<?xml version="1.0" encoding="UTF-8"?><rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>The Proton Blog</title><description>News from the front lines of privacy and security</description><link>https://proton.me/</link><language>en</language><feed_url>https://proton.me/feed</feed_url><item><title>Introducing Proton Pass for AI agents: The password manager for AI that keeps
you in control</title><link>https://proton.me/blog/pass-access-tokens</link><guid isPermaLink="true">https://proton.me/blog/pass-access-tokens</guid><description>Proton Pass access tokens let you share credentials with AI agents securely. Granular permissions, time limits, and full audit logs. You stay in control.</description><pubDate>Thu, 21 May 2026 11:50:58 GMT</pubDate><content:encoded>
&lt;p&gt;AI agents can automate your most essential tasks, giving you an edge in the workplace or saving you time to do more of what really matters. But getting the maximum benefits often requires access to your private accounts, which is fraught with dangers.&lt;/p&gt;



&lt;p&gt;To give you better control over your AI agent, Proton Pass now offers credential sharing via &lt;a href=&quot;https://proton.me/pass/access-tokens&quot;&gt;AI access tokens&lt;/a&gt;. Now you can easily give AI agents the credentials they need and nothing else, while monitoring their activity and staying organized. Every time an agent needs one of your credentials, it will have to give a reason, so you always know what your agent is doing and why.&lt;/p&gt;



&lt;p&gt;Create access tokens from your Proton Pass settings and start deploying advanced AI automations in minutes. &lt;strong&gt;AI access tokens are now included at no extra cost on Pass Plus (included in Proton Unlimited), Pass Family, Pass Professional, and &lt;/strong&gt;&lt;a href=&quot;https://proton.me/business&quot;&gt;&lt;strong&gt;Proton Workspace&lt;/strong&gt;&lt;/a&gt; — no expensive add-on required. You can now get the full benefits of agentic AI with reduced security risks while staying in complete control.&lt;/p&gt;



&lt;div class=&quot;text-center&quot;&gt;&lt;a class=&quot;btn inline-block rounded-full font-bold btn-small btn-solid-purple&quot; href=&quot;https://proton.me/pass/pricing&quot;&gt;Get Proton Pass&lt;/a&gt;&lt;/div&gt;



&lt;figure class=&quot;wp-block-video aligncenter&quot;&gt;&lt;video height=&quot;563&quot; style=&quot;aspect-ratio: 1000 / 563;&quot; width=&quot;1000&quot; controls src=&quot;https://res.cloudinary.com/dbulfrlrz/video/upload/f_auto,q_auto/v1779356068/wp-pme/ai-agent_blog_1469793646d.webm?_i=AA&quot;&gt;&lt;/video&gt;&lt;/figure&gt;



&lt;p class=&quot;has-text-align-center&quot;&gt;&lt;a href=&quot;https://proton.me/support/pass-access-tokens&quot;&gt;&lt;strong&gt;Learn how to use access tokens&lt;/strong&gt;&lt;/a&gt;&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;Use your AI agent with confidence&lt;/h2&gt;



&lt;p&gt;Individuals and companies are deploying AI agents at breakneck speed. But the rollout has so far been uneven, inefficient, and unsafe. Most companies that have AI usage policies are violating them constantly. A &lt;a href=&quot;https://www.mckinsey.com/capabilities/quantumblack/our-insights/the-state-of-ai&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;survey from McKinsey&lt;/a&gt; found that while 62% of companies are experimenting with AI agents, only 23% are actually scaling AI agent usage. Why? In part because until now, it&amp;#8217;s been difficult to give AI agents safe access to account credentials.&lt;/p&gt;



&lt;p&gt;Most apps are still built for people, not AI agents that operate through APIs, Model Context Protocol (MCP) calls, and command-line tools. As a result, when an AI agent needs a credential, you might provide it in plaintext on an ad hoc basis or using complicated methods requiring specialized knowledge. Many people understandably just skip the AI agent altogether rather than take the risk, missing out on exponential efficiency gains.&lt;/p&gt;



&lt;p&gt;Proton Pass for AI solves this problem by allowing you to share access in a convenient, auditable, and structured way — with a single prompt.&lt;/p&gt;



&lt;p&gt;With Proton Pass, you can:&lt;/p&gt;



&lt;ul class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;&lt;strong&gt;Segment and control access:&lt;/strong&gt; Organize unique credentials for your agent inside dedicated vaults, sharing only what you need and nothing else.&lt;/li&gt;



&lt;li&gt;&lt;strong&gt;Monitor credential usage activity:&lt;/strong&gt; Every time your AI agent needs a credential, it leaves an audit log including a reason for access, so you can review and monitor every login.&lt;/li&gt;



&lt;li&gt;&lt;strong&gt;Restrict and revoke access:&lt;/strong&gt; Set an expiration for each access token and shut off access at any time.&lt;/li&gt;
&lt;/ul&gt;



&lt;p&gt;Now it&amp;#8217;s easier to stay organized when sharing multiple credentials with your agent, while keeping visibility and control over how they&amp;#8217;re used.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;Enable dozens of AI use cases, securely&lt;/h2&gt;



&lt;p&gt;AI access tokens are easy to set up. In your Proton Pass settings, create a new access token and copy and paste the setup instructions to your AI agent. Then simply ask your agent to perform actions that require access to the items you&amp;#8217;ve shared with it.&lt;/p&gt;



&lt;p&gt;Within minutes, you&amp;#8217;ll be able to have your agent perform any number of time-saving tasks autonomously: Ask your agent to check your bank&amp;#8217;s transaction history and categorize spending for the month, pull data from your fitness tracker and create a weekly wellness report, or ask your CRM to summarize the last three interactions with a specific client before a call with them.&lt;/p&gt;



&lt;p&gt;Even if you&amp;#8217;re not using an AI agent, you can also use access tokens in your own scripts and automations, using the &lt;a href=&quot;https://protonpass.github.io/pass-cli/commands/item/#list&quot;&gt;list of commands&lt;/a&gt; that &lt;a href=&quot;https://proton.me/blog/proton-pass-cli&quot;&gt;Pass CLI&lt;/a&gt; accepts.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;How Proton Pass protects your credentials&lt;/h2&gt;



&lt;p&gt;Proton Pass uses end-to-end encryption to secure your usernames, passwords, API keys, bank cards, and other items. Whatever you store in Proton Pass is only accessible to you, unless you choose to securely share it. AI access tokens are our newest secure sharing option to bring password management into the age of agentic AI.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Read-only vault access&lt;/h3&gt;



&lt;p&gt;Proton Pass vaults are encrypted digital containers for your items, such as logins, aliases, and credit card details. You can assign items to different vaults and then create access tokens specific to those vaults. AI agents only access the items they need and nothing else, and they won&amp;#8217;t be able to create or edit items.&lt;/p&gt;


&lt;div class=&quot;wp-block-image&quot;&gt;
&lt;figure class=&quot;aligncenter size-full&quot;&gt;&lt;img width=&quot;593&quot; height=&quot;409&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; src=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_593,h_409,c_scale/f_auto,q_auto/v1778750710/wp-pme/access-tokens-access-2/access-tokens-access-2.png?_i=AA&quot; alt=&quot;Manage vault access 2&quot; class=&quot;wp-post-144371 wp-image-138905&quot; data-format=&quot;png&quot; data-transformations=&quot;f_auto,q_auto&quot; data-filesize=&quot;27 KB&quot; data-optsize=&quot;5 KB&quot; data-optformat=&quot;image/webp&quot; data-percent=&quot;82&quot; data-version=&quot;1778750710&quot; data-seo=&quot;1&quot; srcset=&quot;https://res.cloudinary.com/dbulfrlrz/images/f_auto,q_auto/v1778750710/wp-pme/access-tokens-access-2/access-tokens-access-2.png?_i=AA 593w, https://res.cloudinary.com/dbulfrlrz/images/w_300,h_207,c_scale/f_auto,q_auto/v1778750710/wp-pme/access-tokens-access-2/access-tokens-access-2.png?_i=AA 300w&quot; sizes=&quot;auto, (max-width: 593px) 100vw, 593px&quot; /&gt;&lt;/figure&gt;
&lt;/div&gt;


&lt;p&gt;For extra security, you can also set an expiration for each token, from one hour to one year, after which it can no longer be used.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Every access is logged and explained&lt;/h3&gt;



&lt;p&gt;Every time an AI agent uses an access token, this is logged and a reason for the access must be provided. These logs are easy to access, so you always know exactly what your AI agents are doing and why.&lt;/p&gt;


&lt;div class=&quot;wp-block-image&quot;&gt;
&lt;figure class=&quot;aligncenter size-large&quot;&gt;&lt;img width=&quot;1024&quot; height=&quot;600&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; src=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_1024,h_600,c_scale/f_auto,q_auto/v1778750724/wp-pme/access-tokens-activity-2/access-tokens-activity-2.png?_i=AA&quot; alt=&quot;See exactly what your agent is doing. And why.&quot; class=&quot;wp-post-144371 wp-image-138926&quot; data-format=&quot;png&quot; data-transformations=&quot;f_auto,q_auto&quot; data-filesize=&quot;157 KB&quot; data-optsize=&quot;23 KB&quot; data-optformat=&quot;image/webp&quot; data-percent=&quot;85.5&quot; data-version=&quot;1778750724&quot; data-seo=&quot;1&quot; srcset=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_1024,h_600,c_scale/f_auto,q_auto/v1778750724/wp-pme/access-tokens-activity-2/access-tokens-activity-2.png?_i=AA 1024w, https://res.cloudinary.com/dbulfrlrz/images/w_300,h_176,c_scale/f_auto,q_auto/v1778750724/wp-pme/access-tokens-activity-2/access-tokens-activity-2.png?_i=AA 300w, https://res.cloudinary.com/dbulfrlrz/images/w_768,h_450,c_scale/f_auto,q_auto/v1778750724/wp-pme/access-tokens-activity-2/access-tokens-activity-2.png?_i=AA 768w, https://res.cloudinary.com/dbulfrlrz/images/w_1536,h_901,c_scale/f_auto,q_auto/v1778750724/wp-pme/access-tokens-activity-2/access-tokens-activity-2.png?_i=AA 1536w, https://res.cloudinary.com/dbulfrlrz/images/f_auto,q_auto/v1778750724/wp-pme/access-tokens-activity-2/access-tokens-activity-2.png?_i=AA 1552w&quot; sizes=&quot;auto, (max-width: 1024px) 100vw, 1024px&quot; /&gt;&lt;/figure&gt;
&lt;/div&gt;





&lt;h2 class=&quot;wp-block-heading&quot;&gt;Your agent does the work – you stay in control&lt;/h2&gt;



&lt;p&gt;Agentic AI can greatly amplify your personal productivity or improve your team&amp;#8217;s workflows, but it&amp;#8217;s vital that we harness its full power securely. Proton Pass lets you do just that, allowing you to embrace the efficiency of autonomous agents without surrendering control.&lt;/p&gt;



&lt;p&gt;Whether you&amp;#8217;re managing Jira tickets, analyzing energy usage, or researching papers, you can let your AI do the heavy lifting with greater peace of mind. Thanks to granular permissions, strict time limits, and full audit logs that explain every action, your sensitive data remains secure while your agent gets to work.&lt;/p&gt;



</content:encoded><category>Proton Pass</category><author>Son Nguyen Kim</author></item><item><title>Passkeys for business: should your company move beyond passwords?</title><link>https://proton.me/business/blog/passkeys-for-business</link><guid isPermaLink="true">https://proton.me/business/blog/passkeys-for-business</guid><description>Learn about passkeys for business, where adoption makes sense, and how to manage passkeys and passwords together during the transition.</description><pubDate>Wed, 20 May 2026 14:12:59 GMT</pubDate><content:encoded>
&lt;p&gt;For many companies, &lt;a href=&quot;https://proton.me/pass/passkeys&quot;&gt;passkeys&lt;/a&gt; are growing in popularity. They’re a practical way to reduce phishing risk, improve login security, and cut down on the weaknesses that come with password-only authentication.&lt;/p&gt;



&lt;p&gt;However, businesses can’t replace passwords everywhere overnight. Passkey support has expanded across major platforms, identity providers, and business tools, but most companies still run in mixed environments. Some apps are ready for passkeys today, but others still depend on passwords, &lt;a href=&quot;https://proton.me/blog/what-is-two-factor-authentication-2fa&quot;&gt;two-factor authentication&lt;/a&gt; (2FA) flows, or security questions for admin workflows and account recovery.&lt;/p&gt;



&lt;p&gt;So the real question is not whether passwords disappear tomorrow. It is whether your organization should start adopting passkeys for business accounts now, where they make the most sense, and how to manage the transition without creating unnecessary difficulty for employees or your IT team.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;What passkeys are and how they work&lt;/h2&gt;



&lt;p&gt;A &lt;a href=&quot;https://proton.me/blog/what-is-a-passkey&quot;&gt;passkey&lt;/a&gt; replaces a traditional password with a cryptographic key pair. One key is public and stored by the service or app. The other is private and stays on the user’s device or in their credential manager.&lt;/p&gt;



&lt;p&gt;A password is a shared secret between the user and the service. Passkeys remove the shared-secret model and are designed to authenticate only with the legitimate service, not with a fake site set up to capture login information.&lt;/p&gt;



&lt;p&gt;When you sign in to a service with a passkey, the service sends a cryptographic challenge. The private key responds only after you unlock your device with a &lt;a href=&quot;https://proton.me/blog/what-is-biometric-data&quot;&gt;biometric&lt;/a&gt; method or a local PIN. The key never leaves the device, and the service does not store a password-equivalent secret that can later be stolen or cracked.&lt;/p&gt;



&lt;p&gt;Passkeys are both secure and easy to use. Instead of typing a password, you choose the account you want to log in to and unlock your device the same way you already do every day, whether with Face ID, a fingerprint, Windows Hello, or a local PIN.&lt;/p&gt;



&lt;p&gt;For businesses, passkeys require extra consideration. They’re secure and useful but they require proper management. Passkeys are created, stored, and managed by a chosen credential manager, often the standard one built into the operating system or browser unless another provider is used.&lt;/p&gt;



&lt;p&gt;Passkeys are an authentication technology, but they’re also a management decision. If employees are going to use them across work devices, shared workflows, and multiple SaaS tools, your business needs a clear approach to storage, syncing, recovery, and governance.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;Passkeys vs passwords: what should businesses choose?&lt;/h2&gt;



&lt;p&gt;The main security advantage of passkeys for business is that they remove several of the weaknesses attackers rely on most in password-based systems.&lt;/p&gt;



&lt;p&gt;Passwords can be weak and easy to guess with &lt;a href=&quot;https://proton.me/blog/what-is-brute-force-attack&quot;&gt;brute force attacks&lt;/a&gt;. Weak passwords can also be reused across work and personal accounts. They can be &lt;a href=&quot;https://proton.me/blog/what-is-phishing&quot;&gt;phished&lt;/a&gt;, intercepted, and exposed in third-party breaches. Even when businesses enforce strong &lt;a href=&quot;https://proton.me/business/blog/password-policy-template&quot;&gt;password policies&lt;/a&gt;, the underlying password model still leaves room for credential theft.&lt;/p&gt;



&lt;p&gt;Passkeys improve on that model. Because authentication is tied to a cryptographic key pair rather than a shared secret, there is no password for an employee to type into a fake login page and no reusable credential for an attacker to steal and use elsewhere. Passkeys authenticate only with the legitimate service they were created for, which makes them resistant to phishing attacks designed to imitate real login pages.&lt;/p&gt;



&lt;p&gt;They also reduce the risk created by stolen credential databases. In a password-based environment, a &lt;a href=&quot;https://proton.me/business/blog/data-breach-prevention-uk&quot;&gt;data breach&lt;/a&gt; can expose password-related data that may later be cracked or reused in credential stuffing attacks. With passkeys, the service stores only the public key, which cannot be used to recreate the private key held by the user. That makes large-scale credential theft far less useful to attackers.&lt;/p&gt;



&lt;p&gt;For businesses, this translates into practical security gains. Passkeys can reduce account compromise linked to phishing, lower the risk created by password reuse, and strengthen protection for high-risk identities such as admins, finance teams, HR, and executives.&lt;/p&gt;



&lt;p&gt;However, stronger authentication doesn’t eliminate the need for sound access management. Businesses still need trusted devices, clear identity policies, an &lt;a href=&quot;https://proton.me/business/blog/incident-response&quot;&gt;incident response plan&lt;/a&gt;, and role-based access controls. Passkeys make the authentication layer more resilient, but they work best as part of a broader security model rather than as an isolated fix.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;The current state of business passkey adoption&lt;/h2&gt;



&lt;p&gt;For businesses, the market has clearly moved past the experimentation stage. The shift is already visible in enterprise adoption data. In early 2025, the &lt;a href=&quot;https://fidoalliance.org/research-state-of-passkey-deployment-in-the-enterprise-a-snapshot-of-deployments-employee-sign-ins-us-uk/&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;FIDO Alliance&lt;/a&gt; reported that 87% of organizations surveyed in the US and UK had either deployed passkeys or were in the process of rolling them out, and 47% had already deployed them to at least some employees. Among organizations using passkeys, 62% reported improved sign-in success rates, 58% reported a better user experience, and 50% said passkeys had helped reduce IT costs linked to passwords and account recovery.&lt;/p&gt;



&lt;p&gt;Passkeys are a viable option for businesses today, especially in identity layers, email environments, and high-value administrative workflows. But it is still not enough to assume that every application in a real-world SaaS stack is ready for a full passkey rollout.&lt;/p&gt;



&lt;p&gt;Many business tools, legacy enterprise applications, vendor portals, and niche SaaS products still rely on passwords, MFA patterns, or recovery models that do not fully support passkeys. Even when a major platform offers passkey support, that support may not extend cleanly across every workflow, fallback path, or administrative scenario.&lt;/p&gt;



&lt;p&gt;So the state of adoption in 2026 is best understood as transitional. Passkeys are real, valuable, and increasingly mainstream, but hybrid authentication is still the operational reality for most businesses.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;How to adopt a hybrid model for passkeys for business&lt;/h2&gt;



&lt;p&gt;The operational reality is that the path forward is not a clean break from passwords. It is a hybrid model that combines passkeys where they are available with strong password security where passwords are still necessary.&lt;/p&gt;



&lt;p&gt;A fully &lt;a href=&quot;https://proton.me/blog/passwordless&quot;&gt;passwordless environment&lt;/a&gt; is possible in more controlled settings, especially when a company has tight control over its devices, identity systems, and application access. But that is not the norm for most organizations.&lt;/p&gt;



&lt;p&gt;In practice, teams still depend on a mix of third-party tools and services: some already support passkeys and others still rely entirely on passwords or fallback credentials for recovery, administration, and legacy workflows.&lt;/p&gt;



&lt;p&gt;A more practical adoption model is necessary. Businesses need to introduce passkeys where they meaningfully reduce risk, especially in high-value or phishing-prone environments, while continuing to protect the systems that remain password-based. Just as important, they need to manage both models in a way that feels consistent for employees and does not create gaps in oversight or governance.&lt;/p&gt;



&lt;p&gt;Because passkeys aren’t universal yet, &lt;a href=&quot;https://proton.me/blog/what-is-a-password-manager&quot;&gt;password management&lt;/a&gt; is still essential. A &lt;a href=&quot;https://proton.me/business/pass&quot;&gt;business password manager&lt;/a&gt; is no longer just a place to store passwords. It becomes the layer that helps companies manage the transition from one authentication model to another without losing control of either.&lt;/p&gt;



&lt;p&gt;For businesses, that means passkey adoption is not only a question of authentication technology. It is also a question of how credentials are stored, synced, recovered, and governed across the organization.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;A closer look at passwordless authentication for business&lt;/h2&gt;



&lt;p&gt;Most businesses aren’t moving from passwords to passkeys in a single step. They are managing a mixed environment where some accounts can use passkeys today, while others still rely on passwords, legacy login flows, or fallback credentials. That makes credential management more complex, not less.&lt;/p&gt;



&lt;p&gt;In that context, the role of a &lt;a href=&quot;https://proton.me/business/blog/5-reasons-you-need-to-use-a-business-password-manager&quot;&gt;business password manager&lt;/a&gt; starts to shift. It is no longer only a place to store passwords. It becomes the layer that helps teams manage both password-based and passkey-based access in a secure, consistent way across devices, browsers, and operating systems.&lt;/p&gt;



&lt;p&gt;Proton Pass for Business can help organizations support both passwords and passkeys. It gives businesses a practical way to move toward modern authentication without losing control over the systems that are not ready to follow at the same pace.&lt;/p&gt;



&lt;p&gt;For IT teams, that matters not just from a usability perspective, but from a governance one as well. Policy enforcement, 2FA enforcement, audit logs, provisioning, and role-based sharing controls all become part of the transition.&lt;/p&gt;



&lt;p&gt;This is what makes passkey adoption a broader operational decision, not just a login experience upgrade. If employees create and manage passkeys in fragmented ways across personal devices and default consumer tools, your business can end up with inconsistent recovery processes, weak visibility, and unclear ownership. A managed platform helps avoid that by giving IT a way to support adoption while maintaining oversight.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Why businesses will always need access management&lt;/h3&gt;



