The way small and medium businesses work has changed for good — but so has the way they get attacked. Teams are distributed, SaaS tools handle everything from payroll to project management, and contractors and vendors rotate in and out of systems regularly. With each new tool or employee with access, the number of potential entry points increases.
That expanding attack surface matters because credential-based attacks, including phishing, account takeovers, and password theft, have become one of the most common ways businesses get breached. They work precisely because access has sprawled, which makes it difficult to track. All an attacker has to do now is find one valid set of credentials to bypass your business’s defenses.
In this context, it should be encouraging that over half of small businesses now use a business password manager. But Proton’s SMB Cybersecurity Report 2026 — a global study of 3,000 SMB decision makers — found that one in four still experienced a breach last year.
All this points to a gap between how tools are adopted and how they’re actually used.
How SMBs use password managers today
Most password managers are designed to do one thing well: help you remember your password. In practice, that means creating complex and unique passwords and managing them in an encrypted vault. That’s meaningfully better than the norm of reusing the same credentials across accounts and platforms.
But with passwords being an attacker’s easiest point of entry, SMBs need password managers to do much more than just solve memory and convenience problems. They need them to secure access.
Access is a far broader question. Do the right people have the right credentials — and would you know what they unlock or if they fell into the wrong hands? And as teams grow, subscriptions stack up, and contractors cycle in and out, your organization’s considerations need to shift from merely strengthening passwords to accounting for real-world security threats.
That’s the change most businesses don’t make until something goes wrong.
Where password manager implementations go wrong
The key insight of our report was that businesses adopting password managers don’t consistently use them.
Unsafe credential sharing still persists at surprisingly high rates:
- 33% share them in shared documents or spreadsheets
- 30% share credentials via email
- 27% share them via messaging apps
- 25% write them down
- 24% share them verbally
That’s a picture of busy people taking the fastest route available at that moment. Instead of toggling over to the password manager app and sharing a new credential in its proper vault, they might paste it into Slack or an email.
Workarounds feel harmless in isolation. But over time, credentials end up scattered across inboxes, chat histories, and shared documents in ways that are hard to untangle. When an employee leaves, you can’t later revoke access. And updating passwords on a moment’s notice after a data breach becomes impossible unless they’re stored in a centralized, secure location.
Training to enforce security policies can help, but our research revealed even that isn’t quite enough…
Why security awareness training isn’t enough
Our report found that 39% of SMBs have experienced a security incident caused by human error. That statistic is easy to misread; the natural response is to assume that more careful employees mean fewer incidents.
But this framing misses something important: Security systems that depend on perfect behavior under everyday pressure will always be let down by reality. Mistakes happen not because people don’t care — they happen because the secure option often demands more effort and time than the typical SMB can afford. Even well-intentioned teams will find workarounds when they’re resource-stretched.
The lasting fix isn’t more training. It’s designing systems where the secure option is also the easy one.
When sharing access safely takes no more effort than dropping a password into a chat message, people will use it.
When the access problem gets out of control
The credential problem compounds as teams grow.
Eighty-six percent of SMBs now rely on cloud-based services for day-to-day operations. That typically means credentials sprawl across project management tools, finance platforms, marketing software, file storage, and customer systems, each with its own permissions and access history.
Access doesn’t just scatter across systems; it spreads across the organization, flowing between teams, external partners, contractors, and former employees who may still retain a way in.
This means that in reality, credentials accumulate, old access continues to linger, and the number of people who have — or have had — the keys to your most sensitive systems scales beyond easy tracking.
Having tools isn’t the same as being protected
The SMBs that experienced breaches last year weren’t cutting corners: 92% were actively investing in security tools. They had password managers, encrypted email, training programs, and written policies in place. In other words, their setups looked solid on paper.
What many lacked was consistent enforcement. Multi-factor authentication (MFA) was switched on but not required, password managers were deployed but not embedded into daily habits, and onboarding and offboarding processes were handled informally rather than systematically. We suspect, given the popularity of browser password managers, that many were not even using a centralized team platform at all — instead relying on a patchwork of less-safe options on an individual basis.
Each of these is a small gap that stays invisible right up until it isn’t.
The real measure of a security setup isn’t what tools are on the list, but whether those tools hold up under the everyday pressure of how people actually work.
Here are some practices to help bring this reality closer for your business:
- Use a password manager built for teams. Browser password managers are not only less secure, they also lack the admin tools managers need to maintain full control of your accounts. Unless you have an enterprise password manager that’s easy to use, it’s not going to cut it.
- Audit who currently has access to what. Check the user lists on your most sensitive tools and see whether any names there come as a surprise.
- Replace shared logins with individual accounts. While it’s easy to share logins in a password manager, it’s not a best practice: Shared logins reduce visibility at the account level, making it harder to identify and react to a breach.
- Make multi-factor authentication a requirement. MFA is one of the most effective protections available — but only when it’s enforced by default, not left as an optional setting.
- Make offboarding systematic. Every departure, whether it’s an employee, contractor, or vendor, should trigger an access review immediately rather than as an afterthought.
Want to know what else you could learn from our survey of 3,000 business leaders across six key markets? Read more in our SMB Cybersecurity Report 2026. You’ll learn what causes breaches and what they actually cost, where human error shows up most often, and how cloud and AI adoption are creating new blind spots. It also includes practical steps for strengthening protection that hold up in real-world conditions.