1 in 4 small businesses hacked despite cybersecurity measures
Businesses are trying to guard against breaches, but their efforts fail under real-world conditions.
To understand why, Proton asked 3,000 founders, executives, and IT leaders across three continents about their cybersecurity practices. The insights we gained will help you protect your business.
Hackers breached one in four SMBs last year, even though virtually all the victims had taken precautions.
SMBs spend as much recovering from cyberattacks as they do trying to prevent them.
Human error, inconsistent security policies, and lack of data control are to blame.
The security status quo is failing SMBs
Many of the defenses in place are designed for ideal behavior, not for how people actually work.
of breached SMBs lost $10,000–$100,000
of incidents stemmed from human error
don’t feel in control of how cloud providers handle their data
don't have a password manager in place at their organization
Attacks cost small businesses dearly
The small businesses that reported breaches last year were spending on their security, but their defenses failed. The attacks ended up costing them about as much money as they spent on protection. About 57% reported losses between $10,000 and $100,000.
Anxiety over data in the cloud
Almost all the SMBs (86%) we surveyed rely on cloud service providers like Google or Microsoft. But as many as 28% of that group say they don’t feel in control of how their data is handled, or aren’t sure. When your provider handles your encryption keys and collects your data, an attack on third-party companies can affect your business.
Taking steps in the right direction
Security wasn’t informal or ad hoc. Far from the cliché of the clueless small business, these SMBs had training programs, recurring audits, and tools in place before the breach. But security solutions become ineffective when they’re optional, unevenly enforced, or easy to bypass.
Training won’t catch every slip
In fact, 39% of businesses report experiencing a cybersecurity incident caused by human error. Strong security requires both training and secure business tools that enable security hygiene by default.
Investing in tools isn’t enough
Password sharing is a clear example. Even respondents that have a password manager on their tech stack still share credentials via email, messaging apps, shared documents, conversations, or in writing.
Not all the losses were financial
Once attackers got in, the consequences spread far beyond money. Cyberattacks disrupted operations, exposed data, and undermined trust. Damage looked different by country:
38% were disrupted
It was worst in the the US, where more than half of the SMBs hit by a cyberattack (51%) said they suffered downtime or operational disruption, halting business.
35% faced legal/IT costs
Legal or IT remediation expenses affected all markets, but Germany’s rate was highest (38%), likely driven by more rigorous data protection requirements.
46% suffered data loss
Among those hit by a breach, Brazilian businesses outpaced the average for data loss, with more than half (53%) reporting that outcome.
24% received penalties
Japanese firms, which were the least impacted by cyberattacks, were also the least likely to have paid fines or regulatory penalties (14%).
How did the breach affect your business?
The survey suggests that well over 1 million small- and medium-sized businesses in the markets we studied suffered a cyberattack last year. Nearly all of them faced costs and operational disruptions.
Stay one step ahead of the hackers
In compiling the SMB Cybersecurity Report 2026, Proton surveyed 3,000 business and IT leaders of companies under 250 employees across the US, UK, France, Germany, Brazil, and Japan.
Inside this report you’ll learn four key insights and five recommendations:
How peers in your industry are handling cybersecurity
How to build security systems that expect human mistakes — and contain them
Why security is an active growth lever, not just passive defense
Who this report is for
This report is written for founders, executives, and operators at small- and mid-sized businesses who:
Are responsible for protecting customer, financial, or operational data
Run lean teams without a dedicated security function
Make decisions about tools, vendors, access, and risk
Rely on cloud services and AI to get work done
Need security practices that hold up in real-world conditions
Don’t want a single security incident to derail the business
Download the free report
Understand where security confidence breaks down and how to build protection that holds up in real-world conditions.