&lt;p&gt;Even in a future where passkeys are supported across most business systems, your organization still needs an access management layer. The challenge of managing access does not disappear just because passwords do.&lt;/p&gt;



&lt;p&gt;Businesses still need a consistent way to store and sync credentials across devices, manage recovery if an employee loses access to a device, control how credentials are shared or delegated, and maintain visibility over access as people join, change roles, or leave the organization.&lt;/p&gt;



&lt;p&gt;In that scenario, the value of an &lt;a href=&quot;https://proton.me/business/pass/enterprise-password-manager&quot;&gt;enterprise password manager&lt;/a&gt; shifts from simply storing passwords to helping IT manage passkey-based access in a more controlled, secure, and governable way.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;Your first steps to implementing passkeys&lt;/h2&gt;



&lt;p&gt;Not every account needs to move at the same pace. Passkeys should be implemented for accounts that would create the greatest risk if compromised.&lt;/p&gt;



&lt;ul class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;&lt;strong&gt;Admin accounts&lt;/strong&gt; are usually the clearest first priority. If one of these accounts is phished or misused, the impact can extend far beyond a single team member’s account. &lt;/li&gt;



&lt;li&gt;&lt;strong&gt;Finance teams&lt;/strong&gt; are another strong early priority, since they are frequent targets for fraud, payment redirection, and executive impersonation. &lt;/li&gt;



&lt;li&gt;&lt;strong&gt;HR accounts&lt;/strong&gt; also deserve attention because they often sit close to sensitive employee data, onboarding workflows, and identity-related systems.&lt;/li&gt;
&lt;/ul&gt;



&lt;p&gt;It also helps to look beyond the job role in your organization and think about exposure in terms of workflow. Passkeys tend to make the most sense in environments where employees regularly sign in to high-value systems from managed devices and where phishing risk is a real concern. That often includes identity platforms, email ecosystems, cloud consoles, and other security-sensitive internal tools.&lt;/p&gt;



&lt;p&gt;By contrast, low-risk applications, rarely used tools, or vendor-controlled systems may not need to be part of the first rollout, especially when support is still limited or recovery flows are not mature. A phased approach usually creates better outcomes than trying to make every system follow the same timeline.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;How to start your phased passkey adoption program&lt;/h2&gt;



&lt;p&gt;Introducing passkeys to your business environment requires a structured rollout. The goal is to introduce stronger authentication where it makes the most impact, while keeping the rest of the environment secure and manageable during the transition.&lt;/p&gt;



&lt;p&gt;A practical adoption plan usually includes a few core steps:&lt;/p&gt;



&lt;ul class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;&lt;strong&gt;Map your current authentication environment.&lt;/strong&gt; Start by identifying which tools already support passkeys, which support &lt;a href=&quot;https://proton.me/blog/universal-2nd-factor-u2f&quot;&gt;FIDO2&lt;/a&gt; or WebAuthn more broadly, which are tied to identity providers that can enforce phishing-resistant authentication, and which still remain password-only. This gives you a realistic view of where passkeys can deliver immediate value and where existing login flows still need to stay in place.&lt;/li&gt;



&lt;li&gt;&lt;strong&gt;Define how passkeys will be managed.&lt;/strong&gt; This is one of the most important decisions in the rollout. You’ll need to determine whether passkeys will be handled through platform-native credential managers, third-party tools, or a hybrid approach. A &lt;a href=&quot;https://proton.me/business/pass&quot;&gt;business password manager&lt;/a&gt; that also supports passkeys can be especially valuable here, because it helps reduce fragmentation across supported and unsupported apps.&lt;/li&gt;



&lt;li&gt;&lt;strong&gt;Prepare employees for the new sign-in experience.&lt;/strong&gt; Teams do not need a technical explanation of the cryptography behind passkeys, but they do need to understand what changes in practice. That includes how sign-in will work, what recovery options exist, and how passkeys fit alongside the passwords they may still need in other systems. A good rollout makes secure behavior feel simple and familiar.&lt;/li&gt;



&lt;li&gt;&lt;strong&gt;Keep your password program strong during the transition.&lt;/strong&gt; Passkeys may reduce dependence on passwords over time, but they do not eliminate the need for strong password security in the meantime. Businesses still need unique passwords, 2FA where appropriate, &lt;a href=&quot;https://proton.me/pass/password-sharing&quot;&gt;secure sharing&lt;/a&gt; controls, and clear lifecycle governance for the systems that are not yet ready to move.&lt;/li&gt;
&lt;/ul&gt;



&lt;p&gt;A phased rollout works best when it treats passkeys as part of a broader authentication strategy, not as a standalone feature. The companies that get the most value from passkeys are usually the ones that introduce them gradually, manage them centrally, and keep the rest of their credential environment under control at the same time.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;Common business concerns about passkeys&lt;/h2&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;What happens if an employee loses their device?&lt;/h3&gt;



&lt;p&gt;If the lost device is the only place where the passkey is stored, the employee may not be able to sign in until access is recovered through another enrolled device, a backup &lt;a href=&quot;https://proton.me/authenticator&quot;&gt;authenticator&lt;/a&gt;, or an approved recovery process. Passkey rollout should not depend on a single device with no fallback plan.&lt;/p&gt;



&lt;p&gt;Businesses need to decide in advance how employees will regain access, who can approve recovery, and which accounts require stronger safeguards. A &lt;a href=&quot;https://proton.me/business/pass&quot;&gt;business password manager&lt;/a&gt; can help by storing and syncing passkeys across authorized devices, which reduces dependence on one phone or laptop and gives the business a more controlled way to manage access continuity.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Can passkeys work across multiple devices and operating systems?&lt;/h3&gt;



&lt;p&gt;Yes, but the experience depends on how passkeys are stored and managed. Some organizations may be comfortable with synced passkeys across employee devices, while others may prefer more tightly controlled or device-bound approaches for higher-risk roles. The important point is that cross-device use should be designed deliberately, not assumed to work the same way in every team or every environment.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;What if some apps support passkeys and others still require passwords?&lt;/h3&gt;



&lt;p&gt;That is the reality for most businesses today. Passkey adoption does not require every application to move at once. In practice, most companies will run a hybrid authentication model for some time, using passkeys where they are supported and keeping strong password management in place for systems that are not yet ready.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Will passkeys make password managers unnecessary?&lt;/h3&gt;



&lt;p&gt;Not really. Even in a more passkey-heavy environment, businesses still need a way to manage credentials consistently across users, devices, and systems. That includes storage, syncing, access control, recovery, visibility, and governance. In other words, the need for credential management remains, even as the credential type changes.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Are passkeys ready for every business system today?&lt;/h3&gt;



&lt;p&gt;No. Support has expanded significantly, especially across major platforms and identity providers, but many business tools still rely on passwords, older MFA flows, or fallback recovery models. That is why phased adoption tends to work better than trying to force universal rollout too early.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Do passkeys remove the need for broader access controls?&lt;/h3&gt;



&lt;p&gt;No. Passkeys strengthen authentication, but businesses still need device trust, role-based access controls, recovery planning, and clear governance. They reduce phishing risk and remove reusable secrets, but they work best as part of a broader security model.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;So, should your company move beyond passwords?&lt;/h2&gt;



&lt;p&gt;For most businesses, the answer is yes, but through a phased transition rather than an all-at-once replacement. If your company already relies on major enterprise platforms with passkey support, faces &lt;a href=&quot;https://proton.me/blog/what-is-phishing&quot;&gt;meaningful phishing risk&lt;/a&gt;, and wants to reduce its dependence on shared secrets, then passkey adoption is worth starting now.&lt;/p&gt;



&lt;p&gt;For businesses, that usually leads to a clearer conclusion: start adopting passkeys where they offer immediate security value, keep &lt;a href=&quot;https://proton.me/pass/download&quot;&gt;strong credential management&lt;/a&gt; in place for everything else, and make sure both are supported within a secure, well-governed access strategy.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;Building the bridge from passwords to passkeys&lt;/h2&gt;



&lt;p&gt;That is ultimately what good passkey adoption looks like in business: not hype, not all-or-nothing migration, but a controlled shift toward phishing-resistant authentication where it matters most.&lt;/p&gt;



&lt;p&gt;Enterprise support for passkeys is now real across major platforms. But coverage is still incomplete enough that most businesses need a bridge strategy rather than an immediate transition.&lt;/p&gt;



&lt;p&gt;That is where Proton Pass for Business fits naturally. It helps teams manage credentials securely, enforce policies consistently, and support both modern authentication workflows and password-based systems. Access management, identity management, and monitoring are made easier for IT teams: Proton Pass offers centralized administration, SCIM provisioning, SSO support, audit logs, vault-level permissions, and company-wide policy controls.&lt;/p&gt;



&lt;p&gt;If your business is ready to adopt passkeys and improve password security, try our &lt;a href=&quot;https://proton.me/business/pass&quot;&gt;business password manager&lt;/a&gt; for free or &lt;a href=&quot;https://proton.me/business/contact?pd=pass&quot;&gt;get in touch with our sales team&lt;/a&gt;.&amp;nbsp;&lt;/p&gt;
</content:encoded><category>For business</category><author>Ben Wolford</author></item><item><title>How businesses can detect and prevent account takeover attacks</title><link>https://proton.me/business/blog/account-takeover-attacks</link><guid isPermaLink="true">https://proton.me/business/blog/account-takeover-attacks</guid><description>Learn what an account takeover is, how it can happen, and how businesses can detect and prevent attacks.</description><pubDate>Tue, 19 May 2026 16:53:22 GMT</pubDate><content:encoded>
&lt;p&gt;Account takeover attacks against businesses are increasing. According to research from Abnormal Security, 83% of organizations surveyed had been impacted by at least one account takeover attack in the previous year, and 26% reported facing an account takeover attempt every week. And in Proton’s &lt;a href=&quot;https://proton.me/business/smb-cybersecurity-report&quot;&gt;SMB Cybersecurity Report&lt;/a&gt;, we found that 1 in 4 small businesses have been hacked despite their cybersecurity measures.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;The financial impact can be severe, too. Research from IBM reports that &lt;a href=&quot;https://proton.me/business/pass/breach-observatory&quot;&gt;data breaches&lt;/a&gt; involving vendor compromise and account takeover average nearly USD 5 million in costs, with containment timelines often exceeding 250 days.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;That combination of frequency and impact helps explain why account takeover is so dangerous for businesses: attackers can simply sign in with legitimate credentials and begin operating from inside the organization, often before anyone realizes the account is no longer trustworthy.&lt;/p&gt;



&lt;p&gt;In the UK, the government’s &lt;em&gt;Cyber Security Breaches Survey 2025&lt;/em&gt; report also shows that takeover attempts and compromised accounts form part of the wider incident picture. For businesses, that makes account takeover more than a login issue. It is an identity security, fraud, and business continuity risk.&lt;/p&gt;



&lt;p&gt;&lt;a href=&quot;#what-is&quot;&gt;What is an account takeover attack?&lt;/a&gt;&lt;/p&gt;



&lt;p&gt;&lt;a href=&quot;#how-account&quot;&gt;How account takeover differs from traditional attacks&lt;/a&gt;&lt;/p&gt;



&lt;p&gt;&lt;a href=&quot;#most-common&quot;&gt;The most common account takeover methods&lt;/a&gt;&lt;/p&gt;



&lt;p&gt;&lt;a href=&quot;#why-business&quot;&gt;Why business accounts are high-value targets&lt;/a&gt;&lt;/p&gt;



&lt;p&gt;&lt;a href=&quot;#detection-signals&quot;&gt;Detection signals businesses should watch out for&lt;/a&gt;&lt;/p&gt;



&lt;p&gt;&lt;a href=&quot;#business-impact&quot;&gt;The business impact of account takeover&lt;/a&gt;&lt;/p&gt;



&lt;p&gt;&lt;a href=&quot;#practical-response&quot;&gt;Your practical response plan for a suspected account takeover&lt;/a&gt;&lt;/p&gt;



&lt;p&gt;&lt;a href=&quot;#building-stronger&quot;&gt;Building a stronger security culture around account access&lt;/a&gt;&lt;/p&gt;



&lt;p&gt;&lt;a href=&quot;#proton-pass&quot;&gt;How Proton Pass for Business reduces account takeover risk&lt;/a&gt;&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot; id=&quot;what-is&quot;&gt;What is an account takeover attack?&lt;/h2&gt;



&lt;p&gt;Cybercriminals launch account takeover attacks by gaining unauthorized access to a legitimate account and then using it for malicious purposes. In business environments, that usually means obtaining an employee’s password, intercepting their authentication flow, or otherwise gaining valid access to a work account.&lt;/p&gt;



&lt;p&gt;Once inside, an attacker can read internal communications, change account settings, move into connected apps, export confidential files, or impersonate the employee in conversations with colleagues, vendors, or customers. Because the attacker has gained valid access rather than forcing their way in through a visibly broken system, the activity looks like business as usual.&lt;/p&gt;



&lt;p&gt;This is what makes business account compromise so dangerous. An attacker may appear to be a normal user until damage is already underway.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot; id=&quot;how-account&quot;&gt;How account takeover differs from traditional attacks&lt;/h2&gt;



&lt;p&gt;Account takeover is so disruptive because it isn’t as easy to spot as the kind of obvious attack or breach many teams expect.&lt;/p&gt;



&lt;p&gt;Business security teams often look for &lt;a href=&quot;https://protonvpn.com/blog/what-is-malware&quot;&gt;malware&lt;/a&gt;, exploited vulnerabilities, corrupted systems, or suspicious code execution. In an account takeover incident, no system may have been breached in the usual sense because the attacker has used legitimate credentials and ordinary sign-in flows.&lt;/p&gt;



&lt;p&gt;This difference is important because teams need to look for credential abuse rather than perimeter intrusion. When an attacker signs in with valid credentials through the same login page as everyone else, the activity doesn’t appear suspicious in isolation.&lt;/p&gt;



&lt;p&gt;Detection then depends less on spotting technical issues and more on noticing unusual behavior, such as strange login patterns, unexpected password resets, or abnormal access requests.&lt;/p&gt;



&lt;p&gt;In other words, account takeover often succeeds by abusing the organization’s normal trust model.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot; id=&quot;most-common&quot;&gt;The most common account takeover methods&lt;/h2&gt;



&lt;p&gt;Attackers can use several well-established methods to gain access to business accounts. Some are opportunistic, while others are highly targeted.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Credential stuffing&lt;/h3&gt;



&lt;p&gt;&lt;a href=&quot;https://proton.me/blog/what-is-credential-stuffing-attack&quot;&gt;Credential stuffing&lt;/a&gt; happens when attackers take usernames and passwords leaked in data breaches and test them against other services. This works because people often reuse passwords across both personal and work accounts.&lt;/p&gt;



&lt;p&gt;This makes &lt;a href=&quot;https://proton.me/pass/password-generator&quot;&gt;unique passwords&lt;/a&gt; one of your organization’s best defenses against account takeover. &lt;a href=&quot;https://proton.me/business/pass/breach-observatory-details&quot;&gt;Proton’s Data Breach Observatory&lt;/a&gt; shows that names and email addresses appear in nearly 9 out of 10 breaches, while passwords are exposed in 47% of incidents. When those credentials are reused across services, one breach quickly creates account takeover risk.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Phishing&lt;/h3&gt;



&lt;p&gt;&lt;a href=&quot;https://proton.me/blog/what-is-phishing&quot;&gt;Phishing&lt;/a&gt; remains one of the most common routes into business accounts. It can be used to steal passwords, session tokens, or MFA approvals, all of which can feed directly into account takeover.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;SIM swapping&lt;/h3&gt;



&lt;p&gt;SIM swapping happens when an attacker convinces a mobile carrier to transfer a victim’s number to a SIM card they control. If a business still relies heavily on &lt;a href=&quot;https://proton.me/blog/stop-using-sms&quot;&gt;SMS&lt;/a&gt;-based authentication, then attackers can easily intercept login codes.&lt;/p&gt;



&lt;p&gt;To protect against SIM swapping, &lt;a href=&quot;https://proton.me/blog/what-is-two-factor-authentication-2fa&quot;&gt;two-factor authentication&lt;/a&gt; (2FA) methods that do not rely on SMS are much more secure and better suited to higher-risk business accounts.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;2FA fatigue and session theft&lt;/h3&gt;



&lt;p&gt;Even when 2FA is enabled, attackers may try to wear users down with repeated approval prompts or steal session tokens through phishing and malware. 2FA is essential, but it isn’t sufficient on its own.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Password spraying&lt;/h3&gt;



&lt;p&gt;Password spraying is a type of &lt;a href=&quot;http://e&quot;&gt;brute force attack&lt;/a&gt;, where attackers try a set of commonly used passwords across many accounts. Instead of hammering one user with hundreds of guesses, they test weak defaults like “Welcome123!” or predictable company-based patterns against a wider pool of employees.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot; id=&quot;why-business&quot;&gt;Why business accounts are high-value targets&lt;/h2&gt;



&lt;p&gt;Business accounts are attractive because of the data and funds they potentially hold. A compromised email account can enable business email compromise. One example is business payment fraud, a scam in which criminals tailor an email to an organization, impersonate a legitimate contact, and try to redirect payments or obtain sensitive information.&lt;/p&gt;



&lt;p&gt;A compromised admin account can be even more damaging. It may allow attackers to reset passwords, access additional systems, export data, or weaken security controls. Once that happens, a single compromised identity can lead to a much larger incident.&lt;/p&gt;



&lt;p&gt;Even ordinary employee accounts may connect to:&lt;/p&gt;



&lt;ul class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;Email and calendars.&lt;/li&gt;



&lt;li&gt;CRM and customer support tools.&lt;/li&gt;



&lt;li&gt;HR and payroll systems.&lt;/li&gt;



&lt;li&gt;Cloud storage.&lt;/li&gt;



&lt;li&gt;Internal chat and collaboration platforms.&lt;/li&gt;



&lt;li&gt;Shared credentials and password vaults.&lt;/li&gt;



&lt;li&gt;Developer or infrastructure tools.&lt;/li&gt;
&lt;/ul&gt;



&lt;p&gt;Corporate account hijacking goes beyond just fraud. It’s an access control problem that can have organization-wide consequences.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot; id=&quot;detection-signals&quot;&gt;Detection signals businesses should watch out for&lt;/h2&gt;



&lt;p&gt;Because account takeover often begins with valid credentials, detection depends on spotting irregular behavior.&lt;/p&gt;



&lt;ul class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;&lt;strong&gt;Unusual login times or locations:&lt;/strong&gt; A login from an unfamiliar country, region, or time pattern can be suspicious, especially if it is followed by configuration changes.&lt;/li&gt;



&lt;li&gt;&lt;strong&gt;Unexpected password reset requests:&lt;/strong&gt; Employees receiving reset emails they did not request may be seeing early signs of an attempted takeover.&lt;/li&gt;



&lt;li&gt;&lt;strong&gt;Unfamiliar devices or browsers:&lt;/strong&gt; A login from a never-before-seen device is worth reviewing, particularly when paired with unusual app access or sharing behavior.&lt;/li&gt;



&lt;li&gt;&lt;strong&gt;2FA prompts not initiated by the account owner:&lt;/strong&gt; Unexpected 2FA approvals can signal that someone already has an account password and is trying to get through the second layer.&lt;/li&gt;



&lt;li&gt;&lt;strong&gt;Mailbox or forwarding rule changes:&lt;/strong&gt; Attackers who compromise email accounts often create rules to hide messages, forward mail, or preserve access.&lt;/li&gt;



&lt;li&gt;&lt;strong&gt;Unusual activity in sensitive tools:&lt;/strong&gt; A user suddenly accessing finance systems, admin dashboards, exports, or shared secrets in ways that don’t fit their normal responsibilities may indicate compromise.&lt;/li&gt;



&lt;li&gt;&lt;strong&gt;Suspicious changes in vaults or shared credentials:&lt;/strong&gt; If passwords are modified, re-shared, or accessed in unusual ways, it may be a sign of account misuse rather than normal collaboration.&lt;/li&gt;
&lt;/ul&gt;



&lt;h2 class=&quot;wp-block-heading&quot; id=&quot;business-impact&quot;&gt;The business impact of account takeover&lt;/h2&gt;



&lt;p&gt;The reason account takeover fraud is so serious is that one compromised identity can suddenly create several kinds of damage. There is the immediate fraud risk. An attacker may impersonate an executive, employee, or vendor to request payment changes or confidential information.&lt;/p&gt;



&lt;p&gt;There is also the data risk. A compromised account may expose contracts, customer data, internal files, or sensitive communications.&lt;/p&gt;



&lt;p&gt;Then, there is the operational risk. Teams may have to lock accounts, rotate credentials, revoke access, review logs, verify communications, and check for lateral movement.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;If the attacker reaches privileged systems, the incident can escalate far beyond one compromised account. They may be able to deploy &lt;a href=&quot;https://proton.me/business/blog/ransomware-threats-smbs&quot;&gt;ransomware&lt;/a&gt;, maintain access to critical systems, or enable wider compromise across the environment.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;At that point, the issue is no longer simply securing a user’s identity. It can disrupt operations, delay recovery, and affect the organization’s ability to function normally, which is why account takeover must be accounted for in business continuity planning.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot; id=&quot;practical-response&quot;&gt;Your practical response plan for a suspected account takeover&lt;/h2&gt;



