The 2026 DBIR Is Out - Here's What the Data Actually Says
Every spring, Verizon publishes its Data Breach Investigations Report, and every spring, security teams across the country dig into it looking for the same thing: how are attackers actually getting in? The 2026 DBIR dropped this week, covering incidents from November 2024 through October 2025, and the picture it paints is familiar in some ways - and genuinely surprising in others.
This year's report analyzed 22,052 security incidents and confirmed 12,195 actual data breaches. That's a massive dataset, and it's what makes the DBIR worth paying attention to. These aren't hypothetical attack scenarios or vendor projections - they're documented real-world cases. When the data says something, it's worth listening.
If you run a business with anywhere from 10 to 200 employees, here's what you need to know.
Stolen Credentials Are Still the #1 Way Attackers Get In
Credential abuse - meaning someone used a stolen or compromised username and password to log in - accounts for 22% of initial access in confirmed breaches, according to the 2026 DBIR. Vulnerability exploitation came in second at 20%. Together, those two methods account for more than 40% of how attackers are opening the front door.
That tells you a lot about where to focus your defenses. Attackers aren't primarily writing sophisticated custom malware to break into your systems. They're buying a list of compromised passwords from a dark web forum, trying those credentials against your Microsoft 365 login, and walking right in. It's less "heist movie" and more "guy with a copy of your house key."
The fix for credential abuse is well understood: multi-factor authentication. Identity telemetry cited in security research that cross-references the DBIR data shows that more than 97% of identity-based attacks rely on password spray or brute force, both of which MFA stops dead. Properly implemented MFA blocks over 99% of automated credential attacks.
If you haven't enforced MFA across your Microsoft 365, Google Workspace, VPN, and any other remote access tools, that's the single highest-ROI security change you can make right now. It's not complicated to set up, and it eliminates the most common attack vector in the report.
Our team handles MFA deployment as part of our managed cybersecurity services, including making sure conditional access policies are configured correctly - not just enabled in name only.
Ransomware Is Present in Nearly Half of All Breaches
One of the more striking findings in this year's report: ransomware and extortion were present in 44% of confirmed breaches - up significantly from 32% in the prior year's data. That's a 37% jump in a single reporting period.
What's changed isn't just the volume. It's the speed. Attackers have compressed their timelines dramatically. Where it once took days or weeks to go from initial access to ransomware deployment, many groups now operate in hours. The window you have to detect and respond is getting shorter.
On the cost side, the median ransomware payment reported was $115,000. But that figure is misleading on its own. Ransom payments are only part of the picture - downtime, recovery, forensics, legal costs, and reputational damage often dwarf the payment itself. The IBM Cost of a Data Breach Report puts the US average total breach cost at $10.22 million, an all-time high. That number is skewed by large enterprise breaches, but even at a fraction of that cost, a breach is a significant event for a small business.
The good news: 64% of ransomware victims in the dataset did not pay the ransom. That figure has improved over time, and it's largely because organizations with solid backup and recovery plans have a path out that doesn't involve negotiating with criminals. If you haven't tested your backups recently - actually tested them, as in restored files from them - that's worth doing this week. Our backup and disaster recovery practice focuses specifically on making that recovery process fast and predictable when it matters.
Third-Party Risk Has Doubled - And Most Businesses Aren't Ready For It
One of the findings that should get more attention than it has: third-party involvement in breaches has roughly doubled year-over-year, now accounting for approximately 30% of confirmed incidents. Your vendors, software providers, and IT contractors are increasingly becoming the path attackers use to reach you.
This isn't a new concept - most people remember the SolarWinds attack from a few years back - but it's accelerating. The logic is simple: if an attacker can compromise one software vendor that serves 500 companies, they get 500 potential victims from one intrusion. Small businesses are often caught in the blast radius of these supply chain attacks despite doing nothing wrong themselves.
Practically speaking, this means your security posture isn't just about your own network anymore. You need to think about:
- What access do your vendors and contractors have to your systems?
- Do any of them have admin rights they don't actually need day-to-day?
- How are their credentials managed when they access your environment?
- What happens if one of your software tools gets compromised at the vendor level?
This is one of the areas where ongoing vulnerability management and regular network audits pay dividends. You can't vet your vendors' internal security practices directly, but you can limit what they can access, monitor for unusual activity, and ensure third-party access is scoped as narrowly as possible.
68% of Breaches Still Involve a Human Element
The DBIR has been tracking the "human element" - meaning breaches that involved errors, social engineering, or misuse by people - for years. This year, that number remains stubbornly high at around 68%. Despite years of security awareness training and improved technical controls, people remain the most targeted link in the chain.
That's not a criticism of your employees. It's a reflection of how much effort attackers put into the social engineering side. Phishing emails have gotten harder to spot. Business email compromise attacks are more convincing than ever - attackers now have AI tools that let them craft personalized, fluent messages at scale. Pretexting (creating a believable fake scenario to trick someone) now accounts for more than 50% of social engineering incidents.
A few things that actually move the needle here:
Regular, Realistic Security Training
The keyword is "realistic." One-time annual training where employees watch a video and click through slides doesn't change behavior. Simulated phishing campaigns - where your team gets fake phishing emails and learns from getting caught - are significantly more effective. Security awareness training that's ongoing, specific, and tied to current attack patterns is what builds genuine phishing resistance over time.
Clear Processes for Verifying Unusual Requests
Many business email compromise attacks succeed because there's no established process for verifying requests that involve money or credential changes. If your accounts payable team gets an email from "the CEO" asking for a wire transfer, what's the process? If someone calls IT claiming to be an employee who needs their password reset, how is that verified? Written procedures for handling these scenarios - and practicing them - make a real difference.
Endpoint Detection, Not Just Antivirus
When someone does click the wrong thing, you want visibility into what happened and the ability to respond quickly. Traditional antivirus is signature-based - it can only catch threats it already knows about. Endpoint detection and response (EDR) tools use behavioral analysis to catch novel attacks and give security teams the visibility to investigate and contain incidents before they spread.
What the DBIR's Timelines Mean for Small Businesses
The IBM breach cost data adds important context to the DBIR findings: the average organization takes 241 days to fully identify and contain a breach - 181 days to detect it, and another 60 days to contain it. That's roughly eight months between the first intrusion and full containment, most of it before anyone knows the attacker is there.
For small businesses without dedicated security staff, that detection timeline can be even longer. You're not watching logs, you may not have a SIEM, and unless something obvious happens - like files getting encrypted - the intrusion might go unnoticed for a long time.
This is where having eyes on your environment matters. A managed SOC (Security Operations Center) provides 24/7 monitoring without requiring you to hire a team of security analysts. Alerts get investigated, suspicious activity gets flagged, and threats get contained before they turn into full breaches.
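The password-spray and brute-force patterns mentioned above are exactly the kind of thing a SOC or SIEM looks for in sign-in logs. As an added illustration (not code from the report or from any vendor), the script below scans constructed sign-in records and flags a source IP that fails against many different accounts in a short window (spray) and an account that receives many failed attempts in a short window (brute force); the log format, thresholds and sample values are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not from the DBIR): "timestamp user source_ip result".
# Six different accounts failing from one IP within seconds is the spray pattern;
# twelve failures against one account from one IP is the brute-force pattern.
SAMPLE_LOG = "\n".join(
    [f"2025-03-01T08:00:{s:02d}Z user{s}@example.com 198.51.100.7 FAIL" for s in range(6)]
    + [f"2025-03-01T08:05:{s:02d}Z bob@example.com 203.0.113.9 FAIL" for s in range(12)]
    + ["2025-03-01T08:10:00Z alice@example.com 192.0.2.20 SUCCESS",
       "2025-03-01T08:11:00Z alice@example.com 192.0.2.20 FAIL",
       "2025-03-01T08:11:30Z alice@example.com 192.0.2.20 SUCCESS"]
)


def parse_signins(text):
    """Parse one record per line into (timestamp, user, ip, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), user, ip, result))
    return events


def _in_window(items, key, window, threshold):
    """True if at least `threshold` distinct key() values fall inside any sliding window."""
    items = sorted(items)
    for i, (start, _) in enumerate(items):
        hits = {key(x) for x in items[i:] if x[0] - start <= window}
        if len(hits) >= threshold:
            return True
    return False


def detect_credential_attacks(events, window=timedelta(minutes=10),
                              spray_accounts=5, brute_attempts=10):
    """Return {"password_spray": {source IPs}, "brute_force": {accounts}} from failed sign-ins."""
    by_ip, by_user = defaultdict(list), defaultdict(list)
    for ts, user, ip, result in events:
        if result == "FAIL":
            by_ip[ip].append((ts, user))    # spray: one source, many accounts
            by_user[user].append((ts, ip))  # brute force: one account, many attempts
    spray = {ip for ip, v in by_ip.items()
             if _in_window(v, lambda x: x[1], window, spray_accounts)}
    brute = {u for u, v in by_user.items()
             if _in_window(v, lambda x: x, window, brute_attempts)}
    return {"password_spray": spray, "brute_force": brute}
```

Alice's single failed attempt followed by a success is ordinary user behaviour and is not flagged, which is the distinction that keeps this kind of rule from drowning analysts in noise.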
IBM's data shows that organizations using security AI and automation saved an average of $1.9 million per breach compared to those that didn't - largely because of faster detection and response. The gap between "caught it quickly" and "didn't catch it for six months" is enormous in terms of damage and recovery cost.
Practical Steps to Take Based on This Year's Data
Reading the DBIR is useful. Acting on it is what matters. Based on the patterns this year's data shows, here's a prioritized list of things to work through:
1. Enforce MFA on Everything That Matters
Microsoft 365, Google Workspace, VPN, remote desktop, any cloud services. If it's accessible from outside your network and doesn't have MFA, it's a target. This should be done before anything else on this list.
2. Run a Patch Audit
Vulnerability exploitation is the second most common initial access vector. Unpatched systems - especially internet-facing ones - are low-hanging fruit. Do you know which systems in your environment are behind on patches? If not, a network security audit is a good starting point.
3. Review Third-Party Access
List every vendor, contractor, or software tool that has credentials into your systems. For each one: do they actually need that level of access? Is access time-limited or persistent? Are you notified when they log in? Trim what you can and add monitoring to what remains.
4. Test Your Backups
Backups you haven't tested are not backups - they're hopes. Schedule a restoration drill this month. Make sure you can actually recover your critical systems and data from backup, and know how long that takes. The 64% of ransomware victims who didn't pay had this piece in place.
5. Run a Simulated Phishing Test
Before spending on additional technical controls, find out where your human vulnerability actually is. A phishing simulation tells you what percentage of your team clicks suspicious links, what types of lures work, and where to focus training efforts.
The Bigger Picture
The 2026 DBIR doesn't reveal a radical new threat landscape. What it confirms is that attackers continue to take the path of least resistance - and credentials, unpatched software, and people remain that path. The organizations that fare best are the ones that close those basic gaps consistently, not the ones chasing the newest security product.
If you want to work through any of this for your own business - whether that's MFA setup, a security audit, or figuring out what monitoring you actually have in place - we're happy to take a look. No pressure, just an honest assessment of where you stand.
Frequently Asked Questions
What is the Verizon DBIR and why does it matter?
The Verizon Data Breach Investigations Report is an annual analysis of real-world security incidents and confirmed data breaches contributed by law enforcement, forensic firms, insurers, and Verizon's own threat research team. The 2026 edition analyzed 22,052 incidents and 12,195 confirmed breaches from November 2024 through October 2025. It's widely considered the most authoritative data source on how attacks actually happen, which makes it useful for prioritizing security investments based on real patterns rather than theoretical risks.
What does "human element" mean in the DBIR context?
When the DBIR says that 68% of breaches involve a "human element," it means a person played a role in enabling the breach - either by falling for a phishing attack, making a configuration mistake, or misusing access they had. It's important to understand this isn't about blaming employees. Attackers specifically target people because it's often more effective than trying to break technical controls. The takeaway is that security training and clear processes matter alongside technical defenses.
How can a small business protect against credential theft?
Multi-factor authentication is the most impactful step. Beyond that: use a password manager so employees aren't reusing passwords across services, monitor for credential exposure (there are services that alert you when your business email addresses show up in breach datasets), and review which accounts have admin privileges - most users don't need them for day-to-day work. Limiting blast radius means that if one credential is compromised, the attacker can't immediately access everything.
What should I do if a vendor or software tool we use gets breached?
First, change any credentials that vendor had access to - immediately. Second, review your logs for unusual activity from around the time of the vendor's breach. Third, check whether the vendor had any stored data about your business (customer records, financial data) and whether that data was exposed. Your IT team or MSP can help you scope the impact and determine whether you have notification obligations. The key is acting quickly - the faster you respond, the smaller the window for further damage.
Is the $10.22 million average breach cost relevant to small businesses?
That US average from IBM's report is skewed by large enterprise breaches and shouldn't be taken as a prediction for what a small business would experience. However, even at a fraction of that figure, a breach is a serious financial event - typically involving forensics, recovery costs, potential customer notification, legal fees, and downtime. For a 20-person business, a few weeks of disruption and $50,000-$100,000 in unplanned costs can be genuinely damaging. The scale differs, but the impact on operations is proportional.