The Proton Blog

The law that lets the US government spy without warrants is about to expire. Here’s what comes next

Edward Komenda — Thu, 11 Jun 2026 23:06:04 GMT

Section 702 of the Foreign Intelligence Surveillance Act lets US intelligence agencies collect communications from foreigners abroad without a warrant, and routinely sweeps in Americans’ emails, messages, and calls in the process. It’s set to expire Saturday. And Congress has all but assured it will.

In a 218-to-198 vote, the House rejected a short-term extension. Senate Democrats blocked a parallel effort hours later. Enough lawmakers from both parties refused to renew these powers without a warrant requirement attached. Speaker Mike Johnson called the lapse “dangerous, and very, very shameful.”

Privacy advocates have argued the opposite for years: Renewing Section 702 without reform is the danger.

Collection continues. The “going dark” warnings don’t hold up

The Foreign Intelligence Surveillance Court renewed its procedures for the Section 702 program in March. On Thursday, Representative Jamie Raskin said “government surveillance activities will continue unchanged” and that “current FISA authorizations will continue unaffected, at least through March 17, 2027,” according to CBS News. Even Representative Rick Crawford, the Republican chairman of the House Intelligence Committee and a supporter of renewal, confirmed the 702 database “would remain available to search.” The concern is that data grows stale over time, not that collection stops.

The more immediate problem is that some carriers have privately warned they will stop cooperating once the statute lapses, fearing legal liability without an active law behind the government’s requests. Intelligence agencies and telecoms face uncertainty about what collection can legally continue. Reform legislation would have resolved that. Congress chose not to pass it.

A warrant requirement needed three more votes

Axios reported that lawmakers in both parties were close to a longer-term extension. What they couldn’t agree on was whether to attach the reforms a substantial bloc of lawmakers has demanded for years.

Conservative Republicans who have long pushed back on FBI abuses of the Section 702 database refused to vote for a clean renewal. Democrats who previously supported the program did the same.

The warrant requirement is not a fringe position: when it came to a House vote in 2024, it failed 212-212. This week, a clean extension couldn’t reach a majority. The reform bloc, for the first time, had enough votes to block renewal outright.

Both parties expand surveillance when in power

We’ve documented this pattern for years. Section 702 has grown under every administration that has touched it. The party in power defends and extends these authorities. The party out of power raises objections, until it wins.

The 2024 renewal makes this plain. As a candidate, President Trump said “KILL FISA” days before Congress passed a renewal that President Biden signed into law, expanding Section 702 by broadening which companies can be compelled to assist with surveillance. The warrant amendment failed. Surveillance expanded. Both parties voted for it.

The case for reform doesn’t depend on who is in office. These powers have no meaningful checks on how they are used.

When searching Americans’ private communications requires no warrant, the only protection users have is whether the people in charge choose to exercise restraint.

That is not a protection.

The warrant requirement is the specific reform that matters

The Government Surveillance Reform Act, backed by senators including Ron Wyden and Mike Lee, would require a warrant before agencies can search Americans’ data collected under Section 702.

It would close the loophole that lets the government buy personal data from brokers instead of going to court, so location data and browsing history can’t be purchased to avoid judicial oversight. It would also roll back the expanded definition of who can be forced to assist with surveillance, with direct implications for how VPN traffic is classified under the law.

The bill has bipartisan support. When Congress returns, the administration will need reauthorization. Reform advocates will have the same ask and, for the first time, real leverage.

What this means for you

The lapse doesn’t fix what’s broken with Section 702. But it creates pressure that clean renewals never did.

The program collects the communications of hundreds of thousands of people each year. That data sits in a searchable database. The FBI has used it to query the records of George Floyd protesters, January 6 participants, political donors, and a sitting member of Congress, without a warrant. Renewing the law without addressing how that database gets searched leaves all of that in place.

A VPN encrypts your traffic and prevents your internet provider, network operator, and anyone monitoring your connection from seeing what you do online. The risk we raised in April, that VPN traffic could be classified as “foreign” by default and routed into the Section 702 collection pipeline, is still unaddressed. It won’t be resolved until the law changes.

Congress should pass a warrant requirement. Not in the next reauthorization. In this one.

Your business’s practical multi-factor authentication implementation guide

Kate Menzies — Wed, 10 Jun 2026 12:05:11 GMT

Multi-factor authentication (MFA) is no longer just a security recommendation for large enterprises. It’s one of the most practical ways for businesses to reduce the risk of account takeover and make stolen passwords less useful. As access to business systems spreads across cloud apps, remote teams, shared devices, and third-party platforms, MFA is becoming a more useful tool.

But during implementation, IT managers face the challenge of being able to assess whether MFA is useful or effective. Making MFA work across an organization requires making a lot of decisions: Which accounts need it first? Which MFA methods should be allowed? How do you avoid employee pushback? How do you make sure MFA is actually enforced, not just encouraged?

This guide is written to help your business MFA implementation work. It explains what MFA is, why passwords alone are no longer enough, how common MFA methods compare for business use, and how to roll out MFA in a way your team can adopt. It also shows how a business password manager with built-in 2FA support can make stronger authentication practices easier to manage at scale.

What is multi-factor authentication?

Why passwords alone are no longer sufficient

Types of MFA and business trade-offs

Where MFA implementation fails

The employee resistance problem

How to roll out MFA across your business

How Proton Pass for Business makes MFA manageable

What is multi-factor authentication?

MFA is a security process that requires more than one type of identity verification to access an account. Instead of relying only on a traditional password, MFA asks for an additional factor that makes unauthorized access harder.

The three common authentication factors are:

Something you know, such as a password or PIN.
Something you have, such as a phone, authenticator app, hardware security key, or trusted device.
Something you are, such as a fingerprint or facial recognition.

In practice, MFA usually means an employee enters a password and then verifies the login through another method, such as a time-based code (or TOTP), push approval, passkey, or hardware key. The goal is simple: if a password is stolen, guessed, phished, or reused, the attacker still needs another factor to get in.

Multi-factor authentication in business environments

For businesses, implementing MFA is a way to strengthen account security with an additional access control, not just to replace passwords. In business environments, the challenge is deciding where those methods are most needed and how to deploy them consistently across different systems, roles, and levels of risk.

Nevertheless, not all MFAs are equally strong. A code sent by SMS is better than a password alone, but it does not offer the same protection as a hardware security key or a well-implemented passkey. The right choice depends on risk, usability, device access, compliance needs, and how much administrative control your business can maintain.

Why passwords alone are no longer sufficient

Strong passwords still matter, but they are no longer enough on their own. Employees manage more accounts than ever, and attackers know that business access often begins with one compromised credential.

A password can be exposed through phishing, malware, data breaches, credential stuffing, password reuse, or unsafe sharing. Once attackers have a valid username and password, their activity may look like a normal login attempt unless another layer of verification is required.

This is why data breach protection for businesses needs to include credential controls, endpoint security, and employee training. A strong password policy helps, but it can’t stop every stolen password from being tested against email, cloud storage, finance tools, admin portals, or customer systems.

The financial stakes are high. IBM’s 2025 Cost of a Data Breach Report places the global average cost of a data breach at $4.4 million. MFA can’t eliminate breach risk, but it does reduce one of the most common paths into business systems: unauthorized access through compromised credentials.

MFA is especially important for accounts that control other accounts. Email, identity providers, password managers, admin consoles, developer platforms, payroll tools, and finance systems should be treated as high priority because gaining access to them can unlock further access elsewhere.

Types of MFA and business trade-offs

A good MFA implementation starts with choosing the right methods. The best option is not always the same for every business, team, or system. IT managers, for example, need to balance security strength, employee usability, device availability, administrative overhead, and support needs.

SMS one-time passwords

SMS one-time passwords (OTPs) send a code to a phone number during login. This is one of the easiest MFA methods for employees to understand, and it can be useful where better options are not available.

The downside is security. SMS can be vulnerable to SIM swapping, interception, social engineering, and phone number recovery attacks. It also creates operational problems when employees change numbers, travel internationally, have poor reception, or use personal phones for work.

For businesses, SMS OTPs are best treated as a fallback option rather than the preferred MFA method. It is still better than passwords alone, but it should not be the default for high-risk accounts.

Authenticator apps and TOTP codes

Employees open an authenticator app, such as Proton Authenticator, copy the code generated for the service they’re logging into, and then enter it during login.

