Small Businesses Breached Despite Security Spending: What IoT Decision-Makers Need to Know
- Publish Date: March 13, 2026
Proton



Small and medium-sized businesses are investing heavily in cybersecurity - averaging $58,000 annually across major markets - yet one in four still fell victim to cyberattacks or data breaches in the past year. This troubling disconnect between security spending and real-world resilience has critical implications for organizations deploying IoT solutions.
A comprehensive six-market study by Proton, surveying 3,000 founders, executives, and IT leaders, exposes a fundamental challenge: security tools alone aren't enough. For IoT implementers managing connected devices, sensors, and edge computing infrastructure, the findings underscore that human behavior and operational practices often undermine even substantial security investments.
The research identifies human error as a primary vulnerability, with 39% of cybersecurity incidents traced to employee mistakes. This statistic carries particular weight for IoT deployments, where the attack surface expands exponentially with each connected device.
Even among organizations using password managers (a baseline security tool), unsafe credential practices persist:
- 32% share passwords via email
- 31% distribute credentials through shared documents
- 27% use messaging apps for password transmission
- 22% still write passwords down physically
For IoT implementers, these behaviors create cascading risks. A compromised credential could grant attackers access not just to corporate networks, but to industrial sensors, smart building systems, medical devices, or supply chain monitoring equipment. The consequences extend far beyond data theft to operational disruption and physical safety concerns.
Financial Impact: Beyond the Budget
The economic toll of breaches is severe and often underestimated:
- 67% of breached SMBs lost between $10,000 and $100,000
- 14% exceeded $100,000 in losses - often surpassing their entire annual cybersecurity budget
- 46% suffered data loss
- 39% experienced operational downtime
- 30% faced erosion of customer trust
For IoT-dependent businesses, downtime carries huge consequences. For example, a manufacturing facility relying on connected sensors for quality control, a healthcare provider using remote patient monitoring, or a logistics company tracking shipments through IoT gateways faces immediate revenue loss and potential safety incidents when systems fail.
The study reveals growing anxiety around emerging technologies. While 69% of SMBs now use AI tools like ChatGPT or Claude, 30% distrust AI providers with proprietary data. Among those concerned, 45% lack clarity on how their data is collected or stored, and 32% worry confidential information could train external models.
This transparency gap presents a particular challenge for IoT implementers. Many IoT architectures rely on cloud-based AI services for data processing, predictive maintenance, and anomaly detection. When organizations lack visibility into how third-party providers handle their data, they create compliance risks and potential intellectual property exposure.
Despite these challenges, the research highlights a market opportunity. Sixty-six percent of SMBs view strong data protection as critical or very important for winning business, and 76% promote secure file sharing as a competitive advantage. Only 14% report that clients never inquire about security practices.
For IoT solution providers and implementers alike, this signals a shift in procurement dynamics. Customers increasingly demand proof of security posture before committing to IoT deployments. Organizations that treat privacy and security as value propositions—not just compliance checkboxes—gain competitive differentiation.
The report concludes that bridging the gap between security awareness and operational reality requires systematic change. For IoT decision-makers, three priorities emerge:
- Audit Third-Party Risk: Verify that cloud providers, AI services, and IoT platform vendors have transparent data handling practices. Don't assume security; validate it through documentation, certifications, and direct inquiry.
- Embed Secure Practices in Workflows: Security tools fail when employees bypass them. Design processes that make secure behavior the path of least resistance. This includes automated credential management, device authentication protocols, and regular security training integrated into daily operations.
- Reduce Shared Access Risks: The study shows widespread credential sharing across email, documents, and messaging apps. Implement zero-trust architectures where access is granted on a need-to-know basis, with multi-factor authentication and session monitoring for all IoT device management interfaces.
As Raphael Auphan, COO of Proton, notes, "For small- and medium-sized businesses, cybersecurity is no longer just an IT expense; it is directly tied to revenue, reputation, and long-term growth."
For IoT implementers, this means security investments must extend beyond purchasing tools. Success requires addressing the human and operational dimensions that determine whether security measures actually work in practice. With up to 1.2 million businesses potentially affected by cyberattacks across the surveyed markets, the cost of inaction continues to mount.
The organizations that thrive will be those recognizing that effective IoT security isn't about perfect technology—it's about creating resilient systems where security works even when humans make mistakes.