The Tor Browser is a web browser designed for anonymous web browsing and protection against traffic capture, providing some level of privacy protection for individuals who us it. The Tor Browser is used for legitimate reasons by law enforcement officials, reporters, activists, whistle blowers and ordinary security-conscious individuals to protect their anonymity. Tor was originally developed by the United States Navy to protect confidential U.S. government communications.
Tor is now an open source, multi-platform browser that is available to the public. Tor hides user identities through a series of “encrypted tunnels” which conceal the next “relay” and the previous “relay” from anyone observing the traffic. The Wikipedia article explains it like this:
Onion routing is implemented by encryption in the application layer of a communication protocol stack, nested like the layers of an onion. Tor encrypts the data, including the next node destination IP address, multiple times and sends it through a virtual circuit comprising successive, random-selection Tor relays. Each relay decrypts a layer of encryption to reveal the next relay in the circuit to pass the remaining encrypted data on to it. The final relay decrypts the innermost layer of encryption and sends the original data to its destination without revealing or knowing the source IP address. Because the routing of the communication was partly concealed at every hop in the Tor circuit, this method eliminates any single point at which the communicating peers can be determined through network surveillance that relies upon knowing its source and destination.
Now, if you understood that, well done. Each layer of the onion in Tor browsing is pulled off and discarded leaving no trace of where it came from or where it was going to. Reach your destination only when the last encrypted layer is removed.
What does this mean for an SMB?
On the one hand, you may wish to prohibit the use of TOR browsers in your organization on the grounds that they can lead to anonymous and untraceable data exfiltration which could damage the company. This is a legitimate prohibition which belongs in your Acceptable Use of Computers policy.
On the other hand, perhaps you have employees who travel and must send data out of dangerous places or with content that could be risky were it discovered by hostile parties. In such cases, you might encourage the use of a Tor browser.
What you do is up to you. Knowing what is out there and why it is used helps prepare you for the day you find a Tor browser in your company.