This is usually stronger than SMS because the code is generated on the device and doesn’t depend on the mobile network. It is also widely supported across business tools, making it a practical baseline for many MFA rollouts.

The trade-off is usability and recovery. Employees need to set up the app correctly, keep access to their device, and understand how recovery works if a phone is lost or replaced. IT teams also need to create clear policies for backup codes, device changes, and offboarding.

TOTPs works well as a general business MFA method, especially when paired with strong password management and clear admin processes.

Hardware security keys

Hardware security keys, such as YubiKeys, provide strong authentication because the employee must physically possess the key to gain access to business accounts. Many security keys also protect against phishing because they verify that the website itself is legitimate before completing authentication.

For high-risk roles, hardware keys can be one of the strongest MFA options. They are especially useful for administrators, executives, finance teams, developers, and anyone with access to sensitive systems.

The trade-off is rollout complexity. Businesses need to purchase keys, distribute them, train employees, manage backups, and handle lost or damaged devices. A hardware key strategy also needs a recovery process that doesn’t weaken the security benefit.

Passkeys

Passkeys use cryptographic authentication instead of a traditional password. In many cases, employees unlock the passkey with a fingerprint, face recognition, PIN, or device approval. The private key stays on the device, which makes passkeys more resistant to phishing than many older authentication methods.

For businesses, passkeys can improve both security and usability. They reduce reliance on shared secrets and can make login faster for employees. The main challenge is ecosystem readiness. Not every business tool supports passkeys yet, and IT teams need policies for device enrollment, recovery, shared workstations, and employee offboarding.

For many organizations, the practical solution is a hybrid model: use passkeys where supported, keep strong passwords and MFA where they are still required, and manage both through clear access policies.

MFA method	Security strength	Business suitability	Best-use scenario
SMS OTP	Basic	Easy to adopt, but weaker than other MFA methods	Fallback option when stronger MFA is not available
Authenticator apps	Moderate to strong	Practical default for many teams	Everyday business accounts and SaaS tools
Hardware security keys	Very strong	Best for high-risk roles, but requires device management	Admins, executives, finance teams, and sensitive systems
Passkeys	Very strong	Secure and user-friendly where supported	Modern apps, passwordless workflows, and phishing-resistant access

Where MFA implementation fails

MFA can still fail even when a business has implemented it. Implementation quality actually matters as much as the MFA method itself. Some of the reasons for failure can include:

Weak recovery. If employees can bypass MFA through easy account recovery, help desk shortcuts, or poorly protected backup codes, attackers may target the reset process instead of the login screen.
Inconsistent enforcement. MFA may be enabled for some tools but left optional for email, admin accounts, finance systems, shared operational accounts, or certain employees. In that situation, MFA becomes an aspiration rather than a control, and attackers can still look for the weakest available path.
Poor usability. If employees are constantly interrupted, locked out, or unclear about what to approve, they may become frustrated and more likely to make mistakes. Push fatigue is one example: repeated approval prompts can train people to accept requests without thinking.

A strong MFA rollout needs enforcement, monitoring, and support. It should be easy for employees to do the right thing and difficult to leave important accounts unprotected.

The employee resistance problem

Employee resistance is one of the biggest barriers to MFA rollout. Employees may see it as an extra step, a productivity blocker, or another security rule added without context.

This reaction is understandable, especially when MFA is introduced abruptly or with unclear instructions. Resistance often comes from poor implementation, not from opposition to security itself.

The solution to this problem is to make MFA predictable and easy to follow. Explain to employees that it protects business accounts even if a password is stolen, start with familiar tools such as email and shared business platforms, provide clear setup steps, and support employees through device changes.

Avoid framing MFA as a punishment or a sign of distrust. It should feel like a practical safeguard for the company, its clients, and employees’ own work accounts.

A bring your own device (BYOD) policy also helps. If employees use personal devices for work, clear rules for authentication apps, device security, lost-device reporting, and access revocation make MFA rollout smoother.

How to roll out MFA across your business

A successful MFA rollout is a change-management project. IT managers need to decide what gets protected first, how enforcement will work, how exceptions will be handled, and how adoption will be measured.

Step 1: Map your accounts and risk levels

Start with an access inventory. Identify the systems your business depends on and the accounts that create the most risk if compromised.

Prioritize:

Email and identity provider accounts.
Admin accounts and privileged roles.
Password manager accounts.
Finance, payroll, and billing tools.
Cloud storage and file sharing.
Developer, infrastructure, and production systems.
Customer data platforms and CRMs.

This creates a rollout sequence for your business that’s based on risk rather than convenience.

Step 2: Choose approved MFA methods

Decide which MFA methods your business will allow. For many teams, authenticator apps or passkeys may become the default, while hardware security keys are reserved for high-risk roles. SMS can remain a fallback where necessary, but should not be the preferred method for sensitive systems.

Document the decision clearly. Employees should know which methods are approved, which are discouraged, and what to do if they lose a device.

Step 3: Pilot before enforcing everywhere

Run a pilot with IT, operations, finance, leadership, or another group that can provide useful feedback. The goal is to test the setup process, support documentation, recovery flows, and policy settings before the rollout reaches the whole organization.

A pilot also helps identify where MFA prompts are too frequent, where employees need clearer instructions, and which systems require special handling.

Step 4: Enforce MFA for high-risk accounts first

Encouragement is not enough for critical systems. Once the pilot is complete, enforce MFA for the accounts that create the highest risk.

This includes admin accounts, email, identity systems, password managers, and financial tools. If these accounts remain optional, attackers may still find a path into the business.

The key is to enforce with support. Give employees advance notice, setup guides, office hours, and recovery instructions. Enforcement works best when people aren’t surprised by it.

Step 5: Expand to the rest of the organization

After high-risk accounts are protected, expand MFA to remaining business tools. This can happen by department, tool category, or risk level.

Track adoption as you go:

Which accounts have MFA enabled?
Which employees haven’t enrolled?
Which systems still allow password-only access?
Which exceptions are open, and who owns them?

A business password manager can support this process by giving teams visibility into which accounts already have MFA enabled and which still need stronger authentication.

This is where many rollouts stagger or fail. MFA needs ongoing governance after the rollout date.

Step 6: Review exceptions and recovery paths

Every exception should have an owner, reason, and expiration date. If MFA cannot be enabled for a tool, document why and decide whether a compensating control is needed.

Recovery also deserves regular review. Backup codes, account recovery flows, admin overrides, and device resets can become weak points if they are not controlled. MFA implementation should make recovery safe, not simply convenient.

How Proton Pass for Business makes MFA manageable

MFA rollout becomes easier when credential management is already controlled. If passwords are reused, shared informally, stored in browsers, or scattered across spreadsheets, MFA becomes harder to enforce consistently.

A business password manager like Proton Pass for Business helps by doing more than strengthening the password layer. It can also support the second factor directly. The built-in 2FA support means teams can store TOTP codes securely and use the password manager itself as the MFA device, which makes stronger authentication easier to adopt and easier to share securely where appropriate. Employees can generate strong, unique passwords, store them in encrypted vaults, autofill logins, use built-in 2FA support for TOTP codes, and manage passkeys where supported.

This also improves visibility. Administrators need to know not only whether employees have strong passwords, but also which accounts already have 2FA enabled and which still rely on password-only access. Proton Pass can help IT admins surface that information, making MFA adoption easier to track across the organization.

Passkeys are also a key consideration. As businesses move toward stronger, phishing-resistant authentication, a password manager that supports passkeys like Proton Pass helps teams manage both traditional MFA flows and newer passwordless methods in one place. That makes rollout more practical in mixed environments where some systems still use passwords and TOTP, while others are ready for passkeys.

For IT teams, Proton Pass for Business supports centralized management, policies, secure sharing, and visibility through reporting and logs. That makes MFA more operationally realistic because teams can reduce password sprawl while also making stronger authentication easier to deploy and govern across the organization.

A business password manager doesn’t replace MFA. It makes MFA much easier to implement because it strengthens the first factor, supports the second, and gives the business a more manageable path toward stronger authentication overall.

A journalist’s safety guide to the 2026 FIFA World Cup

Proton Team — Tue, 09 Jun 2026 18:05:07 GMT

Three countries and 16 cities are slated to host the 23rd FIFA World Cup this June. The event, which will be held in the United States, Mexico, and Canada, is expected to bring in more than 5 million fans from around the world, including an estimated 50,000 journalists.

