransomware guidance specifically recommends offline, encrypted backups and regular testing, because "many ransomware variants actively look for accessible backup repositories" and will encrypt your backups too if they can reach them (CISA, n.d.-g).

What to do: Set up automatic, regular backups. Use both a local backup (external drive) and a cloud backup service. Keep at least one copy offline or immutable, disconnected or write-protected so that ransomware running on an infected machine cannot reach it. A file-sync folder is not a substitute for this: encrypted files sync to the cloud copy just as quickly as good ones, unless the service keeps version history you can roll back to. Test your backups periodically by actually restoring files to a separate location and comparing them with the originals; a backup you have never restored is an assumption, not a safety net.
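The "actually restore it" step is the one most often skipped, so here is an added example of what it looks like in practice (written for this memo, not CISA's code or any backup product's). It writes a backup, records a SHA-256 manifest of every file, then proves the backup is usable by restoring it into a scratch directory and comparing hashes. The sample files are constructed inside the script; the two failure cases it demonstrates are a backup taken after files were already overwritten (the manifest catches it) and a damaged archive (the restore fails loudly instead of reporting success).

```python
"""Backup with a hash manifest and a real restore test (added example)."""
import hashlib
import json
import tarfile
import tempfile
import zlib
from pathlib import Path


def hash_tree(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its SHA-256 hex digest."""
    return {
        path.relative_to(root).as_posix(): hashlib.sha256(path.read_bytes()).hexdigest()
        for path in sorted(root.rglob("*")) if path.is_file()
    }


def create_backup(source: Path, archive: Path) -> dict:
    """Write a gzip tarball of source plus a JSON manifest of file hashes next to it."""
    manifest = hash_tree(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    # The manifest is the independent record every later restore is checked against.
    Path(str(archive) + ".manifest.json").write_text(json.dumps(manifest, indent=1))
    return manifest


def verify_restore(archive: Path, manifest: dict) -> list:
    """Restore the archive into a scratch directory and list every way it falls short.

    An empty list means every file in the manifest came back byte-for-byte identical.
    """
    # Use the safe extraction filter where this Python version provides it.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                tar.extractall(scratch, **extract_opts)
        except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
            return [f"restore failed: {exc}"]
        restored = hash_tree(Path(scratch))
    problems = [f"missing after restore: {rel}" for rel in manifest if rel not in restored]
    problems += [f"content mismatch: {rel}" for rel, digest in manifest.items()
                 if rel in restored and restored[rel] != digest]
    problems += [f"unexpected file in backup: {rel}"
                 for rel in sorted(restored.keys() - manifest.keys())]
    return problems


def run_demo() -> dict:
    """Exercise the three cases on constructed sample data; returns the verification results."""
    with tempfile.TemporaryDirectory() as work:
        # Constructed sample data standing in for a small business's files
        books = Path(work) / "books"
        (books / "2025").mkdir(parents=True)
        (books / "ledger.csv").write_text("date,amount\n2025-01-01,100.00\n")
        (books / "2025" / "invoices.txt").write_text("INV-001 paid\n")

        archive = Path(work) / "books-backup.tar.gz"
        manifest = create_backup(books, archive)
        results = {"fresh": verify_restore(archive, manifest)}

        # Ransomware overwrites the live files; a backup taken now captures the damage,
        # and checking it against the earlier manifest exposes that.
        (books / "ledger.csv").write_bytes(b"\x00encrypted\x00")
        later = Path(work) / "books-backup-later.tar.gz"
        create_backup(books, later)
        results["after_infection"] = verify_restore(later, manifest)

        # A damaged archive (here, truncated) must fail the restore, not pass quietly.
        archive.write_bytes(archive.read_bytes()[:40])
        results["damaged"] = verify_restore(archive, manifest)
    return results


if __name__ == "__main__":
    for case, problems in run_demo().items():
        print(f"{case:16} -> {problems or 'OK'}")
```

Keeping the manifest on a different medium from the archive (for example, with the offline copy) is what makes the comparison meaningful: ransomware that reaches the backup drive can encrypt the archive, but it cannot make a manifest it never saw agree with the result.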


16. Threats that target small businesses specifically

Three threats disproportionately affect small businesses and deserve special attention.

Business email compromise: the $55 billion scam

The analogy: BEC is the digital equivalent of someone intercepting your mail, learning who your vendors are, and then sending you an invoice that looks exactly like the real thing — but with their bank account number instead.

Business email compromise has caused $55.5 billion in global losses since 2013 (FBI IC3, 2024a). In 2024 alone, the FBI recorded $2.77 billion in BEC losses across 21,442 reported incidents — making it the second-costliest cybercrime category (FBI IC3, 2025). The average fraudulent wire transfer request in Q4 2024 was $128,980 (APWG, 2025). BEC attackers compromise or spoof email accounts, impersonate executives or vendors, and request urgent payments. AI is accelerating this threat: IBM researchers found that AI needed "only 5 prompts and 5 minutes" to build a phishing attack as effective as one that took human experts 16 hours. In February 2024, an employee at engineering firm Arup transferred $25 million after a video call in which every other participant was an AI-generated deepfake of company executives (CNN, 2024).

Defenses: Establish a strict policy that any request to change payment details or wire money must be verified by a phone call to a number already on file, never one taken from the email itself. Require dual approval for wire transfers. Publish SPF, DKIM, and DMARC records for your business domain so that receiving mail servers can reject forgeries of it (CISA, n.d.-h); start DMARC at p=none to collect reports, confirm your legitimate mail passes, then move to p=quarantine and finally p=reject.
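Publishing the records is only half the job; the weak settings are what attackers count on. As an added example (not CISA's code), the following checks the text of an SPF and a DMARC record for the common mistakes: an SPF record ending in +all, which authorises any server on the internet to send as your domain, too many DNS-lookup terms (which makes receivers ignore the record entirely), and a DMARC policy of p=none with no reporting address, which monitors nothing and blocks nothing. The records it checks are constructed, using .example domains; DKIM is left out because validating it requires the selector and a signed message, not just a DNS record.

```python
"""Check SPF and DMARC TXT records for weak settings (added example)."""
import re

# Mechanisms and modifiers that cost a DNS lookup; SPF caps these at 10 (RFC 7208 section 4.6.4)
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def check_spf(record: str) -> list:
    """Return a list of findings for one SPF record; an empty list means no weakness found."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    findings = []
    names = []                                   # (term, mechanism name without qualifier)
    for term in terms[1:]:
        match = re.match(r"[+\-~?]?([a-z0-9]+)", term, re.I)
        names.append((term, match.group(1).lower() if match else ""))
    all_terms = [t for t, n in names if n == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: mail from unlisted servers gets a neutral result")
    elif all_terms[-1] in ("+all", "all", "?all"):
        findings.append(f"'{all_terms[-1]}' authorises any server to send as this domain; use -all")
    lookups = sum(1 for _, n in names if n in SPF_LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10; receivers return permerror")
    if any(n == "ptr" for _, n in names):
        findings.append("'ptr' is deprecated and slow; list sending hosts explicitly instead")
    return findings


def check_dmarc(record: str) -> list:
    """Return findings for one DMARC record; an empty list means it enforces a policy with reporting."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (must start with v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if not policy:
        findings.append("missing required p= tag; receivers ignore the record")
    elif policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered; move to quarantine, then reject")
    if "rua" not in tags:
        findings.append("no rua= address: you receive no aggregate reports and cannot see who is spoofing you")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    if tags.get("sp", "").lower() == "none" and policy in ("quarantine", "reject"):
        findings.append("sp=none leaves every subdomain unprotected while the main domain is enforced")
    return findings


if __name__ == "__main__":
    # Constructed records for a hypothetical business domain (not real DNS data)
    samples = {
        "weak SPF": "v=spf1 include:_spf.mailprovider.example +all",
        "hardened SPF": "v=spf1 include:_spf.mailprovider.example ip4:203.0.113.10 -all",
        "weak DMARC": "v=DMARC1; p=none",
        "hardened DMARC": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourbusiness.example; pct=100",
    }
    for label, rec in samples.items():
        checker = check_dmarc if "DMARC" in label else check_spf
        print(f"{label:15} -> {checker(rec) or ['ok']}")
```

To check your own domain, fetch the records with `dig TXT yourbusiness.example +short` and `dig TXT _dmarc.yourbusiness.example +short` (or `nslookup -type=txt` on Windows) and pass the strings to the two functions. A record that passes these checks still needs the aggregate reports read: that is how you discover a forgotten mailing tool or invoicing service sending on your behalf before you tighten the policy and break it.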

Credential reuse between personal and work accounts

The Verizon DBIR found that 30% of the systems appearing in infostealer malware logs were corporate-managed devices, and that 54% of ransomware victims had credentials or domains exposed in infostealer logs before the attack (Verizon, 2025). Infostealer malware, distributed through malicious ads, fake software downloads, and browser extensions, silently harvests every password saved in a browser, along with active session cookies. When employees reuse passwords across personal and work accounts, a single infostealer infection on a personal device can hand attackers the keys to your business systems, and the stolen cookies can let them in without a password at all.

Defenses: Require unique passwords for all work accounts. Deploy a business password manager. Ensure MFA is enabled on all business-critical services.

Employee training: the highest-return investment

The Verizon DBIR reports that a small minority of employees (about 8%) account for roughly 80% of security incidents, and that the median time for a user to fall for a phishing email is under 60 seconds (Verizon, 2025). Training changes this: organizations that run training programs see roughly a four-fold increase in employees reporting phishing (Verizon, 2025), and the National Cybersecurity Alliance found that 94% of employees who received training made at least one positive behavior change (National Cybersecurity Alliance, 2023). The effect decays, however: studies of awareness training find that its benefit fades after roughly four months without reinforcement, which is why NIST's awareness and training guidance treats awareness as an ongoing program rather than a one-off event (NIST, 2003). Brief, regular refreshers are far more effective than a single annual session.

NIST's Small Business Cybersecurity Corner (nist.gov/itl/smallbusinesscyber) offers over 70 free resources including short videos, tip sheets, and case studies specifically designed for small businesses (NIST, n.d.-c). CISA also provides free training resources through its Cybersecurity Awareness Program. The NIST Cybersecurity Framework 2.0 Small Business Quick Start Guide (SP 1300) provides a practical planning tool organized around six core functions: Govern, Identify, Protect, Detect, Respond, and Recover (NIST, 2024c).

What to do: Conduct short (15-minute) cybersecurity awareness sessions quarterly, focused on phishing recognition, password hygiene, and reporting procedures. Run periodic simulated phishing tests. Create a no-blame culture where employees feel safe reporting suspicious messages. Consult NIST's Small Business Cybersecurity Corner for free, authoritative training materials.


The threat landscape in 2025–2026: what has changed

Several converging trends make the current moment especially dangerous for small businesses.

AI has supercharged social engineering. The NCSC assessed that by 2025, generative AI would "make it difficult for everyone, regardless of their level of cyber security understanding, to assess whether an email or password reset request is genuine" (NCSC, 2024a). Over 80% of phishing emails in the period from September 2024 to February 2025 used AI to some extent (ENISA, 2025). Deepfake-based voice phishing (vishing) surged 1,600% in Q1 2025 versus late 2024.

Infostealer malware is booming. Criminal use of information-stealing malware — which silently harvests passwords, session tokens, and browsing data — at least doubled in 2024 (SpyCloud, 2025). The Lumma Stealer infected nearly 400,000 machines in spring 2025 alone (ENISA, 2025). These tools are distributed through malvertising, fake software download pages, and compromised browser extensions.

MFA is being bypassed. Adversary-in-the-middle (AiTM) phishing kits, sold as commercial Phishing-as-a-Service platforms, proxy the victim's login to the real site and capture both the password and the resulting session cookie, so one-time codes and push approvals are simply relayed through and the attacker walks away with a logged-in session. Platforms like Darcula, Lucid, and FlowerStorm have automated this at scale (ENISA, 2025). The reliable defense is phishing-resistant MFA, meaning hardware security keys or passkeys, whose credentials are bound to the genuine site's origin and therefore do not work when presented through a look-alike proxy.

Ransomware is hitting smaller targets harder. The proportion of breaches involving ransomware rose to 44% in 2025, with 88% targeting SMBs (Verizon, 2025). Small businesses impacted by ransomware faced costs between $120,000 and $1.24 million (Halcyon, 2024).

These trends reinforce the same core message: the fundamentals in this memo — strong unique passwords, MFA, updated software, ad blocking, employee awareness, and tested backups — are not optional precautions. They are the minimum viable defense for operating a business on the modern internet.


Conclusion: a handful of habits that matter

This memo covers a lot of ground, but the essential actions fit on a single index card. Use a password manager to generate unique passwords for every account. Turn on multi-factor authentication everywhere, with hardware keys or authenticator apps preferred over SMS. Keep everything updated — browsers, operating systems, and business software. Use Firefox or Brave with HTTPS-only mode and an ad blocker like uBlock Origin. Change your DNS to Quad9 or Cloudflare's malware-blocking service. Back up your data following the 3-2-1 rule with at least one offline copy. Verify unexpected requests for money or credentials through a separate trusted channel. Train your team briefly and regularly, creating a culture where reporting suspicious messages is rewarded, not punished.

None of these steps require a technology degree or a dedicated IT staff. Each one meaningfully reduces your risk. Together, they represent the security posture that government agencies and cybersecurity experts consider the baseline for any organization operating online today. The threats are evolving, but the defenses are accessible. The hardest part is starting.


References

AdMonsters. (2025). Digital advertising malware in 2024: Lessons for 2025 and beyond. https://www.admonsters.com/digital-advertising-malware-in-2024-lessons-for-2025-and-beyond/

Anti-Phishing Working Group. (2024, May 14). Phishing activity trends report, 1st quarter 2024. https://docs.apwg.org/reports/apwg_trends_report_q1_2024.pdf

Anti-Phishing Working Group. (2025, July 2). Phishing activity trends report, 1st quarter 2025. https://docs.apwg.org/reports/apwg_trends_report_q1_2025.pdf

Center for Internet Security. (n.d.). MS-ISAC security primer – Typosquatting. https://www.cisecurity.org/insights/white-papers/ms-isac-security-primer-typosquatting

Cloudflare. (n.d.-a). What is DNS? Cloudflare Learning Center. https://www.cloudflare.com/learning/dns/what-is-dns/

Cloudflare. (n.d.-b). What is 1.1.1.1? Cloudflare Learning Center. https://www.cloudflare.com/learning/dns/what-is-1.1.1.1/

Cybernews. (2025, May 1). Password study analyzing 19 billion passwords. https://cinchops.com/password-leak-study-unveils-alarming-2025-trends-94-of-passwords-reused/

Cybersecurity and Infrastructure Security Agency. (n.d.-a). Tips to stay safe while surfing the web, part 2: Accessing websites securely. https://www.cisa.gov/resources-tools/training/tips-stay-safe-while-surfing-web-part-2-accessing-websites-securely

Cybersecurity and Infrastructure Security Agency. (n.d.-b). Understanding website certificates. https://www.cisa.gov/news-events/news/understanding-website-certificates

Cybersecurity and Infrastructure Security Agency. (n.d.-c). Recognize and report phishing. https://www.cisa.gov/secure-our-world/recognize-and-report-phishing

Cybersecurity and Infrastructure Security Agency. (n.d.-d). Use strong passwords. https://www.cisa.gov/secure-our-world/use-strong-passwords

Cybersecurity and Infrastructure Security Agency. (n.d.-e). Require multifactor authentication. https://www.cisa.gov/audiences/small-and-medium-businesses/secure-your-business/require-multifactor-authentication

Cybersecurity and Infrastructure Security Agency. (n.d.-f). Known exploited vulnerabilities catalog. https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Cybersecurity and Infrastructure Security Agency. (n.d.-g). Back up business data. https://www.cisa.gov/audiences/small-and-medium-businesses/secure-your-business/back-up-business-data

Cybersecurity and Infrastructure Security Agency. (n.d.-h). Business email compromise continues to swindle and defraud U.S. businesses. https://www.cisa.gov/news-events/alerts/2015/06/24/business-email-compromise-continues-swindle-and-defraud-us-businesses

Cybersecurity and Infrastructure Security Agency. (2021, March 4). Joint NSA and CISA guidance on strengthening cyber defense through protective DNS. https://us-cert.cisa.gov/ncas/current-activity/2021/03/04/joint-nsa-and-cisa-guidance-strengthening-cyber-defense-through

Cybersecurity and Infrastructure Security Agency. (2022, October 31). Implementing phishing-resistant MFA [Fact sheet]. https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf

Cybersecurity and Infrastructure Security Agency. (2023a). Capacity enhancement guide: Securing web browsers and defending against malvertising for non-federal organizations. https://www.cisa.gov/sites/default/files/2023-09/CISA%20CEG%20Securing%20Web%20Browsers%20And%20Defending%20Against%20Malvertising.pdf

Cybersecurity and Infrastructure Security Agency. (2024a, May). Encrypted DNS implementation guidance, version 1.0. https://www.cisa.gov/sites/default/files/2024-05/Encrypted%20DNS%20Implementation%20Guidance_508c.pdf

Cybersecurity and Infrastructure Security Agency, National Security Agency, & Multi-State Information Sharing and Analysis Center. (2023, January 25). Protecting against malicious use of remote monitoring and management software (Cybersecurity Advisory AA23-025A). https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-025a

Doerfler, P., Thomas, K., Marincenko, M., Ranieri, J., Jiang, Y., Moscicki, A., & McCoy, D. (2019). Evaluating login challenges as a defense against account takeover. In Proceedings of the 2019 World Wide Web Conference (WWW '19). https://doi.org/10.1145/3308558.3313481

Electronic Frontier Foundation. (n.d.-a). Cover Your Tracks — Learn. https://coveryourtracks.eff.org/learn

Electronic Frontier Foundation. (n.d.-b). Privacy Badger. https://privacybadger.org/

Electronic Frontier Foundation. (n.d.-c). Privacy. https://www.eff.org/issues/privacy

Electronic Frontier Foundation. (2021, September 28). HTTPS is actually everywhere. https://www.eff.org/deeplinks/2021/09/https-actually-everywhere

Electronic Frontier Foundation. (2023, September). Privacy Sandbox concerns [Referenced in coverage by The Register]. https://www.theregister.com/2023/09/30/eff_chrome_google_sandbox/

Electronic Frontier Foundation. (2026, February). How to pick your password manager. https://www.eff.org/deeplinks/2026/02/how-pick-your-password-manager

Enzoic. (n.d.). 8 scary statistics about the password reuse problem. https://www.enzoic.com/blog/8-stats-on-password-reuse/

European Union Agency for Cybersecurity. (2025). ENISA threat landscape 2025. https://socket.dev/blog/enisa-s-2025-threat-landscape-ai-reshapes-cyber-attacks

Federal Bureau of Investigation Internet Crime Complaint Center. (2024a, September 11). Business email compromise: The $55 billion scam (PSA I-091124-PSA). https://www.ic3.gov/PSA/2024/PSA240911

Federal Bureau of Investigation Internet Crime Complaint Center. (2025, April 24). 2024 IC3 annual report. https://www.ic3.gov/AnnualReport/Reports/2024_IC3Report.pdf

FIDO Alliance. (2025). Passkey index 2025. https://fidoalliance.org/passkey-index-2025/

GitLab Security. (2025, February). Tech note — Malicious browser extensions impacting at least 3.2 million users. https://gitlab-com.gitlab.io/gl-security/security-tech-notes/threat-intelligence-tech-notes/malicious-browser-extensions-feb-2025/

Google. (2024). HTTPS encryption on the web. Google Transparency Report. https://transparencyreport.google.com/https/overview

Heiding, F., Lermen, S., Kao, A., Schneier, B., & Vishwanath, A. (2024). Evaluating large language models' capability to launch fully automated spear phishing campaigns: Validated on human subjects. Expert Systems with Applications. https://arxiv.org/abs/2412.00586

HTTP Archive. (2025). Security chapter. In The Web Almanac 2025. https://almanac.httparchive.org/en/2025/security

Microsoft Research. (2023). How effective is multifactor authentication at deterring cyberattacks? https://arxiv.org/pdf/2305.00945

Mozilla. (n.d.-a). How Firefox protects your data. https://www.firefox.com/en-US/user-privacy/

Mozilla. (n.d.-b). Third-party cookies and Firefox tracking protection. Firefox Help. https://support.mozilla.org/en-US/kb/third-party-cookies-firefox-tracking-protection

Mozilla. (2022). Firefox rolls out Total Cookie Protection by default to all users worldwide. The Mozilla Blog. https://blog.mozilla.org/en/mozilla/firefox-rolls-out-total-cookie-protection-by-default-to-all-users-worldwide/

National Cyber Security Centre. (n.d.-a). Password policy: Updating your approach. https://www.ncsc.gov.uk/collection/passwords/updating-your-approach

National Cyber Security Centre. (n.d.-b). Password administration for system owners. https://www.ncsc.gov.uk/collection/passwords

National Cyber Security Centre. (n.d.-c). Managing web browser security. https://www.ncsc.gov.uk/collection/device-security-guidance/policies-and-settings/managing-web-browser-security

National Cyber Security Centre. (n.d.-d). NCSC for Startups: Taking on malvertising. https://www.ncsc.gov.uk/blog-post/ncsc-for-startups-taking-on-malvertising

National Cyber Security Centre. (n.d.-e). Virtual Private Networks (VPNs). https://www.ncsc.gov.uk/collection/device-security-guidance/infrastructure/virtual-private-networks

National Cyber Security Centre. (2024a, January 24). The near-term impact of AI on the cyber threat. https://www.ncsc.gov.uk/report/impact-of-ai-on-cyber-threat

National Cyber Security Centre. (2024b, November). Guidance for brands to help advertising partners counter malvertising. https://www.ncsc.gov.uk/guidance/guidance-brands-advertising-partners-counter-malvertising

National Cyber Security Centre. (2025a, January). ChromeOS platform guide. https://www.ncsc.gov.uk/collection/device-security-guidance/platform-guides/chrome-os

National Cyber Security Centre. (2025b, May). Impact of AI on cyber threat from now to 2027. https://www.ncsc.gov.uk/report/impact-ai-cyber-threat-now-2027

National Cybersecurity Alliance. (2023). Oh Behave! The annual cybersecurity attitudes and behaviors report.

National Institute of Standards and Technology. (n.d.-a). NIST SP 800-63 digital identity guidelines — Frequently asked questions. https://pages.nist.gov/800-63-FAQ/

National Institute of Standards and Technology. (n.d.-b). Sandbox. NIST Computer Security Resource Center Glossary. https://csrc.nist.gov/glossary/term/sandbox

National Institute of Standards and Technology. (n.d.-c). Small Business Cybersecurity Corner. https://www.nist.gov/itl/smallbusinesscyber

National Institute of Standards and Technology. (2003). Building an information technology security awareness and training program (SP 800-50). https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-50.pdf

National Institute of Standards and Technology. (2024a). Digital identity guidelines: Authentication and lifecycle management (SP 800-63B-4). https://pages.nist.gov/800-63-4/sp800-63b.html

National Institute of Standards and Technology. (2024b, April 22). Giving NIST SP 800-63B a boost: Supplement for incorporating syncable authenticators. NIST Cybersecurity Insights Blog. https://www.nist.gov/blogs/cybersecurity-insights/giving-nist-digital-identity-guidelines-boost-supplement-incorporating

National Institute of Standards and Technology. (2024c). NIST Cybersecurity Framework 2.0: Small Business Quick Start Guide (SP 1300). https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1300.pdf

National Security Agency. (2018, May). Steps to secure web browsing (CSF U/OO/156564-18). https://www.nsa.gov/portals/75/documents/what-we-do/cybersecurity/professional-resources/csi-steps-to-secure-web-browsing.pdf

NI Cyber Security Centre. (n.d.). Cybersecurity considerations for homeworking. https://www.nicybersecuritycentre.gov.uk/articles/cybersecurity-considerations-homeworking

OneTrust. (2025, April 29). Google drops plans for third-party cookie choice prompt in Chrome. https://www.onetrust.com/blog/google-drops-plans-for-third-party-cookie-choice-prompt-in-chrome/

Sophos. (2025). The state of ransomware 2025. https://www.sophos.com/en-us/content/state-of-ransomware

SpyCloud. (2025). Annual identity exposure report 2025. https://spycloud.com/resource/report/spycloud-annual-identity-exposure-report-2025/

Swiss National Cyber Security Centre. (2024). Week 29: Be careful using public WiFi. https://www.ncsc.admin.ch/ncsc/en/home/aktuell/im-fokus/2024/wochenrueckblick_29.html

The Register. (2025a, January 22). Supply chain attack strikes array of Chrome extensions. https://www.theregister.com/2025/01/22/supply_chain_attack_chrome_extension/

The Register. (2025b, December 1). Browser extensions pushed malware to 4.3M Chrome, Edge users. https://www.theregister.com/2025/12/01/chrome_edge_malicious_browser_extensions/

ThreatLocker. (2025). Malvertising emerges as growing access point for cybercriminals. https://www.threatlocker.com/blog/malvertising-emerges-as-growing-access-point-for-cybercriminals

UK Department for Science, Innovation and Technology. (2024). Cyber security breaches survey 2024.

Verizon. (2025). 2025 Data Breach Investigations Report. https://www.verizon.com/business/resources/reports/dbir/