&lt;p&gt;Even with strong preventive controls in place, businesses still need to be ready to respond quickly when an account takeover is suspected. A fast, structured response can help contain the incident before it spreads to other systems or workflows.&lt;/p&gt;



&lt;ol class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;The first step is to contain the risk by &lt;strong&gt;temporarily disabling the affected account&lt;/strong&gt;, revoking active sessions, and resetting credentials. Teams should then review recent login activity and any suspicious changes linked to the account. If the account has broader permissions or access to sensitive tools, the response should move even faster.&lt;/li&gt;



&lt;li&gt;From there, the focus should &lt;strong&gt;shift to scope&lt;/strong&gt;. Businesses need to understand what the attacker may have accessed, changed, or used while inside the account, including email rules, connected apps, shared credentials, and signs of lateral movement.&lt;/li&gt;



&lt;li&gt;It is also important to &lt;strong&gt;contain any related exposure&lt;/strong&gt;. A compromised identity may affect finance processes, vendor communications, internal tools, or customer data, so response should not stop at the account itself.&lt;/li&gt;



&lt;li&gt;Once the immediate risk is under control, the incident should be used to strengthen what failed, whether that means improving credential hygiene, tightening 2FA enforcement, or improving detection through activity logs and identity monitoring workflows. These tools help surface suspicious login patterns, such as unusual locations, repeated failed attempts, odd-hour access, or unexpected account changes, so security teams can investigate earlier.&lt;/li&gt;
&lt;/ol&gt;



&lt;h2 class=&quot;wp-block-heading&quot; id=&quot;building-stronger&quot;&gt;Building a stronger security culture around account access&lt;/h2&gt;



&lt;p&gt;Account takeover thrives when access is treated as a convenience issue instead of a security discipline.&lt;/p&gt;



&lt;p&gt;A stronger security culture means employees understand that credentials are not just personal logins. They are access keys to business systems, customer trust, and operational continuity. It also means organizations make the secure path the easy path by giving teams proper tools, clear policies, and centralized support.&lt;/p&gt;



&lt;p&gt;That is where &lt;a href=&quot;https://proton.me/business/blog/enterprise-password-manager&quot;&gt;enterprise password managers&lt;/a&gt;, passkeys, dark web monitoring, stronger 2FA practices, and secure offboarding work together. These controls help reduce credential reuse, improve account hygiene, and limit how much damage one compromised account can do. &lt;/p&gt;



&lt;p&gt;Detection belongs to the wider monitoring layer, but password managers can still support it by generating logs and reports that feed into investigation and alerting systems. Together, these controls make account takeover harder to execute and easier to contain.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot; id=&quot;proton-pass&quot;&gt;How Proton Pass for Business reduces account takeover risk&lt;/h2&gt;



&lt;p&gt;Many account takeover incidents start with exposed, weak, or reused credentials, then escalate because employees don’t have a consistent way to generate strong passwords, store them securely, use 2FA reliably, or spot early signs of exposure. Proton Pass for Business reduces that risk by making stronger account practices easier to apply across teams, not just easier to recommend.&amp;nbsp;&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Stronger password hygiene at scale&lt;/h3&gt;



&lt;p&gt;A &lt;a href=&quot;https://proton.me/pass/security&quot;&gt;secure password manager&lt;/a&gt; supports strong password generation, autofill, secure storage, and secure sharing, which helps teams move away from reused passwords, browser sprawl, and informal credential handling.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;This is essential for preventing account takeover because attackers often rely on password reuse and predictable login habits to turn one exposed credential into access across multiple services. Proton Pass also supports &lt;a href=&quot;https://proton.me/pass/passkeys&quot;&gt;passkeys&lt;/a&gt;, which reduce reliance on passwords for supported services and offer phishing-resistant sign-in protection. It also offers a built-in 2FA authenticator and autofill for TOTP codes, which makes stronger login habits easier to use consistently.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Better visibility into exposed and risky credentials&lt;/h3&gt;



&lt;p&gt;Proton Pass includes &lt;a href=&quot;https://proton.me/pass/pass-monitor&quot;&gt;Pass Monitor&lt;/a&gt;, which offers password health insights, dark web monitoring alerts for breached emails, and visibility into inactive 2FA. In practice, that helps organizations identify weak, reused, or already-exposed credentials before they are abused in credential stuffing or follow-on takeover attempts.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;A business password manager is ideal for account takeover prevention. It helps team members safely store and manage credentials, as well as helping teams identify the ones most likely to create downstream risk.&amp;nbsp;&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;More usable 2FA in day-to-day work&lt;/h3&gt;



&lt;p&gt;2FA helps make a stolen password less useful on its own, but adoption often breaks down when it feels inconvenient or fragmented. Proton Pass helps here by supporting a built-in 2FA authenticator and autofill for &lt;a href=&quot;https://proton.me/blog/one-time-password&quot;&gt;OTP&lt;/a&gt; codes, which makes stronger login habits easier to use consistently across supported accounts. That does not replace broader identity controls, but it does narrow one of the practical gaps attackers often exploit.&amp;nbsp;&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Admin control and security signals that support investigations&lt;/h3&gt;



&lt;p&gt;Proton Pass also contributes useful admin and security visibility through reporting, logs, and activity information. This helps organizations review credential-related activity, support internal investigations, and feed relevant signals into broader security workflows where needed.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;How Proton Sentinel complements Proton Pass for Business&lt;/h3&gt;



&lt;p&gt;&lt;a href=&quot;https://proton.me/blog/sentinel-high-security-program&quot;&gt;Proton Sentinel&lt;/a&gt; is an advanced account protection program available across eligible Proton plans that creates a stronger layer of protection for Proton Accounts themselves, including stricter challenges for suspicious login attempts, greater visibility into logins and account changes, and 24/7 escalation of suspicious events to security analysts.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;That makes it relevant for protecting access to the Proton Account and, by extension, the sensitive data stored inside Proton services. But it should not be presented as if it detects suspicious logins across a company’s entire SaaS stack.&lt;/p&gt;



&lt;p&gt;Proton Pass for Business helps reduce account takeover risk by improving password hygiene, making MFA easier to use, surfacing exposed or weak credentials earlier, and giving teams better control over how credentials are managed across the organization. Proton Pass for Business strengthens the credential practices that attackers most often exploit, while Proton Sentinel can add another layer of protection for the Proton account itself.&lt;/p&gt;



&lt;p&gt;Ready to start? Protect your business accounts from takeover with Proton Pass — try it for free or &lt;a href=&quot;https://proton.me/business/contact?pd=pass&quot;&gt;speak to our sales team&lt;/a&gt;.&lt;/p&gt;
</content:encoded><category>For business</category><author>Kate Menzies</author></item><item><title>Why secure file sharing is your competitors’ biggest bluff</title><link>https://proton.me/business/blog/secure-file-sharing-for-smbs</link><guid isPermaLink="true">https://proton.me/business/blog/secure-file-sharing-for-smbs</guid><description>Most companies claim secure file sharing as a selling point, but few can back it up. Here&apos;s how to turn it into your competitive edge.</description><pubDate>Mon, 18 May 2026 15:41:51 GMT</pubDate><content:encoded>
&lt;p&gt;The tools your company uses to manage and share files are a statement about how seriously that company considers its data security.&lt;/p&gt;



&lt;p&gt;More organizations are recognizing this, with the majority of businesses now touting it as a selling point.&lt;/p&gt;



&lt;p&gt;Yet our latest research shows that nearly half of businesses actively marketing secure file sharing as a selling point can&amp;#8217;t actually back up the claim — and most may not even be aware their file sharing service is unsafe. The clients evaluating them, however, are increasingly able to tell the difference.&lt;/p&gt;



&lt;p&gt;If you&amp;#8217;re already operating with genuinely secure file-sharing practices, including end-to-end encryption, this is your moment to use that as a competitive edge.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;How SMBs actually handle file sharing&lt;/h2&gt;



&lt;p&gt;Our &lt;a href=&quot;https://proton.me/business/blog/smb-cybersecurity-report&quot; type=&quot;link&quot; id=&quot;https://proton.me/business/blog/smb-cybersecurity-report&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;SMB Cybersecurity Report&lt;/a&gt; 2026 surveyed 3,000 founders, executives, and IT leaders across the US, UK, France, Germany, Brazil, and Japan, giving a detailed picture of how small and mid-sized businesses actually handle file sharing in practice, not just in policy.&lt;/p&gt;



&lt;p&gt;When asked if they highlight &lt;a href=&quot;https://proton.me/business/drive&quot; type=&quot;link&quot; id=&quot;https://proton.me/business/drive&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;file-sharing&lt;/a&gt; as a selling point in competing for new business, nearly 76% of companies said “yes” or “sometimes, depending on the client”. &lt;/p&gt;



&lt;p&gt;Additionally, 65% said it was “critically important” or “very important” to&amp;nbsp;demonstrate secure handling of client data when winning new business.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;But of these same companies:&lt;/p&gt;



&lt;ul class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;46% use non-end-to-end encrypted (non-E2EE) cloud services&lt;/li&gt;



&lt;li&gt;35% still share sensitive client files by regular email&lt;/li&gt;



&lt;li&gt;32% do so by physical means, including USB drives and printed copies.&lt;/li&gt;
&lt;/ul&gt;



&lt;p&gt;Despite the prevalence of non-secure means of file sharing, 45% of SMBs are very confident or completely confident in the security of their file-sharing practices in protecting client confidentiality.&lt;/p&gt;



&lt;p&gt;This is a significant disconnect — and a significant opportunity. Nearly half of the businesses leading with security as a selling point are doing so without the proper tools or practices to support the claim.&lt;/p&gt;



&lt;p&gt;That means the playing field isn&amp;#8217;t as competitive as it looks. For businesses that have genuinely embedded secure file sharing into how they operate, the gap isn&amp;#8217;t a threat; it&amp;#8217;s an opening.&lt;/p&gt;



&lt;p&gt;All this points to the fact that security is no longer a nice-to-have, but an expectation. &lt;/p&gt;



&lt;p&gt;File sharing safety has become a standard competitive argument, and the businesses that can immediately prove this — with specific tools, verifiable practices, and documented processes — are the ones converting security from a back-office investment into a genuine differentiator.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;Where does your business stand?&lt;/h2&gt;



&lt;p&gt;File sharing sits at the intersection of operational efficiency and client trust. Many businesses have optimized for the former without fully accounting for the latter — and that&amp;#8217;s precisely where the gap opens up.&lt;/p&gt;



&lt;p&gt;Taking a close, hard look at your company&amp;#8217;s file sharing practices is key to understanding which camp you sit in. This includes asking the following questions:&lt;/p&gt;



&lt;p&gt;Who holds your encryption keys? If your files are stored with a mainstream cloud provider, the answer is most likely with them, not you. &lt;/p&gt;



&lt;p&gt;Standard encryption on platforms like &lt;a href=&quot;https://proton.me/blog/is-google-drive-secure&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;Google Drive&lt;/a&gt;, &lt;a href=&quot;https://proton.me/blog/is-dropbox-secure&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;Dropbox&lt;/a&gt;, or &lt;a href=&quot;https://proton.me/business/microsoft-365-alternative&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;Microsoft OneDrive&lt;/a&gt; protects data in transit, but the provider retains access to the files themselves. Your data isn&amp;#8217;t private from the platform — it&amp;#8217;s only protected from outside parties. &lt;/p&gt;



&lt;p&gt;That&amp;#8217;s a meaningful distinction, and one that increasingly sophisticated clients are aware of.&lt;/p&gt;



&lt;p&gt;Has your team shared a client file by email or other non-secure means in the last 30 days? Regular email, Slack messages, and printed documents aren’t end-to-end encrypted. &lt;/p&gt;



&lt;p&gt;Files sent this way are prone to being exposed and intercepted at multiple points in transit. If the answer is yes, that&amp;#8217;s a gap between your security posture and the claims your business may be making.&lt;/p&gt;



&lt;p&gt;Can you prove the security of your file sharing platform or systems? If that question would give you pause, your security practices may not be as embedded — or as defensible — as you think. &lt;/p&gt;



&lt;p&gt;Being able to explain and ideally demonstrate your business&amp;#8217;s security measures will inspire confidence in prospective clients and facilitate deals.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;Strategies for secure file sharing&lt;/h2&gt;



&lt;p&gt;For most businesses, file sharing happens dozens or hundreds of times a day across multiple tools, teams, and client relationships. &lt;/p&gt;



&lt;p&gt;That scale is exactly why getting it right matters — and why getting it wrong compounds exposure and risk.&lt;/p&gt;



&lt;p&gt;The good news? Closing the gap between claiming security and demonstrating it doesn&amp;#8217;t require rebuilding how your business operates. &lt;/p&gt;



&lt;p&gt;It means making a few deliberate choices and enforcing them consistently enough that they become a credible part of how you present yourself to clients.&lt;/p&gt;



&lt;p&gt;&lt;strong&gt;1. Move to end-to-end encrypted cloud storage.&lt;/strong&gt; Look for a provider like &lt;a href=&quot;https://proton.me/business/drive&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;Proton Drive&lt;/a&gt; where files are &lt;a href=&quot;https://proton.me/security/end-to-end-encryption&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;encrypted on-device&lt;/a&gt; before upload, and where you — not the provider — hold the encryption keys. Zero-access architecture means that even if the provider is compromised, your data isn&amp;#8217;t readable. That&amp;#8217;s a key difference from mainstream cloud storage, and a claim you can easily make to clients with full confidence.&lt;/p&gt;



&lt;p&gt;&lt;strong&gt;2. Make secure sharing the default by design.&lt;/strong&gt; Security policies only work when they&amp;#8217;re easier to follow than to bypass. Build your &lt;a href=&quot;https://proton.me/business/drive/secure-file-sharing-for-business&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;file-sharing workflow&lt;/a&gt; so that the most secure option is also the most intuitive. Every file sent by email because it was faster, every link shared through an unencrypted channel because the client preferred it — those are liabilities your business is choosing to accept.&lt;/p&gt;



&lt;p&gt;&lt;strong&gt;3. Extend encryption to your backups. &lt;/strong&gt;Encrypted storage provides limited protection if your backups live somewhere that doesn&amp;#8217;t apply the same standard. Ensure that the zero-access principle extends to how and where you store backup copies of client data — and that you, not a third-party provider, control the keys.&lt;/p&gt;



&lt;p&gt;&lt;strong&gt;4. Document and communicate your practices clearly. &lt;/strong&gt;This is where security stops being a compliance checkbox and starts being a business development asset. Be specific about what your tools protect and how, and anticipate the questions clients have top of mind about how their files are managed, stored, and shared. The businesses that can answer those questions clearly and demonstrably aren&amp;#8217;t just more secure — they&amp;#8217;re more compelling.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;Turn security into your new selling point&lt;/h2&gt;



&lt;p&gt;Most businesses share files dozens of times daily without giving it a second thought. &lt;/p&gt;



&lt;p&gt;Every document shared through non-encrypted means is another avenue of risk and an opportunity left on the table. With much of the market still making claims they can’t back up, this is your chance to close the gap in verifiable ways and cut ahead of the competition.&lt;/p&gt;



&lt;p&gt;But true business security doesn’t stop at just how you share and manage files. &lt;/p&gt;



&lt;p&gt;Our &lt;a href=&quot;https://proton.me/business/smb-cybersecurity-report&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;SMB Cybersecurity Report 2026&lt;/a&gt; shows where your peers stand on security today, where gaps often appear (and are likely to be missed), and what businesses getting it right are doing differently. Get all these insights for free in our full report.&lt;/p&gt;



&lt;p&gt;&lt;a href=&quot;https://proton.me/business/smb-cybersecurity-report&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;Download the report&lt;/a&gt;&lt;/p&gt;
</content:encoded><category>For business</category><author>Alanna Alexander</author></item><item><title>6 document management best practices</title><link>https://proton.me/business/blog/document-management-best-practices</link><guid isPermaLink="true">https://proton.me/business/blog/document-management-best-practices</guid><description>A practical guide on how to organize files, manage access, and build a secure document management system.</description><pubDate>Mon, 18 May 2026 15:21:59 GMT</pubDate><content:encoded>
&lt;p&gt;When you’re running a business, documents pile up fast. Contracts, employee records, and commercially sensitive client data tend to accumulate haphazardly unless you have a clear document management system.&lt;/p&gt;



&lt;p&gt;Digital disorganization has real risks. It’s not just time-consuming to find what you need later; it can also lead to operational errors or even security breaches. &lt;/p&gt;



&lt;p&gt;When the wrong version of a document circulates, agreements could be executed on incorrect terms, and sensitive information could be unintentionally disclosed. These problems stem from poor document management and result in compliance issues and eroded trust.&lt;/p&gt;



&lt;p&gt;Documentation management isn’t just about keeping your files organized; it’s about maintaining control. It helps ensure the right information is trusted, limits unnecessary access to sensitive data, and gives you visibility into who can view, change, or share &lt;a href=&quot;https://proton.me/business/blog/digital-data&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;business data&lt;/a&gt;. &lt;/p&gt;



&lt;p&gt;In this guide, you’ll learn:&lt;/p&gt;



&lt;ul class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;What documentation management is&lt;/li&gt;



&lt;li&gt;Why businesses need a method for managing documents&lt;/li&gt;



&lt;li&gt;6 document management best practices&lt;/li&gt;
&lt;/ul&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;What is documentation management?&lt;/h2&gt;



&lt;p&gt;Document management is how your business stores, organizes, retrieves, and controls access to its files.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;Most businesses use document management systems (DMS) to control documents centrally. These are cloud storage platforms, such as Google Drive and Proton Drive, that let teams upload files, organize them in folders, set access permissions, and keep everything in one place. &lt;/p&gt;



&lt;p&gt;A good DMS reduces version confusion and duplicated work, while giving teams clear visibility into where important files are kept.  &lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;File management vs. document management&lt;/h3&gt;



&lt;p&gt;&lt;a href=&quot;https://proton.me/business/blog/file-management&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;File management&lt;/a&gt; focuses on basic organization — folder structures, naming conventions, and storage locations. Document management builds on this foundation by introducing governance features such as version control, permissions, and activity tracking. If file management is your filing cabinet, document management is the cabinet plus the lock and the logbook.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Note: Organization is not the same as control&lt;/h3&gt;



&lt;p&gt;Many businesses implement document management systems to centralize files and restore order. But structure alone doesn’t guarantee that sensitive information remains protected. Not all DMS offer &lt;a href=&quot;https://proton.me/learn/encryption/types-of-encryption/what-is-end-to-end&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;end-to-end encryption&lt;/a&gt;, and without it, files remain readable by the provider. This leaves you without control over your data and open to security risks — a breach of their systems becomes a breach of your data. Staying in control means your business data stays protected, and that access is limited to the people you authorize, no matter what happens to the provider. &lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;Why businesses need a method for managing documents&lt;/h2&gt;



&lt;p&gt;Poor document management creates problems you’ve likely encountered:&amp;nbsp;&lt;/p&gt;



&lt;ul class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;&lt;strong&gt;Slow down your productivity: &lt;/strong&gt;The most obvious cost of poor document management is wasted time. And &lt;a href=&quot;https://socpub.com/articles/improper-document-management-83-workers-are-forced-recreate-existing-documents-16347&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;research&lt;/a&gt; backs this up — 96% of employees struggle to locate the most recent version of a document, and 83% have had to recreate files because they couldn&amp;#8217;t find the original. That’s hours lost on searching for and recreating files, time that could’ve been spent on work that moves your business forward.&lt;/li&gt;



&lt;li&gt;&lt;strong&gt;Create confusion in collaborative work: &lt;/strong&gt;When no one knows which version of a document is current, work gets duplicated, decisions stall, and errors slip through. In distributed teams, this uncertainty spreads quickly, leading to missed deadlines and underbaked deliverables. &lt;/li&gt;



&lt;li&gt;&lt;strong&gt;Accidentally expose sensitive data: &lt;/strong&gt;Weak access controls leave you vulnerable to breaches and careless mistakes. In a study of financial services companies, &lt;a href=&quot;https://info.varonis.com/hubfs/docs/research_reports/2021-Financial-Data-Risk-Report.pdf&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;over 64%&lt;/a&gt; had sensitive files accessible to every employee. One misconfigured folder is all it takes to expose client data and end a business relationship.&lt;/li&gt;



&lt;li&gt;&lt;strong&gt;Make compliance harder to prove: &lt;/strong&gt;In sensitive industries such as &lt;a href=&quot;https://proton.me/business/drive/hipaa-compliant-cloud-storage-for-healthcare&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;healthcare&lt;/a&gt; and finance, clear evidence of how documents are stored, accessed, and retained is required. If you can’t show compliance, you&amp;#8217;re facing regulatory fines and damaged client relationships.&lt;/li&gt;
&lt;/ul&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;6 document management best practices&lt;/h2&gt;



&lt;p&gt;Here are six best practices to help you build a document management system that’s organized, secure, and easy to use.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;1. Store your files in a single location&lt;/h3&gt;



