Proton, the Swiss-based privacy company, has released its 2026 SMB Cybersecurity Report, presenting findings from a survey of 3,000 industry leaders across six countries. The study provides an overview of the cybersecurity landscape for small-to-medium-sized businesses (SMBs).
The survey covered the United Kingdom, United States, Germany, France, Brazil, and Japan. It found that one in four SMBs experienced a cyberattack or data breach in the past year, despite average annual cybersecurity investments of £43,000.
The report highlights a gap between security spending and actual resilience. While 92% of SMBs have implemented cybersecurity measures, their effectiveness is often reduced by human error, inconsistent tool usage, and differing technical capabilities.
Common challenges for SMBs include weak password management, AI misuse, and insufficient IT infrastructure. These factors contribute to a disconnect between cybersecurity awareness and effective implementation. Cloud and AI adoption, sometimes in regions with weaker privacy regulations, adds further complexity, reducing confidence in data protection.
In the UK, the impact of cyber incidents is considerable. Approximately 370,000 SMBs reported breaches over the past year, resulting in downtime, legal costs, data loss, fund theft, and regulatory penalties. Reported financial losses range from £7,500 to over £75,000, underscoring the need for stronger protective measures.
The report also notes persistent security weaknesses, such as insecure password sharing or poor credential management. Transparency concerns are rising with AI usage, with 69% of SMBs expressing worry over how AI handles data.
Robust data protection is increasingly seen as critical, with 66% of SMBs recognising its role in securing business opportunities. Cybersecurity practices now influence procurement decisions and long-term client relationships, and firms that integrate security into daily operations gain a competitive advantage.
To reduce ongoing risks, the report recommends embedding security into everyday business processes, limiting shared access, and verifying third-party providers. Strengthening these practices is essential for mitigating both financial and reputational risks from cyber threats.