The Proton Blog

How to improve password manager adoption for teams

Ben Wolford — Fri, 19 Jun 2026 16:23:22 GMT

Business password manager adoption isn’t automatic. A company can choose the right solution, pay for the seats, announce the rollout, and still end up with employees saving passwords in browsers, sharing credentials through chat, or writing down passwords.

The real implementation problem comes after the purchase decision. Once an IT manager, COO, or founder invests in a business password manager, setup is just the first part of the work. Adoption is what determines whether the investment will be able to change daily behavior.

If you want adoption, your business password manager needs to make work easier. Team members still need to protect and remember their primary password, but they should be pleased to no longer have to carry the full burden of everyday credential management on memory or bad habits alone. If the rollout feels like another security task added to an already busy day, that’s adoption can stall.

We’ll explain why password manager adoption fails, how to choose a password manager your team will actually use, and how to roll it out in a practical way. It also covers what IT teams can measure, what policies can and can’t enforce, and how Proton Pass for Business helps make adoption easier across small and growing teams.

Why password manager adoption fails

The 3 barriers to password manager adoption

How to choose a password manager your team will actually use

How Proton Pass for Business supports team adoption

Practical steps for rolling out a password manager

How to measure password manager adoption

Why password manager adoption fails

Employees don’t avoid password managers because they want to weaken your security. They avoid them because their current habits already help them get through the day.

Browser-saved passwords, reused credentials, notes, spreadsheets, and old message threads all feel faster and more convenient than learning a new process, even though they create risk. If a password vault is introduced only as a policy enforcement tool rather than as something that actually makes their daily work easier, employees may see it as one more task to manage.

Adoption becomes easier when the rollout connects security to convenience. Messaging really matters at this point: you need to impress upon your team members that this will help them log in faster, create stronger passwords without extra effort, and share securely without digging through chats or documents.

The three barriers to password manager adoption

Password manager adoption usually runs into some barriers: inertia, learning effort, and skepticism.

1. Inertia: people already have a system

Old habits cause inertia, which prevents picking up a new tool. Employees may already rely on browser-saved or reused passwords, personal password managers, spreadsheets, or informal team practices.

These systems are risky, but they feel familiar. Moving to a company-approved password manager asks people to change where they store credentials, how they share access, and how they log in. Even a solution that’s better than what they currently use can feel disruptive if the rollout doesn’t explain what changes and why.

This is why password manager onboarding for a team should begin with practical migration support. Show employees how to import passwords, clean up duplicates, save new logins, use autofill, and organize credentials in vaults. The faster people see their daily logins become easier, the faster the old system loses its appeal.

2. Learning effort: a new solution needs a clear first use

A password manager can be simple, but it is still a new workflow. Employees need to understand where passwords live, how autofill works, how to generate a password, how to share access safely, and what to do when something does not work.

Long training sessions are rarely the answer. Short, task-based onboarding works better. For example:

Save your first work password.
Generate a new password for one account.
Use autofill to log in.
Share one credential through a managed vault.
Turn on two-factor authentication for your password manager account.

This gives employees a first useful experience instead of a long explanation.

3. Skepticism: employees need to know what problem it solves

Some employees may wonder why they need a password manager at all. They may believe their passwords are already strong, that browser storage is enough, or that password security is mainly an IT issue.

The rollout should answer that skepticism without blaming people. Show them that business access has become too complex to manage safely by memory or informal habits alone.

If you need educational resources, this guide to why you need to use a business password manager is helpful for explaining that business password managers give administrators oversight and help employees access and share information more securely. That is the adoption message that gets through to people: this password manager means better security and easier daily access.

How to choose a password manager your team will actually use

Adoption starts before rollout. If the new password manager is difficult to understand, slow to set up, or disconnected from how employees work, usage will suffer. A good business password manager should reduce security risk, make everyday access easier, and stay simple enough for employees to use confidently.

Here are the criteria that matter most for password manager adoption.

Easy onboarding

Employees should be able to start using the password manager quickly. Look for simple account setup, clear migration from browsers or other solutions, straightforward vault organization, and training materials that don’t require deep security knowledge.

Autofill that works in daily tools

Autofill is one of the strongest adoption drivers because employees immediately feel the convenience. If the password manager helps them log in faster, they have a reason to keep using it.

A password manager for employees should work across browsers, devices, and the tools people use every day. If employees constantly need to copy and paste credentials manually, old habits may return.

Secure sharing that replaces chat-based sharing

Many businesses rely on shared accounts, especially for vendor tools that don’t support individual accounts or role-based access. Shared access is sometimes unavoidable, but passwords should not move through email, chat, tickets, screenshots, or documents.

A business password manager gives teams a safer way to handle that access. Credential access can be shared through vaults, limited to the right people, and revoked when someone changes roles or leaves.

Admin visibility without heavy overhead

IT teams need enough visibility to manage adoption and reduce risk. That includes usage reporting, logs, user management, vault access, and policy controls. With that visibility, password management becomes an active security tool that helps teams spot gaps, guide rollout, and reduce unmanaged access risk. This helps you understand whether the rollout is working, which teams need more support, and where credentials may still be unmanaged.

Strong security model

Usability shouldn’t come at the expense of trust. A password manager stores sensitive business access, so teams need to understand how credentials are protected, who can access them, and whether the vendor’s security claims can be verified. For a business, this means looking for encryption, transparent security practices, admin controls, and a clear model for shared access.

How Proton Pass for Business supports team adoption

When your business starts comparing password managers for adoption, all of the criteria we listed above have to be taken into consideration. The solution also needs to fit daily work, encourage real adoption, and give IT enough control without creating more manual work.

Proton Pass for Business is a business password manager that supports that transition by replacing scattered password habits with a system employees can use every day. Teams can generate strong, unique passwords, store them in encrypted vaults, use autofill, enable 2FA, store time-based one-time password (TOTP) codes where appropriate, and share access securely instead of sending credentials through chat, email, or documents.

A secure password manager for IT teams supports centralized user management, secure sharing, detailed activity logs, SCIM provisioning, SSO integrations, enterprise-wide security policy enforcement, 2FA enforcement, and password health monitoring. Together, these features help teams scale deployment, manage access changes, reduce password sprawl, and avoid tracking credentials manually.

For small and growing teams, adoption often fails when security features feel heavier than the problem they solve. Proton Pass gives employees a simpler way to handle passwords, while administrators gain clearer oversight of how work credentials are stored and shared.

A password manager is only valuable if people use it. Proton Pass for Business gives teams the security features they need for a secure foundation, but adoption still depends on rollout quality: clear policies, practical training, champion users, measurable usage, and a solution that makes secure behavior easier than the workaround it replaces.

How to frame the adoption process

The way you introduce a password manager shapes how people respond to it. If it sounds like another security requirement, employees may expect more work. If it sounds like one place for work passwords, faster logins, and safer sharing, the value is much easier to see.

Lead with the practical benefit: fewer passwords to remember, fewer password resets, faster access with autofill, strong passwords without manual effort, and no need to send credentials through chat or old message threads.

Data breach protection is essential, but it should not feel like a burden placed on employees. The password manager exists to remove an unrealistic expectation: asking employees to manage hundreds of unique work credentials through memory alone.

That message is especially important for smaller teams, where people often move quickly, share responsibilities, and adopt solutions before formal IT processes exist.

Practical steps for rolling out a password manager

Rolling out a password manager is part technical setup, part change management. The goal is to make the first few weeks clear, useful, and easy to follow.

Step 1: Start with a password and access audit

Before inviting the whole team, map the current password situation within your business. Identify where credentials live, which shared accounts exist, which teams rely on browser storage, and which tools create the highest risk.

Prioritize accounts tied to email, finance, customer data, cloud storage, admin tools, and shared operational systems. These should move into your new password manager first.

This audit doesn’t need to be perfect, it just needs to reveal the main risks and quick wins.