&lt;p&gt;Centralizing makes finding the right file much easier and eliminates the need to search across inboxes, local drives, and cloud accounts. Set rules and permissions that contain documents in one place rather than spread across multiple systems with different limitations.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;2. Establish folder structures and naming conventions — and apply them consistently&lt;/h3&gt;



&lt;p&gt;Organize folders by function or department (marketing, finance, HR, etc.), then by consistent subcategories such as year, project, or client name. For file names, include identifiers that make searching easy, such as dates, version numbers, and document type: ClientName_Contract_2025-01-15_v2.pdf. It’s much easier to find than &amp;#8220;Final_revised_FINAL.pdf&amp;#8221;.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;3. Control who accesses sensitive documents&lt;/h3&gt;



&lt;p&gt;Not every employee needs access to every document in your company — a graphic designer doesn’t need to see employee records or financial reports. Set permissions that limit access to each document to only the right people, and review those permissions regularly. Outdated permissions from role changes, project completions, or employee departures &lt;a href=&quot;https://proton.me/business/blog/spreadsheet-security-business-survey&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;create hidden security and privacy liabilities&lt;/a&gt;. If your team handles financial records, customer information, or product plans, maintaining confidentiality is part of running the business. When you lose track of who can access that data, the consequences can include regulatory scrutiny, lost deals, and reputational damage. &lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;4. Track versions closely&lt;/h3&gt;



&lt;p&gt;Imagine this: Five employees, editing five different copies of the same document. Which one do you use? When work goes through multiple hands, version control is essential. Tools like &lt;a href=&quot;https://proton.me/drive/docs&quot;&gt;collaborative documents&lt;/a&gt;, which allow your team to work on the same document simultaneously, make version control even easier. Changes become visible as they happen. Features such as inline comments, suggested edits, and version history reduce the back-and-forth that can slow teams down, especially when working across time zones.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;5. Password-protect files that are shared externally&lt;/h3&gt;



&lt;p&gt;Sensitive files often need to be shared with investors, partners, or customers. When you share externally, follow a simple rule: access should remain identifiable, time-bound, and easy to revoke. Use sharing links with password protection and expiration dates rather than open links or email attachments. This way, access remains under your control; you can see who has it, limit how long they have it, and revoke it when necessary.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;6. Choose a DMS with strong security foundations&lt;/h3&gt;



&lt;p&gt;Familiar tools like Google Drive are convenient solutions, but that convenience comes at the expense of your privacy and security. A fully encrypted DMS ensures files are encrypted before they leave your device, and that only you and your intended recipients can decrypt them.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;Not sure which platform to choose? Ask who holds the encryption keys and what jurisdiction the provider operates under. This reduces the risk that sensitive business data can be read, leaked, or misused. It also influences how well your security holds up during incidents, audits, or disputes.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;Build your document management system with Proton Drive&lt;/h2&gt;



&lt;p&gt;&lt;a href=&quot;https://proton.me/business/drive&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;Proton Drive&lt;/a&gt; is a privacy-first platform that supports document management best practices without compromising on security.&lt;/p&gt;



&lt;p&gt;Enterprise DMS solutions are complex and costly; not every business needs or wants that. Proton Drive lets you build your document management system on a privacy-driven foundation that allows your teams to safely organize, manage, and share files.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;Proton Drive is end-to-end encrypted by default, so you can trust that no one but you and the people you share with can access your files — not even Proton can. And because Proton is based in &lt;a href=&quot;https://proton.me/blog/switzerland&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;Switzerland&lt;/a&gt;, your documents are protected by some of the strictest privacy laws in the world. &lt;/p&gt;



&lt;p&gt;With Proton Drive as your document management system, you can:&lt;/p&gt;



&lt;ul class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;Store all your business files in one place, protected by end-to-end encryption. Proton Drive is &lt;a href=&quot;https://proton.me/business/iso-27001-certification&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;ISO 27001&lt;/a&gt; certified and supports compliance with &lt;a href=&quot;https://proton.me/business/drive/hipaa-compliant-cloud-storage-for-healthcare&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;HIPAA&lt;/a&gt; and &lt;a href=&quot;https://proton.me/business/gdpr&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;GDPR&lt;/a&gt;.&lt;/li&gt;



&lt;li&gt;Set permissions at the file or folder level to control who can view or edit sensitive documents.&lt;/li&gt;



&lt;li&gt;Access previous versions of your files for &lt;a href=&quot;https://proton.me/blog/drive-version-history&quot;&gt;up to 10 years&lt;/a&gt;, so you can review or restore earlier drafts when needed.&lt;/li&gt;



&lt;li&gt;Create and edit documents with your team using &lt;a href=&quot;https://proton.me/drive/docs&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;Proton Docs&lt;/a&gt; and &lt;a href=&quot;https://proton.me/drive/sheets&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;Sheets&lt;/a&gt;. Changes sync instantly, and version history keeps everyone aligned.&lt;/li&gt;



&lt;li&gt;Share files with &lt;a href=&quot;https://proton.me/drive/file-sharing/password-protection&quot;&gt;password-protected&lt;/a&gt; links and expiration dates. Recipients don&amp;#8217;t need a Proton account, and you can revoke access at any time.&lt;/li&gt;
&lt;/ul&gt;



&lt;p&gt;Look no further for &lt;a href=&quot;https://proton.me/business/drive&quot; type=&quot;link&quot; id=&quot;https://proton.me/business/drive&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;a document management solution&lt;/a&gt; that prioritizes security without the complexity.&lt;/p&gt;
</content:encoded><category>For business</category><author>Alanna Alexander</author></item><item><title>If you don’t control your data, who does? A European strategist explains</title><link>https://proton.me/business/blog/data-sovereignty-for-european-businesses</link><guid isPermaLink="true">https://proton.me/business/blog/data-sovereignty-for-european-businesses</guid><description>Austrian data strategist Fritz Fahringer explains how European businesses can reclaim data sovereignty with everyday tools.</description><pubDate>Fri, 15 May 2026 17:00:06 GMT</pubDate><content:encoded>
&lt;p&gt;&lt;strong&gt;“What’s the problem?”&lt;/strong&gt;&lt;/p&gt;



&lt;p&gt;That was the response Austrian data strategist Fritz Fahringer got from an employee at a major US tech company when he raised concerns about companies using private emails to train AI systems.&lt;/p&gt;



&lt;p&gt;The exchange stayed with him. It reinforced something he had already seen firsthand: In parts of the global tech ecosystem, access to customer data is more than a technical capability. It’s a business model. &lt;/p&gt;



&lt;p&gt;To Fahringer, that represents a growing breach of trust between technology providers and the organizations that depend on them.&lt;/p&gt;



&lt;p&gt;Fahringer, who previously led the development of &lt;a href=&quot;https://www.datahub.tirol/news&amp;amp;remotepageid=34808&quot;&gt;datahub.tirol&lt;/a&gt;, one of Europe&amp;#8217;s first trust-based regional data spaces, has spent years designing secure data-sharing systems and digital infrastructure for businesses and public institutions. &lt;/p&gt;



&lt;p&gt;He saw firsthand how uncertainty over who can access, control, or benefit from data has held organizations back. It has slowed innovation, increased risk, and made leaders hesitant to adopt new technologies.&lt;/p&gt;



&lt;p&gt;Fahringer isn’t alone in questioning these assumptions. For many European organizations, the possibility that providers may access, analyze, or monetize sensitive information is becoming &lt;a href=&quot;https://proton.me/business/europe-tech-watch&quot; type=&quot;link&quot; id=&quot;https://proton.me/business/europe-tech-watch&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;a practical business risk&lt;/a&gt;.&lt;/p&gt;



&lt;p&gt;Could a provider process or transfer data in a way that conflicts with &lt;a href=&quot;https://proton.me/business/gdpr&quot; type=&quot;link&quot; id=&quot;https://proton.me/business/gdpr&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;GDPR&lt;/a&gt; or local regulations, leaving the company using the tool still responsible? Could sensitive customer data, product plans, or negotiations be exposed, accessed internally by the provider, or used in unintended ways? Could their data be used to &lt;a href=&quot;https://proton.me/blog/ai-gdpr&quot; type=&quot;link&quot; id=&quot;https://proton.me/blog/ai-gdpr&quot;&gt;train models&lt;/a&gt; or improve services that ultimately benefit the provider or even competitors?&lt;/p&gt;



&lt;p&gt;These are the concerns that bring businesses to VALTYROL, Fahringer&amp;#8217;s business that is singularly focused on helping decision-makers take a more intentional approach to how their data is handled.&lt;/p&gt;



&lt;p&gt;In this conversation, we speak to him about how breaking away from &lt;a href=&quot;https://proton.me/blog/data-sovereignty&quot; type=&quot;link&quot; id=&quot;https://proton.me/blog/data-sovereignty&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;inherited tech dependencies&lt;/a&gt; — and owning the systems your data flows through — often begins with everyday tools like email and meetings.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;&lt;strong&gt;Let’s start with the fundamentals. Why should companies question who they depend on to run their technology?&lt;/strong&gt;&lt;/h3&gt;



&lt;p&gt;Because those decisions have long-term consequences. If you rely heavily on providers whose priorities or legal environments you don’t control, you can gradually lose strategic flexibility and visibility over how your data is used.&lt;/p&gt;



&lt;p&gt;In the past, it was sometimes difficult to explain why sovereignty matters. Many people didn’t really think about where their data was stored or who ultimately had access to it.&lt;/p&gt;



&lt;p&gt;But in the age of AI — and also with the current geopolitical tensions — people are starting to understand that data is a strategic resource. If your data is stored and processed by companies outside your jurisdiction, you lose a certain level of control over how it can be used.&lt;/p&gt;



&lt;p&gt;That’s why many organizations in Europe are beginning to &lt;a href=&quot;https://proton.me/blog/european-alternative-us-tech-survey&quot; type=&quot;link&quot; id=&quot;https://proton.me/blog/european-alternative-us-tech-survey&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;rethink their dependencies&lt;/a&gt;. They want to understand who operates their infrastructure and what happens to their data.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;&lt;strong&gt;What’s stopping businesses from breaking away from default reliance on global technology providers?&lt;/strong&gt;&lt;/h3&gt;



&lt;p&gt;When I started my own company, I wanted to do things differently from the beginning.&lt;/p&gt;



&lt;p&gt;My digital tools were scattered across many providers — Gmail, different cloud services, a VPN from another company. Most of them were based in the United States.&lt;/p&gt;



&lt;p&gt;I decided to move everything into a more sovereign setup. I switched my &lt;a href=&quot;https://proton.me/business/mail&quot;&gt;email&lt;/a&gt;, &lt;a href=&quot;https://proton.me/business/pass&quot;&gt;password manager&lt;/a&gt;, &lt;a href=&quot;https://proton.me/business/vpn&quot;&gt;VPN&lt;/a&gt;, and &lt;a href=&quot;https://proton.me/business/drive&quot;&gt;cloud storage&lt;/a&gt; to Proton.&lt;/p&gt;



&lt;p&gt;It was important for me to bring everything together in &lt;a href=&quot;https://proton.me/business/blog/proton-workspace&quot; type=&quot;link&quot; id=&quot;https://proton.me/business/blog/proton-workspace&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;one ecosystem&lt;/a&gt; that aligns with the values I talk about professionally.&lt;/p&gt;



&lt;p&gt;But I know this well: Moving your entire IT infrastructure at once is very difficult. Most companies have built their systems over many years.&lt;/p&gt;



&lt;p&gt;Sovereignty has to happen &lt;a href=&quot;https://proton.me/business/blog/cybersecurity-for-startups&quot; type=&quot;link&quot; id=&quot;https://proton.me/business/blog/cybersecurity-for-startups&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;step by step&lt;/a&gt;. Some of the easiest places to start are communication tools — email, meetings, and collaboration platforms. These are areas where companies can &lt;a href=&quot;https://proton.me/business/blog/tech-investment-not-cost&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;adopt more sovereign solutions&lt;/a&gt; without rebuilding their entire IT architecture.&lt;/p&gt;



&lt;p&gt;Over time, those decisions add up to a more independent and resilient digital infrastructure.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;&lt;strong&gt;Why are tools like private email, VPNs, and secure meetings important for businesses today?&lt;/strong&gt;&lt;/h3&gt;



&lt;p&gt;Businesses shouldn’t have to choose between usability and privacy.&lt;/p&gt;



&lt;p&gt;A lot of work today happens outside the office — on trains, in cafés, or while traveling. In those situations, you’re often connecting through public networks, so using a VPN is a simple way to protect your connection.&lt;/p&gt;



&lt;p&gt;But communication tools are just as important. Email and video meetings are where a lot of sensitive information is exchanged.&lt;/p&gt;



&lt;p&gt;When you look at the common meeting tools, each one comes with a trade-off. Zoom has limitations on free calls. Microsoft Teams can be difficult to use. Google Meet works well, but then your data sits inside Google’s ecosystem.&lt;/p&gt;



&lt;p&gt;So in many cases you’re choosing between different disadvantages.&lt;/p&gt;



&lt;p&gt;What I liked about Proton Meet is that it removes that trade-off. It’s simple to use, and at the same time it respects privacy. For me, that combination is very important.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;&lt;strong&gt;What made Proton stand out compared to the tools you were using before?&lt;/strong&gt;&lt;/h3&gt;



&lt;p&gt;What stood out to me was that Proton offers a complete ecosystem.&lt;/p&gt;



&lt;p&gt;With many services, you get only one piece — maybe email, or maybe storage — and everything else comes from another provider. Over time you end up with a fragmented setup.&lt;/p&gt;



&lt;p&gt;Proton offered email, Drive, VPN, password management, and other tools within the same privacy-focused system. For a small business, that combination is very powerful.&lt;/p&gt;



&lt;p&gt;It allowed me to move away from a patchwork of different services and consolidate everything under a provider that prioritizes privacy.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;&lt;strong&gt;How do clients or partners react when they see that you’re using Proton?&lt;/strong&gt;&lt;/h3&gt;



&lt;p&gt;Often people notice the Proton email address and ask about it.&lt;/p&gt;



&lt;p&gt;They say something like, “Oh, you really take this seriously.”&lt;/p&gt;



&lt;p&gt;For me, it’s not about selling Proton or convincing people to switch. But it shows that I try to live by the principles I talk about — especially around data sovereignty. When people see my Proton email, they realize I take sovereignty seriously.&lt;/p&gt;



&lt;p&gt;It becomes a signal that these values are not just theoretical.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;&lt;strong&gt;What advice would you give to European businesses that want to take more control over their data?&lt;/strong&gt;&lt;/h3&gt;



&lt;p&gt;Moving your entire IT infrastructure at once is very difficult. Most companies have built their systems over many years.&lt;/p&gt;



&lt;p&gt;But sovereignty can happen step by step.&lt;/p&gt;



&lt;p&gt;Many European businesses are curious about AI, but at the same time they are cautious about how their data is used. &lt;/p&gt;



&lt;p&gt;When data goes into &lt;a href=&quot;https://proton.me/business/europe-tech-watch&quot; type=&quot;link&quot; id=&quot;https://proton.me/business/europe-tech-watch&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;large platforms outside Europe&lt;/a&gt;, companies often feel that they lose control over it. They worry that the data could be used to train models, generate value somewhere else, or even benefit competitors.&lt;/p&gt;



&lt;p&gt;One practical approach is to start building a more sovereign stack over time. For example, I combine regional providers with European privacy-focused tools. My website is hosted with an Austrian provider that I can reach and trust locally, while Proton provides the communication infrastructure — email, storage, meetings, and VPN.&lt;/p&gt;



&lt;p&gt;This kind of setup allows companies to keep more control over their data while still using modern digital tools.&lt;/p&gt;



&lt;p&gt;You don’t have to change everything overnight. But each step toward more trusted infrastructure helps build a more independent and resilient digital environment.&lt;/p&gt;
</content:encoded><category>For business</category><category>Opinion</category><author>Alanna Alexander</author></item><item><title>How to build a security awareness training program for your organization</title><link>https://proton.me/business/blog/security-awareness-training</link><guid isPermaLink="true">https://proton.me/business/blog/security-awareness-training</guid><description>Build a security awareness training program that reduces human risk through role-specific guidance, and stronger credential practices.</description><pubDate>Fri, 15 May 2026 15:16:02 GMT</pubDate><content:encoded>
&lt;p&gt;Most organizations understand that people play a major role in cyber risk. Far fewer have built a security awareness training program or adopted a &lt;a href=&quot;https://proton.me/business/pass&quot;&gt;business password manager&lt;/a&gt;, which can genuinely change behavior.&lt;/p&gt;



&lt;p&gt;Human-related security risk is rarely one dramatic incident. Realistically, it appears in ordinary moments: an employee clicks a convincing &lt;a href=&quot;https://proton.me/blog/what-is-phishing&quot;&gt;phishing&lt;/a&gt; email, reuses a password across business tools, shares a login in a chat, or ignores a &lt;a href=&quot;https://proton.me/blog/what-is-two-factor-authentication-2fa&quot;&gt;two-factor authentication&lt;/a&gt; (2FA) request because it feels like an interruption rather than a protective step.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;Over time, those everyday decisions determine the organization’s exposure. In the UK, the broader threat picture makes that impossible to treat as a minor issue. The UK government’s report &lt;em&gt;&lt;a href=&quot;https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2025/cyber-security-breaches-survey-2025&quot;&gt;Cyber Security Breaches Survey 2025&lt;/a&gt;&lt;/em&gt; found that half of businesses suffered a cyber security incident or breach in the previous 12 months, and phishing remained the most common type of cyber crime among affected businesses. &lt;/p&gt;



&lt;p&gt;For HR leaders, CISOs, COOs, IT managers and security teams, that makes security awareness training much more than just a compliance exercise. It’s how businesses reduce preventable risk. The challenge is that many programs are still built around just completing exercises rather than actually changing behavior. Team members watch an annual video, tick a box, and return to the same habits that created the risk in the first place.&lt;/p&gt;



&lt;p&gt;A more effective approach treats awareness as part of workplace culture. It’s reinforced over time, shaped by role, backed by usable policies, and supported by tools that make the secure choice easier to follow.&lt;/p&gt;



&lt;p&gt;We’ll explain what an effective security awareness program actually looks like, why so many organizations get it wrong, and how to build one that improves day-to-day behavior rather than simply documenting that training happened.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;Why security awareness training fails in most organizations&lt;/h2&gt;



&lt;p&gt;Security awareness training often fails because it is treated as an &lt;strong&gt;event&lt;/strong&gt;, instead of as a &lt;strong&gt;system&lt;/strong&gt;. In many organizations, the program consists of an annual compliance module, a short quiz, and little else. Staff are expected to absorb generic advice once a year and then apply it consistently across hundreds of real-world workflows, tools, and decisions. This just isn’t enough to change behavior in a lasting way.&lt;/p&gt;



&lt;p&gt;The problem is not that awareness training lacks value. It is that many programs are outdated or too detached from how people actually work. They rely on abstract reminders, while the real risks appear in inboxes, shared drives, password resets, urgent requests from managers, and day-to-day access decisions. If the training does not emulate what people actually see or do every day, they’re unlikely to retain or apply it.&lt;/p&gt;



&lt;p&gt;Training programs should include induction and refresher training for all staff on data protection and information governance, while awareness raising should use regular communication methods to keep information governance, data protection, and information security visible over time. That points to a continuous model rather than a single annual intervention.&lt;/p&gt;



&lt;p&gt;Another reason programs fail is that they focus too narrowly on what employees should not do, while ignoring the root cause of bad habits. Telling staff not to reuse passwords helps in theory, but it does little if the business has not given them a secure, practical way to create, store, and share credentials. Telling them how to spot phishing is useful, but less effective if reporting suspicious messages is unclear or cumbersome.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;What a real security awareness program looks like&lt;/h2&gt;



&lt;p&gt;A real security awareness program is not something employees complete once and forget. It is an ongoing set of habits, expectations, and safeguards that helps people make better security decisions over time.&lt;/p&gt;



&lt;p&gt;This begins with continuity. Use training resources designed to complement existing policies and procedures. They should cover practical areas such as &lt;a href=&quot;https://proton.me/blog/create-remember-strong-passwords&quot;&gt;strong passwords&lt;/a&gt;, &lt;a href=&quot;https://proton.me/business/blog/byod-policy&quot;&gt;BYOD best practices&lt;/a&gt;, &lt;a href=&quot;https://proton.me/business/blog/phishing-awareness-training&quot;&gt;phishing&lt;/a&gt;, and &lt;a href=&quot;https://proton.me/business/blog/incident-response&quot;&gt;incident reporting&lt;/a&gt;. That mix is useful because effective awareness does not stop at one topic. It should reflect the full set of routine actions that shape security in real workplaces.&lt;/p&gt;



&lt;p&gt;But continuity alone is not enough. The program also needs to reflect the real differences in how teams encounter risk.&lt;/p&gt;



&lt;p&gt;An effective program also needs to be role-specific. A finance team member handling payment requests does not face the same day-to-day risk as a marketing manager sharing social accounts, or an HR lead managing employee records. Generic advice has its place, but it works better when followed by training tailored to the systems, data, and attack patterns most relevant to each group.&lt;/p&gt;



