2025 Verizon DBIR by the Numbers: How Small Businesses Actually Get Compromised

The 2025 Verizon DBIR — the annual Data Breach Investigations Report — is one of the most cited documents in cybersecurity and one of the least read by the people who need it most. Business owners hear that “breaches are up” or that “ransomware is everywhere,” but the actual numbers tell a far more specific and actionable story. This post cuts the vendor spin and translates the most decision-relevant statistics directly for the person running a small or mid-sized business. If you want to know where your real exposure is and which controls the data actually supports, start here.

Table of Contents

  1. The Threat Landscape: What the Annual Report Actually Measured
  2. The Attack Vectors Dominating SMB Breaches
  3. Who Gets Hit: The SMB Reality
  4. Real-World Patterns the Data Describes
  5. Defense Posture: What the Data Supports Most Strongly
  6. What to Ask Your IT Firm Right Now
  7. The Bottom Line From the Data

The Threat Landscape: What the Annual Report Actually Measured

Verizon’s Data Breach Investigations Report is built on real incident data — not surveys, not vendor telemetry with a commercial interest attached. The 2025 edition analyzed over 22,000 security incidents, of which more than 12,000 were confirmed data breaches. Contributors include law enforcement agencies, national computer emergency response teams, and dozens of private-sector security firms across 139 countries. That scope makes it the closest thing the industry has to a ground-truth census of how organizations actually get compromised.

The report segments data by organization size, industry, and region. For small and mid-sized businesses specifically, the picture is both clarifying and sobering. The attack patterns targeting smaller organizations are not the same as those hitting large enterprises. The tools are simpler. The entry points are more predictable. And the defenses that work are not as complicated or as expensive as most vendors would have you believe.

Three numbers from this year’s edition frame everything else in this analysis: 68% of breaches involved a non-malicious human element (errors, misuse, or social engineering); credentials remain the most stolen data type year over year; and the median time to detect a breach inside a small organization is measured in weeks, not hours. Each of those numbers points to a specific control gap. We work through each one below.

Key findings from the annual Verizon Data Breach Investigations Report relevant to small and mid-sized businesses.

The Attack Vectors Dominating SMB Breaches

Credential Theft: The Undisputed Leader

Stolen or weak credentials are involved in the majority of confirmed breaches across every organization size — but the problem is proportionally worse at smaller businesses. The annual report continues a multi-year trend: stolen credentials are the single most common initial access method. When an attacker wants into your environment, the fastest route is almost always a valid username and password — not an exotic exploit.

Where do those credentials come from? The report identifies three primary sources: phishing emails that harvest login details directly, credential-stuffing attacks that recycle username-and-password combinations leaked in prior breaches at other companies, and infostealer malware that silently copies saved passwords from browsers and applications. All three paths are well-documented, well-understood, and — critically — well-defended by controls available to businesses of any size.
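The credential-stuffing path described above has a distinctive shape in authentication logs: one source address failing logins against many different accounts in a short span, sometimes followed by a success. The detection rule below is an added example, not code from the post or from Verizon; the log format, the 5-minute window and the 5-account threshold are assumptions, and the log lines are constructed. A single user retrying their own password never trips it, because it counts distinct usernames rather than raw failures.

```python
"""Credential-stuffing detection over authentication logs.

Added example, not from the Verizon DBIR or the original post. The log
format, the 5-minute window and the 5-account threshold are assumptions;
the log lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed detection window
MIN_DISTINCT_USERS = 5         # assumed threshold: failures against 5+ distinct accounts

# Constructed sample: "<ISO timestamp> <source IP> <username> <FAIL|SUCCESS>".
# 203.0.113.7 sprays leaked username/password pairs and lands one account;
# 198.51.100.2 is a real user mistyping their own password twice.
SAMPLE_LOG = """\
2025-06-01T09:00:01 203.0.113.7 alice FAIL
2025-06-01T09:00:02 203.0.113.7 bob FAIL
2025-06-01T09:00:02 203.0.113.7 carol FAIL
2025-06-01T09:00:03 203.0.113.7 dave FAIL
2025-06-01T09:00:04 203.0.113.7 erin FAIL
2025-06-01T09:00:05 203.0.113.7 frank SUCCESS
2025-06-01T09:00:10 198.51.100.2 alice FAIL
2025-06-01T09:00:40 198.51.100.2 alice FAIL
2025-06-01T09:01:10 198.51.100.2 alice SUCCESS
"""


def parse_log(text):
    """Return (timestamp, ip, user, result) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    events.sort()
    return events


def detect_credential_stuffing(events, window=WINDOW, min_users=MIN_DISTINCT_USERS):
    """Flag source IPs that fail logins against many distinct accounts within one window."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        # slide a window forward over this IP's events, in time order
        for i, (start, _, _, _) in enumerate(evs):
            failed_users, successes = set(), set()
            for ts, _, user, result in evs[i:]:
                if ts - start > window:
                    break
                if result == "FAIL":
                    failed_users.add(user)
                else:
                    successes.add(user)
            if len(failed_users) >= min_users:
                prev = findings.get(ip)
                if prev is None or len(failed_users) > prev["distinct_failed_users"]:
                    findings[ip] = {
                        "distinct_failed_users": len(failed_users),
                        "window_start": start.isoformat(),
                        # accounts that logged in from the same IP during the spray:
                        # candidates for forced password reset and session revocation
                        "successful_logins_in_window": sorted(successes),
                    }
    return findings


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

On the constructed sample the rule flags only 203.0.113.7 and lists the one account that authenticated from it during the spray, which is the account to reset first.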

Phishing and Social Engineering

This year’s Verizon DBIR reports that phishing remains the most common form of social engineering and a leading initial access vector. More significant is the velocity: the report documents a near-tripling of phishing rates compared to prior periods, which researchers partially attribute to AI-generated phishing content that is grammatically clean and contextually convincing.

For smaller businesses, the practical implication is direct: “train employees to spot bad grammar” is no longer a reliable strategy. Modern phishing emails can be indistinguishable from legitimate communications at a glance. The defense has to shift from human detection to technical controls that make credential theft harder to exploit even after a successful phish — specifically, multi-factor authentication and application-aware email filtering.

Ransomware: Pervasive But Patterned

Ransomware appeared in a significant share of small business breach incidents covered by the report. Median ransom demands tracked in external reporting have crossed into six-figure territory even for small organizations. But the more useful data point for business owners is this: ransomware is almost never the initial attack. It is the payload delivered after a credential theft or phishing attack succeeds. Stop the entry point, and you dramatically reduce ransomware exposure — without needing to understand anything about how ransomware itself works.

The findings also note that ransomware actors increasingly exfiltrate data before encrypting it, creating a second form of leverage. This means organizations with solid backup practices are still exposed if the underlying access control gaps remain open. The conversation has to include both backup and breach prevention — not one or the other.

Third-Party and Supply Chain Exposure

One of the more striking findings in this edition is the growth of third-party-involved breaches. The report documents a significant year-over-year increase, with third-party involvement now appearing in a meaningful percentage of confirmed breach cases. For small businesses, this translates directly to vendor risk — the software tools you use, the subcontractors with access to your systems, and the cloud platforms that hold your data are all potential entry points outside your direct control.

This finding aligns with CISA’s guidance on supply chain risk management, which emphasizes that organizations of all sizes need visibility into who has access to their environment — not just which employees do. For small businesses without a formal vendor review program, the minimum viable posture is a documented inventory of third-party tools with network or data access, combined with a policy for revoking that access promptly when a relationship ends.

Who Gets Hit: The SMB Reality

A persistent myth in small business cybersecurity is that attackers are only interested in large targets. The breach data does not support that belief. Smaller organizations are targeted at rates comparable to larger enterprises, with one important difference: they are less likely to have the detection capabilities that would tell them a breach occurred. That visibility gap means small businesses are both hit frequently and often unaware of it.

The industries that appear most frequently in small business breach data are professional services, healthcare-adjacent organizations, and financial services — not because attackers have specific grudges against those sectors, but because those industries handle data with clear black-market value: personal information, financial credentials, and protected health information. If your business handles any of these data types, the report’s frequency data applies directly to you.

Financial motivation continues to drive the overwhelming majority of attacks — over 90% of confirmed cases. This matters for defense planning because financially motivated attackers are rational actors. They follow the path of least resistance. The most cost-effective defense strategy is raising your cost-of-attack relative to your neighbors, not trying to build an impenetrable fortress.

Real-World Patterns the Data Describes

The annual Verizon report does not name individual victims, but the incident patterns it describes map clearly onto scenarios any small business could face. A useful way to read it is to match its statistical patterns to situations your own organization might encounter.

  • A professional services firm with ten employees uses the same password for their cloud file storage and their email platform. A credential-stuffing tool tries that combination automatically after it surfaces in a leaked database from an unrelated breach at a retail site. The attacker is inside within minutes and has access to client contracts and financial records.
  • A non-profit’s executive director receives an email that appears to come from their payroll platform, requesting re-authentication due to a “suspicious login.” The page looks identical to the real login page. The director enters credentials. The attacker redirects the next payroll run to a different account.
  • A small company’s IT management is handled by a third-party vendor. That vendor’s own systems are compromised. Because the vendor has persistent administrative access to multiple client environments, all of those clients are exposed simultaneously — without any of them making an error themselves.
  • An employee downloads a free utility from a search result. The utility installs silently alongside a credential-harvesting application that copies every saved browser password within the hour and transmits them to an external server. The employee sees no sign anything happened.

None of these scenarios require a sophisticated attacker. All of them are consistent with the attack patterns that dominate the current breach landscape. All of them are also preventable with controls that have existed for years.

Defense Posture: What the Data Supports Most Strongly

The value of reading the report carefully is that it points to a short list of controls that were repeatedly missing when breaches occurred. That is a different question from “what would a complete security program include?” — it is asking: if you had to prioritize three or four controls, which ones does the breach data actually support?

Multi-Factor Authentication Is Not Optional

The data is unambiguous on this point. Multi-factor authentication — requiring a second form of verification beyond a password — dramatically reduces the usefulness of stolen credentials. An attacker who successfully phishes a username and password still cannot log in if they cannot produce the second factor. Credential theft findings carry a consistent subtext: multi-factor authentication was absent or bypassed in the majority of cases where stolen credentials led to a confirmed breach. This is the highest-return single control for any small business operating today.
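To make the “cannot produce the second factor” point concrete, here is how a server verifies a time-based one-time code (RFC 6238 TOTP), the kind generated by authenticator apps. This is an added example, not code from the post or from Verizon; the one-step clock-drift tolerance is an assumption, and the secret is the RFC 6238 test key. The code is derived from a shared secret the phishing page never saw and changes every 30 seconds, so a captured password alone fails the check.

```python
"""TOTP second factor (RFC 6238) as a server verifies it.

Added example, not from the post or the DBIR. The drift tolerance of one
30-second step is an assumption; the test secret is the RFC 6238 test key.
"""
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30  # RFC 6238 default time step
DIGITS = 6         # code length used by common authenticator apps
DRIFT_STEPS = 1    # assumed: accept the previous and next step to absorb clock drift


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """The code an authenticator app displays at a given Unix time."""
    return hotp(secret, unix_time // STEP_SECONDS)


def verify_totp(secret, submitted, unix_time=None, drift_steps=DRIFT_STEPS):
    """Server-side check against the current time step and its neighbours."""
    if unix_time is None:
        unix_time = int(time.time())
    counter = unix_time // STEP_SECONDS
    for delta in range(-drift_steps, drift_steps + 1):
        expected = hotp(secret, counter + delta)
        # constant-time compare so response timing reveals nothing about the code
        if hmac.compare_digest(expected.encode(), str(submitted).encode()):
            return True
    return False


def authenticate(password_ok, secret, submitted_code, unix_time=None):
    """Both factors must pass; a phished password with no current code is rejected."""
    return bool(password_ok) and verify_totp(secret, submitted_code, unix_time)


if __name__ == "__main__":
    demo_secret = b"12345678901234567890"  # RFC 6238 test key, not a real secret
    now = int(time.time())
    print("current code:", totp(demo_secret, now))
    print("password only:", authenticate(True, demo_secret, "000000", now))
    print("password + code:", authenticate(True, demo_secret, totp(demo_secret, now), now))
```

A code replayed a few minutes later is rejected as well, which is why a phishing kit has to relay the code in real time to get past this control; that narrower window is what makes TOTP a large improvement over a password alone.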

Email Filtering That Goes Beyond Spam

Basic spam filtering was never designed to catch sophisticated phishing. The findings on AI-assisted phishing reinforce the need for email security tools that analyze link behavior, sender reputation, and message content — not just whether a message looks like an obvious advertisement. This category of control is available to small businesses through their email platform or as an add-on layer, and the cost is low relative to the risk it addresses.

Endpoint Monitoring That Creates Visibility

The median dwell time — the period between initial compromise and detection — is measured in weeks for small businesses. That gap exists because most smaller organizations have no visibility into what is happening on their devices between IT check-ins. Continuous endpoint monitoring addresses this directly by generating alerts when unusual behavior occurs: credential access, bulk file movement, unusual outbound connections. This is the control that transforms a potential breach from a weeks-long undetected event into an hours-long contained one.
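The three behaviours named above (credential access, bulk file movement, unusual outbound connections) can each be expressed as a rule over endpoint telemetry. The example below is added here and is not code from the post or from any monitoring product; the event format, the destination allowlist, the 2-minute window and the 5-file threshold are assumptions, and the telemetry lines are constructed to replay the free-utility scenario from the list earlier in the post.

```python
"""Endpoint telemetry rules for credential-store access, bulk file reads and
unusual outbound connections.

Added example, not from the post or from any EDR product. The event format,
the allowlist, the 2-minute window and the 5-file threshold are assumptions;
the telemetry lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ALLOWED_DESTINATIONS = {"outlook.office365.com", "files.example-smb.com"}  # assumed allowlist
CREDENTIAL_STORE_MARKERS = ("Login Data", "logins.json")  # browser saved-password store filenames
BULK_WINDOW = timedelta(minutes=2)  # assumed
BULK_THRESHOLD = 5                  # assumed: 5+ distinct files read by one process in the window

# Constructed sample, pipe-separated: timestamp|host|process|event|target.
# "freeutil.exe" plays the free download from the scenario in the post.
SAMPLE_TELEMETRY = r"""
2025-06-01T14:02:00|WS-07|outlook.exe|net_connect|outlook.office365.com:443
2025-06-01T14:02:05|WS-07|freeutil.exe|file_read|C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Login Data
2025-06-01T14:02:06|WS-07|freeutil.exe|file_read|C:\Users\jdoe\AppData\Roaming\Mozilla\Firefox\Profiles\a1b2\logins.json
2025-06-01T14:02:09|WS-07|freeutil.exe|net_connect|203.0.113.55:8443
2025-06-01T14:02:20|WS-07|freeutil.exe|file_read|C:\Share\Clients\contract-001.pdf
2025-06-01T14:02:21|WS-07|freeutil.exe|file_read|C:\Share\Clients\contract-002.pdf
2025-06-01T14:02:22|WS-07|freeutil.exe|file_read|C:\Share\Clients\contract-003.pdf
2025-06-01T14:02:23|WS-07|freeutil.exe|file_read|C:\Share\Finance\payroll-2025-05.xlsx
2025-06-01T14:03:00|WS-07|winword.exe|file_read|C:\Users\jdoe\Documents\memo.docx
2025-06-01T14:03:30|WS-07|winword.exe|net_connect|files.example-smb.com:443
"""


def parse_telemetry(text):
    """Return event dicts sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, host, process, kind, target = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "process": process, "kind": kind, "target": target})
    events.sort(key=lambda e: e["ts"])
    return events


def _finding(rule, event, detail):
    return {"rule": rule, "host": event["host"], "process": event["process"], "detail": detail}


def detect(events):
    """Apply the three rules and return a list of findings."""
    findings = []
    reads = defaultdict(list)  # (host, process) -> [(ts, path)] in time order

    for e in events:
        key = (e["host"], e["process"])
        if e["kind"] == "file_read":
            reads[key].append((e["ts"], e["target"]))
            if e["target"].endswith(CREDENTIAL_STORE_MARKERS):
                findings.append(_finding("credential_store_access", e, e["target"]))
        elif e["kind"] == "net_connect":
            destination = e["target"].rsplit(":", 1)[0]
            if destination not in ALLOWED_DESTINATIONS:
                findings.append(_finding("unusual_outbound_connection", e, e["target"]))

    for (host, process), items in reads.items():
        # sliding window: distinct paths read by this process within BULK_WINDOW of each read
        for i, (start, _) in enumerate(items):
            distinct = {path for ts, path in items[i:] if ts - start <= BULK_WINDOW}
            if len(distinct) >= BULK_THRESHOLD:
                findings.append({"rule": "bulk_file_access", "host": host, "process": process,
                                 "detail": f"{len(distinct)} distinct files within {BULK_WINDOW}"})
                break  # one finding per process is enough to alert on
    return findings


if __name__ == "__main__":
    for f in detect(parse_telemetry(SAMPLE_TELEMETRY)):
        print(f)
```

Every finding on the sample points at the same process on the same host within about 20 seconds of the first credential-store read, which is the difference between a weeks-long dwell time and a same-hour containment; the mail client and word processor generate no alerts.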

Backup That Is Actually Tested

Ransomware data — combined with the finding that attackers increasingly exfiltrate before encrypting — argues for a backup posture that includes offsite, isolated copies that cannot be reached by an attacker who has already accessed your primary environment. More important than the backup technology itself is the test: most small businesses discover their backup doesn’t work at the worst possible moment. Regular restoration tests are the only way to know your backup posture is real and not theoretical.
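A restoration test is only meaningful if it proves the restored data is complete and unmodified, not merely that a restore job finished. The script below is an added example, not code from the post or from any backup product: it records a SHA-256 manifest at backup time, restores from the backup copy, and compares every file, reporting anything missing or corrupted. The “backup” and “restore” here are plain directory copies inside a temporary folder standing in for the real jobs, and the sample files are constructed.

```python
"""Backup restoration test: restore from the backup copy and prove the result
matches a SHA-256 manifest recorded at backup time.

Added example, not from the post. The backup and restore are plain directory
copies inside a temporary folder standing in for the real jobs; the sample
files are constructed.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 digest for every file under root."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def take_backup(source: Path, backup: Path) -> dict:
    """Copy live data to the backup location and record the manifest to verify against later."""
    shutil.copytree(source, backup)
    return build_manifest(source)


def restore_and_verify(backup: Path, restore_target: Path, expected: dict) -> dict:
    """Restore from the backup copy and compare every file against the manifest."""
    shutil.copytree(backup, restore_target)
    actual = build_manifest(restore_target)
    report = {
        "files_checked": len(expected),
        "missing": sorted(set(expected) - set(actual)),
        "corrupted": sorted(k for k in expected if k in actual and actual[k] != expected[k]),
        "unexpected": sorted(set(actual) - set(expected)),
    }
    report["ok"] = not (report["missing"] or report["corrupted"])
    return report


def run_demo(broken_backup: bool = False) -> dict:
    """Build constructed sample data, back it up, optionally damage the backup, then test the restore."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        live, backup, restore = root / "live", root / "backup", root / "restore"
        (live / "clients").mkdir(parents=True)
        (live / "clients" / "contract-001.pdf").write_bytes(b"%PDF-1.4 constructed sample\n")
        (live / "payroll.csv").write_text("employee,amount\nA. Example,1000\n")

        expected = take_backup(live, backup)
        if broken_backup:
            # the failure mode the section warns about: a backup job that "ran" but is not restorable
            (backup / "payroll.csv").write_bytes(b"")           # silently truncated copy
            (backup / "clients" / "contract-001.pdf").unlink()  # silently skipped file
        return restore_and_verify(backup, restore, expected)


if __name__ == "__main__":
    print(run_demo())
    print(run_demo(broken_backup=True))
```

Run against an isolated, offsite copy, the same comparison tells you whether that copy would actually carry the business through an incident; a manifest kept apart from the backup also makes silent tampering with the backup set detectable.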

Patching at a Cadence That Matches Actual Exploit Timelines

The report documents that the window between public vulnerability disclosure and active exploitation in the wild continues to shrink. Vulnerabilities whose patches could wait 30 days in prior years are now being exploited within days of disclosure in some cases. A small business patching on a monthly schedule — or worse, a quarterly one — is carrying exposure windows the current threat environment does not allow. The data argues for a patching program that addresses critical vulnerabilities within days, not cycles.

For a broader framework on implementing these controls, NIST’s Cybersecurity Framework provides vendor-neutral guidance that maps directly to the gaps identified most consistently in breach data.

What to Ask Your IT Firm Right Now

This year’s findings give business owners a practical framework for evaluating the quality of their current IT and security support — not by demanding technical explanations, but by asking outcome-oriented questions that any competent firm should answer clearly and specifically.

  • Is multi-factor authentication enforced on every application that holds sensitive data or provides administrative access to our environment? Not “recommended” — enforced.
  • How would we know if a device on our network was communicating with an external server it shouldn’t be? What is the detection mechanism and who reviews those alerts?
  • When was the last time we ran a full restoration test from backup? Can you show me the results?
  • How long does it typically take for a critical patch to be applied across our environment after it is released? What is the documented process?
  • Which third-party vendors or tools currently have access to our systems? When did you last audit that list?
  • If one of our employees’ credentials were stolen today, what controls would prevent an attacker from using those credentials to access our data?

These are not trick questions. A firm that is genuinely protecting your environment should answer all six without hesitation and without jargon. Vague answers, conditional responses, or anything framed as something they “can look into” tells you something real about the state of your current coverage.

The security team at Xact IT Solutions works through questions exactly like these with every client — and revisits them regularly, because the threat landscape is not static. The organizations that stay out of breach reports are not the ones with the most sophisticated tools. They are the ones with the most consistently applied fundamentals, reviewed by people who read the actual data. Learn more about our managed IT services and how we translate annual DBIR findings into hands-on protection for small and mid-sized businesses. Or Book a Free Cybersecurity Strategy Call and see exactly where your environment stands.

The Bottom Line From the Data

The annual Verizon Data Breach Investigations Report does not say small businesses are impossible to protect. It says — repeatedly, across thousands of incidents — that the same controllable gaps show up at the scene of the crime: weak or stolen credentials, absent multi-factor authentication, unmonitored endpoints, untested backups, and unaudited third-party access. These are not exotic problems. They are known, named, and solvable with controls that exist today and are accessible to any small business willing to prioritize them.

The report also says something important about what attackers are not doing: in the majority of cases, they are not breaking through hardened defenses with zero-day exploits and nation-state tools. They are walking through doors that were left unlocked. The most useful thing a business owner can take from this research is not anxiety about sophisticated edge cases — it is the resolve to make sure the locks on the common doors are actually engaged.

Want to see how your current environment stacks up against the patterns described in the 2025 Verizon DBIR? Schedule a free strategy call with our team today.