Step 2: Set a clear password policy

A password manager works best when it is supported by a clear password policy. Employees should know which credentials must be stored in the company password manager, when to generate new passwords, how sharing should work, and what is not allowed. A policy gives the rollout structure, but it should be realistic enough for employees to follow.

Step 3: Pilot with champion users

Start with a small group before rolling out to everyone. Choose people from IT, operations, finance, sales, or client-facing teams who use multiple tools and can give practical feedback.

These champion users can test onboarding, identify confusing steps, and show other team members how the password manager helps in real workflows. And the goal of a pilot is not only to find bugs, but also to create internal examples of successful adoption.

Step 4: Train in short, practical sessions

Keep training short and focused on real tasks. A 20-minute session that helps employees save, generate, autofill, and share credentials is more useful than a long security lecture.

Training should answer:

How do I save a work password?
How do I generate a strong password?
How do I use autofill?
How do I share access securely?
What should I do if I lose access?
Which passwords must be moved first?

Record the session or turn it into a short internal guide so new hires can follow the same process later.

Step 5: Create quick-win use cases

Adoption improves when employees feel the benefit immediately. Start with use cases that solve existing pain.

Examples include:

Move shared vendor logins into a team vault
Replace chat-based password sharing with secure sharing
Generate new passwords for the most reused accounts
Store backup TOTP codes in an approved secure location
Use autofill for the five most common business tools

Quick wins make the password manager part of everyday work instead of a security project people only think about once.

Step 6: Build it into onboarding and offboarding

Password manager adoption will stall if it is rolled out as a one-time deployment with no follow-up. Add it to employee onboarding so every new hire learns the approved process from day one.

Offboarding is just as important. When someone leaves, admins should revoke access, transfer ownership where needed, remove vault permissions, and rotate shared credentials if appropriate.

This is where a business password manager setup becomes an operational control, not just a convenience solution.

How to measure password manager adoption

You can’t improve adoption if you just announce the new solution and hope that people will use it. IT teams can use simple metrics that show whether the password manager is becoming part of daily work.

Useful adoption metrics should track not only whether employees are logging in, but whether they are using the password manager in safer ways over time, including stronger password practices, secure sharing, and 2FA enrollment:

Active users: How many invited employees are using the password manager regularly?
Vault usage: How many credentials are stored in approved work vaults?
Password health: Are employees using the password manager to generate and store unique, strong passwords instead of reusing weak or familiar ones?
Secure sharing: Are shared credentials moving out of chats and documents?
2FA enrollment: Have employees enabled two-factor authentication on their password manager accounts and other high-risk work accounts where required?
High-risk account coverage: Are admin, finance, email, and customer systems stored and managed properly?
Offboarding completion: Are vault permissions and shared credentials reviewed when someone leaves?

These metrics should be used to support adoption, not shame employees. Low usage may mean training was unclear, autofill is not working as expected, or employees do not know which credentials they need to move.

Outlook attachment size limit: How to send large files via email

Alanna Alexander — Thu, 18 Jun 2026 17:27:41 GMT

Nothing wrecks an organized day faster than a stuck email with an oversized attachment. When a deadline is approaching, the last thing you want is to be troubleshooting how to send an email with an attachment that exceeds the allowable size limit.

This guide covers what Outlook’s attachment limits actually are, what happens when you hit them, and how to send your large files without the headache.

What is the Outlook attachment size limit?

Outlook’s attachment size limit depends on which version of the service you’re using. Here’s a simple breakdown:

Outlook for Microsoft 365	35 MB per email
Outlook 2013-2024	20 MB per email
Personal Outlook accounts	25 MB per email
School or work Outlook accounts	25 MB per email
Exchange (on-premises)	10 MB per email

This limit covers your entire email, from your attachments to your message, and any embedded images. Even if your email looks like it’s under the limit, it may still get blocked as emails sometimes increase in size as they get delivered, or if your recipient’s email server has a lower cap.

What happens when you hit the size limit?

If you’ve attached a file that blows through the attachment size limit, Outlook will stop the message from sending and give you an error message like:

The attachment size exceeds the allowable limit.

Sometimes, Outlook doesn’t flag the problem up front. Microsoft servers sometimes reject your email and send you a bounce-back notification after you hit send. By the time the bounce-back lands in your inbox, it may already be too late.

For businesses, that could mean a contract never gets sent and falls through instead, and on a personal level, it could mean your job application never made it to the recruiter before the deadline.

Can you increase the Outlook attachment size limit?

Technically, yes, but you need to be comfortable with technical settings. On a Windows device, you can raise the limit of a personal Outlook account by editing the Windows Registry — but we’d recommend against this unless you really know what you’re doing, as changes can affect your computer.

If you’re using a Microsoft 365 or Exchange account, the limit is controlled at the server level, so your IT administrator is the only one who can change it.

That said, this isn’t a reliable fix. Your recipient may not be able to receive your file if their email service doesn’t support large attachments. For most people, finding a smarter way to send large files is the more practical route; let’s explore.

How to send large files via email

If Outlook’s file size limit is getting in the way, you still have a few good options.

Compress your files

Compressing files into a .zip folder reduces their overall size and keeps everything tidy in one place. You can compress files right from your Windows or Mac, so there’s nothing extra to install:

On Windows: Right-click → Send to → Compressed (zipped) folder
On Mac: Control-click → Compress

This method works well for documents and folders, but it has limits. Already-compressed formats like JPEGs and MP4s won’t shrink much, and much larger files won’t compress their way under Outlook’s limit.

For businesses, compression alone rarely cuts it, and for personal use, compressing photos and videos can lead to quality loss.

Pros:

Works offline and without third-party tools
Multiple files and folders can be packed into a single .zip file

Cons:

Makes little difference for large or already-compressed files
Compression can potentially degrade the quality of some files
The privacy of your .zip files is limited by the security model of your email provider

Use a file transfer service

File transfer services let you upload a file and share a download link instead of attaching anything directly. They’re quick to use, and most don’t require an account to get started.

But their tradeoffs are worth knowing upfront. On free tiers, you have no visibility into what happens after you hit send — you can’t see who downloaded your file or revoke access if it went to the wrong person. Some services also decrypt files on their servers before re-encrypting them, meaning your data briefly exists in an unprotected state, giving the service access to it.

For businesses in regulated sectors, this can create real compliance issues with regulations like GDPR or HIPAA. For personal use, it’s worth knowing your files may pass through servers where third parties have some level of access.

Pros:

Quick and simple, with no account required on most services
Generous size limits even on free tiers

Cons:

No way to track downloads or revoke access after sending
Encryption standards vary and may not meet compliance requirements
Password protection is typically reserved for paid plans

Use cloud storage

Using cloud storage to share files means simply uploading a file, generating a shareable link, and dropping it into your email; no attachment size limits to worry about.

For Outlook users already in the Microsoft ecosystem, OneDrive is the natural starting point. It integrates directly with Outlook and makes sharing straightforward, though its free storage is limited and shared across your Microsoft account, and you’re subjected to Microsoft’s data collection policies. This can give pause, especially when sharing personal and confidential files.

When looking for a OneDrive alternative, it’s worth thinking about how your data is handled. Some platforms, like OneDrive, can access the files you store with them, while others protect your files with end-to-end encryption so that only you and the people you share with can see them.

For businesses, working with a non-compliant provider can expose your organization to regulatory penalties and reputational damage. For personal users, the question is simpler but still worth asking: do you want your provider to use your files for their own purposes?

Pros:

Bypass attachment size limits with sharing links
Links stay current even if you update the original file
Some providers offer end-to-end encryption and advanced sharing controls

Cons:

Privacy and security vary significantly between providers
Free storage tiers tend to be limited and fill up quickly
Misconfigured sharing permissions can expose files to unintended recipients

Securely send large files via email with Proton Drive

When Outlook blocks your attachment, Proton Drive gets your file to your recipient without compromise — no size or format restrictions, and no quality compression.

For any business that cares about privacy and access control, most sharing options come with caveats. Proton Drive is different. We protect all your files with end-to-end encryption, so only you and the people you share with can access them, not even Proton can.