&lt;p&gt;The next component is practice. Employees do not develop better judgement only by reading rules. They improve through repeated exposure to realistic scenarios: phishing simulations, reporting exercises, access reviews, and short reminders tied to actual tools or workflows. Simulated attacks are particularly useful because they test whether the program is affecting behavior in the moments that matter, rather than only in a quiz environment.&lt;/p&gt;



&lt;p&gt;Clear security and password policies are just as important. Staff need to know how credentials should be created, stored, shared, and removed when no longer needed, how suspicious messages should be reported, when 2FA is required, and what to do if they think they have made a mistake.&lt;/p&gt;



&lt;p&gt;Finally, a real program treats security as a shared workplace norm rather than a specialized IT concern. That means managers reinforce it, leaders model it, and teams talk about it as part of how the organization operates day to day. Building that kind of culture takes more than a policy document, but it is one of the strongest ways to reduce repeated human error over time.&lt;/p&gt;



&lt;p&gt;Proton’s guide on &lt;a href=&quot;https://proton.me/blog/small-business-cyber-security-culture-workplace&quot;&gt;small business cyber security culture in the workplace&lt;/a&gt; is helpful here because it frames awareness not as a fear-based campaign, but as part of how a business works every day.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;Why phishing and credential abuse belong at the center of the program&lt;/h2&gt;



&lt;p&gt;If a security awareness program tries to cover everything equally, it can lose focus. Most organizations are better served by starting with the risks most likely to produce real damage.&lt;/p&gt;



&lt;p&gt;Phishing belongs near the top of that list. The UK government’s report &lt;em&gt;Cyber Security Breaches Survey 2025&lt;/em&gt; found that phishing remained the most prevalent type of attack vector among businesses that experienced cyber crime, affecting 93% of those businesses. That reflects a wider reality across UK businesses, where phishing remains one of the most common attack methods.&lt;/p&gt;



&lt;p&gt;Phishing rarely ends with the message itself. In many organizations, the real damage begins once stolen credentials are used to access accounts, exploit password reuse, move into other systems, or take advantage of shared logins that were never tightly controlled.&lt;/p&gt;



&lt;p&gt;Businesses need to use a layered approach. It needs to be harder for attackers to reach users and easier for users to identify and report suspected phishing messages. This protects organizations from the effects of undetected phishing emails and helps them respond quickly to incidents.&lt;/p&gt;



&lt;p&gt;A strong security awareness program should reflect that same logic. Employees need to be able to recognize suspicious behavior, but they also need the surrounding controls that reduce the impact of one mistake.&lt;/p&gt;



&lt;p&gt;That is where credential hygiene becomes central. Training staff to avoid weak or reused passwords is useful, but it becomes much more effective when supported by tools that reduce reliance on memory and make secure credential use easier in practice. We also cover this broader preventive mindset in our guide to &lt;a href=&quot;https://proton.me/blog/data-breach-prevention-for-businesses&quot;&gt;data breach prevention for businesses&lt;/a&gt;, which emphasizes the role of practical controls in reducing avoidable exposure.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;The role of tooling in reducing human risk&lt;/h2&gt;



&lt;p&gt;Security awareness is only part of the picture. People are far more likely to follow secure practices when those practices fit naturally into the way they work. If the safest option is also the easiest one to use, adoption is much more consistent. If it feels slow, awkward, or hard to use, even well-intentioned employees will start looking for shortcuts.&lt;/p&gt;



&lt;p&gt;&lt;a href=&quot;https://proton.me/blog/how-do-password-managers-work&quot;&gt;Password management&lt;/a&gt; is one of the clearest examples. Organizations often tell staff to create strong, unique passwords, use 2FA, and avoid sharing. But unless employees are given a practical way to do that, the instruction remains aspirational. They fall back on memorable, easy passwords, browser storage, spreadsheets, notes apps, or messaging tools because those options feel faster in the moment.&lt;/p&gt;



&lt;p&gt;A &lt;a href=&quot;https://proton.me/business/pass&quot;&gt;business password manager&lt;/a&gt; helps close that gap. Proton Pass for Business is designed to make secure password creation, storage, and sharing easier across teams, while also giving organizations stronger control over credential practices. These capabilities help employees create and autofill strong, unique passwords, use 2FA across accounts, and protect stored credentials with &lt;a href=&quot;https://proton.me/security/end-to-end-encryption&quot;&gt;end-to-end encryption&lt;/a&gt;.&lt;/p&gt;



&lt;p&gt;That does not replace security awareness training. It reinforces it by making secure behavior easier to follow. Instead of asking staff to remember dozens of complex password rules, you give them a system that supports the behavior you want. That makes good security practice easier to sustain and policy enforcement more achievable.&lt;/p&gt;



&lt;p&gt;The same applies to incident reporting, access control, and onboarding. In these areas, tools are often necessary to give employees a clear process to follow and to give the organization consistent oversight and control. Tooling cannot replace judgement, but it can make secure actions easier, faster, and more consistent in everyday work.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;A practical 6-step framework for launching or improving your security awareness program&lt;/h2&gt;



&lt;p&gt;A security awareness program works best when it is designed as an operating rhythm rather than a single campaign. The framework below can help you get started.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Step 1: Define the specific behaviors you want to change&lt;/h3&gt;



&lt;p&gt;Begin with risk. Identify the behaviors most likely to expose your organization. That may include clicking suspicious links, reusing passwords, sharing credentials informally, failing to report incidents, weak offboarding workflows, or mishandling personal data such as customer or employee information.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Step 2: Prioritize the highest-risk scenarios&lt;/h3&gt;



&lt;p&gt;Not all training topics need equal weight. Focus first on the scenarios most relevant to your organization’s threat profile and operating model.&lt;/p&gt;



&lt;p&gt;For many businesses, that means phishing, credential handling, access control, and incident reporting. The aim at this stage is to focus staff training on the behaviors and scenarios most likely to reduce day-to-day risk.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Step 3: Segment training by role&lt;/h3&gt;



&lt;p&gt;Security awareness is much more likely to change behavior when employees can recognize their own working reality in the training. Different roles create different types of exposure, whether that means handling sensitive records, approving high-risk requests, managing privileged access, or sharing information with external contacts.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;A more effective program reflects those differences instead of giving everyone the same abstract advice. The closer the training is to the decisions people actually face, the easier it becomes to apply in practice.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Step 4: Build a rhythm of reinforcement&lt;/h3&gt;



&lt;p&gt;A one-off annual training session is not enough to change behavior. Use induction, refresher training, short reminders, simulation exercises, and regular communications to keep key messages active. Reinforcement can be lightweight, but it needs to be ongoing.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Step 5: Support training with policy and tooling&lt;/h3&gt;



&lt;p&gt;Training becomes far more credible when employees can see how to apply it in practice. So, make sure policies are clear, easy to find, and written in language employees can actually use. Then support them with features that make secure behavior easier to follow in practice.&lt;/p&gt;



&lt;p&gt;If your policy says staff must use strong, unique passwords and avoid informal sharing, give them a &lt;a href=&quot;https://proton.me/pass/security&quot;&gt;secure password manager&lt;/a&gt; that makes this easier. If your policy says suspicious emails should be reported immediately, make the reporting path obvious and low-friction.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Step 6: Review, measure, and improve&lt;/h3&gt;



&lt;p&gt;A security awareness program should evolve with your business. New tools, role changes, incidents, and types of attack all create new pressure points.&lt;/p&gt;



&lt;p&gt;Review outcomes regularly, update training based on incidents and near misses, and adjust the program when you find recurring weak spots. The goal is not to finish the program, but to make it more effective over time.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;How to measure impact&lt;/h2&gt;



&lt;p&gt;One of the easiest mistakes to make with security awareness training is to measure what is convenient instead of what is meaningful. Completion rates may tell you who watched the training or clicked through the module, but they say very little about whether the program is influencing behavior in the moments that actually carry risk.&lt;/p&gt;



&lt;p&gt;A more useful approach is to look for changes in how people respond to real situations over time. Phishing simulation results can help you understand whether employees are becoming more cautious, more observant, and more likely to question and report suspicious messages.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;Credential-related incidents can show whether risky habits such as password reuse, insecure sharing, or poor account handling are becoming less common. Policy adherence can also reveal whether employees are actually applying the expectations set by the program, rather than simply being exposed to them.&lt;/p&gt;



&lt;p&gt;It is equally important to watch for operational signals. How quickly are suspicious emails or unusual requests being reported? Is MFA being enabled consistently where it should be? Are access rights being revoked promptly during offboarding? Are teams with greater exposure showing stronger judgement in realistic scenarios as the program develops?&amp;nbsp;&lt;/p&gt;



&lt;p&gt;These are often the indicators that show whether awareness is becoming part of how the organization works, rather than remaining confined to a training environment.&lt;/p&gt;



&lt;p&gt;Ultimately, the real test is not whether employees completed the program. It is whether your organization sees fewer avoidable mistakes, better reporting habits, and stronger day-to-day security behavior as a result.&lt;/p&gt;



&lt;p&gt;Proton Pass can help you enforce your organization&amp;#8217;s security policies and monitor the results. Try it for free or &lt;a href=&quot;https://proton.me/business/contact?pd=pass&quot;&gt;get in touch with our team&lt;/a&gt;. &lt;/p&gt;
</content:encoded><category>For business</category><author>Kate Menzies</author></item><item><title>How to prevent and recover from ransomware attacks on small businesses</title><link>https://proton.me/business/blog/ransomware-small-business</link><guid isPermaLink="true">https://proton.me/business/blog/ransomware-small-business</guid><description>Learn how ransomware affects small businesses, the most common attack paths, and the practical steps to prevent incidents and recover safely.</description><pubDate>Thu, 14 May 2026 14:25:44 GMT</pubDate><content:encoded>
&lt;p&gt;Many small business owners still think &lt;a href=&quot;https://proton.me/blog/ransomware-attack&quot;&gt;ransomware attacks&lt;/a&gt; only happen to hospitals, global brands, or public infrastructure. In reality, the ransomware risk facing small businesses is one of the clearest examples of how attackers consistently target organizations with valuable data, limited time, and weaker defenses.&lt;/p&gt;



&lt;p&gt;Recent findings from Proton’s &lt;a href=&quot;https://proton.me/blog/data-breach-observatory-2026&quot;&gt;Data Breach Observatory&lt;/a&gt; show that SMBs are frequently the victims of breaches. They’re also disproportionately represented in the most damaging incidents, including breaches involving high-risk data and large record exposures.&lt;/p&gt;



&lt;p&gt;Ransomware is a &lt;a href=&quot;https://proton.me/business/blog/business-continuity-strategies&quot;&gt;business continuity&lt;/a&gt;, credential security, and data protection problem. The UK government’s Cyber Security Breaches Survey found that 1% of UK businesses identified ransomware incidents in the previous 12 months, up from less than 0.5% in 2024. At national scale, that equates to an estimated 19,000 businesses.&lt;/p&gt;



&lt;p&gt;Despite the rise of ransomware, &lt;a href=&quot;https://proton.me/blog/what-is-phishing&quot;&gt;phishing&lt;/a&gt; is still the most common type of cyberattack. Attackers most frequently get access to business networks through people, credentials, and routine workflows rather than through large-scale cyberattacks. They can essentially use a phishing attack to then launch a larger ransomware attack if they sense a greater payday.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;For a small business, the damage from ransomware can cause significant disruptions to business continuity. Team members lose access to files and can’t continue their work, operations slow or stop, and customers or clients don’t get adequate services. If personal data is compromised, reporting obligations will follow. A practical ransomware strategy for SMBs has to cover both aspects of an attack: prevention and recovery.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;How does ransomware work?&lt;/h2&gt;



&lt;p&gt;&lt;a href=&quot;https://proton.me/blog/what-is-ransomware&quot;&gt;Ransomware&lt;/a&gt; is a type of malware that prevents you from accessing devices or data, usually by encrypting files, and then demands a payment in exchange for decryption. In many cases, attackers now do more than lock files. They also steal data and threaten to leak it if the ransom is not paid, which turns the incident into both an availability crisis and a potential data breach.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;Victims are often instructed to communicate through anonymous email or web pages and to pay in cryptocurrency. For small businesses, that distinction is important because cryptocurrency is anonymous, decentralized, and unregulated by traditional financial institutions: it’s almost impossible to trace payments.&amp;nbsp;&amp;nbsp;&lt;/p&gt;



&lt;p&gt;A ransomware event is not always limited to losing access to files. It may also mean that customer information, employee data, financial records, contracts, or login credentials have already been exfiltrated. Ransomware can lead to loss of timely access to personal data and, where backups are not appropriate or available, even permanent loss.&lt;/p&gt;



&lt;p&gt;The attack chain is usually more ordinary than you might expect. The easy-to-miss incidents that can lead to a ransomware attack include:&amp;nbsp;&lt;/p&gt;



&lt;ul class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;Phishing links being followed.&lt;/li&gt;



&lt;li&gt;Reused passwords being exposed in a data breach.&lt;/li&gt;



&lt;li&gt;Remote access services being left exposed.&lt;/li&gt;



&lt;li&gt;Known vulnerabilities being left unpatched.&lt;/li&gt;
&lt;/ul&gt;



&lt;p&gt;Once an attacker gets access to a business network, they move laterally, escalate privileges, disable recovery paths where possible, and deploy encryption or extortion where it will hurt most. No single tool or solution can prevent ransomware attacks. Instead, organizations must focus on reducing the number of easy paths into their network.&amp;nbsp;&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;Why small businesses are disproportionately targeted&lt;/h2&gt;



&lt;p&gt;Small businesses are attractive &lt;a href=&quot;https://proton.me/business/blog/ransomware-threats-smbs&quot;&gt;ransomware targets&lt;/a&gt; for a simple reason: they hold valuable data that isn’t as well-protected as it should be. Proton’s latest observatory findings show that SMBs account for 63% of breaches tracked since January 2025 and more than 352 million leaked records.&lt;/p&gt;



&lt;p&gt;They also account for 61% of breaches involving high-risk data, with small businesses alone representing 48% of those critical incidents. Among breaches exposing more than 100,000 records, SMBs account for 60%, and small businesses represent 42%.&lt;/p&gt;



&lt;p&gt;Small businesses aren’t careless. In fact, Proton’s &lt;a href=&quot;https://proton.me/business/smb-cybersecurity-report&quot;&gt;SMB Cybersecurity Report 2026&lt;/a&gt; proves that small businesses are trying to improve their cybersecurity. The problem is that their defenses are breaking in real-world conditions. Inconsistent enforcement, human error, shared access habits, and limited internal security capacity are what make small businesses tempting targets. &lt;/p&gt;



&lt;p&gt;In Proton’s survey of 3,000 leaders at companies under 250 employees, 39% said incidents stemmed from human error, and 48% said they did not have a password manager in place.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;Larger companies may have dedicated response teams, segmented environments, tested backup plans, and external incident support already in place. Smaller ones often have one lean IT function, outsourced support, or no dedicated security expert. When the attack hits, the business is forced to make high-stakes decisions while under operational pressure. That pressure is exactly what ransomware operators count on.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;The most common entry points for ransomware in SMBs&lt;/h2&gt;



&lt;p&gt;After examining the studies carried out in the UK, we know that phishing remains the dominant cybercrime vector for businesses. But why? It’s because phishing is often the first step toward credential theft, account compromise, malware delivery, or remote access abuse.&lt;/p&gt;



&lt;p&gt;Weak or reused credentials are another major problem. Small businesses often have shared logins, passwords reused across multiple services, or old accounts that stay active after someone changes roles or leaves. Once attackers obtain one working login, they don’t need to hack into accounts. They can simply sign in.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;From there, a poorly protected admin account, an exposed cloud console, or a remote access point without &lt;a href=&quot;https://proton.me/blog/what-is-two-factor-authentication-2fa&quot;&gt;two-factor authentication&lt;/a&gt; (2FA) can become the bridge into a broader ransomware incident. Realistically, organizations need to deploy 2FA, least privilege access, and regular permission reviews to reduce how easily stolen credentials can be reused and how far malware can spread.&lt;/p&gt;



&lt;p&gt;Unpatched software is another recurring entry point. The NCSC notes that ransomware is increasingly deployed via exposed services such as RDP or unpatched remote access devices, and recommends patching vulnerabilities in remote access and internet-facing systems as soon as patches become available. For SMBs, this is where a missed incident quietly becomes an attack surface.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;How to protect against ransomware: a layered approach&lt;/h2&gt;



&lt;p&gt;There is no single control that can prevent ransomware. The most effective approach is layered and practical.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Start with identity management&lt;/h3&gt;



&lt;p&gt;The data in team members’ accounts needs thorough protection to repel ransomware attacks. Make two-factor authentication mandatory where possible across business-critical accounts, especially email, admin tools, cloud storage, finance platforms, remote access points, and any systems that store customer personal data or other sensitive &lt;a href=&quot;https://proton.me/business/blog/pii&quot;&gt;personally identifiable information&lt;/a&gt; (PII).&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Improve password hygiene&lt;/h3&gt;



&lt;p&gt;Attackers don’t always break into accounts. Often, they log in with stolen or reused credentials. Every business account must have a unique, strong password, and shared access should be replaced with managed, secure credential sharing through a business password manager rather than through spreadsheets, chats, or email.&lt;/p&gt;



&lt;p&gt;Proton’s own SMB report highlights that even businesses with tools in place still often fall back on insecure password-sharing habits. This is exactly where a secure &lt;a href=&quot;https://proton.me/business/pass&quot;&gt;business password manager&lt;/a&gt; like Proton Pass for Business can reduce risk: it helps teams create strong and unique credentials, store them securely, and share access in a controlled, secure way.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Patch management has to be disciplined&lt;/h3&gt;



&lt;p&gt;Security updates for operating systems, apps, VPNs, remote access tools, and boundary devices should be treated as operational essentials, not optional maintenance. Install security updates as soon as possible and enable automatic updates where feasible.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Robust mail and web protection&lt;/h3&gt;



&lt;p&gt;Mail filtering, attachment controls, blocking known malicious sites, and safe browsing protections all reduce the likelihood that ransomware is delivered in the first place. Because phishing is so common, these controls are essential.&amp;nbsp;&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Address human error&lt;/h3&gt;



&lt;p&gt;Even when you’ve implemented security measures and a &lt;a href=&quot;https://proton.me/business/blog/password-policy-template&quot;&gt;password policy&lt;/a&gt;, security awareness training is still necessary. Training helps staff spot suspicious emails and social engineering attempts, but people will still make mistakes.&lt;/p&gt;



&lt;p&gt;Stronger tools or features and access controls should assume that. The NCSC explicitly recommends awareness training, but Proton’s research also points out that training alone does not catch every slip. Good security design reduces the damage when someone does click by making one mistake less likely to become a full-scale incident, whether through 2FA, least-privilege access, stronger email protections, segmented access, or tested backups that support recovery.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Protect recovery before you need it&lt;/h3&gt;



&lt;p&gt;Backups need to be regular, isolated, and tested. The ICO recommends taking the 3-2-1 approach: three copies, on two different devices, with one stored off-site. The NCSC adds an important operational warning: ransomware may have infiltrated your environment before discovery, so backups should be scanned before restoration, and backup systems themselves should be protected.&amp;nbsp;&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;The credential connection: why passwords still matter in ransomware defense&lt;/h2&gt;



&lt;p&gt;It is easy to think of ransomware as malware and forget that passwords play a part in a successful attack. But many ransomware incidents begin with the theft, reuse, or abuse of logins.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;That might mean a staff member reusing a password from another service, a former contractor account remaining active, an admin credential being shared among several people, or an exposed remote access point being protected only by a password. Each of those shortcuts expands the attack surface.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;This is one reason strong credential management belongs inside any ransomware recovery plan and prevention framework. Unique passwords per service reduce the blast radius of one stolen login. MFA makes that stolen password less useful on its own, while centralized credential storage removes the need for insecure workarounds.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;Secure sharing means employees get the access they need through controlled, trackable methods rather than through informal password sharing. Regular review of who has access to what also supports least privilege, which the NCSC recommends as part of limiting lateral movement and spread.&lt;/p&gt;



&lt;p&gt;We’ve written extensively about the &lt;a href=&quot;https://proton.me/blog/ransomware-threats-smbs&quot;&gt;ransomware threats&lt;/a&gt; that SMBs face. Over and over, we see the same thing: attackers are increasingly looking for the businesses that are easier to break, not just the businesses with the biggest names.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;What to do if your small business gets hit&lt;/h2&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;1. Contain the incident&lt;/h3&gt;



&lt;p&gt;If your business is hit, your first priority is containment. Disconnect infected devices from the network, disable compromised accounts if you can identify them, isolate remote access pathways, preserve evidence, and avoid wiping systems too quickly if you may need forensic support later.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;2. Report the incident&lt;/h3&gt;



&lt;p&gt;The NCSC advises UK organizations to report incidents and provides dedicated ransomware guidance for response and recovery. Proton’s guide to &lt;a href=&quot;https://proton.me/blog/incident-response&quot;&gt;incident response&lt;/a&gt; is also a useful reference for structuring the broader decision-making process around containment, investigation, communications, and recovery.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;3. Don’t pay the ransom&lt;/h3&gt;



