
Browser Extensions Are Tiny. The Risk They Carry Is Not.

Your staff probably have half a dozen browser extensions installed right now. A grammar checker, a PDF tool, something that clips web pages to a note-taking app. Each one felt harmless at the time - a two-second install, a small productivity win. But a browser extension is not a small thing in security terms. It sits inside the browser where your team spends most of their day, and it can see everything happening in that browser: the pages visited, the forms filled in, the cloud tools being used.

That is not a theoretical risk. Extensions are granted special access inside the browser that most other software is not. They can read what is on a page, interact with what is being typed, and in some cases reach into the same systems your practice runs on. One over-permissioned extension - or one extension that gets a bad update - can turn a helpful toolbar icon into an access problem you never saw coming. This is the kind of exposure that catches small businesses off guard precisely because the source looks so ordinary.

The permissions issue is where most of the risk lives. A well-designed extension asks only for what it needs to do its job. But many extensions ask for far more than that: access to all tabs, browsing history, and the ability to read and modify page content. If an extension can do all of that, it can potentially capture data from your practice management software, your client emails, and anything else your staff have open. Microsoft's own guidance for browser extensions is clear that tools should request only the permissions essential for their stated function. Requesting broad access 'just in case' is not acceptable, and it is a reliable signal that something is not quite right.

Extensions also change over time. An extension that was safe when it was installed can request new permissions in a future update. If a staff member clicks 'accept' without reading what has changed, the extension quietly gains capabilities it did not have before. This kind of permission creep rarely gets noticed - until something goes wrong. It shares the same slow-burn quality as credential attacks that build undetected across your whole team.

Getting this under control does not require a lengthy policy or a major project. The practical answer is a short vetting habit. Before any extension gets installed, check that the developer has a real business presence, a consistent name, and a track record of normal updates. Read the store listing carefully - it should explain clearly what the extension does and exactly why it needs the access it is requesting. If the permissions do not match the feature, that is a red flag. If the extension is vague about what it does with data, that is another. For anything that touches sensitive systems or asks for broad access, the right move is to get an IT engineer who understands professional services environments to review it before it is installed, then add approved tools to a managed list so staff are not making these calls on their own.

When extensions are managed this way, the decision process is simple. Approve the ones with a credible vendor, a clear purpose, and tight permissions. Avoid the ones that are vague or over-permissioned. Escalate anything genuinely useful that touches sensitive areas. That structure turns what is currently an impulse decision into a repeatable standard - and it stops unvetted tools from accumulating quietly in your browser over months and years. Pairing this with the broader hygiene habits that matter most in 2025 gives your practice a much stronger baseline.
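As an added example, not code from the article or from ITstuffed, the following Python check applies that approve/escalate rule to an extension's manifest.json (Chrome/Edge manifest v3 layout) and flags the permission creep described above by comparing the installed manifest with the updated one. The list of broad permissions and both sample manifests are assumptions constructed for illustration, not a vendor-published list or a real extension.

```python
"""Flag over-permissioned browser extensions and permission creep between
updates by inspecting the extension's manifest.json (Chrome/Edge MV3 layout).
Added example; the broad-permission list and sample manifests are constructed."""
import json

# Permissions that let an extension read or alter what the user sees or types.
# This set is an assumption chosen for the example, not an official list.
BROAD_PERMISSIONS = {"tabs", "history", "webRequest", "cookies",
                     "scripting", "clipboardRead", "declarativeNetRequest"}
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def declared_access(manifest: dict) -> tuple[set[str], set[str]]:
    """Return (API permissions, host patterns) the manifest declares,
    including hosts reached indirectly through content_scripts matches."""
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))
    return perms, hosts


def review(manifest: dict) -> dict:
    """Apply the vetting rule: tight permissions are approved, broad ones escalated."""
    perms, hosts = declared_access(manifest)
    findings = sorted(perms & BROAD_PERMISSIONS)
    findings += sorted(h for h in hosts if h in BROAD_HOST_PATTERNS)
    return {"name": manifest.get("name", "?"), "broad": findings,
            "verdict": "escalate" if findings else "approve"}


def permission_creep(installed: dict, updated: dict) -> dict:
    """Access the updated manifest declares that the installed version did not."""
    old_p, old_h = declared_access(installed)
    new_p, new_h = declared_access(updated)
    return {"new_permissions": sorted(new_p - old_p),
            "new_hosts": sorted(new_h - old_h)}


# Constructed sample: a PDF tool that needed only local storage when installed...
INSTALLED = {"manifest_version": 3, "name": "Example PDF Tool", "version": "1.0",
             "permissions": ["storage"], "host_permissions": []}
# ...and whose update asks to read every tab and inject scripts into every site.
UPDATED = {"manifest_version": 3, "name": "Example PDF Tool", "version": "1.1",
           "permissions": ["storage", "tabs", "scripting"],
           "host_permissions": ["<all_urls>"]}

if __name__ == "__main__":
    print(json.dumps(review(INSTALLED)))
    print(json.dumps(review(UPDATED)))
    print(json.dumps(permission_creep(INSTALLED, UPDATED)))
```

To check a real extension, load its manifest.json with `json.load` and pass the resulting dict to `review`; keep a copy of the approved manifest so `permission_creep` can be run when the store shows an update.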

For professional services businesses handling client data, this matters more than it might seem. The cyber security obligations on practices under the NZ Privacy Act 2020 include taking reasonable steps to protect personal information - and 'reasonable steps' increasingly means managing the software your staff use every day, including what lives in their browsers.

IT Stuffed ran a full systems cyber security audit for us, which was very eye-opening! They helped us implement the necessary changes and gave us some strategic advice on future steps. Daniel and the team are incredibly dedicated, great communicators and a real pleasure to deal with.

Zia Lilley

When faced with a cyber-attack a year ago we greatly appreciated the immediate and ongoing support we received from IT Stuffed. Happy to recommend this service.

Maggy Tai Rākena

ITstuffed works with Canterbury professional services businesses to get this kind of thing sorted properly - approved extension lists, browser-level controls, and a clear process so staff know what to do before they install anything. A 15-minute IT Fit Check is a good place to start if you are not sure where your current setup stands.