You can password-protect links, set expiry dates, track downloads, and revoke access at any time, giving you full control over who can access your files and for how long. And because Proton is based in Switzerland, your data is protected by some of the world’s strictest privacy laws.

For businesses, Proton Drive supports compliance with regulations like HIPAA and GDPR, making it a dependable choice for regulated industries. For everyone else, it’s simply a more private and secure way to share files online.

You can get started with 5 GB of storage for free

World Cup 2026: How to avoid scams, phishing, and fake ticketing websites

Nihad Chabroud — Wed, 17 Jun 2026 18:14:04 GMT

The 2026 World Cup is in full swing in the United States, Mexico, and Canada, with 48 teams and 104 matches until July 19. But for cybercriminals, the tournament began well before kickoff.

More than 13,000 domain names linked to the World Cup have reportedly been registered within five months, with about 9% considered suspicious or malicious. More than 270,000 compromised credentials have already been reported in connection with scams targeting ticketing, fake websites, and platforms used by fans.

The zLabs research team (Zimperium) has identified three major mobile phishing campaigns exploiting this excitement:

Fake ticket-selling websites
Fake promotions for official jerseys
Fraudulent job offers posted in the name of FIFA

Scammers vs. fans: Who is in the lead?

A group nicknamed Ghost Stadium by researchers is reportedly operating more than 300 phishing pages on its own that imitate the FIFA login screen. Some of these pages go as far as loading visuals directly from official servers to appear genuine.

Thousands of fake World Cup 2026 ticketing websites imitating the official platform have also been recorded, as well as fake accounts on social media, notably on Facebook and Instagram.

Fraudulent streaming, the 4th type of threat

Streaming applications have become one of cybercriminals’ favorite playgrounds. Behind pirated streaming applications that claim to broadcast matches live, some actually conceal Android banking trojans, such as:

Massiv, spotted in February 2026 and active in France, Spain, Portugal, and Turkey.
BTMOB, detected in May 2026 and offered as a turnkey service that lowers the technical barrier for cybercriminals.

These fake services replicate the interface of legitimate platforms while capturing banking credentials and keystrokes.

How to stay safe while enjoying the 2026 World Cup

Each threat calls for a different response. Here are some tips you can follow to stay safe while watching the 2026 World Cup:.

Secure your online transactions

Ticket purchases and peer-to-peer resale are prime opportunities for scammers to harvest your banking data.

1. Against fake FIFA tickets and fraudulent resale

Buy your tickets only on the official FIFA website and systematically verify the URL before entering your payment information. For peer-to-peer resale, favor payment by bank card with validation (SMS code or banking app) rather than a wire transfer or gift card, which are impossible to recover once sent.

With Proton Pass, you can generate a different email alias for each account created on a ticketing or resale website, to limit exposure of your primary address in case of a leak, and create a unique, strong password for each account.

2. Against mobile phishing (SMS, WhatsApp, social media)

For better World Cup 2026 mobile security, do not click on links received by SMS or WhatsApp claiming to be from FIFA or official sponsors, and never share this type of link with your contacts to “unlock” a gift or offer.

Proton Mail automatically flags suspicious senders and spoofing attempts in your email, allowing you to spot these fraudulent messages before responding. In addition, you can enable two-factor authentication (2FA) on your sensitive accounts with Proton Pass: Even if a password leaked, your accounts remain protected thanks to this second layer of security.

Protect your downloads and streaming

1. Against fake streaming applications

Only download apps from official stores (Google Play, App Store) and beware of applications promising free access to matches outside recognized platforms.

If your usual broadcaster is inaccessible from abroad, Proton VPN allows you to maintain that access and enjoy your subscription, rather than turning to an unofficial website or application. You can thus watch the entire World Cup via streaming securely and privately with a VPN, in your own language, just as you would at home — wherever you are.

2. Against public WiFi risks

Public WiFi networks in hotels, airports, or fan zones can expose your data through fraudulent access points. Proton VPN allows you to encrypt your connection on these networks to secure your access in all circumstances.

Avoid World Cup 2026 scams with Proton VPN

The World Cup remains an unmissable sporting event that brings together fans from around the world. The constant evolution of new technologies and their exploitation by cybercriminals should not stop you from lifting the trophy.

Proton is offering up to 70% off for all 2026 World Cup supporters! Put on the jersey and take to the field securely and confidentially throughout the tournament and beyond.

Get 70% off Proton VPN

For journalists covering the 2026 World Cup, security starts before you travel.

An introduction to cloud document management

Alanna Alexander — Wed, 17 Jun 2026 17:18:44 GMT

Moving documents to the cloud can simplify how your team stores, finds, and shares files. But without the right setup, you could find that the process quickly becomes messy.

Duplicate files, unclear ownership, and stale permissions get carried over from your existing systems.

In this guide, you’ll learn about cloud document management and the best practices for organizing your documents in the cloud so that your team can find, share, and control access to files more effectively.

If you’re wondering what document management is more broadly, check out our guide to document management.

What is cloud document management?

Cloud document management is a system that adds structure and control to your cloud storage solution.

Business cloud storage services like Proton Drive, Dropbox, and Google Drive give you a place to store and consolidate files online. The process of defining the rules of how documents are stored, shared, named, and worked on is what makes those document management systems effective.

Without clear structure and strong controls, your team spends more time searching for files, risks sharing the wrong information, and loses visibility over who can access sensitive data.

Why do businesses need a cloud document management system?

Managing documents effectively in a cloud-based environment enables you to:

Work from anywhere: When documents are stored in the cloud, work can continue even when someone isn’t at their desk or on the right device. This way, your team can work efficiently, and no one’s blocked waiting for a forwarded file.

Keep sensitive data safe and compliant: A centralized cloud system lets you apply consistent access controls, encryption, and audit logging across everything — from internal HR policies to client’s financial data. That consistency is what auditors look for and what regulators expect.

Scale as your needs grow: Document volume tends to grow unpredictably as new products are launched and audits loom. Cloud systems let you scale without paying for capacity you don’t use yet or provisioning new infrastructure.

Collaborate from the same version: Cloud-based systems often include online document editors that let your teams work together on a single file. This eliminates version confusion and the risk of someone working from an outdated contract.

A note on prioritizing security over convenience

Businesses move documents to the cloud to make them easier to access and share. But too often, security becomes a secondary concern, which can lead to data exposure or compliance risks.

Review how your provider handles encryption and where data is stored. This is especially important if you store financial records, customer data, or confidential contracts — and enables you to ensure compliance with GDPR and industry-specific regulations.

If your provider can access your files, a breach on their side can expose your data. Choose a provider that uses end-to-end encryption (which means only you can access your files).

6 best practices for cloud-based document management

Once you have selected a solution, you can set up clear rules and processes so your team can manage documents securely and consistently.

Make the cloud your team’s default workspace

If your team continues to store files locally, email attachments, or treat the cloud as a backup, you lose visibility and control over your documents.

Set the expectation that work happens in the cloud. Create and edit files there, share links instead of attachments, and store documents in shared folders, not on local devices.

When onboarding new team members, start them in the cloud from day one and show them where to find, store, and share documents. Check out our onboarding checklists for more information on how to create a smooth experience for new employees from day one and ensure they know how your cloud document management system works.

Making the cloud your default workspace ensures your team follows consistent processes, improves collaboration, and keeps documents secure.

Understand how your team creates and collaborates

Your file management system should reflect how your team works, not force your team to adapt to it.

Start by identifying a few common document types, such as contracts, invoices, or internal reports. For each one, define:

Where it is created
Who needs access at each stage
How it is reviewed and approved
Where it is stored once finalized

Use this to set up folders, permissions, and naming rules that reflect how your team works.

Build a folder structure and guidelines that is user-friendly and easily reference-able

An effective file management structure helps your team find the right documents quickly, reduces errors, and protects sensitive information.

Start with a simple, predictable structure based on how your team works — by department, project, or client — whichever reflects how people naturally look for files.

