Spreadsheets sit at the center of day-to-day business decisions, holding financial data, customer records, HR information, and strategic plans. New Proton research shows this central role makes spreadsheets a hidden security and privacy liability.

The results point to a variety of risks that are easy for busy employees and managers to overlook: 

  • Spreadsheet access does not expire when roles change, and businesses confess they don’t review access to old documents, leaving sensitive data exposed indefinitely.
  • Managers say they have limited clarity over what Big Tech providers like Google and Microsoft can see or reuse for AI training and other purposes. Without end-to-end encryption, the data could be indexed, scanned, and leaked.
  • Workers use personal accounts to manage work files, blurring digital lines and making it all but impossible to maintain a network firewall and control business data.

We surveyed SMB leaders across the US, UK, Germany, and France about how they use — and protect — their spreadsheets. All of them were small businesses (with under 100 employees), which makes them uniquely at risk of hacking and ransomware attacks.

The results point to a critical need for encrypted spreadsheets and better internal security practices. We present our recommendations at the bottom of this article. 

From temporary tools to permanent archives

Chart depicting French, German, US and UK SMB respondents who still have access to old spreadsheets from previous jobs or projects

One of the most striking findings in the research is how often spreadsheet access persists after roles and projects end. Former employees continue to have visibility into files long after they should, exposing businesses to compliance failures, contractual breaches, and loss of customer trust.

Image with text that says 61% of US respondents say they have opened spreadsheets from a previous job, project, or team.

Which files remain open varies by country. The UK reports the highest levels of visible HR data, while France shows the highest incidence of customer-data exposure.

This lingering access is known as ghost access: files containing sensitive business data stay open, links keep working, and open permissions remain in the background. The exposed data is not trivial. Respondents report continued access to ongoing salary and payroll information, internal budgets, client records, and strategic planning documents.

When asked what types of data they could still access, respondents reported the following:

US:

  • Financial or payroll documents (44%)
  • Sales or purchase records (41%)

This type of access exposes employee personal data and commercially sensitive transactions, increasing the risk of privacy violations and financial misuse.

UK:

  • Financial or payroll documents (31%)
  • Client or customer information (31%)

Continued access to payroll and customer records raises direct GDPR compliance concerns, particularly around lawful access and purpose limitation.

Germany:

  • Financial or payroll documents (30%)
  • Internal business plans or strategy files (26%)

In addition to personal data exposure, access to internal plans can affect competitive position and breach confidentiality obligations.

France:

  • Financial or payroll documents (31%)
  • Client or customer information (31%)

The combination of payroll and customer data creates both regulatory exposure and reputational risk if information is shared beyond authorized roles.

Chart depicting how French, German, US and UK SMBs use spreadsheets for client/customer data, financial reporting, and project management

Why ghost access persists

Ghost access is a byproduct of how teams collaborate. Across markets, 26–28% of respondents said they share spreadsheets using “anyone with the link can view.” Another 7–15% use “anyone with the link can edit.”

Chart showing that many SMBs set link permissions as anyone with the link can view or, less often, anyone with the link can edit.

Once a link exists, it becomes detached from identity. If it isn’t tied to employment status, role changes, or account deletion, it can be forwarded, copied, bookmarked, and reopened indefinitely. A spreadsheet is only as secure as the last person who received the link.

Access reviews rarely compensate for this. Only 30% of French respondents say their team regularly reviews access to spreadsheets, and this figure is not an outlier across countries. Once access to a document is granted, reviews of collaborators are inconsistent, even though sharing happens constantly as part of everyday work. 

Over time, these one-off sharing decisions accumulate. The fastest and most familiar way to collaborate becomes the default, while access reviews remain infrequent and ownership is often unclear. As a result, spreadsheets tend to retain permissions long after projects, roles, or teams have changed. 

Reducing long-term risk requires controls that operate throughout a spreadsheet’s lifecycle, not just at the moment it is shared. Ghost access persists even in organizations with good intentions because protection demands regular manual reviews and perfect handoffs. 

The offboarding gap

When asked what happens to spreadsheet access after someone leaves a job or finishes a project, only 33–44% of respondents said they believed access was manually cleaned up by their employers. Between 12–28% believed nothing happened at all. Another 14–26% admitted they simply did not know.

That uncertainty matters. Where responsibility is unclear, access tends to persist by default. Files don’t disappear on their own; someone has to remember they exist and act on it. This is not necessarily a failure of intent, but rather a failure of systems that rely on human memory.

It’s also important to distinguish between two related but separate breakdowns: offboarding, which is a moment in time, and ongoing access review, which is a continuous responsibility.

Our data shows both are failing.

  • 38% of US SMBs believe access is automatically removed
  • 44% of German and UK SMBs think access is manually removed

Blurring work and personal accounts

Chart showing the percentage of US and UK SMB respondents who report opening work spreadsheets in personal accounts and vice versa.

Another significant reason for ghost access is account blur — using the same account for personal and work activities — which creates a pervasive security blind spot. In the US and UK, more than 45% of SMB workers admit to opening work spreadsheets in personal accounts, or personal spreadsheets in work accounts.

When boundaries blur this way, spreadsheets are no longer constrained by the security frameworks a business has in place. Access becomes detached from roles, projects, and employment status, making it difficult to track, review, or revoke.

Big tech, AI, and provider access

Even perfect offboarding and access review cannot address provider-level access or secondary data use. Many SMBs are increasingly uncertain about what happens to their data behind the scenes, especially when that data includes sensitive financial, customer, and HR information.

SMBs said they believe spreadsheets on Big Tech platforms are used for AI training, ad targeting, and content scanning:

  • AI training (40–50%): Nearly half of respondents believe spreadsheet data may be used to train AI systems.
  • Ad targeting (35–45%): A significant share of respondents believe the contents of their spreadsheets may influence advertising or profiling.
  • Content scanning (30–40%): Many users expect spreadsheet files to be automatically scanned for sensitive or prohibited content.

The concerns reflect how Big Tech cloud storage platforms are designed. While tools like Google Drive and OneDrive encrypt data in transit and at rest, they retain access to file contents in order to enable indexing, search, collaboration features, and AI-powered tools. End-to-end encrypted spreadsheets are the best way to prevent this kind of access.

Despite this, businesses continue to use these platforms for critical workflows, placing financial, customer, and operational data into systems controlled by third parties with a poor track record for privacy.

When Big Tech providers retain this level of access, files can be scanned, indexed, and processed automatically, without any human interaction. In this model, exposure depends not just on who has the link, but also on the security of the platform hosting the data.

Privacy and lasting security with Proton Sheets

For many SMBs, spreadsheets function as integral operational systems. They hold financial data, customer information, and HR records that carry regulatory, reputational, and commercial risk.

To keep data secure, strong access policies, automated offboarding, and clear account boundaries remain essential. At a minimum, you should:

  • Limit access by role
  • Review shared files regularly
  • Remove access immediately when someone leaves
  • Avoid using public links for sensitive data
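
One way to turn the list above into a repeatable review, as an added example (not Proton's code or any provider's tooling): it scans a constructed sharing export for link shares, grants to people no longer on the roster, accounts outside the company domain, and overdue reviews. The field names, the example.com domain, and the 90-day review interval are assumptions.

```python
from datetime import date

COMPANY_DOMAIN = "example.com"   # assumption: placeholder company domain
ACTIVE_STAFF = {"ana@example.com", "raj@example.com"}  # constructed roster
REVIEW_MAX_AGE_DAYS = 90         # assumption: how often access is reviewed

# Constructed sharing export; the field names are hypothetical.
GRANTS = [
    {"file": "payroll-2023.xlsx", "type": "user", "who": "ana@example.com",
     "role": "edit", "reviewed": "2025-05-01"},
    {"file": "payroll-2023.xlsx", "type": "user", "who": "lee@example.com",
     "role": "view", "reviewed": "2025-05-01"},   # lee has left the company
    {"file": "clients.xlsx", "type": "anyone", "who": None,
     "role": "view", "reviewed": "2024-01-15"},   # anyone with the link
    {"file": "budget.xlsx", "type": "user", "who": "raj.home@example.net",
     "role": "edit", "reviewed": "2025-05-20"},   # personal account
]

def audit(grants, active, domain, today, max_age=REVIEW_MAX_AGE_DAYS):
    """Return (file, grantee, reasons) for every grant that needs action."""
    findings = []
    for g in grants:
        reasons = []
        if g["type"] == "anyone":
            # Link shares are detached from identity: nothing to offboard.
            reasons.append("public-link-" + g["role"])
        else:
            who = g["who"].lower()
            if not who.endswith("@" + domain):
                reasons.append("external-or-personal-account")
            elif who not in active:
                reasons.append("offboarded-user")
        if (today - date.fromisoformat(g["reviewed"])).days > max_age:
            reasons.append("review-overdue")
        if reasons:
            findings.append((g["file"], g["who"] or "anyone with the link", reasons))
    return findings

if __name__ == "__main__":
    for file, who, reasons in audit(GRANTS, ACTIVE_STAFF, COMPANY_DOMAIN, date(2025, 6, 1)):
        print(f"{file}: {who}: {', '.join(reasons)}")
```

Run on a schedule against a fresh export and the current HR roster, a check like this removes the dependence on someone remembering that a file exists.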

But governance alone cannot eliminate provider-level visibility or secondary data use as long as platforms hold the encryption keys.

Proton Sheets is built to address this structural risk:

  • Zero-knowledge encryption: The provider cannot read, process, or reuse the information, even if it is stored on their servers.
  • User-controlled encryption keys: Only authorized collaborators can access spreadsheet contents.
  • Secure collaboration: Teams can collaborate in real time while retaining clear control over who can view or edit a spreadsheet.
  • Familiar tools, stronger protection: Supports common spreadsheet formats and features, including formulas, charts, and imports from existing files.

In practical terms, Proton Sheets makes collaborative spreadsheets as safe as they can be at the platform level, while still supporting real-time teamwork and familiar workflows. Combined with responsible sharing practices, this reduces long-term exposure for data that often lasts far longer than teams expect.