“Being a small organization, you may mistakenly think that your threat profile and who would be interested in compromising you are significantly different from everyone else. That is, until you find yourself on the wrong side of a ransomware attack. Overall, SMBs face similar types of threats as everyone else, including the same breach patterns that show across many different industries, and this has been the case for many years now.
…for many of these attacks, they’re opportunistic in nature, and it’s not so much about industry or the revenue of the victims but the fact that the victims had credentials that were compromised (38%) or unpatched vulnerabilities in edge devices (29%) that resulted in them being victimized.”
— 2026 Verizon Data Breach Investigations Report (DBIR)
The 2026 Verizon Data Breach Investigations Report (DBIR) underscores a critical shift: cybercriminals are increasingly using artificial intelligence (AI) to automate operations and target vulnerable organizations at scale.
For the first time, exploitation of software vulnerabilities surpassed stolen credentials as the leading point of initial access, turning outdated or unpatched systems into primary liabilities. At the same time, supply-chain and third-party-related breaches rose by 60% year over year and now account for 48% of total breaches, up from 30% the previous year. Weak access controls or the absence of multi-factor authentication (MFA) in third-party applications can provide attackers with direct access to small business environments.
Ransomware remains the dominant threat, with small organizations accounting for 96% of victims. Encouragingly, 69% of SMBs refused to pay ransom demands because they maintained reliable data backups. The report also highlights a clear attack progression: among the 73% of ransomware victims who experienced an infostealer or credential compromise, 50% had credentials stolen within 95 days prior to the ransomware incident. In practice, this means that a seemingly minor event, such as an employee using an infected personal device, can lead to a full network compromise months later.
Human behavior continues to play a central role, contributing to 62% of breaches. Notably, phishing via text messages and phone calls achieved a 40% higher success rate in simulations compared to email, signaling a shift toward more direct and convincing social engineering tactics. Meanwhile, employee use of AI tools has surged, tripling to 45%. Alarmingly, 67% of users are accessing AI services through non-corporate accounts on work devices, exposing sensitive business data, customer information, and intellectual property to public platforms.
Call to Action: What SMBs Must Do Now
The DBIR findings are clear and echo much of what the Cyber Readiness Institute has been advocating: cyber risk for SMBs is no longer hypothetical; it is systemic, scalable, and accelerating. Leaders must move beyond awareness to disciplined, practical action.
SMBs should start by eliminating easy entry points through consistent patching of internet-facing systems and enforcing MFA across critical applications, especially email, VPNs, and third-party platforms. At the same time, organizations must treat identity as the new security perimeter by strengthening password practices, monitoring for compromised credentials, and limiting user access through least-privilege principles. Building ransomware resilience is equally critical; this includes maintaining and regularly testing secure, offline or otherwise isolated backups, developing an incident response plan, and segmenting networks to contain potential breaches.
Organizations must also strengthen the human layer by training employees to recognize evolving phishing tactics, including SMS and voice-based attacks, and by reinforcing clear processes for reporting suspicious activity. As AI adoption accelerates, SMBs need to establish governance policies that define approved tools, restrict sensitive data exposure, and educate employees on the risks of using non-corporate AI platforms.
Finally, reducing third-party risk exposure is essential. Businesses should require vendors to implement strong security controls, limit access to only what is necessary, and continuously monitor vendor risk rather than treating it as a one-time assessment.
Bottom Line for SMB Leaders
Attackers are not targeting size; they are targeting opportunity. SMBs that focus on closing common gaps (unpatched systems, weak identity controls, and unmanaged third-party access) can dramatically reduce their risk profile.
Cyber readiness is no longer a technical issue; it is a leadership priority. The organizations that act now will be the ones that remain operational, trusted, and competitive.