Use clear, consistent naming for folders so it is obvious what belongs where. For example:

Client–Project–Document type–Version–Date
AcmeCorp–WebsiteRedesign–Contract–v2–2026-04-20

Document a few basic rules, such as where to store drafts versus final versions, and how to name files. Share these guidelines with your team and apply them consistently.

Keep the order consistent across all files
Use clear, descriptive names (avoid abbreviations unless they are widely understood)
Use version numbers (v1, v2) instead of “final” or “latest”
Use ISO date format (YYYY-MM-DD) so files sort correctly
Use document templates whenever relevant

Treat version history as an audit trail

Without version history, you lose visibility into who changed a document, what changed, and when. This makes it harder to fix mistakes, resolve disputes, or demonstrate compliance.

Enable version history by default for key folders and avoid downloading files to edit locally, as this breaks the record of changes.

Go the extra step by leaving version comments or notes (if available) to explain significant changes. This helps you understand why updates were made, not just what changed.

Review access regularly

According to Proton research on SMBs’ spreadsheet security practices, 61% of US employees say they have opened documents from a previous job, project, or team.

Access permissions often accumulate over time. Someone is added to a folder and, gradually, former employees, contractors, or external collaborators all have access to sensitive data.

To avoid ghost access:

Open your cloud storage and go to a shared folder or file
Check the Sharing or Access settings
Review who has access and what level (view, comment, edit)
Remove anyone who no longer needs access
Review active shared links and disable or expire any that are no longer needed

Set role-based permissions from the start so people only have access to what they need. Then schedule regular reviews (for example, once a month or at the end of each project).

Regular access reviews help you maintain control over sensitive data and reduce the risk of unauthorized access.

Manage your business documents securely with Proton Drive

Proton Drive is business cloud storage built to give you the tools you need without compromising on security or requiring you to trust them with access to your files.

With end-to-end encryption enabled by default, you can be assured that your files are only accessible by you and those you share them with.

Proton can’t access them, so we have nothing to hand over to anyone. Proton is also based in Switzerland, which means your data will be protected by some of the world’s strongest privacy laws.

Proton Drive is also ISO 27001 certified and supports compliance with HIPAA and GDPR.

Using Proton Drive for cloud document storage means you can:

Set permissions at the file or folder level and manage your team’s access from a central admin panel.
Track file versions for up to 10 years, giving you the long-term audit trail that compliance demands.
Share files with anyone using password-protected links, set expiration dates, and revoke access at any time.
Create and edit documents and spreadsheets with your team in real time using Proton Docs and Sheets.
Access your files from any device with easy-to-use apps.

Start building your secure cloud document management system with Proton Drive.

The European tech sovereignty package explained

Alanna Alexander — Wed, 17 Jun 2026 15:16:41 GMT

The European Commission has announced an ambitious plan to free itself from its almost complete reliance on foreign tech.

In what it has called “a defining moment to assert its technological sovereignty,” the commission has presented a European Technological Sovereignty Package: a comprehensive proposal to strengthen Europe’s capacity in semiconductors, AI, cloud and open source.

Its goal is unambiguous: to reduce Europe’s infrastructure dependency on foreign tech. Official communication from the Commission states that “the EU remains structurally reliant on non-EU providers for over 80% of its digital products, services, infrastructure and intellectual property”.

The plan is essentially a call to action for European businesses to examine their own US tech liabilities. This article provides an overview of each of the four components of the package:

Chips Act 2.0
The Cloud and AI Development Act (CADA)
The EU Open Source Strategy
A strategic roadmap for digitalization and AI in energy

Why Europe is prioritizing infrastructure independence now

The bloc is now acknowledging what many tech experts have long warned: Europe needs to stop treating structural dependency as an acceptable price for convenience.

As Commission President Ursula von der Leyen put it: “We cannot afford to depend on others for the technologies that keep our hospitals running, our energy grids stable and our services secure. This is about protecting our citizens, defending our interests and making our own choices.”

Infrastructure dependency leaves every nation within the EU open to the risks of:

Kill switches. A foreign government can disable or disrupt the services your hospitals, energy grids, and public institutions depend on. EU tech chief Henna Virkkunen named it explicitly: “We want to be sure that in the critical fields we are always able to control the services and control the data in Europe.”
Legal backdoors. US law requires US-based cloud providers to hand over data to American authorities, even when it’s stored in Europe. European data on US infrastructure isn’t protected by European jurisdiction. GDPR compliance doesn’t change that.
Locked-out procurement. Critical public contracts — healthcare, energy, defence are currently fulfilled by vendors who aren’t European-controlled. The commission’s proposed fix, requiring EU-made software and hardware for the most sensitive public tenders, is an acknowledgment that the current situation is untenable.
Political leverage. When the companies running your infrastructure have close ties to a government hostile to your interests, dependency becomes a negotiating liability. The ICC didn’t choose to leave Microsoft — it was effectively pushed. That’s a kill switch by other means, and it’s already happened.

What the European Technological Sovereignty Package proposes

The package has four components. For European businesses, two matter most: the Cloud and AI Development Act and the Open Source Strategy.

Chips Act 2.0

Europe produces only around 10% of global semiconductors and remains heavily dependent on the US and East Asia for both mainstream and advanced chips. Chips Act 2.0 act sets out to strengthen Europe’s semiconductor industry and supply chain.

For European businesses: Watch for semiconductor supply chain disclosures becoming more common. They would be required during a “declared crisis”, conditional for companies seeking EU funding, and encouraged for procurement. If your vendors can’t tell you where their chips come from, expect for it to be treated as a trust deficit.

The Cloud and AI Development Act (CADA)

More than 70% of Europe’s cloud market is controlled by three US providers while the EU’s own share fell from 29% in 2017 to 15% in 2022.

CADA introduces four Union Assurance Levels that push cloud sovereignty beyond data residency toward harder questions of control, jurisdiction, ownership, software supply chain transparency, and third-country interference.

Level 1: Data is processed and stored in infrastructure located in the EU.
Level 2: Providers must demonstrate independence from third countries and transparency over their software supply chain.
Level 3: Providers must be owned and controlled in the EU and meet additional criteria, while leaving room for recognized trusted third-country providers.
Level 4: Providers must have full transparency and control over their software supply chain and no third-country interference.

For European businesses: Data residency is not the same as sovereignty. Watch for vendors rebranding existing US-controlled infrastructure as “European” without meeting the ownership and control requirements the assurance levels actually demand. Level 3 requires EU ownership and control. A European-branded wrapper around AWS is not Level 3.

The EU Open Source Strategy

The EU currently spends €264 billion a year mostly on US proprietary IT products and services. The strategy’s answer is software that can be inspected, reused, adapted, and maintained in Europe — backed by an Open Source Maintenance Instrument to fund the security and upkeep of essential components, plus dependency mapping and mirroring capabilities to ensure continued access to the most critical infrastructure.

It specifically targets cloud infrastructure, digital workplace applications, collaboration and productivity tools, instant messaging, and secure email, with a goal of 30 million active users of open-source alternatives by 2030.

The “public money, public code” principle commits public administrations to default to open source where possible.

For European businesses: Procurement criteria are shifting toward auditability, interoperability, and software you can inspect. If your current tools are closed, proprietary, and US-controlled, expect pressure — regulatory and competitive — to justify that choice.

A strategic roadmap for digitalization and AI in energy

A new Delegated Regulation will introduce EU-wide sustainability ratings for data centers, creating transparency on environmental performance and cutting off greenwashing. If the software running critical energy infrastructure sits outside European jurisdiction, energy sovereignty is as theoretical as data sovereignty.

For European businesses: Watch for sustainability ratings becoming a procurement signal — and for domestic data center capacity unlocking a new generation of European providers that weren’t previously competitive on infrastructure alone.

What the package will mean for Europe

The European Commission’s package is important, but it’s not a revolution yet. The package is ambitious, but the mandates are limited. Much depends on how the proposals are developed, negotiated, implemented, audited, and enforced.

