Proton, the Swiss-based privacy company trusted by over 100 million people and businesses worldwide, has released a sweeping six-market study. Proton’s SMB Cybersecurity Report 2026, based on a survey of 3,000 founders, executives, and IT leaders from six major countries, offers a deep look at the current precautions being taken by businesses and their limitations in the real world. The annual report’s website will be updated in the months ahead with further details, including a breakdown by country and sector.
The survey of business leaders across the United Kingdom, United States, Germany, France, Brazil, and Japan reveals that one in four SMBs experienced a cyberattack or data breach in the past year, despite significant investment in cybersecurity tools and training. The findings highlight a growing disconnect between security spending and real-world resilience, with SMB security budgets ranging from £3,700 to over £185,000 and an average annual investment of £43,000 across the six markets. The research suggests that the problem is not a lack of awareness of the risks of cybercrime, or a lack of preparedness, but rather a failure to consistently enforce secure tooling and effectively identify and thwart attacks.
Despite deliberate cybersecurity investment, SMBs remain vulnerable as the strategies they rely on lag behind today’s evolving threat landscape. While 92% of SMBs report implementing some security and privacy measures, these precautions often break down in practice. Human error, weak password management, AI misuse, and varying levels of technical expertise, especially among SMBs without robust IT and security infrastructure, remain persistent weak points, widening the gap between awareness, spending, and real-world resilience.
Patricia Egger, Head of Security at Proton AG, said: “This research refutes the stereotype that small businesses don’t take security seriously. In fact, the vast majority invest in tools and training. The problem is that it takes a lot more effort to make security work in the real world, with real human beings, than it does to deploy a tool or design a process. Your protection should not rely on every employee and business partner getting everything right every step of the way. Effective security comes from tools, policies and practices that work as intended in all, or most, circumstances.”
With rapid advances in cloud technology and AI services, often based in overseas jurisdictions with weak privacy laws, many business leaders admit they no longer feel fully in control of their data or confident in their ability to protect it. While most recognise cybersecurity as critical to commercial success, an increasing number express concern about their limited defensive capabilities.
For UK businesses, 370,000 of which may have experienced a cyberattack in the last year, the consequences are concerning. Among those who experienced a breach, nearly half (44%) reported operational downtime, 36% incurred legal or remediation costs, 29% experienced data loss, 29% suffered fund theft, 21% faced regulatory fines or penalties, and 34% reported loss of customer trust.
In the UK, nearly seven in ten (65%) SMBs that were breached reported financial losses between £7,500 and £75,000, with 14% losing £75,000 or more. The average annual spend on cybersecurity among the businesses surveyed in the UK is £29,000, with the top 10% spending £75,000 to £185,700 annually, meaning a single incident can match or exceed the range of yearly security budgets in the country.
Research shows the problem isn’t a lack of awareness or preparedness: 74% of UK SMBs conducted a formal risk assessment in the past year, and many review their security posture quarterly (37%) or monthly (26%). Thirty-nine percent of SMBs reported cybersecurity incidents caused by human error. Unsafe credential practices persist even among password manager users: 32% share passwords via email, 31% through shared documents, 27% via messaging apps, and 22% still write them down, revealing a gap between having secure tools such as password managers and consistently using them. Meanwhile, AI adoption is rising, with 69% using tools like OpenAI’s ChatGPT or Anthropic’s Claude. Yet among the 30% who distrust AI providers to protect proprietary data, 45% are unclear on data collection or storage, and 32% worry confidential information could train models, highlighting a growing transparency gap as AI becomes integral to operations.
The report finds 66% of SMBs see strong data protection as critical or very important for winning business, and 76% promote secure file sharing as a competitive advantage. Only 14% say clients never inquire about their security practices. Security posture increasingly shapes procurement decisions and long-term client relationships.
Raphael Auphan, COO of Proton AG, commented: “For small- and medium-sized businesses, cybersecurity is no longer just an IT expense; it is directly tied to revenue, reputation, and long-term growth. Customers are asking tougher questions about how their data is handled, and one serious breach can undo years of trust. Businesses that treat privacy and security as part of their value proposition, rather than a compliance checkbox, will be better positioned to win deals and build lasting customer relationships.”
The report concludes that closing the gap between perceived preparedness and operational reality is now critical for SMBs. Investment in tools and training is widespread, but resilience depends on reducing shared access risks, verifying third-party providers, and embedding secure practices into everyday operations. Without that shift, cyber risk will remain both common and costly, regardless of budget.