Large crowds and global security threats like cyber, drone, or mass-casualty attacks pose risks to reporters and fans at all locations. In the US, travel bans and increased ICE activity should also be considered. If you are a journalist or media professional covering the 2026 FIFA World Cup, there are ways to ensure your safety as you travel through the event’s host cities.

Proton has assembled a guide to assist journalists navigate the World Cup safely. The tips below can help protect journalists and media against security threats while reporting from the ground at the World Cup.

Reporting from the United States

11 cities in the United States are hosting FIFA World Cup games in 2026, including Atlanta, Boston, Dallas, Houston, Kansas City, Los Angeles, Miami, New York, Philadelphia, San Francisco, and Seattle.

According to The Athletic, the Federal Emergency Management Agency granted $625 million in security funding toward those 11 US cities for operational exercises, staff background checks, and cybersecurity defense.

Travel restrictions and border crossings

Given the location, size, and scope of the World Cup, journalists traveling from outside the US should consider the risks when entering the country. In 2025, the Trump Administration announced a travel ban for citizens of Afghanistan, Myanmar, Chad, Republic of Congo, Guinea, Eritrea, Haiti, Iran, Libya, Somalia, Sudan, and Yemen. There are partial restrictions for residents of Burundi, Cuba, Laos, Sierra Leone, Togo, Turkmenistan, and Venezuela.

According to the Committee to Protect Journalists, border agents in the US “maintain broad discretionary authority to implement travel restrictions.” Additionally, “increased vetting, inconsistent enforcement, and sudden policy changes suggest an unpredictable environment,” in which traveling journalists should prepare.

Media personnel can anticipate being questioned at the border by Customs and Border Protection (CBP), especially if journalists represent a country on the travel ban list or have a history of covering politically sensitive issues. Journalists with dual citizenship from a country on the travel ban list should use the passport of their nation that does not appear on the banned list.

Protecting your devices and data

Precautions should be taken to encrypt or back up sensitive or personal information on electronic devices, as CBP does not need a warrant or probable cause to search your person or electronics. To protect your personal data and ensure it isn’t copied or stored by CBP, journalists should:

Use strong passwords and store them in a password manager like Proton Pass.
Use an end-to-end encrypted email service like Proton Mail so messages can’t be surveilled.
Employ email aliases so your personal or work email isn’t exposed.
Enable two-factor authentication so CBP can’t access your accounts.
Back up sensitive information on a cloud storage service like Proton Drive, so privileged documents don’t live on your phone or electronic devices.
Make social media accounts private and/or delete any apps that may be subject to search.

Legal resources for journalists

If a legal concern should arise during your coverage of the FIFA World Cup, journalists can call the Reporters Committee for Freedom of the Press legal hotline at 1-800-336-4243.

Media members can also text CPJ’s chatbot for assistance using the number 1-206-590-6191 or email the committee at emergencies@cpj.org.

If you are denied entry into the country or into the World Cup, are facing detention or arrest, have been assaulted, or had equipment damaged, you can file a report using the U.S. Press Freedom Tracker.

General safety tips for all host cities

Whether reporting from the United States, Mexico, or Canada, you should familiarize yourself with the country’s local laws. Before heading to your destination, research the location and have an exit strategy should an emergency arise.

Have an emergency contact on standby, work in pairs whenever possible, and designate meet-up locations ahead of time should cell service or Wi-Fi go down. Identify exits, medical tents, rideshare drop off and pickup locations and media areas before arrival.

Proton for journalists and newsrooms

To counter unprecedented threats toward journalists, Proton offers discounts on Proton for Business to news media. Protect your emails, contacts, documents, sources, and other sensitive data with end-to-end encryption, so your team can work safely no matter where they are.

Proton has been committed to press freedom for more than 10 years. Learn more about how Proton protects journalists and get Proton for your newsroom today.

Cybersecurity compliance 101: What small businesses need to know

Alanna Alexander — Tue, 09 Jun 2026 17:34:04 GMT

You’ve likely experienced this scenario: You’re in the final stages of a deal with a promising enterprise client. The contract is ready, the price is agreed upon, and then the conversation stalls.

The reason? They asked for your cybersecurity compliance documentation, and you couldn’t provide it.

It’s a frustrating moment. It’s understandable to feel that cybersecurity compliance is a game for large corporations with dedicated security teams and massive budgets. For a growing startup or a small business, it can feel like an overwhelming administrative burden.

The good news is that there are simple ways to prove you take data protection seriously.

This guide breaks down what compliance actually means for your business, the key frameworks you’ll encounter, and how to get started without needing a team of IT experts.

What is cybersecurity compliance?

Cybersecurity compliance is how you prove you are protecting sensitive data according to recognized standards. It’s not just about having the right tools; it’s about having the right processes and the documentation to back them up.

Think of it as your business’s “report card” for security. It shows prospects and partners that you have rules in place, you follow them, and you can prove it.

It’s not optional. Regulations like GDPR and HIPAA carry real legal weight. Fines, lawsuits, and operational restrictions are all on the table. And cybersecurity threats aren’t theoretical. Four in five small businesses have suffered a recent data breach.

The risks of data non-compliance

Skipping compliance might seem like a way to save time and money, but it’s a short-sighted gamble. The fallout hits in three critical areas:

Financial penalties: A single GDPR violation can cost millions. For a small business, even a mid-range fine can mean layoffs, frozen growth, or closure.
Operational disruption: A breach takes systems offline for weeks. Your staff gets pulled from revenue-generating work to manage the crisis. Recovery costs can easily exceed $1 million when you factor in downtime, legal fees, and lost contracts.
Reputation damage: Customers who trusted you with their data may not give you a second chance. In tight-knit industries, word travels fast. A compliance failure doesn’t just hurt your brand; it can shrink your sales pipeline for years.

Key cybersecurity frameworks every business should know

These are the standards your customers, regulators, and enterprise partners will likely ask about.

GDPR (General Data Protection Regulation)

If you have even one customer in the European Union, or if you collect email addresses from EU visitors on your website, GDPR applies to you—regardless of where your company is based. Non-compliance can result in fines of up to €20 million or 4% of your annual global revenue, whichever is higher.

What it means: You must be transparent about how you collect and use data. You must give people the right to access, correct, or delete their information.

HIPAA (Health Insurance Portability and Accountability Act)

Are you a SaaS company serving a US healthcare provider? Or perhaps a clinic managing appointments? The moment patient data touches your systems, HIPAA applies.Penalties range from thousands to millions of dollars, depending on the severity and whether negligence was involved

What it means: You need strict safeguards like data encryption, controlled access, and clear procedures for reporting breaches.

NIS2 (Network and Information Security Directive)

This is an EU directive strengthening cybersecurity in essential sectors like energy, transport, and digital infrastructure.Even if you aren’t directly regulated, your enterprise customers may require you to meet NIS2 standards as part of their vendor checks.

What it means: It requires risk management practices and strict incident reporting.

ISO 27001 & SOC 2

These are international standards that evaluate how you manage and protect data. The stakes: For enterprise clients, having ISO 27001 certification or a SOC 2 report is a massive trust signal. It tells them, “We have been audited by independent experts, and our security is solid.”

What it means: You need to implement documented security controls, submit to independent audits, and maintain that certification on an ongoing basis.

How to get started with compliance in cybersecurity

Compliance can feel like a long list of boxes to check, but the basics come down to five practical steps.

Map out what data you have, where it lives, and who has access. You might be surprised to find a customer list saved on a contractor’s personal Dropbox or a shared spreadsheet with sensitive info that anyone can edit.
Write down your policies. Who can access what? How do you report a breach? How do you dispose of old data? If it isn’t written down, it doesn’t exist. Keep these documents clear, current, and ensure your team actually follows them.
Give your team a business password manager. It generates strong credentials, stores them securely, and makes good habits the default. It removes the friction of remembering complex passwords.
Use a business VPN. It encrypts all your team’s internet traffic, ensuring data stays protected no matter where they log in. This is a straightforward way to meet network security requirements for almost every major framework.
Assign a specific person (even if it’s part of their role) to be accountable for your compliance posture. They should track regulatory changes, keep documentation updated, and ensure leadership stays informed.

How to stay compliant with cybersecurity regulations

Regulations change, your team grows, and the tools you use evolve. That’s why requires ongoing attention.