If Europe wants technological sovereignty to mean something, it must move beyond diagnosis. Procurement rules, public funding, certification frameworks, and risk assessments must reward providers that reduce dependency rather than reinforce it.

Digital independence is built through thousands of technology choices by governments, businesses, and individuals.

At Proton, we’re helping to ease the digital transition toward sovereign, privacy-first European alternatives. Proton is already strongly aligned with the EU’s tech sovereignty package: All our apps are open source and use strong cryptography, including end-to-end encryption and zero-access encryption. As a Swiss-based provider, customers benefit from strong privacy protections.

To help more businesses switch to European tech, we have recently introduced Easy Switch for Business, which allows teams to migrate their emails, calendars, and contacts from Google Workspace to Proton with minimal effort and zero downtime.

Learn more about Proton Workspace

Introducing Easy Switch for Business: Ditch Google for private email and calendar

Matteo Manni — Wed, 17 Jun 2026 11:43:46 GMT

Google was never a safe place to run a business, because Google can scan your inbox, track your events, and share data with third parties. However, in recent years the risks have become intolerable.

Google is a nightmare for compliance, it gives AI access to user emails, and it’s a single point of failure. The market is catching up to what security teams already know. In surveys, consumers say they are eager to ditch US tech over privacy concerns.

Then, there’s jurisdictional risk. In an increasingly unpredictable geopolitical climate, US authorities can even compel Big Tech to suspend your access or hand over your data even if your business is based outside its jurisdiction.

Proton Mail launched over 12 years ago to give people a private email alternative. Based in Switzerland and backed by end-to-end encryption, Proton has helped over 100 million people and 100,000 businesses take back control of their data.

To support a secure future for organizations that care about data privacy, we’re making it easier than ever to ditch Google.

Today we began rolling out Easy Switch for Business, a seamless way for any sized company to move their emails, calendars, and contacts to Proton with no downtime.

How Easy Switch for Business works

The fear of data loss, broken inboxes, or downtime is what keeps most companies on Google longer than they should be. With Easy Switch for Business, you migrate your company from Gmail to Proton Mail in six simple steps.

Here’s how:

Choose what comes with you. Emails. Calendars. Contacts.
Connect Proton to Google Workspace.
Set up your domain. Your team can work across both while you make the move. You can even use a custom domain from Squarespace with Proton Mail.
Pick the accounts you would like to bring over.
Onboard your team on Proton.
Say goodbye to Google. Private. Secure. Sent from Proton.

Learn more: Set up your custom domain with Squarespace

Easy Switch for Business automates and guides you through the entire process. It’s so easy anyone can do it. Google and Proton run in parallel during the transition, so your team keeps working as normal while everything moves over.

Why businesses are leaving Google

The core of your business is how you communicate with your team and clients through your company inbox and calendar. That’s why over 100,000 organizations — from newsrooms and law firms to tech companies, consultancies, non-governmental organizations and government agencies — have already moved to Proton.

Here’s what these organizations tell us:

They want a provider that can’t be acquired. Proton is owned and governed by a nonprofit foundation. You won’t have to worry about private equity shenanigans, endless price increases, or your data ending up in the ecosystem or jurisdiction you were trying to avoid.

They want to decouple from US Big Tech. The risks of vendor dependency — AI training, warrantless surveillance, geopolitical pressure — are well documented. Proton is headquartered in Switzerland, outside US jurisdiction, so laws like FISA and the CLOUD Act don’t apply.

They want stronger data protection. Google can access your data, share it with third parties, or leak it in a data breach. Proton’s use of end-to-end encryption and zero-access encryption by default means your data is not accessible to us, and we can never hand it over or accidentally leak it to third parties. Proton is open source, and anyone can audit our code to validate that our encryption works as described.

They want to strengthen trust with customers. For some businesses, using Proton is a trust signal as much as a security decision. You can point clients, partners, and regulators to Proton’s public source code and audits, encryption by default, Swiss jurisdiction, and nonprofit ownership structure.

They want a business continuity fallback. Many customers start by running Proton in parallel with their existing provider — a backup that keeps running if an outage, ransomware attack, or geopolitical disruption hits. It’s also how most CISOs we work with begin testing a migration.

Shield your business from Google’s prying eyes

Your business data has value precisely because it reflects how your company thinks, operates, and competes. It deserves to be protected. With Easy Switch for Business, you can leave Gmail without disrupting a single workday in the process.

Switch to Proton Mail

Running Microsoft 365 instead? Stay tuned. We have a Microsoft 365 migration path planned for you this year.

FAQs

Should I expect my team to experience any downtime?
No. Gmail and Proton stay in sync during the transition, so there’s no disruption to your day-to-day work.

Can I test before switching fully?
Yes. The dual-send period lets you run both systems in parallel, so you can test everything before making the full switch.

Can I migrate from Google Drive?
Drive migration isn’t available yet, but it’s planned for a future release.

Is my email still encrypted if I send emails externally to Gmail or other providers?
Of course, sometimes you’ll need to send email externally, such as to contractors, vendors, or freelancers. If they’re using Gmail or another provider that doesn’t use PGP, your emails will be protected in transit (using TLS) and encrypted on Proton’s servers, but your recipient’s email provider will still have access. To ensure emails to any recipient remain encrypted end to end, no matter what provider they use, just send a password-protected email from your Proton mailbox.

Supply chain attacks: how to protect your business from third-party risks

Kate Menzies — Tue, 16 Jun 2026 17:58:54 GMT

A supply chain attack happens when criminals compromise a trusted third party to reach the real target. That third party could be a software vendor, IT provider, SaaS platform, or business partner with access to systems or data.

For small and medium-sized businesses, this risk is easy to underestimate. You may not run complex infrastructure or have a large IT team, but your company probably depends on many external services: business email, payroll, accounting, cloud storage, customer support, CRM, and payment systems. Every connected vendor creates a potential path into your environment.

We’ll explain what a supply chain attack is, how these attacks happen, why SMBs are exposed, and how to assess and reduce third party supply chain risk.

What is a supply chain attack?

How supply chain attacks happen

Why SMBs are more valuable

Real-world examples of supply chain attacks

How to assess your third-party risk

What your business can do to reduce exposure

The credential connection in supply chain attacks

Build third-party security into daily operations

What is a supply chain attack?

A supply chain attack is a cyberattack that reaches an organization through a trusted external relationship. Instead of attacking your business directly, criminals compromise a vendor, software update, service provider, integration, or third-party account and use that access to reach your customers downstream.

A weakness outside your organization can still affect your systems, data, or operations if the supplier is connected to them. In practice, a supply chain cyber attack can involve:

A software vendor with a compromised update mechanism.
A SaaS platform through which attackers access customer data.
An IT provider whose admin credentials are stolen.
A contractor account that still has access after a project ends.
A third-party integration with more permissions than it needs.
A vendor employee account used to access client systems.

Supply chain attacks rely on and exploit trust. Your business allows the connection because the vendor had a legitimate role, and then attackers abuse that trust to get closer to your data, accounts, or systems.

How supply chain attacks happen

Supply chain attacks usually begin with a trusted connection. An attacker doesn’t need to break directly into your business if a vendor, software provider, contractor, or integration already has access to something valuable.

The path can vary, but the pattern is often similar:

Compromise the third party
Use that trusted relationship to reach customers or connected systems
Expand access to your business network

Through compromised vendor accounts

Attackers may steal or guess credentials from a vendor, contractor, agency, or managed service provider. If that third party has access to your systems, the attacker can use a legitimate account to enter through a trusted route.

This is especially risky when vendor accounts have broad permissions, weak passwords, no multi-factor authentication, or access that was never removed after a project ended. That is why third-party access should be reviewed regularly and revoked promptly through a controlled admin process when it is no longer needed.

Through software updates and applications

A software supply chain attack can happen when attackers compromise the way an application is built, distributed, or updated. Your business might then install or update software from a trusted vendor, not realizing that the update has been tampered with.

