
Every year, Verizon publishes the most comprehensive data breach report in the industry. This year’s edition analyzed over 31,000 security incidents and 22,000 confirmed breaches across 145 countries. It dropped today, and the numbers are worth paying attention to.

Here is what changed in this year’s DBIR and what it means for your business.

The Biggest Shift in 19 Years

For the first time since Verizon started publishing this report, stolen credentials are no longer the number one way attackers get in. Software vulnerabilities just took the top spot.

31% of all breaches now start with an unpatched vulnerability. That number keeps climbing as AI shrinks the window between disclosure and exploitation from months down to hours (we covered this in our patch window post last week). The DBIR just put 22,000 confirmed breaches behind that argument.

The Stats That Should Stop You in Your Tracks

  • 96% of ransomware victims were SMBs. Not because large enterprises have solved ransomware, but because SMBs present unpatched devices, compromised credentials, and limited recovery capabilities. Attackers are opportunistic, and small businesses are abundant targets.
  • Ransomware was involved in 48% of all confirmed breaches, up from 44% last year. The good news is that median ransom payments dropped below $140,000, and only 31% of victims paid. The bad news is that 48% is still 48% (math has not changed in our favor).
  • Third-party breaches jumped 60% and now account for nearly half of all incidents. Your vendor’s security problem is your security problem (as Frost Bank, Citizens Financial, and Vercel all found out in April).
  • Shadow AI tripled. Employee use of unapproved AI tools went from 15% to 45% in a single year, opening a fresh channel for company data to leave the building without anyone noticing.
  • Mobile phishing success rates are 40% higher than email. Attackers are moving to phones because employees have gotten better at spotting suspicious emails and considerably worse at spotting suspicious texts (progress, sort of).

What the Report Says to Do About It

The DBIR’s overarching theme this year is “keeping a strong foundation in the face of change,” which is a diplomatic way of saying the fundamentals are still what most businesses are missing.

  • Patch critical vulnerabilities fast, prioritized by what is actually reachable in your environment
  • Enforce MFA everywhere, especially on edge devices and remote access tools
  • Know what AI tools your team is using and govern them before a breach reveals the answer
  • Audit your vendor access and third-party connections at least once a year
  • Test your backups and have a recovery plan that has been practiced, not just documented

None of these are new. The DBIR has been saying versions of this for 19 years. The difference in 2026 is that the cost of skipping them has never been higher.

The Bottom Line

The numbers tell a consistent story: 22,000 confirmed breaches, 96% of ransomware victims being SMBs, third-party incidents up 60%, and a patch window that has shrunk to hours.

Staying out of next year’s report does not require perfection, just consistency on the basics. At GiaSpace, we handle the fundamentals that keep businesses out of reports like this one, from patch management and MFA to vendor access reviews and shadow AI governance.

If any of the stats in this report made you wonder where your business stands, a free security assessment with Rob is the fastest way to find out.


Published: May 21, 2026

Gabriela Noce
Gabriela Noce is the Chief Marketing Officer at GiaSpace, leading branding, digital strategy, and performance marketing to drive business growth. With expertise in content marketing, SEO, and creative campaigns, Gabriela translates complex IT topics into clear, relevant content for business leaders. She brings a data-driven mindset to ensure GiaSpace's messaging is helpful and client-focused.