Review policies regularly: Conduct quarterly reviews to ensure your documentation reflects how you actually work.
Monitor for exposure: Don’t wait for a breach to find out your credentials leaked. Use tools that monitor the dark web and alert you if your company data appears in a breach.
Conduct internal audits: Test your controls before an auditor does. Find the gaps yourself — it’s always cheaper than having them exposed externally.
Train your team: Policies only work if people follow them. Short, practical training on phishing and data handling keeps security habits sharp.
Use tools that enable good security: Compliance is easier when security is the default. Choose tools that encrypt your business data, give you granular control over access, and flag risks like weak passwords automatically.

Make cybersecurity compliance a part of BAU

Compliance doesn’t have to be a scramble. With the right tools, it becomes part of how your business operates, giving you concrete answers to security questionnaires and audits.

Proton Pass and Proton VPN are built for this. Setup takes minutes, and you don’t need an IT team to manage them.

Proton VPN encrypts all company network traffic and restricts access to approved devices, meeting strict network security requirements.
Proton Pass lets you enforce two-factor authentication, manage credentials securely, and pull activity logs directly from the admin panel for audits. When a new hire joins, you can provision access in clicks; when someone leaves, you revoke it instantly.

You also get to leverage our compliance for yours. When enterprise clients ask about the security of the software you use, you can point to our credentials.

Proton is ISO 27001-certified and SOC 2 Type II-verified, based in Switzerland, and fully open-source. This gives you verifiable, third-party proof that your data is protected by the highest global standards.

Proton for Business gives you the tools you need not just to start your compliance journey, but to maintain it long term.

How to use Google Photos Locked Folder (and a safer alternative)

Elena Constantinescu — Tue, 09 Jun 2026 14:10:53 GMT

Most people have images meant for their eyes only, like snapshots of personal documents or intimate photos they’d rather keep out of the main gallery. These are the kinds of images people would not want to accidentally share with someone else or have exposed to anyone who gains physical access to their phone.

Traditional photo libraries like Google Photos aren’t safe for private photos because they are not built for privacy. They can help protect your pictures from unauthorized access, but that doesn’t necessarily mean your sensitive photos are hidden from the service provider. Because Google Photos is not end-to-end encrypted, Google can technically access and process your photos in accordance with its policies.

The Locked Folder feature in Google Photos can be useful, but it doesn’t change the underlying privacy model of the app. So before relying on it for sensitive images, it’s worth understanding what Locked Folder does, how to use it, and what its privacy limits are.

What is the Google Photos Locked Folder feature?
How to hide photos in the Google Photos Locked Folder
- Managing photos and videos
Limitations
- The privacy cost of backing up Locked Folder photos
A more private way to store sensitive photos

What is the Google Photos Locked Folder feature?

Locked Folder is a Google Photos feature that lets you store selected photos and videos in a separate, protected space on your device. When you add items to this hidden folder, they:

Don’t appear in your photo grid, albums, search results, Memories, or partner sharing
Are hidden from other apps on your device that have access to your regular photo library
Require your device screen lock to view and manage, such as your PIN, password, fingerprint, or face unlock

How to hide photos in the Google Photos Locked Folder

Setting up the Google Photos Locked Folder to hide your photos takes only a few moments:

Open Google Photos.
Tap Collections.

Scroll down, and tap Locked. You will be prompted to open the Locked Folder using your device screen lock option.
Tap Move items.
Select the photos or videos you want to add, and tap Move.

Confirm using your device screen lock option.
- If Locked Folder backup is off, you can turn it on by tapping Manage backup or skip by tapping Continue.
Tap Move to confirm.

To add new items, tap the new photo icon 🖼 on the bottom left. It’s not possible to create subfolders in the Locked Folder feature for organization.

Managing photos and videos in Locked Folder

To return a photo or video to your main Google Photos library, select it in Locked Folder, tap Move, and tap Move again to confirm. The item will leave Locked Folder and reappear in its original position in your photo timeline.

You can also permanently delete items by pressing Delete, and again Delete to confirm.

Limitations of the Locked Folder feature in Google Photos

The Locked Folder feature is useful for keeping private photos out of your main gallery, such as when you hand your phone to someone else and don’t want them scrolling into something sensitive. But it does not create a separate, end-to-end encrypted vault.

End-to-end encryption means your data is encrypted on your device before it reaches a company’s servers, and only you hold the keys to decrypt it. Not even the service provider can read your files. Google Photos does not offer end-to-end encryption for your photo library — so Google retains access to your images — and the Locked Folder tool is governed by the underlying policy of the Google Photos privacy policy.

That matters because Google does not simply store photos passively. Its automated systems can scan content for policy violations, and mistakes can have serious consequences.

In one widely reported case, a father in California took medical photos of his toddler at a doctor’s request and sent them to the healthcare provider. Because the photos were also backed up to his Google account, Google’s systems flagged them as potential CSAM, reported him to law enforcement, and terminated his account. Police cleared him of wrongdoing, but Google still refused to restore the account, leaving him without access to years of emails, photos, purchase history, and other data.

The privacy cost of backing up Locked Folder photos

By default, items you move to the Google Locked Folder only exist on your local device. If you don’t turn on backup, you could lose your photos if your device is damaged or lost.

On the other hand, backing up your Locked Folder photos means keeping them stored on Google’s servers and giving the company broad access to your sensitive content that you don’t feel comfortable sharing with anyone else.

That leaves you stuck between two bad options:

Keep photos on your local device only and risk losing them, or
Back them up to Google Photos and accept they may be scanned by Google’s automated systems and reviewed by humans if an algorithm flags something, even by mistake.

If neither option sits right with you, there’s a better, safer way to store sensitive photos without risking that your cloud storage provider can take a sneak peek.

A more private way to store sensitive photos

If you want to safely store sensitive photos long-term, use Proton Drive. While Proton Drive does not have a direct equivalent to Google Photos’ Locked Folder, it approaches photo privacy differently by protecting your photos with end-to-end encryption so no one can see them except you and the people you choose to share them with — not even us.

You can enable automatic photo backup on your phone to keep them synced across your devices, browse photos in a timeline, organize them into albums, mark favorites, filter by media type, and securely share individual photos or full albums with passwords and expiration dates. Shared links can be easily revoked anytime.

Unlike Google Photos and Google Drive, Proton Drive is transparent when it comes to your data: All Drive apps are open source and independently audited, which means anyone can verify our security. We never scan your files or photo library, show ads, use your photos for AI or product improvement, or share your information with anyone.

When you’re ready to move on from Google Photos, you can easily migrate your memories to Proton Drive. And when you’re ready to deGoogle more broadly, you can take the next steps toward a privacy-first ecosystem built to protect your data rather than exploit it.

Top 7 internal communication tools for companies

Alanna Alexander — Tue, 09 Jun 2026 13:19:20 GMT

Every internal communication tool was built simply to host workplace conversations. They do far more than that today.

Platforms like Slack, Microsoft Teams, and Zoom have become the vaults for a company’s most valuable intellectual property, retaining critical decisions, sensitive documents, and proprietary data.

The problem is that all this valuable data is often protected only by basic encryption — a security measure that leaves the door wide open for providers, third parties, and even AI models to access it.

This guide explores the top seven internal communication tools available in 2026, weighing their functionality against their privacy practices.

What are internal communication tools?

Internal communication tools are software platforms designed to facilitate real-time interaction and information sharing within an organization.

They were designed to solve a specific friction point: the latency of poorly designed email platforms. A quick answer from a colleague would require hours of waiting and valuable ideas would get lost in a thread of replies.

Businesses adopted internal communication tools with the hope that it would break down silos, enabling real-time collaboration across departments and time zones. It did. It’s now become the digital water cooler and the virtual conference room.

Teams now use internal communication tools to make hiring decisions, finalize product roadmaps, store legal contracts, and conduct sensitive client negotiations — high stakes for a tool designed to facilitate the exchange of information, not secure it.

Why modern communication stacks are actually failing businesses

Fast and convenient internal communication often comes at a cost. Because many modern communication tools are built to prioritize speed and scale over security, they rely on basic encryption that doesn’t adequately protect your data.

This means providers can access your messages, calls, and files which can be shared, leaked, or sold to advertisers. In some cases, they’re even used to train AI models.

This creates real business risks. These range from compliance violations to data exposure in a breach. Together, these risks make it even more important to choose the right internal communication tool. In addition to affordability and convenience, you should prioritize security.

What to look for in an internal communication tool

Internal communication software is essential to keeping teams aligned. When choosing a secure internal communication tool, look for:

End-to-end encryption

Most tools encrypt data in transit, but that’s not enough. End-to-end encryption ensures that only participants can access the content of your communications — not the provider, third parties, or AI models.

