Verizon DBIR 2026: Three Numbers Every SME Should Know
TL;DR
- The Verizon Data Breach Investigations Report 2026 analysed over 31,000 incidents and more than 22,000 confirmed breaches. Three numbers from it stand out for SMEs.
- Third parties were involved in 48% of all breaches worldwide and in 54% of breaches in EMEA. For SMEs, the impact is much harder to contain.
- 96% of ransomware victims in the DBIR dataset are SMEs. Attackers go for volume, not headline corporate targets.
- 45% of employees now regularly use AI on corporate devices. That figure has tripled compared to last year. For context: IBM puts the additional cost of a breach with heavy Shadow AI use at around USD 670,000.
Verizon has been publishing the Data Breach Investigations Report for 19 years. This year’s edition draws on more than 31,000 security incidents and over 22,000 confirmed breaches from 145 countries, and it’s widely regarded as one of the most-cited annual reports on the current threat landscape. For SMEs, three trends from this year’s report deserve a closer look, because they’ve only hardened in 2026.
Third parties are an SME problem
The share of breaches involving third parties has risen sharply over the past three years. In 2024, third-party involvement accounted for 15% of all analysed cases; in 2025 it was already 30%. The 2026 report puts the figure at 48% globally and 54% in the EMEA region. The share has more than tripled within two years.
This can be especially challenging for SMEs. They often use the same cloud tools, identity providers, and accounting platforms as a large enterprise. If an accountant, hosting provider, or payroll service is compromised, the risk of a breach is much greater for SMEs than for bigger companies. SMEs are less likely to run third-party risk management that continuously assesses these dependencies. They also have fewer financial and human resources to defend against attacks. The damage can quickly become existential.
Ransomware almost exclusively hits SMEs
The distribution of ransomware victims in the DBIR data is unambiguous: around 96% of victims are SMEs. Ransomware gangs go for volume rather than targeting the largest organisations. They compromise thousands of businesses through well-known attack vectors and extract ransom wherever backups are missing.
Verizon identifies two recurring entry points among SMEs: compromised credentials in 38% of cases and unpatched vulnerabilities in edge devices in 29%. In practice, this means basic security measures matter more than ever. A password manager plus 2FA on all important accounts, and patch management with a clear SLA for edge devices (firewalls, VPN gateways, NAS), are the two most effective levers.
Shadow AI is the trend of the year
The most striking change in the DBIR 2026 concerns AI use at work. 45% of employees now regularly use generative AI on their corporate devices, up from 15% in last year’s report. 67% of that access happens through personal, non-corporate accounts. Shadow AI became the third most common non-malicious insider action in 2025, four times the 2024 figure. The data type most often ending up in external AI tools is source code, followed by images and structured data.
IBM’s Cost of a Data Breach Report 2025 provides the cost side and reinforces the DBIR finding: 20% of the breaches studied traced back to a Shadow AI incident. Organisations with high Shadow AI usage saw on average USD 670,000 in higher breach costs than companies with little or no Shadow AI use, and 63% of breached organisations either had no AI governance policy or were still developing one.
What the DBIR numbers mean for SMEs
The threat landscape for SMEs has worsened further: supply chains are becoming the main attack vector, ransomware gangs go for the easier targets, and AI tools make it harder to control data flows in the business. The effective measures haven’t changed: basics like protecting accounts with 2FA, a supplier list that is kept current, and clear rules for AI use in the company. The full report is available directly from Verizon.
Sources
- Verizon, 2026 Data Breach Investigations Report
- IBM Security, Cost of a Data Breach Report 2025