Small and medium-sized businesses (SMBs) continue to face significant cyber risk despite growing investment in cybersecurity tools and training, according to new research from privacy company Proton AG.
The company’s SMB Cybersecurity Report 2026, based on a survey of 3,000 business leaders across six global markets, including the UK, found that one in four SMBs experienced a cyberattack or data breach in the past year, highlighting what researchers describe as a widening gap between cybersecurity spending and real-world resilience.
The findings suggest that while awareness of cyber threats among smaller organisations has improved markedly, operational security practices and human behaviour remain persistent weak points.
Human error continues to undermine defences
According to the report, 92% of SMBs have implemented some form of cybersecurity or privacy protection, yet incidents continue to occur due largely to preventable issues such as password sharing, inconsistent policy enforcement, and varying levels of employee technical expertise.
Nearly 39% of cybersecurity incidents were linked to human error, reinforcing long-standing industry concerns that technology investment alone cannot mitigate organisational risk.
Unsafe credential practices remain widespread even among companies using password managers. The research found that employees frequently continue to share passwords via email, shared documents and messaging platforms, while more than one in five respondents admitted credentials are still written down offline.
Patricia Egger, Head of Security at Proton, said the findings challenge assumptions that smaller organisations neglect cybersecurity investment.
“The vast majority of small businesses invest in tools and training. The challenge is ensuring security works consistently in real-world environments involving employees, partners and third-party providers,” she said.
Financial and operational impact remains significant
Among businesses that experienced a breach, the consequences extended beyond immediate technical disruption. Respondents reported operational downtime, legal and remediation costs, data loss and reputational damage following incidents. A majority of breached SMBs reported financial losses ranging from £7,500 to £75,000, with some incidents exceeding annual cybersecurity budgets, a level of impact that can pose an existential threat to smaller firms.
Despite these risks, preparedness appears relatively high on paper. The study found that 74% of UK SMBs conducted a formal cyber risk assessment within the past year, suggesting that governance measures are improving even as attacks persist.
AI adoption introduces new uncertainty
The report also highlights emerging security concerns linked to the rapid adoption of artificial intelligence tools. While 69% of businesses reported using AI platforms, many respondents expressed uncertainty over how corporate data is collected, stored or potentially used by AI providers. Around 30% said they do not fully trust AI companies to protect proprietary business information. Researchers warn that this transparency gap may introduce new data exposure risks as AI becomes embedded in everyday business workflows.
Security is becoming a competitive differentiator
Beyond risk mitigation, the study indicates that cybersecurity is increasingly influencing commercial decision-making. Two-thirds of SMBs said strong data protection practices are now critical to winning new business, while three-quarters promote secure file sharing as a competitive advantage during procurement processes.
Raphael Auphan, COO at Proton, said cybersecurity is evolving from a technical function into a business growth factor.
“Cybersecurity is no longer just an IT expense for small and medium-sized businesses. It is directly tied to revenue, reputation and long-term growth,” he said.
The report concludes that closing the gap between perceived preparedness and operational resilience will require organisations to move beyond tool deployment and embed secure behaviours into daily operations.




