Startups, family businesses, boutique consulting firms — these are the companies most at risk of cybersecurity attacks. And they know it. So they’ve been taking precautions to stay safe from hackers: adopting tools, tightening policies, and investing in employee training.
Despite these precautions, nearly one in four SMBs fell victim to cyberattacks in the past 12 months alone.
These are among the major findings of Proton’s 2026 SMB Cybersecurity Report, a global study that surveyed 3,000 decision-makers at companies with fewer than 250 employees across six key markets: US, UK, Brazil, France, Germany, and Japan.
Our report offers data and lessons that go beyond the generic and false “SMBs are unprepared” cliché, showing how leaders are actually investing in cybersecurity and why those investments have failed to protect so many of them.
Why we ran this study
At Proton, we regularly survey our community to understand how people use technology and where they feel their sensitive data is vulnerable. With these insights, we can develop new products and features or make recommendations to the customers that depend on our encrypted business solutions. We identified a gap in the research when it comes to SMBs.
Much of today’s cybersecurity research still assumes an enterprise-level setup, with bigger budgets, in‑house security experts, and a CISO in every meeting. That’s not the reality for most SMBs, where the same person may well be signing off on sales targets, lunch orders, and security policies.
We commissioned this report to answer a simple question: What is the real-world risk for SMBs, and what measures are they taking to protect themselves?
Here’s what our report found
With such a large-scale survey, we could identify several surprising and sweeping conclusions that were consistent across SMBs in multiple industries and countries.
- Spending is up, but security isn’t: Many SMBs have run formal risk assessments, introduced regular audits, and rolled out modern measures like multi-factor authentication and password managers. On paper, they look significantly more mature than the stereotype of the unprotected small business. And yet, many still report serious cyber incidents within the same year — often with financial damage that can wipe out months of investment or even halt operations. Well over 1 million small- and medium-sized businesses suffered a cyberattack last year, taking into account the number of SMBs in the markets we studied.
- Human error can’t be patched: People remain one of the biggest vulnerabilities in SMB security. Organizations are not ignoring this; most invest in security awareness training and phishing education. But many businesses also acknowledge that confidence in employees’ ability to spot and avoid every threat is limited. Credential sharing tells this story clearly. Even in companies that have rolled out password managers, logins still circulate via email, messaging apps, shared documents, calls, and written notes.
- Cloud and AI has expanded the attack surface: Almost all of the businesses we surveyed now rely on major cloud providers for core operations, and many have started to integrate AI tools into their workflows. What stands out is the gap between dependency and confidence. Businesses frequently assume that being on a large platform means their data is automatically safe, even when they can’t clearly explain where it is stored, how it is encrypted, or who can access it.
- Security is now a selling point: A clear majority of SMBs say that demonstrating strong data protection has become critical for winning new business, and only a small fraction say clients never ask about security. It’s no wonder. When businesses are attacked, the damage isn’t limited to the business that suffered the breach. It cascades outward. Your partners’ data can be exposed, their operations disrupted, their reputation tarnished, and their own customers put at risk.
Get the full report
Proton gives people and organizations meaningful control over their data through end‑to‑end encryption, open standards, privacy-first Swiss jurisdiction, and a business model that doesn’t depend on exploiting user information.
With the SMB Cybersecurity Report 2026, we’re extending that same philosophy to the way smaller organizations understand their risk. For small business leaders, the report provides a practical benchmark. The report includes four key insights and five actionable recommendations for your SMB. You’ll gain clues into whether your security posture is as strong as you think it is, where it needs reinforcing, and what to prioritize next.
You can explore the full findings, including regional trends, sector differences, and concrete recommendations, in the complete SMB Cybersecurity Report 2026.