This type of attack is difficult to spot because the activity appears to come from a known software provider, not from an unknown source.

Through third-party integrations

Many software as a service (SaaS) tools connect to each other through integrations, plugins, APIs, and permissions. These connections help teams work faster, but they can also create hidden access paths.

If an integration is compromised or has more permissions than it needs, attackers may be able to reach data, accounts, or workflows beyond the original tool.

Through shared credentials and unmanaged access

Supply chain risk also grows when vendor access depends on shared logins, passwords stored in documents, or credentials sent through chat and email. If one of those credentials is exposed, your business may not know who used it, where it was shared, or how many systems it can still access.

Access control is your strongest mechanism to protect the security of your supply chain. The more controlled each vendor connection is, the easier it becomes to limit damage if something goes wrong.

Why SMBs are more vulnerable

SMBs often assume supply chain attacks are a large-enterprise problem. In reality, smaller businesses can be easier to reach through third parties because vendor access is often less formal, less monitored, and less frequently reviewed.

Every SaaS service adds a dependency

Most small businesses now depend on SaaS services for daily work. They can help businesses move with speed and flexibility, but it also expands the number of systems that can hold business data or connect to business accounts.

A small agency, consultancy, law firm, or startup may use dozens of external services without calling it a supply chain. But from a security perspective, those services are part of the chain.

Smaller teams may lack vendor review processes

Large organizations often have procurement, vendor risk questionnaires, security reviews, and legal processes. SMBs may rely on informal trust and speed instead.

Since the beginning of 2025, Proton’s Data Breach Observatory identified 512 breaches exposing more than 902 million records. That kind of visibility matters because many breaches do not stay isolated to one company once credentials, contact details, or business data are exposed.

That doesn’t mean small businesses need enterprise bureaucracy. It does mean they need a practical way to ask basic questions before granting access and to review access after the work changes.

Vendor access is often broader than necessary

Vendor access within a business usually expands for practical reasons. Sometimes a contractor needs access to a shared drive, or an agency needs analytics or ad account access. In the moment, granting access feels like the fastest way to keep work moving, especially for a small business without many people or resources.

The risk only appears later, when those permissions aren’t narrowed, reviewed, or removed. A vendor may retain access after a project ends, a shared login may keep circulating, or an integration may stay connected long after the original need has passed.

Real-world examples of supply chain attacks

Recent breach data shows that third-party risk is not theoretical. During research for our Data Breach Observatory, we uncovered several incidents linked to third-party or supply chain exposure, showing how customer, employee, or business data can appear in breach datasets even when the affected organization was not necessarily the original point of compromise.

Amtrak

In April 2026, the Data Breach Observatory listed uncovered a third party incident associated with Amtrak, with more than 7.4 million exposed records. The compromised data included names, physical addresses, postal codes, phone numbers, email addresses, and usernames.

For businesses, this is a clear example of how a third-party incident can expose identity and contact data at scale, creating downstream risks for phishing, impersonation, and credential-based attacks.

Canada Goose

Apparel company Canada Goose was affected by a third party incident in February 2026, with more than 921,000 exposed records. The compromised data included names, physical addresses, phone numbers, and email addresses.

Even without passwords, this kind of dataset can still increase business risk because attackers can use contact information to make scams, phishing attempts, and social engineering more believable.

How to assess your third-party risk

You don’t need a large risk team or a lot of resources to start assessing your business’s risk. Begin with a simple inventory and focus on the vendors that matter most.

1. Map your vendors and access

List the vendors, SaaS services, contractors, and partners with access to your systems or data. For each one, note:

What data they can access.
Which accounts or integrations they use.
Whether they have admin permissions.
Whether access is individual or shared.
Whether multi-factor authentication is required.
Who owns the relationship internally.
When access was last reviewed.

This inventory is much easier to maintain when vendor access is managed through a controlled system with clear ownership, admin visibility, and revocable access.

2. Rank vendors by risk

Not every vendor needs a detailed review. A payroll provider, cloud storage platform, IT provider, CRM, or managed service provider deserves more scrutiny than a low-risk service with no sensitive data.

Prioritize vendors that handle customer data, credentials, payments, employee information, production systems, or admin access.

3. Ask security questions before granting access

Before granting access, it’s helpful to step back and assess whether the third party is really necessary, what systems or data they need to access, and whether that level of access is justified. At this stage, many organizations discover they rely on more vendors, integrations, and external accounts than they assumed.

A lightweight vendor review can still be useful. Ask:

What happens to our data if we leave?
Do you support 2FA?
How do you protect customer data?
Do you offer role-based access controls?
Do you allow audit logs or activity reports?
Do you hold any relevant security certifications or follow recognized security standards?
How do you notify customers about incidents?
How do you manage employee access internally?
Do you support least-privilege access?

What your business can do to reduce exposure

Reducing supply chain risk starts with control. In practice, that means your business needs clear rules for how vendors are vetted, what they can access, how their activity is monitored, and what happens if a third party is compromised.

Vet third-party vendors for security practices

Before giving a vendor access to business systems or sensitive data, check whether their security practices match the risk. A vendor handling customer records, finance data, or admin access should meet a higher bar than a basic productivity app.

Look for 2FA support, role-based permissions, audit logs, incident notification commitments, data retention controls, and clear offboarding processes.

Apply least privilege to third-party access

The principle of least privilege reduces the blast radius if a vendor account is compromised. That means avoiding giving admin permissions when read-only access is enough, or broad shared folders when a specific folder will do.

Use zero trust principles for vendors

Zero trust does not mean distrusting every vendor. It means not assuming that a trusted relationship should create unlimited access.

For vendor access, this means verifying identity, limiting permissions, reviewing access regularly, requiring 2FA, monitoring activity, and treating every connection as something that needs governance.

Monitor unusual access patterns

Vendor-connected accounts should be monitored for behavior that doesn’t fit normal use. Watch for unusual login locations, unexpected downloads, new admin users, permission changes, after-hours activity, new integrations, or access to data outside the vendor’s role.

These signals do not always prove compromise, but they can help your team respond before a small issue becomes a wider breach.

Prepare for third-party compromise

Your incident response plan should include vendor incidents. If a supplier reports a breach, your business needs to know what to do next. We’ve written about data breach protection for businesses⁠, which can help you structure your business’s response to third-party compromise.

Define who contacts the vendor, who reviews access, who checks logs, who decides whether credentials should be rotated, and who communicates with clients or regulators if needed.

Use unique credentials for every vendor and third-party tool

Unique credentials are one of the simplest ways to reduce supply chain blast radius. If a vendor portal is breached and an employee reused that password elsewhere, attackers may try the same credential against email, SaaS platforms, finance tools, or admin systems.

A unique password per vendor prevents that direct reuse. It also makes incident response cleaner. When a vendor is compromised, you know which credentials need attention instead of wondering where the same password may have been used.

Proton Pass is a business password manager that can help your team generate strong, unique passwords for every vendor and third-party service, store them in encrypted vaults, use autofill, and share access securely. This makes credential hygiene easier to maintain across the many external services modern businesses rely on.

The credential connection in supply chain attacks

Supply chain attacks often begin with vendors, but credentials determine how far the impact can spread.

If a contractor account is compromised but has limited access, the damage may be contained. If that same account has broad permissions, shared credentials, reused passwords, or access to sensitive systems, the attacker has more room to move.

This is why password and access management belong inside supply chain risk management. For every vendor or third-party tool, your business should know:

Which credentials exist.
Who has access to them.
Whether the password is unique.
Whether MFA is enabled.
Whether access is still needed.
Whether the account is shared or individual.
Who owns the account internally.

A business password manager like Proton Pass helps make those questions easier to answer. Instead of credentials living in spreadsheets, browser profiles, chat messages, or personal notes, vendor passwords can be stored in a controlled system with secure sharing and clearer ownership.

That does not remove the need to vet vendors or monitor activity. It strengthens one of the highest-impact controls: making sure a third-party breach does not become a password reuse problem across your own business.

