Technology Advisor Blog

Every year, Verizon publishes its Data Breach Investigations Report (DBIR), one of the most respected cybersecurity reports in the industry. The 2026 report analyzed more than 22,000 confirmed data breaches across 145 countries, making it one of the largest collections of real-world cybersecurity data available.

At Ekaru, we pay close attention to reports like this because they help us separate trends from headlines. Instead of relying on assumptions, we can see exactly how attackers are succeeding, where businesses are struggling, and what organizations can do to better protect themselves.

Before we dive into the findings, it's helpful to understand two terms you'll see throughout cybersecurity reports:

Incident: A security event that disrupts business operations, compromises systems, or creates a security risk.

Breach: A type of incident where sensitive information is actually accessed, stolen, or exposed to someone who shouldn't have it.

In other words, every breach is an incident, but not every incident becomes a breach. For example, a ransomware attack or website outage may be considered a security incident even if no customer or company data is stolen.

The biggest takeaway from this year's report is surprisingly simple:

Cybersecurity fundamentals matter more than ever.

While artificial intelligence, ransomware, and sophisticated cybercriminal groups continue to dominate the news, most successful breaches still come down to a handful of preventable issues. Here are the lessons small businesses should take away from Verizon's findings.

1. Unpatched Systems Have Become the #1 Way Attackers Get In

For years, stolen passwords were the most common way attackers gained access to business systems. That's no longer the case.

According to the Verizon DBIR, exploiting software vulnerabilities is now the leading method attackers use to gain initial access to organizations (and AI makes that easier and faster!).

In plain English, this means cybercriminals are actively scanning the internet looking for outdated software, unpatched firewalls, vulnerable VPNs, and exposed systems. Once they find one, they can often gain access without ever needing a password.  They use automated tools and scan - have you ever looked at your firewall logs or Microsoft 365 logs to see who's trying to get in?

For small businesses, this highlights the importance of:

• Regular software updates
• Security patch management
• Vulnerability assessments
• Continuous monitoring

Many organizations don't get breached because they lack expensive security tools. They get breached because a known vulnerability remained unpatched for too long.  Those boring and annoying updates?  Don't delay!

2. Ransomware Isn't Going Away

Ransomware continues to be one of the most significant cybersecurity threats facing businesses today.

Nearly half of all breaches analyzed in the report involved ransomware or extortion-related activity.

The impact goes far beyond encrypted files. Modern ransomware attacks often involve data theft, operational disruption, reputational damage, and regulatory concerns.  What would you do if confidential client information was published on the Dark Web?

The good news is that businesses are becoming more resilient. Verizon found that a growing number of organizations are refusing to pay ransoms and instead relying on recovery plans and backups.

That's exactly why we continue to emphasize:

• Tested backups
• Endpoint protection
• Email security
• Incident response planning
• Business continuity strategies

The best ransomware response is preparation long before an attack occurs.

3. Your Security Is Only As Strong As Your Vendors

One of the most eye-opening findings from this year's report was the dramatic increase in breaches involving third parties.

Think about all the external services your business relies on every day:

• Microsoft 365
• Payroll providers
• Accounting software
• Cloud storage platforms
• CRM systems
• IT service providers (And this is the big reason we completed the GTIA Cybersecurity Trustmark this year!)

Businesses today are more connected than ever. While those connections improve productivity, they also increase risk.

A security issue at a vendor can quickly become a security issue for your organization.

This doesn't mean avoiding cloud services or modern business applications. It means understanding who has access to your data, enabling security controls like multifactor authentication, and periodically reviewing your vendor relationships.

4. People Are Still a Major Target

Technology wasn't the only focus of this year's report.

Verizon found that the human element was involved in nearly two-thirds of breaches.

What's changing is how attackers are targeting people.

Traditional phishing emails remain common, but attackers are increasingly using phone calls, text messages, and impersonation tactics to trick employees into providing access or sensitive information.  With AI, its so easy to clone someone's voice, or create a video with their image.  These day's seeing is NOT believing!

Many of these attacks don't look suspicious at first glance. They often appear urgent, helpful, or completely routine.  Often the emails contain things like QR Codes or other "security" tools that make it look like the sender is being more secure.  

This is why cybersecurity isn't just an IT issue.

Every employee plays a role in protecting the organization.

Regular security awareness training, clear verification procedures, and a culture where employees feel comfortable asking questions can dramatically reduce risk.  Talk to your team regularly about cybersecurity.  We recently had a great training session over cake  at one of our local client sites - just get people talking!

5. Artificial Intelligence Is Helping Attackers, Too

Artificial intelligence is transforming business operations, but it is also becoming a tool for cybercriminals.

The report found growing evidence that attackers are using AI to help write phishing messages, research targets, develop malicious code, and automate parts of their attack process.

This doesn't mean AI is creating entirely new categories of threats.

Instead, it's making existing attacks faster, cheaper, and easier to scale.  It's so easy to automatically harvest information from social media, websites, former breaches to make emails look VERY convincing.  Gone are they days where you could just tell your team to not click on a "suspicious" email.

The result is that businesses may face a greater volume of convincing phishing attempts and social engineering attacks than ever before.

The answer isn't fear.

The answer is strengthening the fundamentals that have always worked: security awareness, strong authentication, patch management, monitoring, and layered defenses.

What This Means for Small Businesses

When reading cybersecurity headlines, it's easy to assume the biggest risks involve sophisticated nation-state hackers or highly technical attacks.

The Verizon DBIR tells a different story.

Many successful breaches still start with:

• An unpatched system
• Weak authentication
• A trusted vendor being compromised
• An employee being deceived
• A missing security control

These aren't new problems. They're foundational security challenges that every organization can address.

That's encouraging because it means small businesses are not powerless.

With the right strategy, consistent processes, and ongoing attention to cybersecurity fundamentals, organizations can significantly reduce their risk.  There are so many smart and affordable things local businesses can do to help stay safe online.  Start small and build a successful program one step at a time.  We're currently working with several local businesses getting ready for CMMC compliance - while this seams overwhelming at first, making weekly progress gets the job done.

Final Thoughts

One reason we closely follow research like Verizon's annual DBIR is that it helps us make better recommendations for our clients.

The threat landscape continues to evolve, but the core principles of cybersecurity remain remarkably consistent. Organizations that know what assets they have, keep systems updated, secure accounts with multifactor authentication, train employees, and prepare for incidents are far better positioned to withstand today's threats.

Cybersecurity is not about eliminating risk entirely. It's about making informed decisions that reduce risk and improve resilience.

The businesses that focus on the fundamentals today will be the ones best prepared for whatever comes next.

Interested in continuing the conversation?

About the author: