With around 16.9 million people working for small- and medium-sized businesses in the UK, Proton’ s findings suggest that millions of current and former employees could still have access to company spreadsheets they no longer need. In practice, this can mean former staff or contractors retaining access to files containing budgets, salary information, client details or internal plans – sometimes long after they have changed roles or left a company. In many cases, no one inside the company is even aware that this access still exists.

The research reveals a growing disconnect between how important spreadsheets have become and how poorly access to them is controlled. Almost seven in 10 of the SMB employees surveyed( 64 %) say they retain access to files they no longer need, often because off boarding processes fail to keep pace with workforce changes. Manual, link-based sharing remains common, increasing the risk of unauthorised access, data leaks and GDPR non-compliance.

As spreadsheets evolve into systems of record, these access gaps carry serious consequences. Proton’ s survey of 250

SMB employees in the UK shows that spreadsheets are now routinely used for core business functions, including project management( 64 %), financial reporting( 47 %) and managing client or customer data( 45 %). Yet without proper governance, automation or visibility into who can access what, businesses are leaving some of their most sensitive information unprotected.

The research also reveals widespread mismanagement of sharing permissions. Thirty-nine percent of respondents have set link permissions to‘ Anyone with the link’( view or edit), a behaviour likely influenced by productivity tools like Google Sheets and its weaker default sharing settings. Access reviews are infrequent, with 20 % only checking who has access to their spreadsheets annually. Manual offboarding remains the dominant approach: 44 % of access removals are handled manually, compared with just 36 % that are automated. This lack of automation is a key reason sensitive data continues to be accessible long after employees leave.

“ Spreadsheets, like other critical tools used by SMBs, are often treasure troves of sensitive data – from financial and strategic planning information to HR and client data,” said Patricia Egger, Head of Security at Proton.“ Yet they’ re often not handled as would other high-risk data. When someone leaves a company, access to shared spreadsheets is often nobody’ s problem: links stay active, permissions aren’ t reviewed and data remains accessible without anyone noticing. This isn’ t about bad intent, but everyday process gaps and manual offboarding that leave businesses unnecessarily exposed long after an employee has moved on.” �

32 Intelligent SME. tech