Build third-party security into daily operations

A supply chain attack turns trust into the path in. A vendor, software update, SaaS account, contractor, or integration that normally supports the business can become the route attackers use to reach data or systems.

Small businesses cannot avoid third parties, and they do not need to. SaaS tools, IT providers, contractors, and vendors are part of how modern businesses work. The goal is to manage those relationships with enough control that one compromise does not become a wider breach.

Start with the basics: map your vendors, assess access, ask security questions, apply least privilege, use zero trust principles, monitor unusual activity, and plan for third-party compromise. Then reduce credential risk by giving every vendor and third-party service its own unique password.

Proton Pass helps businesses put that control into daily practice. When every vendor login has its own unique credential, shared access stays inside encrypted vaults, and teams can revoke access the moment a relationship ends, a single breached password is far less likely to trigger a chain reaction across your business accounts.

Can a PDF have a virus? Here’s what you should know

Alanna Alexander — Tue, 16 Jun 2026 12:21:10 GMT

Opening a PDF could put your business at risk.

PDFs are one of the most reliable ways attackers deliver malware that can affect your company.

A single infected file can quietly install spyware, steal credentials, and give attackers the entry point they need to move across your network. That exposes client data that can leave your business with reputational and financial consequences that can take months or years to undo.

What feels like a routine action, such as reviewing an applicant’s CV or processing an invoice, can trigger a business-wide security incident.

But how can you get a virus from a PDF? And what can your business do to protect itself from this risk?

Why do PDF viruses spread fast?

PDFs are part of how businesses operate: The finance team reviews invoices and audit reports. Marketing downloads industry research. Legal receives contracts and compliance documents.

Modern work depends on PDFs. So, when work is fast and deadlines are tight, a malicious PDF can easily slip through.

When they slip through, they move through a business quickly because files are shared internally, forwarded as attachments, or stored in shared drives and can touch multiple workstreams.

What do PDF viruses look like?

For individuals, the general advice is not to open files — PDF or otherwise — from unknown senders.

But for businesses, emails and documents from unfamiliar senders arrive regularly, so you need to know what viruses look like. You might see them as:

Phishing links

You receive a PDF with an invoice, a legal notice, or a shipping confirmation. Inside, you find a link to a fake login page or a malware download.

What to look out for: To make the attacks convincing, cybercriminals usually send files with common names, such as “Receipt_ID3329.pdf,” so they blend easily into a business workflow.

Embedded JavaScripts

PDFs can run JavaScript for interactive elements. But malicious scripts can also run when a file is opened, exploiting vulnerabilities of your PDF reader — especially when you are using an outdated reader.

What to look out for: If a PDF triggers unexpected pop-ups or asks you to enable features, close it immediately. This can lead to credential harvesting, ransomware, data theft, and more.

Malicious attachments

Images or fonts inside a PDF can carry hidden executables. If you click on one, or the document is configured to launch it automatically, malware installs on the device.

What to look out for: Unusually large file sizes for simple documents. If your reader prompts you to open or run an attachment, don’t. This can further exploit the entire data on the computer, which is often confidential or sensitive.

What to do if you open a PDF with a virus

If you’ve received a PDF with a virus, act decisively to contain the damage.

If customer or regulated data could be involved, your organization may need to follow formal incident response or disclosure procedures.

How to protect your business from PDF Viruses

Malicious PDFs usually reach employees through email or file-sharing workflows. Reducing exposure means focusing on a few practical controls.

Filter risky attachments before they reach users: Secure business email services can detect spam campaigns, block known malware signatures before they reach you, and flag suspicious senders. This reduces the likelihood that employees ever interact with dangerous files.
Limit how files are shared internally: To reduce the chance of forwarding, look for services that scan for malware before downloading, and offer password-protected access.
Protect accounts even if a file is opened: Some PDF attacks aim to steal credentials through embedded phishing links or hidden scripts. Enforcing strong authentication and using a business password manager reduces the impact if employees are tricked into entering login details.

Protect your business from PDF viruses

Cyberattacks can come in many forms, and human error is a leading cause of data breaches. Employee awareness training and secure tooling are critical to protecting your business data.

At Proton, we build our encrypted business email, secure file sharing, and credential protection tools to address exactly these risks while keeping your data private by default. These tools provide security at every stage of your document workflow, protecting your business and your clients.

Read more: How do you develop a long-term strategy to
keep your business safe from modern IT threats? Learn more in our free security guide.

Survey: Europeans prefer businesses that don’t use US tech

Edward Shone — Tue, 16 Jun 2026 11:50:45 GMT

Earlier this year, we discovered that Europeans are leaving US tech and switching to more private local alternatives that align with their values. But we also wanted to know whether this growing consumer attitude affects non-tech businesses in Europe who merely rely on US technology for their email, payment systems, or web hosting.

We asked 3,000 people in the UK, France, and Germany whether they would avoid giving their business to a European company if it used US tech. And a surprising number of them said, “Yes.”

Some of the key findings of the new research released today show mounting resistance to US tech from multiple perspectives:

Mistrust over data protection: Forty-five percent said they were likely to avoid products and services that stored their data with US companies, due to privacy and security concerns.
Keeping euros in Europe: Sixty-five percent agreed European small businesses should prioritize European-based technology over US-based ones.
Communications privacy fears: Respondents were most worried about social media, email, and messaging apps invading their privacy.

European businesses are incredibly dependent on American tech companies to operate. Our previous research found that over 74% of all publicly listed European companies rely on US-based tech services, like Google and Microsoft.

There are many factors turning Europeans away from US tech, but their concern boils down to a lack of control. At the Open Source Policy Summit 2026, Finnish MEP Aura Sally vocalized the chief concern that this creates: “The EU runs on Microsoft. The US could turn us off inside one hour.”

In such a context, European alternatives are not only more urgent, they might also help your bottom line as consumer preferences shift.

Interest in European tech is growing

Tech sovereignty has never been more top of mind for European businesses. Geopolitical tensions between the US and the EU have grown steadily in recent years. In the last year, rising US tariffs, fines against Big Tech, and governmental threats of invasion have seen Europeans become more resolved to end reliance on US Big Tech companies.

One particular incident that generated concern for Europeans towards US tech occurred in May 2025: The ICC’s chief prosecutor Karim Khan lost access to his email inbox after Microsoft revoked his access — Khan has since moved to Proton Mail, which is based in Switzerland, to prevent further censorship.

Our research found that the last year has made a significant difference in European tech priorities. Fifty-six percent of respondents feel it’s more important now than a year ago that European businesses rely on local infrastructure.

Privacy and security concerns push consumers away

Forty-five percent of respondents will avoid US tech because they’re concerned about data privacy and security. The majority of European consumers would be uncomfortable having their data stored on US servers and it’s easy to understand why.

In 2025, US tech companies were hit with a number of high-profile data breaches and lawsuits leading to considerable fines. Their perceived lack of interest in protecting consumer privacy and exploitation of user data has led to poor perceptions in the EU. Monopolistic practices from businesses such as Google also made it obvious just how dependent the world has become on Big Tech’s services.

European small businesses feel US tech’s impact most

When it comes to European businesses, it’s the smaller ones that consumers feel should prioritize European-based technology.

Sixty-six percent of respondents agree that European small and medium businesses (SMBs) should be using European tech. This is a crucial insight into how important tech choices are for companies under 500 employees. If your SMB relies on US tech, your potential customers might opt for an alternative that uses European tech. This could be fatal: While larger institutions can weather loss of customers, regulatory fines, and loss of reputation, SMBs are much less likely to bounce back due to a lack of funds and resources.

This is further confirmed by our finding that 80% of respondents say that European tech is a factor in their decision-making when it comes to working with businesses. Investing in European tech is a way to not only protect sensitive data from leaving Europe, but to actively invest in European digital infrastructure and the economy more broadly.

Europeans want secure communication

When it comes to the apps and services that businesses rely on, respondents had three top priorities: email, messaging apps, and social media.

