2025 Verizon DBIR: What Small- and Medium-Sized Businesses Need to Know

If 88% of small business breaches now involve ransomware, how safe is your company really?

The 2025 Verizon DBIR (Data Breach Investigations Report) highlights a growing truth: cybercriminals don’t care about company size. Whether it’s a global enterprise or a local retailer, attackers are using the same techniques—ransomware, stolen credentials, phishing—across the board. For small- and medium-sized businesses (SMBs), the consequences are often worse because defenses are weaker, budgets are smaller, and recovery options are limited.

TL;DR

The 2025 DBIR shows SMBs experienced 3,049 security incidents and 2,842 confirmed data breaches, nearly four times more than large enterprises. Ransomware in small businesses accounts for 88% of breaches, proving attackers scale demands to fit the victim. According to the Verizon Data Breach Investigations Report, credential theft, phishing, and unpatched vulnerabilities remain the main entry points, with organized crime driving nearly all SMB data breaches.

SMB vs Large Business: At a Glance

One of the most common questions is whether smaller businesses face the same cyber risks as large enterprises. The DBIR compares both groups side by side, showing where the attack methods overlap and where they differ. The data makes it clear: SMBs are hit more often and harder by ransomware, while large organizations face more issues with internal errors and accidental data loss.

| Metric | SMBs (<1,000 employees) | Large Enterprises (>1,000 employees) |
|---|---|---|
| Incidents | 3,049 | 982 |
| Confirmed breaches | 2,842 | 751 |
| Top attack patterns | System Intrusion, Social Engineering, Basic Web App Attacks (96%) | System Intrusion, Basic Web App Attacks, Misc. Errors (79%) |
| Actors | External (98%), Internal (2%), Partner (1%) | External (75%), Internal (25%), Partner (1%), Multiple (1%) |
| Motives | Financial (99%) | Financial (95%), Espionage (3%), Ideology (1%) |
| Data compromised | Internal (83%), Credentials (34%), Personal (4%), Other (6%) | Personal (50%), Internal (29%), Credentials (29%), Other (36%) |

What the Table Tells Us

The first big difference is volume: SMBs faced nearly four times as many incidents as large enterprises. The attack patterns also vary: SMBs deal with more ransomware and credential theft, while large organizations face more insider-driven errors. Both groups share the same external threats, but the outcomes are harsher for SMBs because they lack safety nets such as backup systems or compliance-driven security teams.

Ransomware Dominates SMB Breaches

  • 88% of SMB breaches involve ransomware, compared to 39% in large organizations. This makes ransomware the single biggest threat to SMBs.
  • Criminal groups adjust ransom demands to the victim’s size. Even if smaller firms don’t face multimillion-dollar demands, downtime and data loss can be crippling.
  • SMBs are more likely to pay because they lack reliable offsite backups and recovery solutions, giving attackers more leverage.

How Attackers Break In

Attackers aren’t picky about methods—they use whatever works best. For SMBs, three techniques dominate: stolen credentials, malware, and social engineering. Each represents a gap in defenses that criminals exploit repeatedly.

1. Stolen Credentials

  • 33% of SMB breaches start with stolen usernames and passwords, almost identical to large enterprises.
  • Weak or reused passwords, limited use of multifactor authentication (MFA), and poor identity management practices make SMBs easy targets. Once attackers get inside, they move laterally and prepare systems for ransomware deployment.

2. Malware & Ransomware

  • SMBs are disproportionately hit by malware, especially ransomware.
  • By contrast, large organizations report more accidental “Errors” (18% of breaches) compared to SMBs (1%). This isn’t because SMBs don’t make mistakes, but because deliberate malware attacks swamp the statistics.

3. Social Engineering

  • 18% of SMB breaches are linked to phishing or pretexting attacks.
  • Smaller teams often lack structured awareness training, making it easier for attackers to trick employees into clicking a malicious link or sharing credentials.

Third-Party Risks and Patching Delays

The 2025 DBIR highlights two major weak spots that put SMBs at even greater risk: supply chain dependencies and slow patching cycles.

  • Third-party involvement doubled: Nearly 30% of SMB breaches now involve a partner or vendor, up from 15% in previous years. For small businesses that outsource IT, payments, or HR functions, a weak link in a supplier’s system can quickly become their breach. Attackers exploit these trusted relationships to bypass defenses.
  • Patching delays open doors: Vulnerability exploitation rose by 34%, often targeting unpatched VPNs, firewalls, and web apps. The report found a median patch time of 32 days, and only 54% of vulnerabilities were fully remediated. For SMBs without dedicated IT teams, this delay creates a long window of exposure where attackers can strike before fixes are applied.

Together, these findings show why SMBs can’t just focus inward. Their security depends on how quickly they patch systems and how well they manage third-party risks.

Who’s Behind the Attacks?

| Actor Type | SMBs | Large Enterprises |
|---|---|---|
| Organized crime (financial) | Nearly all attacks | Majority of attacks |
| Internal (errors/misuse) | Very rare (2%) | Present in 25% of breaches |
| Nation-state actors | Rare | Present but limited |

For SMBs, the story is simple: almost every breach is the work of organized cybercrime groups motivated by profit. Nation-state espionage and insider misuse are rare compared to large organizations.

When Small Businesses Cause Big Damage

It’s a mistake to assume that small businesses only create small risks. The National Public Data breach of 2024 proved otherwise. Despite having just 1–20 employees, the company managed vast amounts of sensitive information. Attackers exploited weaknesses and exposed 2.9 billion records, including Social Security numbers, dates of birth, and addresses from the U.S., Canada, and the U.K.

This case underscores two key points:

  1. SMBs can hold massive datasets without enterprise-grade security. Even small operations often handle customer PII, financial records, or healthcare data.
  2. The ripple effects of an SMB breach can be global. A single compromised firm can leak data that affects governments, multinational companies, and millions of citizens.

In short, SMB breaches are not just “small business problems.” They can create systemic risks across entire ecosystems.

Key Takeaways

  • SMBs suffer four times more breaches than large firms, making them prime targets.
  • Ransomware dominates small business breaches (88%), showing how attackers scale extortion.
  • Stolen credentials are the most common entry point, made worse by weak password practices and poor MFA adoption.
  • Errors plague large enterprises, but SMBs are overwhelmed by malware, which accounts for most attacks against them.
  • Third-party risks and patching delays magnify vulnerabilities, doubling supply chain breaches and leaving systems exposed for over a month.
  • Organized crime drives nearly all SMB breaches, while nation-state activity is minimal.
  • Even small firms can cause global fallout, as shown by the 2024 National Public Data breach.

Quick FAQs

Q1: Do SMBs face more breaches than big companies?
Yes. SMBs had 2,842 confirmed breaches in 2025, nearly four times more than large enterprises.

Q2: Is ransomware just a big-company threat?
No. Ransomware was present in 88% of SMB breaches, compared to 39% in large firms.

Q3: What data do attackers usually steal from SMBs?
Mostly internal business data and credentials, with some personal information also exposed.

Q4: Who attacks SMBs the most?
Almost all breaches are linked to organized crime groups motivated by financial gain.

Q5: What can SMBs do to protect themselves?
Patch quickly, enforce MFA, provide phishing awareness training, and keep secure backups to recover from ransomware. Also, vet third-party vendors and demand stronger security from suppliers.

Author

  • Maya Pillai is a technology writer with over 20 years of experience. She specializes in cybersecurity, focusing on ransomware, endpoint protection, and online threats, making complex issues easy to understand for businesses and individuals.