&lt;p&gt;The NCSC and UK law enforcement do not encourage, endorse, or condone paying ransom demands. They note there is no guarantee you will regain access, your systems may still be infected, you will be funding criminal groups, and you may be more likely to be targeted again.&lt;/p&gt;



&lt;p&gt;The ICO is similarly clear that paying a ransom does not reduce the risk to people and does not safeguard the information. Even if a decryption key is offered, there is no guarantee it will work or that stolen data will not still be leaked.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;4. Start recovery&lt;/h3&gt;



&lt;p&gt;Recovery should focus on slow and secure restoration. That means rebuilding from clean backups, validating that the attack path has been closed, rotating affected credentials, re-enabling access carefully, and documenting what happened. If backups are connected to live systems or have not been tested, this is often where businesses discover a second failure after the first one. A good ransomware recovery plan really starts long before an incident even occurs.&amp;nbsp;&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;UK reporting obligations: when the ICO may need to be involved&lt;/h2&gt;



&lt;p&gt;If a ransomware incident affects personal data, this may be a personal &lt;a href=&quot;https://proton.me/business/blog/data-breach-prevention-uk&quot;&gt;data breach under the UK GDPR&lt;/a&gt;. The ICO explains that loss of access to personal data can itself be a breach where it creates risk to individuals, and that you must notify the ICO without undue delay and, where feasible, within 72 hours if the breach is likely to result in a risk to people’s rights and freedoms. If the risk is high, affected individuals may also need to be informed without undue delay.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;Some organizations still assume that if they restore systems quickly or there is no obvious public leak, reporting is unnecessary. That is not a safe assumption. The ICO’s ransomware guidance explicitly addresses breach notification scenarios and makes clear that the assessment turns on risk to individuals, not just whether stolen files have already surfaced online.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;Ransomware is an SMB problem now&lt;/h2&gt;



&lt;p&gt;Small businesses are being hit by ransomware attacks more and more frequently, and when they are hit, the impact can be severe because attackers exploit their weaknesses. Proton’s latest breach data makes that visible: the threat is measurable, growing, and operationally disruptive.&lt;/p&gt;



&lt;p&gt;The good news is that the fundamentals can do much of the heavy lifting for any SMB. Measures such as using a &lt;a href=&quot;https://proton.me/business/pass&quot;&gt;business password manager&lt;/a&gt; to deploy 2FA and create unique credentials, patching, mail filtering, staff awareness, permission review, tested backups, and incident response planning may not seem flashy on their own, but together they make a meaningful difference. They reduce the chances that a single stolen password, one phishing email, or one exposed remote service escalates into a business-wide outage.&lt;/p&gt;
</content:encoded><category>For business</category><author>Kate Menzies</author></item><item><title>How to change email password on Gmail, Outlook, and Proton</title><link>https://proton.me/blog/how-to-change-email-password</link><guid isPermaLink="true">https://proton.me/blog/how-to-change-email-password</guid><description>Find out how to change your email password and improve email security on Gmail, Outlook, and Proton Mail, including on iPhone and Android.</description><pubDate>Wed, 13 May 2026 17:27:44 GMT</pubDate><content:encoded>
&lt;p&gt;Whether you&amp;#8217;ve noticed suspicious activity in your &lt;a href=&quot;https://proton.me/mail&quot;&gt;email&lt;/a&gt; account or just want to improve your security, this guide shows you how to change your email &lt;a href=&quot;https://proton.me/pass&quot;&gt;password&lt;/a&gt; on some of the most popular services: &lt;a href=&quot;https://proton.me/blog/is-gmail-secure&quot;&gt;Gmail&lt;/a&gt;, &lt;a href=&quot;https://proton.me/blog/outlook-is-microsofts-new-data-collection-service&quot;&gt;Outlook&lt;/a&gt;, and Proton Mail.&lt;/p&gt;



&lt;p&gt;Your email is the master key to your online life. Anyone with access to it can reset the password on every other account tied to that address, such as your bank, social media, or shopping accounts. That’s why a leaked email password is far more dangerous than a leaked Netflix password, and why you should treat &lt;a href=&quot;https://proton.me/mail/security&quot;&gt;email security&lt;/a&gt; as the foundation everything else sits on.&lt;/p&gt;



&lt;p&gt;You should change your email password if:&lt;/p&gt;



&lt;ul class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;You’ve noticed suspicious sign-in activity, especially if no one else has access to your email account.&lt;/li&gt;



&lt;li&gt;A service you use has been involved in a &lt;a href=&quot;https://proton.me/business/pass/breach-observatory&quot;&gt;data breach&lt;/a&gt;.&lt;/li&gt;



&lt;li&gt;You’ve been reusing the same password on multiple websites, which can expose you to &lt;a href=&quot;https://proton.me/blog/what-is-credential-stuffing-attack&quot;&gt;credential stuffing attacks&lt;/a&gt;.&lt;/li&gt;



&lt;li&gt;You clicked a suspicious link or entered your email credentials on a website you later realized might be fake (&lt;a href=&quot;https://proton.me/business/blog/phishing-attacks&quot;&gt;phishing&lt;/a&gt;).&lt;/li&gt;



&lt;li&gt;Your account provider &lt;a href=&quot;https://proton.me/blog/dark-web-monitoring&quot;&gt;warned you that your password appeared in a known leak&lt;/a&gt;.&lt;/li&gt;



&lt;li&gt;You received &lt;a href=&quot;https://proton.me/blog/instagram-leak&quot;&gt;password-reset emails&lt;/a&gt; or security alerts you did not request.&lt;/li&gt;
&lt;/ul&gt;



&lt;p&gt;Changing your email password takes only a few minutes and can be done from your provider’s account settings, not from your mail app.&lt;/p&gt;



&lt;ul class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;&lt;a href=&quot;#gmail&quot;&gt;How to change your email password on Gmail&lt;/a&gt;&lt;/li&gt;



&lt;li&gt;&lt;a href=&quot;#outlook&quot;&gt;How to change your email password on Outlook, Hotmail, or Live&lt;/a&gt;&lt;/li&gt;



&lt;li&gt;&lt;a href=&quot;#proton-mail&quot;&gt;How to change your email password on Proton Mail&lt;/a&gt;&lt;/li&gt;



&lt;li&gt;&lt;a href=&quot;#iphone&quot;&gt;How to change email passwords on iPhone&lt;/a&gt;&lt;/li&gt;



&lt;li&gt;&lt;a href=&quot;#android&quot;&gt;How to change email passwords on Android&lt;/a&gt;&lt;/li&gt;



&lt;li&gt;&lt;a href=&quot;#tips&quot;&gt;Tips for creating a strong email password&lt;/a&gt;&lt;/li&gt;



&lt;li&gt;&lt;a href=&quot;#best-practices&quot;&gt;Best practices for email password security&lt;/a&gt;&lt;/li&gt;



&lt;li&gt;&lt;a href=&quot;#forgot-password&quot;&gt;What to do if you forgot your email password&lt;/a&gt;&lt;/li&gt;



&lt;li&gt;&lt;a href=&quot;#safe&quot;&gt;Keep your email accounts safe&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;



&lt;h2 class=&quot;wp-block-heading&quot; id=&quot;gmail&quot;&gt;How to change your email password on Gmail&lt;/h2&gt;



&lt;p&gt;To change your Gmail password, update it through your Google Account:&lt;/p&gt;



&lt;ol class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;Log in to your Google Account at &lt;a href=&quot;http://myaccount.google.com&quot;&gt;myaccount.google.com&lt;/a&gt;.&lt;/li&gt;



&lt;li&gt;Click &lt;strong&gt;Security and sign-in&lt;/strong&gt; from the left menu.&lt;/li&gt;
&lt;/ol&gt;


&lt;div class=&quot;wp-block-image&quot;&gt;
&lt;figure class=&quot;aligncenter size-full is-resized&quot;&gt;&lt;img width=&quot;406&quot; height=&quot;963&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; src=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_406,h_963,c_scale/f_auto,q_auto/v1778683718/wp-pme/change-google-password-1/change-google-password-1.png?_i=AA&quot; alt=&quot;How to change your Google password&quot; class=&quot;wp-post-137156 wp-image-137310&quot; style=&quot;width:350px&quot; data-format=&quot;png&quot; data-transformations=&quot;f_auto,q_auto&quot; data-filesize=&quot;80 KB&quot; data-optsize=&quot;16 KB&quot; data-optformat=&quot;image/webp&quot; data-percent=&quot;79.5&quot; data-version=&quot;1778683718&quot; data-seo=&quot;1&quot; srcset=&quot;https://res.cloudinary.com/dbulfrlrz/images/f_auto,q_auto/v1778683718/wp-pme/change-google-password-1/change-google-password-1.png?_i=AA 406w, https://res.cloudinary.com/dbulfrlrz/images/w_126,h_300,c_scale/f_auto,q_auto/v1778683718/wp-pme/change-google-password-1/change-google-password-1.png?_i=AA 126w&quot; sizes=&quot;auto, (max-width: 406px) 100vw, 406px&quot; /&gt;&lt;/figure&gt;
&lt;/div&gt;


&lt;ol start=&quot;3&quot; class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;Under &lt;strong&gt;How you sign in to Google&lt;/strong&gt;, click &lt;strong&gt;Password&lt;/strong&gt;.&lt;/li&gt;
&lt;/ol&gt;


&lt;div class=&quot;wp-block-image&quot;&gt;
&lt;figure class=&quot;aligncenter size-full is-resized&quot;&gt;&lt;img width=&quot;982&quot; height=&quot;1231&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; src=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_982,h_1231,c_scale/f_auto,q_auto/v1778683847/wp-pme/change-google-password-2/change-google-password-2.png?_i=AA&quot; alt=&quot;How to change your Google password&quot; class=&quot;wp-post-137156 wp-image-137352&quot; style=&quot;width:500px&quot; data-format=&quot;png&quot; data-transformations=&quot;f_auto,q_auto&quot; data-filesize=&quot;145 KB&quot; data-optsize=&quot;31 KB&quot; data-optformat=&quot;image/webp&quot; data-percent=&quot;78.7&quot; data-version=&quot;1778683847&quot; data-seo=&quot;1&quot; srcset=&quot;https://res.cloudinary.com/dbulfrlrz/images/f_auto,q_auto/v1778683847/wp-pme/change-google-password-2/change-google-password-2.png?_i=AA 982w, https://res.cloudinary.com/dbulfrlrz/images/w_239,h_300,c_scale/f_auto,q_auto/v1778683847/wp-pme/change-google-password-2/change-google-password-2.png?_i=AA 239w, https://res.cloudinary.com/dbulfrlrz/images/w_817,h_1024,c_scale/f_auto,q_auto/v1778683847/wp-pme/change-google-password-2/change-google-password-2.png?_i=AA 817w, https://res.cloudinary.com/dbulfrlrz/images/w_768,h_963,c_scale/f_auto,q_auto/v1778683847/wp-pme/change-google-password-2/change-google-password-2.png?_i=AA 768w&quot; sizes=&quot;auto, (max-width: 982px) 100vw, 982px&quot; /&gt;&lt;/figure&gt;
&lt;/div&gt;


&lt;ol start=&quot;4&quot; class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;Enter your current password to verify your identity.&lt;/li&gt;



&lt;li&gt;Type your &lt;strong&gt;New password&lt;/strong&gt;, confirm it, and click &lt;strong&gt;Change Password&lt;/strong&gt;.&lt;/li&gt;
&lt;/ol&gt;



&lt;p&gt;Google will keep you signed in on the device you&amp;#8217;re using. To sign out everywhere else, go to &lt;strong&gt;Security&lt;/strong&gt; → &lt;strong&gt;Your devices&lt;/strong&gt; and remove any sessions you don&amp;#8217;t recognize.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot; id=&quot;outlook&quot;&gt;How to change your email password on Outlook, Hotmail, or Live&lt;/h2&gt;



&lt;p&gt;If you use a Microsoft account for Outlook, Hotmail, or Live, you can change your password through the Microsoft security portal:&lt;/p&gt;



&lt;ol class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;Go to &lt;a href=&quot;http://account.microsoft.com&quot;&gt;account.microsoft.com&lt;/a&gt; and &lt;strong&gt;Sign in&lt;/strong&gt;.&lt;/li&gt;



&lt;li&gt;Open the &lt;strong&gt;Security&lt;/strong&gt; accordion and click &lt;strong&gt;Change password&lt;/strong&gt;.&lt;/li&gt;
&lt;/ol&gt;


&lt;div class=&quot;wp-block-image&quot;&gt;
&lt;figure class=&quot;aligncenter size-full&quot;&gt;&lt;img width=&quot;1717&quot; height=&quot;984&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; src=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_1717,h_984,c_scale/f_auto,q_auto/v1778684117/wp-pme/change-outlook-password/change-outlook-password.png?_i=AA&quot; alt=&quot;How to change your Outlook password&quot; class=&quot;wp-post-137156 wp-image-137457&quot; data-format=&quot;png&quot; data-transformations=&quot;f_auto,q_auto&quot; data-filesize=&quot;144 KB&quot; data-optsize=&quot;27 KB&quot; data-optformat=&quot;image/webp&quot; data-percent=&quot;81.3&quot; data-version=&quot;1778684117&quot; data-seo=&quot;1&quot; srcset=&quot;https://res.cloudinary.com/dbulfrlrz/images/f_auto,q_auto/v1778684117/wp-pme/change-outlook-password/change-outlook-password.png?_i=AA 1717w, https://res.cloudinary.com/dbulfrlrz/images/w_300,h_172,c_scale/f_auto,q_auto/v1778684117/wp-pme/change-outlook-password/change-outlook-password.png?_i=AA 300w, https://res.cloudinary.com/dbulfrlrz/images/w_1024,h_587,c_scale/f_auto,q_auto/v1778684117/wp-pme/change-outlook-password/change-outlook-password.png?_i=AA 1024w, https://res.cloudinary.com/dbulfrlrz/images/w_768,h_440,c_scale/f_auto,q_auto/v1778684117/wp-pme/change-outlook-password/change-outlook-password.png?_i=AA 768w, https://res.cloudinary.com/dbulfrlrz/images/w_1536,h_880,c_scale/f_auto,q_auto/v1778684117/wp-pme/change-outlook-password/change-outlook-password.png?_i=AA 1536w, https://res.cloudinary.com/dbulfrlrz/images/w_1568,h_899,c_scale/f_auto,q_auto/v1778684117/wp-pme/change-outlook-password/change-outlook-password.png?_i=AA 1568w&quot; sizes=&quot;auto, (max-width: 1717px) 100vw, 1717px&quot; /&gt;&lt;/figure&gt;
&lt;/div&gt;


&lt;ol start=&quot;3&quot; class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;Enter your &lt;strong&gt;New password&lt;/strong&gt;, then click &lt;strong&gt;Save&lt;/strong&gt;.&lt;/li&gt;
&lt;/ol&gt;



&lt;p&gt;To sign out of every other session, go to &lt;strong&gt;Security&lt;/strong&gt; → &lt;strong&gt;Sign-in activity&lt;/strong&gt; and click &lt;strong&gt;Sign out everywhere&lt;/strong&gt;.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot; id=&quot;proton-mail&quot;&gt;How to change your email password on Proton Mail&lt;/h2&gt;



&lt;p&gt;You can &lt;a href=&quot;https://proton.me/support/how-to-change-your-password&quot;&gt;change your Proton Mail password&lt;/a&gt; directly in your account settings:&lt;/p&gt;



&lt;ol class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;Open Proton Mail and go to &lt;strong&gt;Settings → All settings&lt;/strong&gt;.&lt;/li&gt;



&lt;li&gt;In the sidebar, click &lt;strong&gt;Account and password&lt;/strong&gt;.&lt;/li&gt;



&lt;li&gt;Click &lt;strong&gt;Change password&lt;/strong&gt;.&lt;/li&gt;
&lt;/ol&gt;


&lt;div class=&quot;wp-block-image&quot;&gt;
&lt;figure class=&quot;aligncenter size-full&quot;&gt;&lt;img width=&quot;1102&quot; height=&quot;591&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; src=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_1102,h_591,c_scale/f_auto,q_auto/v1778684323/wp-pme/change-proton-mail-password/change-proton-mail-password.png?_i=AA&quot; alt=&quot;How to change your Proton Mail password&quot; class=&quot;wp-post-137156 wp-image-137562&quot; data-format=&quot;png&quot; data-transformations=&quot;f_auto,q_auto&quot; data-filesize=&quot;89 KB&quot; data-optsize=&quot;19 KB&quot; data-optformat=&quot;image/webp&quot; data-percent=&quot;78.6&quot; data-version=&quot;1778684323&quot; data-seo=&quot;1&quot; srcset=&quot;https://res.cloudinary.com/dbulfrlrz/images/f_auto,q_auto/v1778684323/wp-pme/change-proton-mail-password/change-proton-mail-password.png?_i=AA 1102w, https://res.cloudinary.com/dbulfrlrz/images/w_300,h_161,c_scale/f_auto,q_auto/v1778684323/wp-pme/change-proton-mail-password/change-proton-mail-password.png?_i=AA 300w, https://res.cloudinary.com/dbulfrlrz/images/w_1024,h_549,c_scale/f_auto,q_auto/v1778684323/wp-pme/change-proton-mail-password/change-proton-mail-password.png?_i=AA 1024w, https://res.cloudinary.com/dbulfrlrz/images/w_768,h_412,c_scale/f_auto,q_auto/v1778684323/wp-pme/change-proton-mail-password/change-proton-mail-password.png?_i=AA 768w&quot; sizes=&quot;auto, (max-width: 1102px) 100vw, 1102px&quot; /&gt;&lt;/figure&gt;
&lt;/div&gt;


&lt;ol start=&quot;4&quot; class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;Enter your &lt;strong&gt;Current password&lt;/strong&gt;.&lt;/li&gt;



&lt;li&gt;Enter and confirm your &lt;strong&gt;New password&lt;/strong&gt;, then click &lt;strong&gt;Save&lt;/strong&gt;.&lt;/li&gt;
&lt;/ol&gt;



&lt;p&gt;Proton Mail uses &lt;a href=&quot;https://proton.me/learn/encryption/types-of-encryption/what-is-end-to-end&quot;&gt;end-to-end encryption&lt;/a&gt;, so changing your password also re-encrypts your data. Make sure you have your &lt;a href=&quot;https://proton.me/support/set-account-recovery-methods&quot;&gt;recovery method&lt;/a&gt; set up before you change it. Without one, you can lose access to old encrypted messages.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot; id=&quot;iphone&quot;&gt;How to change email passwords on iPhone&lt;/h2&gt;



&lt;ol class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;Open &lt;strong&gt;Settings&lt;/strong&gt;.&lt;/li&gt;



&lt;li&gt;Select your account.&lt;/li&gt;



&lt;li&gt;Go to &lt;strong&gt;Sign-In &amp;amp; Security&lt;/strong&gt;.&lt;/li&gt;
&lt;/ol&gt;


&lt;div class=&quot;wp-block-image&quot;&gt;
&lt;figure class=&quot;aligncenter size-full is-resized&quot;&gt;&lt;img width=&quot;1170&quot; height=&quot;2413&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; src=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_1170,h_2413,c_scale/f_auto,q_auto/v1778685974/wp-pme/change-iphone-password-1/change-iphone-password-1.jpg?_i=AA&quot; alt=&quot;How to change your iPhone password&quot; class=&quot;wp-post-137156 wp-image-137923&quot; style=&quot;width:450px&quot; data-format=&quot;jpg&quot; data-transformations=&quot;f_auto,q_auto&quot; data-filesize=&quot;232 KB&quot; data-optsize=&quot;67 KB&quot; data-optformat=&quot;image/webp&quot; data-percent=&quot;71.1&quot; data-version=&quot;1778685974&quot; data-seo=&quot;1&quot; srcset=&quot;https://res.cloudinary.com/dbulfrlrz/images/f_auto,q_auto/v1778685974/wp-pme/change-iphone-password-1/change-iphone-password-1.jpg?_i=AA 1170w, https://res.cloudinary.com/dbulfrlrz/images/w_145,h_300,c_scale/f_auto,q_auto/v1778685974/wp-pme/change-iphone-password-1/change-iphone-password-1.jpg?_i=AA 145w, https://res.cloudinary.com/dbulfrlrz/images/w_497,h_1024,c_scale/f_auto,q_auto/v1778685974/wp-pme/change-iphone-password-1/change-iphone-password-1.jpg?_i=AA 497w, https://res.cloudinary.com/dbulfrlrz/images/w_768,h_1584,c_scale/f_auto,q_auto/v1778685974/wp-pme/change-iphone-password-1/change-iphone-password-1.jpg?_i=AA 768w, https://res.cloudinary.com/dbulfrlrz/images/w_745,h_1536,c_scale/f_auto,q_auto/v1778685974/wp-pme/change-iphone-password-1/change-iphone-password-1.jpg?_i=AA 745w, https://res.cloudinary.com/dbulfrlrz/images/w_993,h_2048,c_scale/f_auto,q_auto/v1778685974/wp-pme/change-iphone-password-1/change-iphone-password-1.jpg?_i=AA 993w&quot; sizes=&quot;auto, (max-width: 1170px) 100vw, 1170px&quot; /&gt;&lt;/figure&gt;
&lt;/div&gt;