It’s interesting to note that these are all communications apps, indicating that Europeans prioritize being able to communicate securely and protect their personal data. A Gmail address or an X account could have consumers re-evaluating if they trust the business they’re communicating with.

This distrust is likely caused by high profile incidences of social media apps failing to protect their users against harassment and unwanted surveillance in email inboxes. It’s hard to overstate how much US tech has become both ubiquitous and feared.

European consumers want to invest in European tech

It isn’t just that European consumers actively want to avoid US tech, they want to be able to choose European tech.

Sixty-five percent of respondents said they agreed that people in Europe should rely more on European technology companies. The number of Europeans who want secure European tools such as email, cloud storage, and AI chatbots is increasing because this investment represents a future built to strengthen European countries and end outsourcing to the US.

With this insight into consumer preferences, it’s time for European businesses to make the choice to invest in EU tech sovereignty.

EU tech sovereignty is the future

Knowing that it’s time to break reliance on US tech, what are the options for European businesses? There are options that put your business’s security first and ensure that you’ll never lose access to your data because of geopolitical tensions.

Proton, headquartered in Switzerland, gives your business everything you need to move away from US Big Tech:

Proton Mail offers end-to-end encrypted email relied on by businesses, governments, and journalists to protect sensitive data.
Proton Drive offers cloud storage, docs, and sheets that ensures you’ll never lose access to critical business assets and protects you from Big Tech using your data to train its AI models.
Proton VPN offers secure VPN connections that encrypt data within your network, protecting your business from hackers and insider threats.
Proton Lumo is a secure AI tool that keeps no logs of your conversation, meaning your business can leverage the benefits of AI without giving away your data or training Big Tech’s models.
Proton Pass is a business password manager that centralizes your business’s passwords, preventing data breaches and helping your team work safely and effectively.
Proton Meet makes private videoconferencing possible with end-to-end encryption and seamless integration with Proton Calendar, so sensitive conversations are secure and convenient.

Correction: An earlier version of this article stated incorrect percentages for two graphs and overstated the priorities reported by survey respondents. Fifty-six percent of of respondents say it’s more important that European businesses use local infrastructure, and 45% would avoid US tech over privacy and security concerns. European tech is a factor in 80% of respondents’ buying decisions. And the top apps consumers consider are email, messaging apps, and social media.

Report: Reclaim tech sovereignty before Big Tech breaks your business

Risa Tang — Tue, 16 Jun 2026 11:50:09 GMT

Across Europe, most companies run on American technology — often without realizing just how much of their day‑to‑day operations depend on it. From email and video calls to customer support systems, hundreds of mission-critical tools pass through a handful of US platforms.

For decades, that felt like a reasonable trade‑off: powerful tools, competitive prices, and confidence in the US as a geopolitical ally. But those assumptions no longer hold: Big Tech tools are no longer the only option, and EU policymakers believe they’re not worth the price of European sovereignty.

As political tensions intensify and privacy demands increase, Europe’s reliance on US tech is starting to look less like a convenience and more like a liability — especially for small- and mid-sized businesses without a business continuity option.

To help European businesses navigate the uncertainty and the transition to tech sovereignty, Proton is releasing a new intelligence report today, US tech dependence: A risk report for European businesses. In it, we examine how this dependence developed, where it creates risk, and what leaders can do to regain control.

Download the free report

How deep does Europe’s dependence go?

Proton has been tracking Europe’s reliance on US tech for several years. The picture that emerges from our latest research and market analysis is clear:

Over 74% of Europe’s publicly listed companies rely on US‑based providers like Google and Microsoft for critical services.
As of 2025, US cloud providers control more than 70% of the European cloud market; European vendors hold less than 15%.
In a Proton survey of 3,000 people across the UK, Germany, and France, 73% said Europe is too dependent on US tech companies, and 83% expressed concern about that dependence.

This all means that sensitive business information, strategic plans, and everyday operations across the continent sit on infrastructure controlled outside Europe’s legal and political system, leaving European companies exposed to decisions taken elsewhere. The result is a structural dependence that underpins nearly every sector from finance and healthcare to manufacturing, media, and even the government.

Why tech sovereignty matters more than ever

Dependence on US tech is not new. What is new is the combination of pressures Europe now faces from Washington — and the way those pressures intersect with critical digital infrastructure.

As Finnish MEP Aura Salla puts it: “The EU runs on Microsoft. The US could turn us off inside one hour.”

Several recent developments have made this issue too big to ignore:

Sanctions and tech access are tightly linked. In recent years, US sanctions have cut off targeted individuals and institutions from mainstream American services overnight, including email, payment platforms, and cloud tools. When the chief prosecutor of the International Criminal Court lost access to his Microsoft inbox following US sanctions, it sent a clear signal: Access to US platforms can be wielded for geopolitical ends.
Transatlantic relations have become progressively strained. In his second term, President Trump has raised tariffs on European exports, floated the idea of leaving NATO, and threatened retaliation when the EU enforces its own laws against US tech companies. Senior US officials have framed EU fines on American platforms as attacks on “the American people.” In other words, digital infrastructure now risks becoming a bargaining chip.
US surveillance laws reach into European data. The CLOUD Act and Section 702 of the Foreign Intelligence Surveillance Act permit US authorities to request access to data held by American companies, even when that data belongs to Europeans and is stored in the EU.
Europe is trying to assert digital sovereignty, but still runs on US systems. European governments have announced plans to move away from US tech in favor of European alternatives in sensitive areas, launched initiatives to strengthen tech sovereignty, and passed laws such as the EU Data Act to constrain foreign access to European data. But the irony is most of its businesses and institutions still rely on US infrastructure for core operations.

These developments mean Europe now faces a paradox: It is trying to defend its laws, norms, and strategic interests while running those defenses on systems ultimately governed by someone else’s rules.

How much is your business at risk?

Some organizations are more exposed than others. Based on our research, certain patterns tend to correlate with higher risk.

Which of these statements are true for your business:

Most of your core tools sit with one US provider. Many organizations default to Big Tech ecosystems such as Google and Microsoft, mostly for convenience. But this also means a single outage or policy change can disrupt multiple functions at once.
Your SaaS vendors still rely on US clouds. While your stack may come from different vendors and look varied on the surface, they may still rely on a US cloud provider like AWS and therefore be subject to US data jurisdiction.
You manage EU customers or sensitive data on US platforms. If your business serves European or public‑sector clients, processes health or financial data, or operates in a regulated industry, that information is subject to US laws. This can cause potential conflicts with European privacy and data protection rules.
Security and compliance are left to your providers. If asked, would you be able to easily explain your vendors’ policies on security and privacy? Simply trusting that your providers will “do the right thing” means limited independent verification of how your data is actually accessed, logged, or shared — and these policies can change at a moment’s notice.
There is no clear exit plan. Migrating away from your main US provider would take months of preparation and significant disruption. There is no tested scenario, or any alternatives in mind, if access is suddenly affected.

If several of the points above sound familiar, your dependence on US tech may be deeper — and more precarious — than it appears. You’re not alone: The real question is what to do next.

Maneuver now, while you still have room

Over the past decade, we’ve seen how easily control can slip away when critical infrastructure is outsourced, and how hard it is to regain once that happens. As a privacy-first, Swiss-headquartered company, Proton is built on the belief that people and organizations should control their data — and, by extension, their future.

This report is part of that effort, providing detailed analyses and actionable insights that any business can use to understand its position and plan ahead. US tech dependence: A risk report for European businesses gives you:

An overview of the current landscape, including how and why Europe became reliant on US tech
A breakdown of the main risk areas, from geopolitics and outages to surveillance and compliance
Real‑world examples that show how these risks have already disrupted organizations
13 practical mitigation strategies you can implement now

The pressure on European businesses is already building. Waiting until a sanction, policy change, or major outage hits your providers is the most expensive way to find out how much your business is at the mercy of external forces. Acting now — while the choice is still yours — gives you options instead of emergencies.

Download the free report