Data minimization

Every tool collects some data to function. The question is how much, and what happens to it. Look for tools that collect only what’s necessary and don’t share or monetize your data.

Open source transparency

If a provider publishes its code as open source, anyone can verify its security claims. Look for independent audits and clear privacy policies that explain exactly how your data is handled.

The 7 best internal communication tools

There’s no one-size-fits-all internal communication tool. The right one depends on your business needs, your existing software, and how you handle sensitive information.

Here are seven of the best options you can find today.

Proton Meet

Best for: Private and secure business meetings

Proton Meet combines the familiarity of video conferencing software with a privacy-first, web-based design. End-to-end encryption is enabled by default, so meetings remain confidential and only accessible to participants, not even Proton can access them.

If your business is concerned about compliance and data exposure, Proton Meet offers additional protection through Swiss privacy laws. There’s no ad-based business model, which means there’s no incentive to collect or monetize user data.

Proton Meet includes all the video conferencing features you’ve come to expect — chat messaging, screen sharing, blurred backgrounds, noise reduction filters, and more. All in a single secure video conferencing tool, a part of a suite that helps you stay GDPR- and HIPAA-compliant.

Strengths:

End-to-end encrypted by default
Zero-knowledge architecture (your data is encrypted so only you can access it, not Proton)
Guests can join calls without a Proton account
Part of Proton’s privacy-first suite

Keep in mind:

Fewer integrations available
Free plan limited to one-hour calls and 50 participants

Proton Mail

Best for: Secure email communication

Proton Mail is how emails should be — private by default. Email remains the backbone of business communication and should be appropriately protected. Unlike other email providers, Proton Mail is end-to-end encrypted by default. Your emails are fully secured whether in transit or at rest; only you and your intended recipient can read them.

End-to-end encryption also ensures your emails can never be scanned, shared with third parties, or used to train AI. This ad-free business model means Proton does not benefit from your data.

Strengths:

End-to-end encrypted by default
Zero-knowledge architecture (your data is encrypted so only you can access it)
Data is protected by Swiss privacy laws
Part of the Proton ecosystem

Keep in mind:

Emails to non-Proton recipients aren’t end-to-end encrypted unless password-protected
Fewer native integrations than Gmail or Outlook

Slack

Best for: Instant messaging and app integration

Slack is the iMessage of the enterprise world. Slack simplifies workplace discussions; instead of drawn-out email threads, conversations happen in organized channels sorted by team, project, or however you choose.

Slack features an extensive integration library that lets you connect to popular enterprise software, such as Jira and Google Calendar. These integrations turn Slack from a chat tool into a central hub for notifications and workflows. Additionally, Slack allows you to hold video and voice calls, making it a versatile communication tool.

Slack has come under scrutiny for privacy concerns — from allowing admins to read employee messages to the sharing of identifiable information with advertisers. Depending on your location, you may not be able to opt out of this data sharing.

Strengths:

Extensive app integration library
Organized channels for teams and projects
Supports chat, voice, and video functionality

Keep in mind:

Admins can read employee messages
Your data is shared with advertisers
Opt-out options vary by jurisdiction

Microsoft Teams

Best for: Microsoft-reliant organizations

Microsoft Teams is the obvious choice for businesses that rely on Microsoft services. Its deep integration with the Microsoft ecosystem enables many quality-of-life conveniences, such as real-time document collaboration within the app and an automatic Outlook sync. It scales well too, Teams can handle everything from small-group chats to company-wide town halls.

However, Microsoft’s privacy practices have long faced criticism. Concerns range from auto-enabling features that collect user data to bossware features such as location tracking and the volume of data they collect.

Strengths:

Part of Microsoft 365
Scales from small teams to large organizations
Seamless integration with Microsoft software

Keep in mind:

Auto-enabled features may collect user data
Includes location tracking capabilities
Significant data collection across Microsoft products

Connecteam

Best for: Deskless teams

Connecteam is designed for teams that don’t work in corporate environments, such as retail and healthcare. The app-based design combines chat, announcements, and employee directory in one place, making it seamless for cross-team communication. It includes operation-centric features such as scheduling, time tracking, and task management to make it easy to manage a distributed, deskless team.

Some features of Connecteam can raise privacy concerns for your team. The app collects extensive data, including location data, that is shared with employers and may also be used for targeted ads. However, Connecteam assures that it handles data in compliance with regulations such as GDPR and HIPAA. It is also ISO 27001 and SOC 2 certified.

Strengths:

Mobile-first design for field teams
Includes scheduling and time tracking
Bridges communication between corporate and frontline workers

Keep in mind:

Collects extensive data, including location data
Data shared with employers and potentially advertisers
May raise privacy concerns for your team

Haiilo

Best for: Employee engagement

Haiilo is an internal communication tool focused on employee engagement. It functions like a private social network for your organization. It is built to foster company culture and streamline communication, and allows your employees to share content on their personal social networks. As an internal communications tool, it is more specialized than the other options on the list.

Haiilo is geared towards large enterprises with large workforces. It may be more than you need for smaller organizations. The platform collects data on behalf of employers, who control how it is used. This means you are responsible for how employee data is handled, and employees may not have opt-out rights.

Strengths:

Designed specifically for employee engagement
Centralized hub for company updates
Encourages employee advocacy

Keep in mind:

Better suited for large enterprises
You control employee data
Employees may have limited opt-out rights depending on your setup

Proton Workspace

Proton Workspace Best for: Organizations that need a secure, compliant alternative to Google Workspace or Microsoft 365

Proton Workspace is a fully encrypted productivity suite that replaces the tools your team already uses — email, calendar, file storage, documents, spreadsheets, and video meetings — without the data exposure that comes with mainstream platforms. End-to-end encryption is built into every product, meaning your data is protected in transit, at rest, and from the platform itself.

For compliance-driven organizations, Proton Workspace offers a defensible answer to auditors: zero-knowledge architecture means no one — including Proton — can access your data. Swiss jurisdiction puts it beyond the reach of FISA court orders and the CLOUD Act. Workspace Premium includes Lumo, a privacy-first AI assistant that doesn’t use your data for model training.

Migration from Google Workspace, Outlook, or other providers is handled through Easy Switch, with no engineering resources required.

Strengths:

End-to-end encrypted across every product
Zero-knowledge architecture — your data is inaccessible even to Proton
Swiss jurisdiction, outside US legal reach
ISO 27001 and SOC 2 certified; GDPR and HIPAA compliant
Open-source code, independently audited
Lumo AI assistant included in Premium (data never used for training)

Keep in mind:

Fewer third-party integrations than Google Workspace or Microsoft 365
Lumo is available on Workspace Premium only
Teams migrating complex workflows may need adjustment time

Keep your business communications private

The right internal communication tool depends on how your team works, but privacy shouldn’t be a tradeoff. Look for team collaboration tools that offer end-to-end encryption by default.

Frequently asked questions

How do I choose the best internal communication tool for my business?

Consider your business’s needs, such as your team’s distribution and the type of communication they rely on most.

Next, evaluate how the choices integrate with your existing software, or if they’re part of a suite that is easy to migrate to.

Lastly, consider the platform’s security. Business communications are highly sensitive, and you should choose a tool with robust privacy protections.

Is internal communication software secure?

Not all of them are. Many platforms collect user data and use basic encryption that keeps the providers in control of your data.

Third-party integration (such as with AI assistants and note-takers) also creates additional security concerns as each app operates under its own privacy policy.

Security should be a priority when choosing business communication software. Choose tools like Proton Meet and Proton Mail that protect your data with end-to-end encryption by default, ensuring your communications and data are accessible only to intended recipients.

Can internal communication tools replace email?

Not entirely. Email itself is an internal communication tool. Other tools, such as instant messaging and video conferencing software, complement email communication, enabling quick collaboration and coordination among teams. However, email is still essential for external correspondence and formal communications.

Introducing Proton Drive CLI: Use Drive from your terminal

Michal Hořejšek — Tue, 09 Jun 2026 11:53:13 GMT

Last week, we finished launching the Proton Drive SDK, a shared engine designed to harmonize Proton Drive across all platforms and to bring you the features you need faster. Today, we’re taking the next step: Proton Drive CLI is here, available for Windows, macOS, and Linux.

The CLI brings the power of our cloud storage and end-to-end encryption to scripts, backups, and deployment pipelines without the hassle of writing code. It’s built on the same Proton Drive SDK that powers our official Proton Drive client applications, and is fully interoperable with them.