&lt;ol start=&quot;4&quot; class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;Tap &lt;strong&gt;Change Password&lt;/strong&gt;.&lt;/li&gt;
&lt;/ol&gt;


&lt;div class=&quot;wp-block-image&quot;&gt;
&lt;figure class=&quot;aligncenter size-full is-resized&quot;&gt;&lt;img width=&quot;1170&quot; height=&quot;2366&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; src=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_1170,h_2366,c_scale/f_auto,q_auto/v1778685981/wp-pme/change-iphone-password-2/change-iphone-password-2.jpg?_i=AA&quot; alt=&quot;How to change your iPhone password&quot; class=&quot;wp-post-137156 wp-image-137944&quot; style=&quot;width:450px&quot; data-format=&quot;jpg&quot; data-transformations=&quot;f_auto,q_auto&quot; data-filesize=&quot;345 KB&quot; data-optsize=&quot;123 KB&quot; data-optformat=&quot;image/webp&quot; data-percent=&quot;64.5&quot; data-version=&quot;1778685981&quot; data-seo=&quot;1&quot; srcset=&quot;https://res.cloudinary.com/dbulfrlrz/images/f_auto,q_auto/v1778685981/wp-pme/change-iphone-password-2/change-iphone-password-2.jpg?_i=AA 1170w, https://res.cloudinary.com/dbulfrlrz/images/w_148,h_300,c_scale/f_auto,q_auto/v1778685981/wp-pme/change-iphone-password-2/change-iphone-password-2.jpg?_i=AA 148w, https://res.cloudinary.com/dbulfrlrz/images/w_506,h_1024,c_scale/f_auto,q_auto/v1778685981/wp-pme/change-iphone-password-2/change-iphone-password-2.jpg?_i=AA 506w, https://res.cloudinary.com/dbulfrlrz/images/w_768,h_1553,c_scale/f_auto,q_auto/v1778685981/wp-pme/change-iphone-password-2/change-iphone-password-2.jpg?_i=AA 768w, https://res.cloudinary.com/dbulfrlrz/images/w_760,h_1536,c_scale/f_auto,q_auto/v1778685981/wp-pme/change-iphone-password-2/change-iphone-password-2.jpg?_i=AA 760w, https://res.cloudinary.com/dbulfrlrz/images/w_1013,h_2048,c_scale/f_auto,q_auto/v1778685981/wp-pme/change-iphone-password-2/change-iphone-password-2.jpg?_i=AA 1013w&quot; sizes=&quot;auto, (max-width: 1170px) 100vw, 1170px&quot; /&gt;&lt;/figure&gt;
&lt;/div&gt;


&lt;ol start=&quot;5&quot; class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;Authenticate with your current password or Face ID.&lt;/li&gt;



&lt;li&gt;Enter the new password and confirm it.&lt;/li&gt;
&lt;/ol&gt;


&lt;div class=&quot;wp-block-image&quot;&gt;
&lt;figure class=&quot;aligncenter size-full is-resized&quot;&gt;&lt;img width=&quot;1170&quot; height=&quot;1321&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; src=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_1170,h_1321,c_scale/f_auto,q_auto/v1778685987/wp-pme/change-iphone-password-3/change-iphone-password-3.jpg?_i=AA&quot; alt=&quot;How to change your iPhone password&quot; class=&quot;wp-post-137156 wp-image-137965&quot; style=&quot;width:450px&quot; data-format=&quot;jpg&quot; data-transformations=&quot;f_auto,q_auto&quot; data-filesize=&quot;136 KB&quot; data-optsize=&quot;43 KB&quot; data-optformat=&quot;image/webp&quot; data-percent=&quot;68.2&quot; data-version=&quot;1778685987&quot; data-seo=&quot;1&quot; srcset=&quot;https://res.cloudinary.com/dbulfrlrz/images/f_auto,q_auto/v1778685987/wp-pme/change-iphone-password-3/change-iphone-password-3.jpg?_i=AA 1170w, https://res.cloudinary.com/dbulfrlrz/images/w_266,h_300,c_scale/f_auto,q_auto/v1778685987/wp-pme/change-iphone-password-3/change-iphone-password-3.jpg?_i=AA 266w, https://res.cloudinary.com/dbulfrlrz/images/w_907,h_1024,c_scale/f_auto,q_auto/v1778685987/wp-pme/change-iphone-password-3/change-iphone-password-3.jpg?_i=AA 907w, https://res.cloudinary.com/dbulfrlrz/images/w_768,h_867,c_scale/f_auto,q_auto/v1778685987/wp-pme/change-iphone-password-3/change-iphone-password-3.jpg?_i=AA 768w&quot; sizes=&quot;auto, (max-width: 1170px) 100vw, 1170px&quot; /&gt;&lt;/figure&gt;
&lt;/div&gt;


&lt;h2 class=&quot;wp-block-heading&quot; id=&quot;android&quot;&gt;How to change email passwords on Android&lt;/h2&gt;



&lt;p&gt;If you’re using Gmail, you can change your password in your Google Account settings. The exact steps may vary slightly depending on your device.&lt;/p&gt;



&lt;ol class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;Open &lt;strong&gt;Settings&lt;/strong&gt;.&lt;/li&gt;



&lt;li&gt;Tap &lt;strong&gt;Passwords, passkeys and accounts&lt;/strong&gt;.&lt;/li&gt;
&lt;/ol&gt;


&lt;div class=&quot;wp-block-image&quot;&gt;
&lt;figure class=&quot;aligncenter size-full is-resized&quot;&gt;&lt;img width=&quot;906&quot; height=&quot;1848&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; src=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_906,h_1848,c_scale/f_auto,q_auto/v1778684502/wp-pme/change-android-password-1_1376253fa5d/change-android-password-1_1376253fa5d.png?_i=AA&quot; alt=&quot;How to change your Android password&quot; class=&quot;wp-post-137156 wp-image-137625&quot; style=&quot;width:350px&quot; data-format=&quot;png&quot; data-transformations=&quot;f_auto,q_auto&quot; data-filesize=&quot;298 KB&quot; data-optsize=&quot;59 KB&quot; data-optformat=&quot;image/webp&quot; data-percent=&quot;80.1&quot; data-version=&quot;1778684502&quot; data-seo=&quot;1&quot; srcset=&quot;https://res.cloudinary.com/dbulfrlrz/images/f_auto,q_auto/v1778684502/wp-pme/change-android-password-1_1376253fa5d/change-android-password-1_1376253fa5d.png?_i=AA 906w, https://res.cloudinary.com/dbulfrlrz/images/w_147,h_300,c_scale/f_auto,q_auto/v1778684502/wp-pme/change-android-password-1_1376253fa5d/change-android-password-1_1376253fa5d.png?_i=AA 147w, https://res.cloudinary.com/dbulfrlrz/images/w_502,h_1024,c_scale/f_auto,q_auto/v1778684502/wp-pme/change-android-password-1_1376253fa5d/change-android-password-1_1376253fa5d.png?_i=AA 502w, https://res.cloudinary.com/dbulfrlrz/images/w_768,h_1567,c_scale/f_auto,q_auto/v1778684502/wp-pme/change-android-password-1_1376253fa5d/change-android-password-1_1376253fa5d.png?_i=AA 768w, https://res.cloudinary.com/dbulfrlrz/images/w_753,h_1536,c_scale/f_auto,q_auto/v1778684502/wp-pme/change-android-password-1_1376253fa5d/change-android-password-1_1376253fa5d.png?_i=AA 753w&quot; sizes=&quot;auto, (max-width: 906px) 100vw, 906px&quot; /&gt;&lt;/figure&gt;
&lt;/div&gt;


&lt;ol start=&quot;3&quot; class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;Select your account.&lt;/li&gt;



&lt;li&gt;Tap &lt;strong&gt;Google Account&lt;/strong&gt;.&lt;/li&gt;
&lt;/ol&gt;



&lt;figure class=&quot;wp-block-image size-full is-resized&quot;&gt;&lt;img width=&quot;912&quot; height=&quot;991&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; src=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_912,h_991,c_scale/f_auto,q_auto/v1778684657/wp-pme/change-android-password-2/change-android-password-2.png?_i=AA&quot; alt=&quot;How to change your Android password&quot; class=&quot;wp-post-137156 wp-image-137667&quot; style=&quot;width:350px&quot; data-format=&quot;png&quot; data-transformations=&quot;f_auto,q_auto&quot; data-filesize=&quot;113 KB&quot; data-optsize=&quot;20 KB&quot; data-optformat=&quot;image/webp&quot; data-percent=&quot;82.6&quot; data-version=&quot;1778684657&quot; data-seo=&quot;1&quot; srcset=&quot;https://res.cloudinary.com/dbulfrlrz/images/f_auto,q_auto/v1778684657/wp-pme/change-android-password-2/change-android-password-2.png?_i=AA 912w, https://res.cloudinary.com/dbulfrlrz/images/w_276,h_300,c_scale/f_auto,q_auto/v1778684657/wp-pme/change-android-password-2/change-android-password-2.png?_i=AA 276w, https://res.cloudinary.com/dbulfrlrz/images/w_768,h_835,c_scale/f_auto,q_auto/v1778684657/wp-pme/change-android-password-2/change-android-password-2.png?_i=AA 768w&quot; sizes=&quot;auto, (max-width: 912px) 100vw, 912px&quot; /&gt;&lt;/figure&gt;



&lt;ol start=&quot;5&quot; class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;Go to the &lt;strong&gt;Security or Sign-in&lt;/strong&gt; tab.&lt;/li&gt;
&lt;/ol&gt;


&lt;div class=&quot;wp-block-image&quot;&gt;
&lt;figure class=&quot;aligncenter size-full is-resized&quot;&gt;&lt;img width=&quot;909&quot; height=&quot;1618&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; src=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_909,h_1618,c_scale/f_auto,q_auto/v1778684818/wp-pme/change-android-password-3/change-android-password-3.png?_i=AA&quot; alt=&quot;How to change your Android password&quot; class=&quot;wp-post-137156 wp-image-137730&quot; style=&quot;width:350px&quot; data-format=&quot;png&quot; data-transformations=&quot;f_auto,q_auto&quot; data-filesize=&quot;298 KB&quot; data-optsize=&quot;65 KB&quot; data-optformat=&quot;image/webp&quot; data-percent=&quot;78.3&quot; data-version=&quot;1778684818&quot; data-seo=&quot;1&quot; srcset=&quot;https://res.cloudinary.com/dbulfrlrz/images/f_auto,q_auto/v1778684818/wp-pme/change-android-password-3/change-android-password-3.png?_i=AA 909w, https://res.cloudinary.com/dbulfrlrz/images/w_169,h_300,c_scale/f_auto,q_auto/v1778684818/wp-pme/change-android-password-3/change-android-password-3.png?_i=AA 169w, https://res.cloudinary.com/dbulfrlrz/images/w_575,h_1024,c_scale/f_auto,q_auto/v1778684818/wp-pme/change-android-password-3/change-android-password-3.png?_i=AA 575w, https://res.cloudinary.com/dbulfrlrz/images/w_768,h_1367,c_scale/f_auto,q_auto/v1778684818/wp-pme/change-android-password-3/change-android-password-3.png?_i=AA 768w, https://res.cloudinary.com/dbulfrlrz/images/w_863,h_1536,c_scale/f_auto,q_auto/v1778684818/wp-pme/change-android-password-3/change-android-password-3.png?_i=AA 863w&quot; sizes=&quot;auto, (max-width: 909px) 100vw, 909px&quot; /&gt;&lt;/figure&gt;
&lt;/div&gt;


&lt;ol start=&quot;6&quot; class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;Under &lt;strong&gt;How you sign in to Google&lt;/strong&gt;, tap &lt;strong&gt;Password&lt;/strong&gt;.&lt;/li&gt;
&lt;/ol&gt;


&lt;div class=&quot;wp-block-image&quot;&gt;
&lt;figure class=&quot;aligncenter size-full is-resized&quot;&gt;&lt;img width=&quot;912&quot; height=&quot;1743&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; src=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_912,h_1743,c_scale/f_auto,q_auto/v1778684972/wp-pme/change-android-password-4/change-android-password-4.png?_i=AA&quot; alt=&quot;How to change your Android password&quot; class=&quot;wp-post-137156 wp-image-137793&quot; style=&quot;width:350px&quot; data-format=&quot;png&quot; data-transformations=&quot;f_auto,q_auto&quot; data-filesize=&quot;267 KB&quot; data-optsize=&quot;50 KB&quot; data-optformat=&quot;image/webp&quot; data-percent=&quot;81.1&quot; data-version=&quot;1778684972&quot; data-seo=&quot;1&quot; srcset=&quot;https://res.cloudinary.com/dbulfrlrz/images/f_auto,q_auto/v1778684972/wp-pme/change-android-password-4/change-android-password-4.png?_i=AA 912w, https://res.cloudinary.com/dbulfrlrz/images/w_157,h_300,c_scale/f_auto,q_auto/v1778684972/wp-pme/change-android-password-4/change-android-password-4.png?_i=AA 157w, https://res.cloudinary.com/dbulfrlrz/images/w_536,h_1024,c_scale/f_auto,q_auto/v1778684972/wp-pme/change-android-password-4/change-android-password-4.png?_i=AA 536w, https://res.cloudinary.com/dbulfrlrz/images/w_768,h_1468,c_scale/f_auto,q_auto/v1778684972/wp-pme/change-android-password-4/change-android-password-4.png?_i=AA 768w, https://res.cloudinary.com/dbulfrlrz/images/w_804,h_1536,c_scale/f_auto,q_auto/v1778684972/wp-pme/change-android-password-4/change-android-password-4.png?_i=AA 804w&quot; sizes=&quot;auto, (max-width: 912px) 100vw, 912px&quot; /&gt;&lt;/figure&gt;
&lt;/div&gt;


&lt;ol start=&quot;7&quot; class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;Enter your new password and tap &lt;strong&gt;Change password&lt;/strong&gt;.&lt;/li&gt;
&lt;/ol&gt;



&lt;p&gt;Once you’ve updated your password, your device will usually ask you to sign in again. You may also see a message like “Account action required” if your email stops syncing. Enter your new password when prompted.&lt;/p&gt;



&lt;p&gt;If you don’t see a prompt, remove the account and add it again:&lt;/p&gt;



&lt;ol class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;Open &lt;strong&gt;Settings&lt;/strong&gt;.&lt;/li&gt;



&lt;li&gt;Tap &lt;strong&gt;Passwords, passkeys and accounts&lt;/strong&gt;.&lt;/li&gt;
&lt;/ol&gt;


&lt;div class=&quot;wp-block-image&quot;&gt;
&lt;figure class=&quot;aligncenter size-full is-resized&quot;&gt;&lt;img width=&quot;912&quot; height=&quot;1848&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; src=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_912,h_1848,c_scale/f_auto,q_auto/v1778685128/wp-pme/change-android-password-5_137835cd4fa/change-android-password-5_137835cd4fa.png?_i=AA&quot; alt=&quot;How to change your Android password&quot; class=&quot;wp-post-137156 wp-image-137835&quot; style=&quot;width:350px&quot; data-format=&quot;png&quot; data-transformations=&quot;f_auto,q_auto&quot; data-filesize=&quot;299 KB&quot; data-optsize=&quot;58 KB&quot; data-optformat=&quot;image/webp&quot; data-percent=&quot;80.6&quot; data-version=&quot;1778685128&quot; data-seo=&quot;1&quot; srcset=&quot;https://res.cloudinary.com/dbulfrlrz/images/f_auto,q_auto/v1778685128/wp-pme/change-android-password-5_137835cd4fa/change-android-password-5_137835cd4fa.png?_i=AA 912w, https://res.cloudinary.com/dbulfrlrz/images/w_148,h_300,c_scale/f_auto,q_auto/v1778685128/wp-pme/change-android-password-5_137835cd4fa/change-android-password-5_137835cd4fa.png?_i=AA 148w, https://res.cloudinary.com/dbulfrlrz/images/w_505,h_1024,c_scale/f_auto,q_auto/v1778685128/wp-pme/change-android-password-5_137835cd4fa/change-android-password-5_137835cd4fa.png?_i=AA 505w, https://res.cloudinary.com/dbulfrlrz/images/w_768,h_1556,c_scale/f_auto,q_auto/v1778685128/wp-pme/change-android-password-5_137835cd4fa/change-android-password-5_137835cd4fa.png?_i=AA 768w, https://res.cloudinary.com/dbulfrlrz/images/w_758,h_1536,c_scale/f_auto,q_auto/v1778685128/wp-pme/change-android-password-5_137835cd4fa/change-android-password-5_137835cd4fa.png?_i=AA 758w&quot; sizes=&quot;auto, (max-width: 912px) 100vw, 912px&quot; /&gt;&lt;/figure&gt;
&lt;/div&gt;


&lt;ol start=&quot;3&quot; class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;Select the account you want to update.&lt;/li&gt;



&lt;li&gt;Tap &lt;strong&gt;Remove account&lt;/strong&gt;.&lt;/li&gt;
&lt;/ol&gt;


&lt;div class=&quot;wp-block-image&quot;&gt;
&lt;figure class=&quot;aligncenter size-full is-resized&quot;&gt;&lt;img width=&quot;1071&quot; height=&quot;633&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; src=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_1071,h_633,c_scale/f_auto,q_auto/v1778685214/wp-pme/change-android-password-6/change-android-password-6.png?_i=AA&quot; alt=&quot;How to change your Android password&quot; class=&quot;wp-post-137156 wp-image-137899&quot; style=&quot;width:350px&quot; data-format=&quot;png&quot; data-transformations=&quot;f_auto,q_auto&quot; data-filesize=&quot;61 KB&quot; data-optsize=&quot;9 KB&quot; data-optformat=&quot;image/webp&quot; data-percent=&quot;85.1&quot; data-version=&quot;1778685214&quot; data-seo=&quot;1&quot; srcset=&quot;https://res.cloudinary.com/dbulfrlrz/images/f_auto,q_auto/v1778685214/wp-pme/change-android-password-6/change-android-password-6.png?_i=AA 1071w, https://res.cloudinary.com/dbulfrlrz/images/w_300,h_177,c_scale/f_auto,q_auto/v1778685214/wp-pme/change-android-password-6/change-android-password-6.png?_i=AA 300w, https://res.cloudinary.com/dbulfrlrz/images/w_1024,h_605,c_scale/f_auto,q_auto/v1778685214/wp-pme/change-android-password-6/change-android-password-6.png?_i=AA 1024w, https://res.cloudinary.com/dbulfrlrz/images/w_768,h_454,c_scale/f_auto,q_auto/v1778685214/wp-pme/change-android-password-6/change-android-password-6.png?_i=AA 768w&quot; sizes=&quot;auto, (max-width: 1071px) 100vw, 1071px&quot; /&gt;&lt;/figure&gt;
&lt;/div&gt;


&lt;ol start=&quot;5&quot; class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;Add the account again and sign in using your new password.&lt;/li&gt;
&lt;/ol&gt;



&lt;h2 class=&quot;wp-block-heading&quot; id=&quot;tips&quot;&gt;Tips for creating a strong email password&lt;/h2&gt;



&lt;p&gt;A password should be hard for a stranger or a computer to guess, but easy for you to manage.&lt;/p&gt;



&lt;p&gt;&lt;strong&gt;Make it long:&lt;/strong&gt; Aim for at least 12 characters. Longer passwords are harder to crack.&lt;/p&gt;



&lt;p&gt;&lt;strong&gt;Make it unique:&lt;/strong&gt; Don’t reuse passwords across different accounts.&lt;/p&gt;



&lt;p&gt;&lt;strong&gt;Avoid personal information:&lt;/strong&gt; Don’t use names, birthdays, or common words.&lt;/p&gt;



&lt;p&gt;&lt;strong&gt;Make it random or memorable:&lt;/strong&gt; A random password is more secure than a predictable one.&lt;/p&gt;



&lt;p&gt;A &lt;a href=&quot;https://proton.me/pass/password-generator&quot;&gt;password generator&lt;/a&gt; makes all of this easier to manage.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot; id=&quot;best-practices&quot;&gt;Best practices for email password security&lt;/h2&gt;



&lt;p&gt;Changing your password is a great start, but security is about more than just a secret word or phrase. You can make your inbox a much more difficult target by using tools that do the heavy lifting for you:&lt;/p&gt;



&lt;p&gt;&lt;strong&gt;Use a &lt;/strong&gt;&lt;a href=&quot;https://proton.me/pass&quot;&gt;&lt;strong&gt;password manager&lt;/strong&gt;&lt;/a&gt;: Proton Pass can safely create, store, and autofill your passwords across your devices. It has a built-in password generator to help you create unique passwords for all your accounts.&lt;/p&gt;



&lt;p&gt;&lt;strong&gt;Enable &lt;/strong&gt;&lt;a href=&quot;https://proton.me/blog/what-is-two-factor-authentication-2fa&quot;&gt;&lt;strong&gt;two-factor authentication (2FA)&lt;/strong&gt;&lt;/a&gt;: This adds a second layer of security, such as a one-time code sent to your &lt;a href=&quot;https://proton.me/authenticator&quot;&gt;authenticator app&lt;/a&gt;, so a password alone isn’t enough to access your account. &lt;a href=&quot;https://proton.me/support/pass-2fa&quot;&gt;Proton Pass provides 2FA&lt;/a&gt; for every account that supports it, along with a &lt;a href=&quot;https://proton.me/pass/pass-monitor&quot;&gt;Pass Monitor&lt;/a&gt; feature that alerts you to repeated passwords and inactive 2FA.&lt;/p&gt;



