For most small- and medium-sized businesses (SMBs), the “office” is now a collection of home WiFi networks, coffee shop hotspots, shared workspaces, and cloud-based SaaS tools.
Yet even as work continues to become more distributed, many businesses have failed to put network controls in place. Fewer than half of SMBs use a VPN to protect access to their network, according to new research by Proton.
At the same time, security incidents are rising. One in four SMBs have experienced a cyberattack or breach in the past year.
So why, despite a seemingly permanent shift to hybrid work, is VPN adoption so inconsistent? And is that the cause of so many recent security incidents?
Our SMB Cybersecurity Report 2026 sheds light on this question. For our exclusive research, we surveyed thousands of business leaders around the world, asking dozens of questions about their security practices. You can download the free cybersecurity report to gain four key insights and five recommendations for your business.
Why attackers are targeting SMBs
For years, cybercriminals focused primarily on large corporations. But as enterprise defenses have improved, attackers have increasingly targeted SMBs due to:
- Limited resources: Small teams often lack dedicated security staff and formal security policies.
- Distributed networks: Employees connect from home WiFi, shared workspaces, and public hotspots, creating more entry points for attackers.
- High-value data: SMBs might store the same sensitive data as large enterprises — including customer information, financial records, and intellectual property — but with fewer protections in place.
The adoption gap: SMBs are neglecting VPNs
The Proton SMB Cybersecurity Report 2026 exposed two gaps among small and medium businesses:
- Adoption gap: Less than half of SMBs use a VPN to secure their endpoints.
- Execution gap: Even among VPN adopters, security practices are inconsistent.
Let’s start with the adoption gap.
The rise of software-as-a-service has created a false sense of security among small businesses. While most SaaS platforms use strong encryption (i.e., TLS) to protect traffic in transit, and some like Proton Mail or Proton Drive also use end-to-end encryption at rest, they don’t secure the path your employees take to log in.
For example, your organization might use an encrypted email service to protect the content of your messages, but without a VPN you can’t enforce IP-based restrictions to control who can log in to the platform. So an attacker with a set of leaked credentials could log in and breach your network.
While the shift to hybrid work is global, the accompanying security adaptations have been uneven. The United States is the only country in our study where a majority of SMBs use a VPN. In every other market, adoption sits below 50%. This gap is even more pronounced outside the tech sector, where security hasn’t kept pace with the shift to hybrid work.
The execution gap: True security goes beyond a VPN
Fifty-two percent of VPN-using SMBs say they are very or completely confident in their ability to withstand attacks. But our data shows that even among this group, 26% experienced a breach in the past 12 months. If a business is already securing its network, how is this still happening?
The issue is not the VPN itself, but the surrounding controls and the prevalence of human error. Only 56% of VPN adopters in our study enforce two-factor authentication (2FA). When nearly half of businesses rely on passwords alone, the risk is compounded by poor credential discipline. Instead of consistently using a business password manager:
- 31.5% still share credentials via email
- 33.4% via shared documents
- 28% rely on messaging apps to share logins
- 24.6% still write passwords down
Our data suggests that many businesses are treating security as a piecemeal investment in isolated products rather than a cohesive system, without consistently executed security policies in place.
Security as infrastructure, not afterthought
The study revealed another valuable insight: Security is a revenue driver.
In our report, 66% of businesses say demonstrating secure data handling is “very” or “critically” important to winning new business. A VPN for endpoint security gives you the infrastructure and visibility to make that case to prospective clients.
Without a defined network perimeter, entry points multiply, visibility diminishes, and access control is scattered across third-party platforms. All this expands the attack surface and makes it harder to detect suspicious behavior, contain incidents, or demonstrate control to customers and partners. A VPN restores the boundary, and establishes a controllable perimeter around employees wherever they work.
Here’s how you can apply the lesson in your business:
- Restrict access by IP or location: Only allow access to internal tools from approved devices or networks.
- Have full network visibility: When logins are only allowed from your VPN, you can monitor traffic to your resources and spot potential attacks.
- Enforce consistent policies: Apply security rules on your network, rather than relying on third-party promises.
Without a VPN, remote traffic moves across public networks without centralized control, increasing exposure. True security requires the network layer and the identity layer to operate as a single, reinforced system.
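As an added illustration of the visibility point above (this is not code from Proton's report or products): once sign-ins are expected only from the VPN's egress addresses, a successful login from anywhere else stands out in the logs. The log format, the address ranges, and the severity labels below are assumptions constructed for the example.

```python
import ipaddress
from collections import Counter

# Assumption: egress ranges of the company VPN (documentation-only addresses).
VPN_EGRESS = [ipaddress.ip_network(n) for n in ("203.0.113.0/28", "2001:db8:51::/48")]

# Constructed sample of SaaS sign-in events:
# timestamp, user, source IP, result, second factor used
SAMPLE_LOG = """\
2026-01-12T08:01:11Z alice 203.0.113.5 success 2fa
2026-01-12T08:03:40Z bob 198.51.100.77 failure none
2026-01-12T08:03:52Z bob 198.51.100.77 failure none
2026-01-12T08:04:05Z bob 198.51.100.77 success none
2026-01-12T09:15:00Z carol 2001:db8:51::1a success 2fa
2026-01-12T09:20:31Z dave 203.0.113.77 success 2fa
not a log line
"""

def from_vpn(ip_text):
    """True if the source address falls inside an approved VPN egress range."""
    ip = ipaddress.ip_address(ip_text)  # raises ValueError on junk input
    return any(ip.version == net.version and ip in net for net in VPN_EGRESS)

def audit(log_text):
    """Return successful sign-ins that did not come through the VPN."""
    failures = Counter()  # failed attempts seen so far, per outside IP
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # malformed line: skip rather than crash the audit
        ts, user, ip_text, result, factor = parts
        try:
            if from_vpn(ip_text):
                continue  # expected path, nothing to report
        except ValueError:
            continue  # unparseable source address
        if result != "success":
            failures[ip_text] += 1
            continue
        # Password-only success from outside the VPN matches the
        # leaked-credentials scenario, so it is rated highest here.
        severity = "high" if factor == "none" else "medium"
        findings.append({"severity": severity, "user": user, "ip": ip_text,
                         "time": ts, "prior_failures": failures[ip_text]})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Note that `203.0.113.77` is reported even though it resembles the approved range: only the first 16 addresses of `203.0.113.0/28` are allowed, which is why the check uses CIDR membership rather than string prefixes.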
Download the full 2026 SMB Cybersecurity Report
Proton’s SMB Cybersecurity Report 2026 examines where security confidence breaks down, why foundational controls are missing, and how hybrid work has reshaped the attack surface for growing businesses.
Inside the report, you’ll find:
- Global breach patterns and human-error trends
- The financial impact of modern data breaches
- Cloud and AI trust gaps among business leaders
- Practical steps for building layered security systems