For our developer community: While we are developing our fully-featured Linux app, the CLI already allows you to script a lot of Proton Drive’s key features from your favorite scripting environments (or even schedule jobs with cron). The CLI is intended to complement the Proton Drive application. It’s not a full replacement — for example, only the applications include a full synchronization engine that runs in the background — but rather a way to achieve many goals from a lightweight scripting environment.

What is the CLI?

A command-line interface (CLI) is a program you run from a shell, such as Terminal, PowerShell, or SSH. You pass a command and arguments, it does the job, and exits. Like other Unix command-line tools, you can pipe and script the Proton Drive CLI together with other tools into larger workflows.

The Proton Drive CLI is a single binary you can drop into that world. It supports common Drive operations such as listing folders, uploading and downloading files, trash, sharing, or invitations. Results are displayed in plain, readable text by default — and if you’re building automation on top, you can switch to a machine-friendly format using the --json (or -j) parameter.

How does Proton Drive CLI help?

Until now, using Proton Drive as part of an automated workflow — alongside tools like deployment scripts, backup jobs, cron, or internal runbooks — meant either doing it manually (like opening the app or dragging files) or reverse-engineering Drive’s internals to write custom scripts that were brittle and hard to maintain. The CLI changes that by allowing you to run Proton Drive operations directly from the terminal. It can, for example, upload files after a build finishes, back up a folder on a schedule, invite a reviewer, or check what’s been shared.

This is especially useful when you need a specific action to happen at a specific time, rather than keeping folders continuously in sync, such as publishing files after a release, taking a snapshot of a shared folder before an audit, or revoking access when someone offboards. The CLI runs the operation, tells you if it worked, and exits.

It’s a natural fit for anyone who already works in the terminal and for teams who want their Drive workflows written down as repeatable commands rather than a series of clicks to remember.

Get started with Proton Drive CLI

At launch, the CLI covers the essentials: sign in and out, browse and manage files and folders (including trash), and handle sharing and invitations.

A few typical flows:

proton-drive auth login

# Upload files from local directory to folder in My files
proton-drive filesystem upload ./reports/* /my-files/Reports --conflict-strategy skip

# See who has access, then invite a colleague
proton-drive sharing status /my-files/Reports
proton-drive sharing invite --user example@pm.me --role editor --message "Please review reports" /my-files/Reports

# Download to a local backup directory
proton-drive filesystem download /my-files/Reports ./backups

For the full command set and flags, run proton-drive help or proton-drive <command> --help. For example, proton-drive filesystem upload --help.

Find out more about using the Proton Drive CLI.

What comes next

Upcoming additions to the Proton Drive CLI include support for:

Photos and albums
Files and folders shared using a secure, public link
Multi-account support for larger teams and managed service providers

Our long-term goal is to bring everything you can do in the Proton Drive app to the command line.

Download Proton Drive CLI

The fastest way to get started is to download the pre-built binaries for your platform:

Download Proton Drive CLI

On macOS and Linux, you’ll need to make the file executable after downloading (chmod +x proton-drive). Once that’s done, run proton-drive version to confirm the build.

Sign-in happens through your browser — no password on the command line. Your sessions are stored securely by your operating system (Windows Credential Manager, macOS Keychain, or libsecret on Linux).

Build from source

Prefer to build from source? The CLI is implemented in TypeScript, packaged with Bun, and available for download in the Drive SDK repository. After cloning it, you can install the dependencies and build the CLI from the main directory:

cd js/cli
bun install
bun run build
./release/proton-drive auth login
./release/proton-drive filesystem list /my-files

See the CLI README in the repository for more details.

Fair use and rate limits

Proton Drive CLI follows the same fair use policies as all Proton Drive clients. To stay within limits, only upload or download what has actually changed — don’t reupload the same files repeatedly or rewrite entire folders when only a few files are new. Accounts that generate unusually high traffic are temporarily throttled to protect the service for everyone.

Now in your terminal, with the same level of privacy

Proton Drive CLI is available today, and more features will soon follow. Everything you do through the terminal is protected by the same end-to-end encryption as the rest of Proton Drive. Download it, try it, and let us know what you build. And if you’re on Linux: a full-featured desktop client with sync is on its way.

What to look for in an AI assistant

Alanna Alexander — Mon, 08 Jun 2026 18:37:16 GMT

AI assistants have promised what most businesses lack: Efficiency without any additional cost.

They can summarize your emails, respond on your behalf, decide which messages need decisions, automate calendar events, extract information from your documents, and even organize them.

For a founder or executive at a small or medium-sized business, where needs outpace resources, it can feel like a wish granted just in time. All it asks of you is absolutely everything — access to your inbox, calendar, files, and even confidential business information.

As much as 69% of firms are already using AI assistants like ChatGPT, Claude, and Grammarly — but 30% are unsure or don’t trust AI companies to safeguard their proprietary business data.

The trade off isn’t obvious at first. But what SMBs get in efficiency, they pay for in security.

The price of efficiency

When you connect your Gmail, Google Drive, or calendar to a tool such as Perplexity’s Comet, you’re granting it OAuth permissions — often beyond ‘view’ access. Depending on the scopes requested, the tool may be able to download contacts, control your entire calendar, and even write emails on your behalf.

These permissions are technically disclosed during the authorization flow, but most users don’t fully evaluate what they mean in practice. Once granted, the tool can access and process sensitive company data at scale.

The same pattern applies to other AI assistance workflows. Indexing internal knowledge bases, summarizing proprietary documents, or contextualizing company data, they all expand your exposure.

When you don’t know what access you’ve granted, you can’t accurately assess the risk you’ve introduced.

How much AI assistants and browsers can see

You know AI browsers like Perplexity’s Comet or ChatGPT’s Atlas can read the page you’re on, summarize it, and rewrite text. But did you know it can act on your behalf?

Because the efficiency depends on deep integration, the assistant needs visibility into your browsing activity and may request access to connected accounts. In some cases, it can trigger actions rather than simply generate text.

This is the architecture of AI agents more broadly. They’re designed to act across connected systems. A single compromised or manipulated agent can move through your email, calendar, files, and credentials in sequence.

That’s a consequence of how these tools are built. It creates a surface that researchers are already finding ways to exploit.

Security researchers have already demonstrated how hidden instructions embedded in web content can manipulate these systems in unintended ways.

One recent exploit, “CometJacking,” demonstrated how instructions embedded in URLs could manipulate the AI into accessing personal or company data or executing harmful actions without the user’s knowledge.

Vendors respond quickly with patches and safeguards. In this case, Perplexity responded with a four-layer safeguarding approach. But the pattern highlights something more fundamental: These tools are designed to interpret and act.

Even Perplexity states in their Privacy Policy: “No security measures are impenetrable, and we cannot guarantee ‘perfect security’”. The question isn’t whether a tool is secure now. It’s whether you’re comfortable with how much access it requires.

Where the burden of privacy lies

AI vendors emphasize privacy controls and opt-outs. Perplexity’s Comet Assistant, for instance, assures users that “Comet Assistant puts you in control”.

But those controls assume something incorrectly: that users understand how their data is processed, actively configure the relevant settings, and monitor how policies evolve over time.

In practice, most don’t. According to Proton’s 2026 SMB Cybersecurity Report, 43% of SMBs say they can’t independently verify provider privacy, and 35% don’t understand how providers handle their data at all.

Some information may be excluded from model training. Other data may be retained to improve personalization. Policies can differ across features and change as products develop. Turning off certain functions may limit the very capabilities that make the tool attractive in the first place.

In that environment, privacy is no longer a static product promise. It becomes an ongoing operational responsibility.

The burden shifts to you, the user. You must decide what data can be shared, to monitor policy updates, to configure settings appropriately, and to reassess risk as the product evolves.

This page collects practical guides and explainers on AI privacy and security, so you know exactly what you’re working with.

Features of a private AI assistant or AI-powered browser

Your team should be able to use an AI assistant without concern that every interaction is being stored, profiled, or used to train the next version of the model.

