Verizon’s 2026 DBIR — its largest dataset yet, with more than 22,000 confirmed breaches across 145 countries — lands hard on small business. Of ransomware victims whose size was known, 96% were SMBs. Ransomware now appears in 48% of all breaches, up from 44%. There’s a sliver of good news: 69% of victims didn’t pay, and the median ransom fell to about US$140,000.

The “how” matters more than the headline. For SMBs, the top initial-access routes were vulnerability exploitation (26%) and credential abuse (13%) — and across the whole report, exploiting an unpatched vulnerability has overtaken everything else as the number-one breach vector. Third parties were involved in 55% of SMB breaches, which means your suppliers’ security is now part of yours.

Read together, the report writes its own remediation list: patch fast (especially anything internet-facing), kill reused and unprotected credentials with phishing-resistant MFA, and ask your key vendors what their security posture actually is. None of it is exotic. All of it is what the data says is getting people hit.

What it means for your businessThe 2026 DBIR says SMBs are the target and unpatched vulnerabilities are the top way in. Prioritise fast patching, phishing-resistant MFA on every identity, and real scrutiny of third-party suppliers.
Source & referenceVerizon — 2026 Data Breach Investigations Report ↑Help Net Security — Lessons from the Verizon 2026 DBIR ↑