Safer Internet Day: The 5 Security Basics Most SMBs Still Get Wrong

Safer Internet Day is aimed at children. But frankly, many businesses need the reminder too. Here are the basics we still see companies getting wrong.

Safer Internet Day was created to educate children about online safety. But after a decade of working with small businesses, we've concluded that many adults need the same lessons.

These five security basics are taught to school children. Yet we regularly find them missing in professional environments.

1. Don't Use the Same Password Everywhere

Children are taught this in primary school. Yet we still find business owners using the same password for their email, banking, and Netflix.

When LinkedIn gets breached (which it has, multiple times), attackers immediately try those passwords on Office 365. If yours matches, they're in.

The fix: A password manager. One master password to remember. Unique passwords for everything else, generated and stored automatically.

2. Think Before You Click

Every child safety programme covers this. Don't click links from strangers. Check the URL before entering information.

Yet 34% of staff click phishing links in simulations. 12% enter their credentials.

The fix: Assume every link is suspicious until verified. Hover before clicking. When in doubt, navigate to the site directly rather than following the link.

3. Keep Your Software Updated

Children understand that apps need updating. Yet businesses run Windows 10 for years past its support date. Security patches sit uninstalled because 'now isn't convenient.'

Every unpatched system is an open door for attackers.

The fix: Enable automatic updates. Yes, the occasional restart is annoying. Data breaches are more annoying.

4. Don't Share Personal Information Publicly

Kids are taught not to share their address or phone number with strangers online. Yet businesses publish employee details, org charts, and internal processes on LinkedIn.

Attackers use this information for targeted phishing: 'Hi Sarah, I'm the new contractor working with James in Finance. Can you send me...'

The fix: Limit what you share publicly. Consider what an attacker could learn from your LinkedIn, your website, your job listings.

5. Tell an Adult If Something Goes Wrong

The most important lesson: if you make a mistake, tell someone immediately.

In businesses, this translates to incident reporting. Yet many employees hide mistakes for fear of blame. They clicked a suspicious link, panicked, closed the browser, and hoped nobody noticed.

Meanwhile, the attacker is exploring the network.

The fix: Create a blame-free reporting culture. 'I think I clicked something bad' should be met with 'thanks for telling us immediately' not 'how could you be so stupid?'

The Real Lesson of Safer Internet Day

Security awareness isn't a one-day event. It's a continuous process of building good habits.

Children get regular, age-appropriate security education throughout their school years. Adults often get one boring compliance video annually.

No wonder the kids are better at this.

Making It Stick

For Safer Internet Day to mean anything for your business:

• This week: Check that everyone has a password manager
• This month: Run a phishing simulation
• This quarter: Review your public information exposure
• Ongoing: Build reporting into your culture

Need help implementing any of this? That's literally what we do.

Talk to us about security basics