It’s long been received wisdom that small and early-stage businesses are not worth cybercriminals’ time to attack. But new research from Proton shows that early-stage startup businesses are being targeted far earlier than their founders expect.
In 2025, breaches derailed growth, exposed intellectual property, and shook investor confidence. Data from Proton’s Data Breach Observatory, a unique resource that monitors and reports cyberattacks and data breaches using information sourced directly from the dark web, makes clear that no business is too small to be breached.
Almost half of the breaches seen involved compromised passwords. Weak logins and usernames are still the easiest way for attackers to break into SMBs. When workers share credentials over Slack, save them in browsers, or reuse them across tools, that initial compromise can quickly spread to other parts of the business.
As tech SMBs grow, data and access naturally spread across cloud storage, collaboration tools, internal platforms, and client-mandated systems. Over time, it becomes harder to see who can reach what, from which devices, and under what conditions. When access paths multiply faster than teams can track them, attackers don’t need to break everything at once.
Modern SMBs increasingly depend on cloud hosts, CRMs, analytics platforms, and authentication providers to operate at speed. That dependence creates inherited risk: if one of those services is compromised, their data can be exposed, even when their own infrastructure wasn’t at fault. In other words, their security posture is partly defined by systems they don’t control.
Patricia Egger, Proton’s head of security says, “A thrill for European entrepreneurs and founders is the freedom to innovate disruptive, differentiated ideas, products, and services at pace. Startups, particularly in their early stages, often tear up the rulebook and move with an agility that established competitors simply cannot match. In startup circles ‘speed wins’ and security can be seen as a hindrance to that speed. This can result in missing crucial steps when securing a business. The findings from Proton’s Data Breach Observatory and the accompanying report offer a clear lesson: pause for a moment, resist the temptation to chase trends at the expense of fundamentals.”
Startups that collaborate, store, and share their IP, ideas, roadmaps, and plans without encryption leave themselves vulnerable to rogue actors, competitors, or even former collaborators who could replicate their ideas, strategies, and key differentiators.
You can get the full report from the Proton site.
Image credit: VitalikRadko/depositphotos.com
