Verizon’s 2026 DBIR — its largest dataset yet, with more than 22,000 confirmed breaches across 145 countries — lands hard on small business. Of ransomware victims whose size was known, 96% were SMBs. Ransomware now appears in 48% of all breaches, up from 44%. There’s a sliver of good news: 69% of victims didn’t pay, and the median ransom fell to about US$140,000.
The “how” matters more than the headline. For SMBs, the top initial-access routes were vulnerability exploitation (26%) and credential abuse (13%) — and across the whole report, exploiting an unpatched vulnerability has overtaken everything else as the number-one breach vector. Third parties were involved in 55% of SMB breaches, which means your suppliers’ security is now part of yours.
Read together, the report writes its own remediation list: patch fast (especially anything internet-facing), kill reused and unprotected credentials with phishing-resistant MFA, and ask your key vendors what their security posture actually is. None of it is exotic. All of it is what the data says is getting people hit.