No data logging. By default. Your team should be able to use an AI assistant or agent without concern that every interaction is being stored, profiled, or monetized. If a tool builds “memories” or “preferences,” you should ask: Who controls this data? Is it truly off by default, or is it buried in settings? And if I turn it off, what product capabilities do I lose?
No model training on your business information. Business documents, partners’ information, reports, or plans should never be used for AI model training. This is not only a fairness concern but also a security matter, as the data can resurface in incidents you cannot control.
Real transparency. Transparency builds trust, but only if it’s real. This means that you should be able to understand, at every step, how your data is handled and what principles guide the product. If you need to spend two hours parsing Terms & Conditions that contradict your actual experience with the tool, that’s not transparency. It’s just a tagline.
Zero-access encryption. With zero-access encryption, your data is protected by keys that only you control—not even the provider can read it. This removes the need to trust policies or promises because the architecture makes misuse technically impossible.

Most AI tools extract value from the businesses that use them. Your conversations, documents, and files feed model training, audience profiling, and in some cases government data requests — typically without meaningful disclosure or consent. Not Lumo.

Lumo is the AI assistant built for businesses that refuse afford to hand over their data for convenience. Zero-access encryption, no data logging, no model training on your business information.

Try Lumo for free

Why business data security is a growth issue, not just a tech problem

Alanna Alexander — Mon, 08 Jun 2026 12:27:32 GMT

No business owner wants their company to become the cautionary tale LinkedIn influencers post about.

But anyone with entrepreneurship experience will know that every part of your business demands attention in the first 100 days. Everything from product development, marketing, fundraising, to hiring is a fire to put out.

That’s why business data security becomes an afterthought, only getting attention when something goes so wrong you can’t ignore it.

That could be a breach that exposes sensitive client data, a ransomware attack that stops every area of operations, or a compliance failure that only comes to light during a pre-investment security audit.

Those events aren’t tech problems. They’re growth problems that affect whether customers trust you, whether deals close, and whether you can scale without rebuilding everything from scratch. And it all comes down to business data security.

What is business data security?

Business data security is how your company controls what data it holds, where it lives, who can access it, and what happens if something goes wrong.

In practice, that means choosing the right tools to store and share your business data, deciding policies to govern who has access to what, and setting defaults for how every team handles sensitive data.

Keep reading to learn why building security into the foundations of your business helps it grow faster.

Should business data security be a part of your growth infrastructure? Key factors to consider

The way you handle data early determines your ability to grow later.

It affects three concrete things — whether customers trust you, whether you can win and close enterprise deals, and whether you can scale without stopping to untangle early mistakes.

Trust

Security is now a selling point. Whether you’re selling to enterprises or consumers, trust is what wins and keeps customers.

Businesses want clear answers about how you handle data before they sign anything. That transparency builds confidence and assures potential clients their data will remain safe in your hands.

Consumers want to know their personal data isn’t being mishandled. A public breach tells them otherwise.

Compliance

SOC 2, GDPR, and HIPAA are often prerequisites for enterprise and government contracts. Those certifications determine who you can sell to and how quickly deals close.

When your security posture is documented and auditable, you spend less time answering due diligence questionnaires and more time closing.

Momentum

Early security shortcuts are just points of friction that you’ve deferred. When enterprise or government contracts ask about data access levels during due diligence, those shortcuts surface as a tangled web of unclear permissions that slow everything down at exactly the wrong moment.

The risk of patchwork security

Four in five small businesses have suffered a recent data breach, and a single incident can cost over $1 million.

These cybersecurity threats are common and expensive. Yet, many startups rely on default security settings from a patchwork of solutions.

A default browser password vault in place of a dedicated password manager, a free-tier cloud storage account cobbled together with a second when the first runs out of space, and a consumer messaging app the team already has on their phones. Each tool is technically in place, but none are configured to meet your business’s actual security needs.

That fragmentation has real consequences. You might see it in the onboarding/offboarding process, when access has to be granted or revoked manually across every tool, leaving dozens of former employee with an active login to your cloud storage.

Patchwork security also means no one has a complete picture of who has access to what. Gaps don’t announce themselves. They hide in the spaces between tools until something goes wrong.

Establishing secure defaults reveal security gaps. When there’s a standard for how data is stored, shared, and accessed, anything outside that standard stands out, like unusual access requests or unexpected 2FA requests. Without defaults, nothing looks unusual, so security gaps hide in plain sight.

Where do you start with business data security?

It’s impossible to solve every security problem on day one. Instead, build a strong foundation that covers how data moves, where it lives, and who can access it.

Secure your business email

Businesses live on email, so make sure you choose an encrypted email solution. End-to-end encryption protects your emails from unauthorized access, rendering their content unreadable to snoops. This is important protection, as unsecured email leaves sensitive communication exposed.

Store data in encrypted cloud storage

Your intellectual property, customer data, and financial documents all need secure storage. Choose encrypted cloud storage with built-in granular access controls to ensure only the right people can access sensitive data.

Control identity and access

Ensure that every team member has individual credentials, not shared accounts, and that they use a password manager. This way, you can control access levels to match their roles, so you don’t have to default to admin permissions for everyone. Equally important, ensure access is completely revoked when an employee leaves.

Make business data security your growth advantage

Proton for Business is the simple way to build a strong security foundation for your business.

With encrypted email, cloud storage, VPN, and a password manager in one secure, compliance-ready suite. It’s how over 50,000 businesses have built their security baseline without adding complexity. Get started for free.

Does sharenting put kids at risk?

Kate Menzies — Fri, 05 Jun 2026 15:42:07 GMT

Children face all kinds of threats online, from harassment or blackmail on social media to education tools that surveil them. These harms are caused by bullies, criminals, and Big Tech companies, but one of the biggest threats comes from the unlikeliest source: their parents.

“Sharenting” describes the intersection of our digital and family lives. It’s natural to want to celebrate your children and share updates about them, but once you share a photo, you lose control of who can access it and what they can do with it — especially if you share it on social media.

The potential ramifications of sharenting have grown increasingly dire thanks to advancements in AI and photo generation. Previously, the worst outcomes of sharenting could be strangers seeing your photos or Big Tech using them to target you with ads. But today the risks are much higher: It only takes a few images to create believable deepfakes that could be used for identity theft or worse.

What is sharenting?

Sharenting is a portmanteau of “sharing” and “parenting”. It refers to sharing pictures or videos of your child or other personal information online. When you post a photo or share an update on social media, you’re doing it because you’re proud of them and you want to involve your friends and family in your life. But you’re building a digital footprint for your child before they can consent, which can have real consequences. Sharenting could look like:

Posting pictures of your child and other children at a school event on your Instagram or Snapchat.
Sharing a picture of your child on your personal website or blog.
Writing a blog post about your child’s important milestones, such as moving schools, joining a new club, or becoming a teenager.

These are good intentions, but sharing online comes with inherent risks. When you make these decisions for yourself, you take on the risk. But when you share your children’s data, whether it’s their face or personal stories, you’re making decisions for them that they might not have chosen for themselves and can lead to serious consequences. To understand how sharenting can affect children, we need to understand the risks it poses.

Threats to children online are increasing

Unfortunately, the internet is becoming more hostile to children as unregulated services give bad actors access to powerful AI tools. X’s chatbot Grok has come under fire for allowing users to generate pornographic deepfake images of women and children. A paywall was put in place after image generation spiked, suggesting that X was more interested in monetizing the problem than fixing it.

Backlash surged globally: Malaysia and Indonesia temporarily blocked access to the platform. In the UK, the privacy watchdog Ofcom opened an inquiry into X over the deepfakes. The cybercrime unit in Paris raided X’s French office, summoning Elon Musk for questioning.

Since this backlash began, a class action lawsuit has been launched by four anonymous women against X who allegedly had deepfake nudes generated of them using Grok. xAI has insisted that the plaintiffs be stripped of their anonymity as there is a “public interest in their identities”, despite the very real risks of doxing and harassment. Instead of being protected, the victims of these deepfakes are put on trial.

What can we do about these hostile platforms? Removing children’s access to social media is being touted as a popular solution for combating online exploitation. Australia has already banned children under the age of 16 from accessing social media apps, and the UK is looking to do the same. This may feel like a solution that protects children, but ultimately children are incredibly adept when it comes to illicitly gaining access to websites and apps. It also doesn’t prevent bad actors from seeking out contact with children.

Now that it’s so easy to misuse pictures and personal data, are we taking the risks of sharenting seriously enough?

What are the risks of sharenting?

You can’t control where pictures and information end up after you post them on social media, a blog, or a website. Once you put the data on a third-party platform, a number of bad things can happen:

Data brokers and Big Tech surveillance

The classic risk of online sharing is that anyone can find your data. This is bad enough for adults; it’s worse for children. Because they’re still learning how to make the kind of complex judgments that adults can about technology, children are vulnerable to online exploitation. Making accounts online to talk to their friends or research their interests are innocent actions that can lead to data leaks and targeted ads that follow children around the internet. This can even apply to the ed tech they’re encouraged to use at school.