&lt;p&gt;&lt;strong&gt;Review active sessions regularly&lt;/strong&gt;: Check where your account is signed in and revoke access from devices or locations you don’t recognize. All Proton Accounts come with a free &lt;a href=&quot;https://proton.me/support/account-monitor-individual-accounts&quot;&gt;account monitor&lt;/a&gt; to help you track active sessions.&lt;/p&gt;



&lt;p&gt;&lt;strong&gt;Keep recovery options up to date&lt;/strong&gt;: Make sure your recovery email address and phone number are current, secure, and belong only to you.&lt;/p&gt;



&lt;p&gt;&lt;strong&gt;Be careful with third-party app access&lt;/strong&gt;: Remove connected apps, browser extensions, or email clients you no longer use or don’t recognize.&lt;/p&gt;



&lt;p&gt;&lt;strong&gt;Watch for phishing&lt;/strong&gt;: Always check the sender, domain, and URL before entering your login details. Avoid signing in from links in unexpected emails. Proton Mail has built-in phishing protection that keeps you safe from known offenders.&lt;/p&gt;



&lt;p&gt;&lt;strong&gt;Keep your devices updated&lt;/strong&gt;: Install security updates for your operating system, browser, email app, and password manager.&lt;/p&gt;



&lt;p&gt;&lt;strong&gt;Use account alerts&lt;/strong&gt;: Turn on notifications for new sign-ins, password changes, recovery changes, and suspicious activity. On Proton paid plans, you can enable &lt;a href=&quot;https://proton.me/support/proton-sentinel&quot;&gt;Proton Sentinel&lt;/a&gt; to prevent account takeovers.&lt;/p&gt;



&lt;p&gt;&lt;strong&gt;Secure your password manager account&lt;/strong&gt;: Use a strong master password and enable 2FA for the password manager itself. You can use &lt;a href=&quot;https://proton.me/authenticator&quot;&gt;Proton Authenticator&lt;/a&gt; to enable 2FA for your Proton Account.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot; id=&quot;forgot-password&quot;&gt;What to do if you forgot your email password&lt;/h2&gt;



&lt;p&gt;If you can’t log in, look for the &lt;strong&gt;Forgot password&lt;/strong&gt; link. Most websites place this link directly under the sign-in box on their login page. Clicking it will usually let you verify your identity using a backup email address or phone number.&lt;/p&gt;



&lt;p&gt;For &lt;a href=&quot;https://proton.me/mail&quot;&gt;Proton Mail&lt;/a&gt;, you may also need your recovery phrase or recovery file to regain access to your encrypted messages.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot; id=&quot;safe&quot;&gt;Keep your email accounts safe&lt;/h2&gt;



&lt;p&gt;A weak or exposed email password can quickly turn into a much bigger security problem. If you’ve received security alerts, reused passwords across websites, or suspect your account may have been &lt;a href=&quot;https://proton.me/blog/check-if-email-leaked&quot;&gt;exposed in a breach&lt;/a&gt;, you should change the affected passwords as soon as possible.&lt;/p&gt;



&lt;p&gt;Changing your password is one of the fastest ways to reduce the risk of someone else accessing your information. Using a password manager like Proton Pass and an end-to-end encrypted email like Proton Mail can help you keep your inbox safe.&lt;/p&gt;
</content:encoded><category>Privacy guides</category><author>Elena Constantinescu</author></item><item><title>Password security: Why breaches still happen</title><link>https://proton.me/business/blog/password-security</link><guid isPermaLink="true">https://proton.me/business/blog/password-security</guid><description>Even with strong passwords and MFA, breaches still happen. See the hidden gaps, common risks, and how to close them effectively.</description><pubDate>Tue, 12 May 2026 13:31:42 GMT</pubDate><content:encoded>
&lt;p&gt;Most people use passwords every day, so it’s easy to forget that they can cause an extraordinary amount of damage if not managed properly. Most teams know they should use strong passwords, avoid reuse, enable &lt;a href=&quot;https://proton.me/blog/what-is-two-factor-authentication-2fa&quot;&gt;two-factor authentication&lt;/a&gt; (2FA), and store credentials securely. But password-related breaches happen every day, not only in large enterprises but also in small teams managing a growing mix of SaaS tools, shared accounts, and fast-moving workflows.&lt;/p&gt;



&lt;p&gt;The problem isn’t a lack of awareness. Many companies, especially SMBs, know about cybersecurity risks but believe they aren’t valuable targets for &lt;a href=&quot;https://proton.me/blog/what-is-phishing&quot;&gt;phishing attacks&lt;/a&gt; or &lt;a href=&quot;https://proton.me/business/blog/ransomware-threats-smbs&quot;&gt;ransomware&lt;/a&gt;. As a result, they don’t look for solutions until it’s too late.&lt;/p&gt;



&lt;p&gt;Another common issue is the gap between knowing the rules and having the right password security systems in place to follow them. When teams are expected to remember too much, move too quickly, and work across too many tools without secure ways to create, store, share, and review credentials, bad habits proliferate.&lt;/p&gt;



&lt;p&gt;This is why breaches still happen. This article explains why passwords remain a common entry point for data breaches, which risks affect small teams most often, which tools and practices help reduce them, and where passkeys and biometric authentication fit into a stronger password security strategy.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;Why are passwords still a leading cause of data breaches?&lt;/h2&gt;



&lt;p&gt;Compromised passwords are one of the easiest ways for attackers to gain access to accounts because they guard so many network entry points. In many modern organizations, employees log in to dozens of systems across email, storage, collaboration, finance, HR, development, and client-facing tools, each of which is a potential entry point for breaches.&lt;/p&gt;



&lt;p&gt;Weak credentials create a wide attack surface, and the more passwords that team members have to manually manage, the more likely they are to use simple and weak passwords, reuse passwords or store them insecurely, or fall for phishing scams.&lt;/p&gt;



&lt;p&gt;There’s data that proves this: &lt;a href=&quot;https://proton.me/business/smb-cybersecurity-report&quot;&gt;Proton’s 2026 SMB cybersecurity report&lt;/a&gt; found that nearly one in four SMBs experienced a cyberattack in the previous 12 months, despite many already investing in tools, policies, and training. In addition, Proton’s &lt;a href=&quot;https://proton.me/business/pass/breach-observatory&quot;&gt;Data Breach Observatory&lt;/a&gt; shows that passwords are exposed in nearly half of reported data breaches, underscoring the scale of credential-related risk.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;How one password becomes a broader security risk&lt;/h3&gt;



&lt;p&gt;Passwords are still an enormous vulnerability because they can be compromised in multiple ways. A password can be easily guessed using a &lt;a href=&quot;https://proton.me/blog/what-is-dictionary-attack&quot;&gt;dictionary attack&lt;/a&gt; if it is weak. Reused passwords can compromise multiple accounts across different services. Passwords are also easily exposed if stored in insecure locations such as &lt;a href=&quot;https://proton.me/blog/spreadsheet-security-business-survey&quot;&gt;spreadsheets&lt;/a&gt; or message threads. Once an attacker has one valid credential, they often don’t need to “hack” anything; they just log in.&lt;/p&gt;



&lt;p&gt;With so many underlying risks, a compromised password is not only an access problem: it’s a visibility issue, a response problem, and often a governance matter. Teams need to know which systems are affected, who had access, whether 2FA was enabled, whether the credential was shared, and whether any secrets/credentials need to be rotated or reviewed.&lt;/p&gt;



&lt;p&gt;Modern guidance reflects that reality. The 2025 &lt;a href=&quot;https://proton.me/blog/nist-password-guidelines&quot;&gt;NIST password guidelines&lt;/a&gt; explicitly note that passwords alone are not phishing-resistant, even though they are still widely used. The document also recommends stronger controls around password length, blocklists, and secure handling, rather than relying on outdated complexity composition rules alone.&lt;/p&gt;



&lt;p&gt;So when we discuss password security, it’s not merely a hygiene issue: it’s one of the most common ways everyday work leads to a real breach.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;What common risks do small teams face with passwords?&lt;/h2&gt;



&lt;p&gt;Usually, small teams experience difficulty with password security because they need to move fast with limited time, scarce IT resources, and a growing set of tools that do not naturally create secure habits.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Password reuse&lt;/h3&gt;



&lt;p&gt;One of the biggest security threats to organizations is password reuse. A team member might use the same or similar password across multiple work accounts simply because it feels memorable and manageable. But if one of those credentials is exposed in a third-party breach, attackers can try it elsewhere. It’s incredibly easy for one leaked password to turn into multiple compromised systems.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Insecure credential storage&lt;/h3&gt;



&lt;p&gt;Another common issue is insecure credential storage. Even teams that are more conscious about security can fall back on familiar habits: passwords saved in browsers, copied into notes, kept in spreadsheets, or dropped into message threads, all increasing the risk of unauthorized access.&lt;/p&gt;



&lt;p&gt;Over time, poor credential storage leads to a loss of control and poor access management throughout an organization. When credentials are stored in scattered places, offboarding becomes inconsistent, audits get harder, and incident response slows down because nobody knows exactly where credentials live.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Lack of visibility&lt;/h3&gt;



&lt;p&gt;Without clear visibility into credential management, many teams don’t have a clear way to answer basic questions like:&lt;/p&gt;



&lt;ul class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;Who still has access to this account?&lt;/li&gt;



&lt;li&gt;Has this password been reused anywhere else?&lt;/li&gt;



&lt;li&gt;Was 2FA enabled?&lt;/li&gt;



&lt;li&gt;Has this credential appeared in a breach?&lt;/li&gt;



&lt;li&gt;How quickly can we identify and change it if something goes wrong?&lt;/li&gt;
&lt;/ul&gt;



&lt;p&gt;Without these answers, password security can only be reactive. Teams only discover weaknesses after a phishing incident, a suspicious login, or even a breach.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Phishing&lt;/h3&gt;



&lt;p&gt;Strong awareness helps, but &lt;a href=&quot;https://proton.me/blog/whaling-spear-phishing&quot;&gt;phishing&lt;/a&gt; remains one of the most common attack vectors. Passwords can still be entered into malicious sites, especially when attackers use convincing login pages or urgency-driven tactics. This is why passwords alone are not enough. Additional security layers like 2FA, passkeys, and secure credential workflows are essential.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Gaps in password and access policies&lt;/h3&gt;



&lt;p&gt;Many small teams rely on informal practices rather than defined policies. People may know they should use strong passwords, but there are often no clear requirements for password length, reuse, rotation, or how credentials should be stored, shared, monitored, and revoked.&lt;/p&gt;



&lt;p&gt;Without a defined &lt;a href=&quot;https://proton.me/business/blog/password-policy-template&quot;&gt;password policy&lt;/a&gt;, credential management becomes inconsistent. Over time, this leads to gaps in security, especially as teams grow and workflows become more complex.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Poor tooling and controls&lt;/h3&gt;



&lt;p&gt;Finally, controls around credential management and security are often inconsistent or nonexistent. As a result:&lt;/p&gt;



&lt;ul class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;2FA is enabled in some systems but missing in others.&lt;/li&gt;



&lt;li&gt;Passwords are handled in an ad-hoc way instead of using approved business tools.&lt;/li&gt;



&lt;li&gt;There is no centralized monitoring for weak, reused, or compromised credentials.&lt;/li&gt;
&lt;/ul&gt;



&lt;p&gt;The result is an ineffective security approach that appears reassuring on the surface but leaves common real-world threats unaddressed. Password security follows the same pattern: awareness exists, but the approach is ineffective.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;Which tools and best practices help prevent password-related breaches?&lt;/h2&gt;



&lt;p&gt;A single control is rarely enough to protect against password-related breaches. Risk is reduced by combining practical measures that prevent weak habits and make secure practices easier to adopt.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Strong, unique passwords&lt;/h3&gt;



&lt;p&gt;Weak passwords are rarely chosen because people think they are ideal. They are used because they are easy to remember and quick to type in across multiple systems.&lt;/p&gt;



&lt;p&gt;Using long, random, and unique passwords for every account helps reduce the risk and impact of password-related breaches.&lt;/p&gt;



&lt;p&gt;Free tools like &lt;a href=&quot;https://proton.me/pass/password-generator&quot;&gt;password generators&lt;/a&gt; and &lt;a href=&quot;https://proton.me/pass/password-strength-tester&quot;&gt;password strength testers&lt;/a&gt; can help to create strong passwords and identify weak credentials. However, strength alone is not enough if passwords are reused across services.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Two-factor authentication (2FA)&lt;/h3&gt;



&lt;p&gt;2FA remains one of the most effective ways to prevent account compromise from stolen passwords, especially in phishing and credential stuffing scenarios, because it adds a second layer of protection in case a password is leaked, guessed, or reused.&lt;/p&gt;



&lt;p&gt;The best password security programs enforce 2FA where possible, especially for email, admin accounts, finance tools, identity systems, and remote access.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Password manager&lt;/h3&gt;



&lt;p&gt;A &lt;a href=&quot;https://proton.me/business/pass&quot;&gt;business password manager&lt;/a&gt; like Proton Pass for Business addresses the core causes of password-related breaches: the need for people to create, remember, and manually type passwords across too many systems.&lt;/p&gt;



&lt;p&gt;Instead of relying on memory, teams can generate strong, unique passwords for every account, store them in encrypted vaults, and autofill them when needed, removing much of the reason to create weak passwords or reuse credentials.&lt;/p&gt;



&lt;p&gt;A business password manager also provides greater access control, an operational need for businesses. Teams will always need secure &lt;a href=&quot;https://proton.me/pass/password-sharing&quot;&gt;password sharing&lt;/a&gt;; the difference is whether that happens within governed, secure workflows or through chat, email, spreadsheets, and copied plain text. When access is managed through a secure system, it can be granted and revoked more reliably.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Strong and enforceable password policies&lt;/h3&gt;



&lt;p&gt;Teams need clear, documented standards that are consistently applied and enforced, including:&lt;/p&gt;



&lt;ul class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;Minimum password length&lt;/li&gt;



&lt;li&gt;Unique passwords for every account, with no reuse across systems&lt;/li&gt;



&lt;li&gt;Approved storage methods&lt;/li&gt;



&lt;li&gt;Secure sharing rules&lt;/li&gt;



&lt;li&gt;Event-based reset policies&lt;/li&gt;



&lt;li&gt;Clear MFA requirements&lt;/li&gt;
&lt;/ul&gt;



&lt;p&gt;A strong &lt;a href=&quot;https://proton.me/business/blog/password-policy-template&quot;&gt;password policy&lt;/a&gt; backed by efficient and user-friendly tools helps turn password security from a personal preference into an organizational standard everyone can adhere to with ease. With a password manager, these policies can be enforced in practice and applied consistently across teams.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Monitoring for compromised passwords&lt;/h3&gt;



&lt;p&gt;Following best credential security practices is only the starting point. Teams also need the ability to know if credentials have been exposed in a breach, or when weak and reused passwords are creating preventable risk across the organization.&lt;/p&gt;



&lt;p&gt;Monitoring provides early visibility. Instead of reacting only after suspicious activity or account compromise happens, teams can quickly identify vulnerable credentials and rotate them before attackers have a chance to gain unauthorized access.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Access control and review&lt;/h3&gt;



&lt;p&gt;Secure access is not only about how strong credentials are. It also depends on who has access, which accounts are shared, whether access remains appropriate, and whether former employees or contractors retain credentials they no longer need.&lt;/p&gt;



&lt;p&gt;That is why effective access control improves security in two ways: by strengthening credentials, and by establishing clear processes for how access is granted, reviewed, and revoked over time.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Ongoing security awareness and training&lt;/h3&gt;



&lt;p&gt;Employees must understand how to identify phishing attempts, why password reuse creates risk, where credentials can and cannot be stored, what tools are approved to use, and how to report suspected activity quickly.&lt;/p&gt;



&lt;p&gt;The key is to treat training and awareness as part of normal operations, not as a checkbox exercise. Password security is stronger when secure habits are built into everyday workflows and reinforced consistently over time.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Passkeys and biometric authentication&lt;/h3&gt;



&lt;p&gt;Alternative methods such as &lt;a href=&quot;https://proton.me/pass/passkeys&quot;&gt;passkeys&lt;/a&gt; and &lt;a href=&quot;https://proton.me/blog/biometric-authentication&quot;&gt;biometric authentication&lt;/a&gt; are becoming increasingly important as part of a modern authentication strategy.&lt;/p&gt;



&lt;ul class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;Passkeys rely on device-bound authentication rather than shared secrets, addressing key weaknesses of passwords, such as phishing and reuse risks.&lt;/li&gt;



&lt;li&gt;Biometric authentication can also improve usability, especially on devices, but is typically used locally to unlock an authentication secret or device rather than being transmitted as the primary secret itself. That makes biometrics useful, but not a direct replacement for all password and access management needs. NIST’s guidance makes this distinction as well when discussing activation secrets and authenticators.&lt;/li&gt;
&lt;/ul&gt;



&lt;p&gt;For most teams today, the question is not whether to use passwords, passkeys, or biometrics. In practice, a layered approach is the answer: 2FA should be used when possible, passkeys should be adopted where supported, and secure password management remains critical, as passwords are still widely used across many systems and are unlikely to disappear anytime soon.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;How does effective password management improve security and compliance?&lt;/h2&gt;



&lt;p&gt;Password security is typically framed in terms of breach prevention, but that is only part of the picture. Effective password management also strengthens governance, improves audit readiness, and makes day-to-day operations more efficient by ensuring access can be reviewed, updated, and revoked as needed.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Stronger day-to-day security&lt;/h3&gt;



&lt;p&gt;Security benefits are immediate. Unique passwords limit lateral movement from reuse, encrypted vaults prevent accidental exposure, and easy, secure sharing eliminates the need to send secrets through unsafe channels. Monitoring helps identify exposed credentials early, while MFA makes it less likely that a stolen password leads to account takeover.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Better operational control&lt;/h3&gt;



&lt;p&gt;Effective credential management provides greater control across onboarding, offboarding, role changes, contractor access, and incident response. When teams know where credentials are stored, who can access them, and how to quickly rotate them, they can respond faster and more precisely when something goes wrong.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Improved support for compliance&lt;/h3&gt;



&lt;p&gt;Most frameworks and customer security reviews go beyond asking whether a company uses strong passwords. They require evidence that:&lt;/p&gt;



&lt;ul class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;Credentials are managed securely&lt;/li&gt;



&lt;li&gt;Access is consistently reviewed&lt;/li&gt;



&lt;li&gt;Sharing is secure and controlled&lt;/li&gt;



&lt;li&gt;Access can be revoked&lt;/li&gt;



&lt;li&gt;Risky behaviors can be addressed&lt;/li&gt;
&lt;/ul&gt;



&lt;p&gt;A business password manager helps establish the repeatable controls that auditors and customers require, strengthening organizational &lt;a href=&quot;https://proton.me/blog/cybersecurity-compliance&quot;&gt;compliance&lt;/a&gt;.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;How does Proton Pass for Business help reduce password-related breach risk?&lt;/h2&gt;



&lt;p&gt;Password-related breaches usually happen when teams need to manage too many credentials without a secure, centralized system. This leads to the same familiar issues: password reuse, insecure storage, informal sharing, limited traceability, and inconsistent access control.&lt;/p&gt;



&lt;p&gt;Proton Pass for Business reduces this risk by giving teams a secure way to create, store, and manage credentials. Instead of relying on browsers, spreadsheets, notes, or chat threads, teams can generate strong, unique passwords, store them in encrypted vaults, and share access using secure and controllable workflows.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Stronger passwords, used consistently&lt;/h3&gt;



&lt;p&gt;One of the most immediate benefits is reducing password reuse. When unique credentials are easy to generate and retrieve, teams are much less likely to fall back on repeated or slightly modified passwords across accounts.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Better visibility and control over access&lt;/h3&gt;



&lt;p&gt;Proton Pass for Business centralizes credentials in a managed environment, making access easier to review and control. Teams gain visibility into who has access, which credentials are shared, and what needs to be updated or revoked after a role change or suspected compromise.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Safer sharing for collaborative teams&lt;/h3&gt;



&lt;p&gt;Small teams often need to hand over access quickly, especially across operations, vendors, and shared tools. However, when this sharing occurs through insecure channels, risk arises. With secure and controlled sharing workflows, businesses can reduce that exposure while making access changes easier to manage and control.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Stronger support for policy enforcement&lt;/h3&gt;



&lt;p&gt;A password policy is much easier to implement when tools enforce the behavior they require. Proton Pass for Business helps teams put rules around password strength, sharing, 2FA adoption, and credential review into practice, rather than relying on memory or informal habits.&lt;/p&gt;



&lt;p&gt;This is one of the benefits of a business password manager. It can’t eliminate all authentication risks, but it directly addresses many of the causes that lead to password-related breaches.&lt;/p&gt;
</content:encoded><category>For business</category><author>Ben Wolford</author></item></channel></rss>