Things as commonplace as privacy policies and cookies aren’t things that children intuitively understand. They may click ‘agree’ or ‘share’ without understanding the consequences. Just one click can grant hundreds of third parties legitimate interest in their online activity and their data.

Child identity theft

Child identity theft has risen as well-meaning parents, relatives, and friends share information about children online. Even details that feel insignificant can be used over time to build a profile of a child and create accounts in their names, phish for further information, or cyberbully them.

A stranger operating a social media account in your child’s name can be disturbing, but there are more insidious risks when it comes to personal data. If your child’s home address or SSN is compromised, criminals could apply for loans, open bank accounts, and even max out credit cards in their name. Giving your child a good start in life means protecting their personal data until they’re old enough to protect it themselves. As a parent, this means protecting their face, name, address, school, medical information, and any other personal information.

Cyberattacks

Just like adults, children can be targeted by phishing scams, affected by data breaches, and vulnerable to social engineering without the right education. Taking the time to explain what personal data is and who you should share it with is essential when children begin to use the internet.

Deepfakes and CSAM

It only takes a few shared birthday photos to create convincing deepfakes. Deepfakes are manipulated images and videos in which a person’s likeness is used to make it look like they’re saying or doing things that never happened. Once created, deepfakes can be circulated on the internet without your or your child’s consent.The risks of deepfakes range from spreading misinformation to cyberbullying to creating sexually explicit content.

The Internet Watch Foundation has released several reports identifying the rise of AI-generated child sexual abuse material. Creating this material is possible using image generation tools as well as “nudify” apps. These apps take existing pictures of adults or children and use them to digitally create nude images. The legality of nudify apps is questionable, as many countries have intimate abuse image laws in place, but they remain largely accessible online. Many countries and companies are beginning to combat them, with Australia aiming to ban them entirely, and Meta filing a lawsuit against the entity behind a popular nudify app.

As AI models and generative AI tools become more powerful, it’s going to become easier to create even more convincing images and videos of children. According to research from McAfee, 19% of targeted children have faced deepfake and nudify app misuse, with 38% of girls aged 13-15 affected.

Sextortion and blackmail

A knock-on effect of the easy creation of deepfake nudes is the potential for sextortion. As the initial deepfakes have already been generated, children may be scared that their parents will punish the. Children can be blackmailed or extorted using deepfakes, and exploited to engage in further acts or conversations.

It isn’t just children who can be targeted. The Internet Watch Foundation has warned that cybercriminals are contacting schools with deepfaked CSAM of pupils, demanding money to prevent them from being leaked. Schools in the UK have been recommended to blur the faces of pupils wherever possible for safeguarding purposes.

Cyberbullying

Bullying is a phenomena that has evolved significantly as technology has advanced. As children begin to learn about social and physical power, shaped by the people and media around them, they may use technology to target other children. Deepfakes can be used as a form of online harassment amongst students: This particularly affects young girls, but all young children can be targeted and a sense of stigma may prevent them from telling an adult.

Not only can this cause significant distress to young children, it can impact their future lives negatively. If those deepfakes are uploaded to the internet, they may remain attached to that person’s digital identity indefinitely. Nudify apps effectively endorse this behavior, making it seem like a fun trick or a prank for children to play on each other.

How to have a conversation about sharenting

You are the best advocate for your child’s safety, and you are best placed to give your child a healthy relationship with the internet and online sharing. By talking with your children and your friends and/or family, you can help ensure your child avoids having their identity stolen or abused.

Older children can also be their own advocates. They should talk to their parents if they think too much of their information is being shared.

With your kids

The easiest way to respect your children’s wishes is to simply ask them what they’re comfortable with. Until your children are old enough to consent, it’s best to only share photos using encrypted communications services or encrypted drives.

Letting your children know they have agency and autonomy helps them create healthy boundaries in both real life and online. It lets them decide what they’re comfortable letting other people knowing about them — the foundation of privacy. Given that you’ll likely be the one to introduce your child to the internet, it’s up to you to show them exactly how much control they have and what the potential risks are.

The National Crime Agency’s CEOP Education website has activity worksheets aimed to help you start conversations about topics including sharing photos, social media, live streaming, and cybersecurity. The topics they recommend discussing with your children about sharing photos are:

What does your child share online, and what is OK and isn’t OK to share
Who your child shares with, and whether their online accounts public or private
Understanding privacy settings and exploring the privacy settings for their favorite apps together
Helping them understand that if they regret sharing an image, they can get help removing it from services such as Report Remove in the UK or Take It Down (which is available globally). They can also request that the image be removed from platforms such as Google, Facebook, Instagram, or Snapchat.

To help your children learn, you can also play a digital interactive story about online sharing with your child, where you’ll read scenarios and decide which actions the character should take together. When it comes to educating your children as they create their own online accounts, Internet Matters provides extensive parental controls and privacy settings guides for social media accounts. Proton’s YouTube, Tiktok and Instagram channels also post short educational videos about internet privacy, news stories, and more.

With friends and family

Having a conversation about sharing images or information about your children can be complicated. Not all parents feel the same way about their children’s digital lives, and they may be unaware of the risks. If you’ve decided you’d like to ask a friend or a family member not to share information about your child online, you can send a request via text message or email, or you could have a one-on-one conversation with them. Consider using one of the following points as a jumping-off point for your own conversations:

We’ve decided not to upload any pictures showing our child’s face to protect their privacy. We’ll be using emojis to obscure their face until they’re old enough to decide if they’d like to show their face on social media, and we’re asking our friends and family to do the same.
Our child has requested that we ask them before anyone posts a picture of them online. We will be respecting their boundaries and ask that you do the same in the future.
We’re concerned about some of the risks of posting information about our child online, and we think it would be helpful to have a conversation about it so that you can make that decision for your child too.

With your parents

If you’re a child and you’re upset by what your parents post about you online, you have a right to ask them to stop. Whether it’s a picture you don’t like or information you’d prefer remain private, your face and your identity belong solely to you. Your parents are your caretakers, and they may think they’re making harmless decisions.

This is a very common experience for children in today’s online world. Apple Martin, 14-year-old daughter of Gwyneth Paltrow, criticized her mother for not respecting her boundaries after Paltrow posted a photo of them skiing together on her Instagram. Martin replied on the post, “Mom we have discussed this. You may not post anything without my consent.” Any child should have the right to decide how and if they appear on the internet. The UN Convention on the Rights of the Child even specifies children’s right to express themselves, with their views “being given due weight in accordance with the age and maturity of the child”.

If you don’t like the way your parents are sharing information about or pictures of you, you can explain this to them using some of the following points:

I’m worried about the digital footprint you’re creating for me. When I’m an adult, the things you post about me will follow me, and I want to have a choice about what the internet knows about me.
I don’t like that you share information about me without asking me first. Can we have a conversation about what is and isn’t OK to tell people about me?
I find the things you share about me embarrassing, and you need to respect my privacy. My life belongs to me, and I want to decide who knows what about me.

How to share responsibly

Fortunately, there are steps you can take to keep friends and family members updated about your family without putting your kids’ privacy at risk. Here’s a quick recap of how you can protect your child’s privacy and share updates with friends and family.

Ask first. If your child can consent, let them.
Limit public sharing. Use encrypted services over public platforms.
Talk to your circle. Set boundaries with friends and family about what’s OK to post.
Identify the risks. Explain that theft and deepfake exploitation are real threats.
Educate early. Teach kids what personal data is — and how to protect it.

Share safely

Instead of relying on social media to share updates about your children, consider moving to an encrypted drive shared with friends and family whom you trust. You can talk with your children about what you share, and effectively create a secure, digital photo album that your child is happy to be a part of. That way, when it comes time for your child to become an online citizen, they’re starting with the privacy and the education they need to make the most of their digital world. Proton Drive can help you create that secure place for your precious memories without compromising your child’s online safety or their future digital footprint.

As Stacey B. Steinberg, a prominent online voice about the legal and ethical concerns surrounding sharenting, puts it in her article: “By approaching a child’s right to online privacy in a child-centered manner, future generations will be able to enter adulthood unburdened by others’ decisions and free to define themselves on their own terms.” Privacy is for everyone, and that must include children.