TL;DR: Verizon's 2026 Data Breach Investigations Report, covering incidents from November 2024 through October 2025, confirms what small business owners feel every day: 88% of SMB breaches involve ransomware or extortion, compared with just 39% at large enterprises. Stolen credentials remain the top initial access vector at 22% of breaches, and third-party involvement doubled to 30% of breaches. For North Carolina SMBs, the report is a clear roadmap of where defenses must improve.
Critical takeaway: The Verizon DBIR is the most cited annual breach study in the industry, used by CISA, insurers, and Boards of Directors. When it says SMBs are taking ransomware at 2.3x the rate of enterprises, that gap is the entire defensive playbook.
Want a defensive plan tailored to your business? Contact Preferred Data Corporation at (336) 886-3282. Serving High Point, Greensboro, Charlotte, Raleigh, Winston-Salem, and the Piedmont Triad since 1987.
What Did the Verizon 2026 DBIR Find About Small Businesses?
The 2026 Verizon Data Breach Investigations Report analyzed thousands of confirmed breaches from November 1, 2024 through October 31, 2025 and produced one of the starkest small business findings in the report's history. Ransomware or extortion appeared in 88% of breaches at SMBs, compared to 39% at large enterprises. That 2.3x gap is a direct measure of where attacker focus and defender weakness intersect.
Other headline findings most relevant to NC SMBs:
| DBIR Finding | 2026 Report | What It Means for NC SMBs |
|---|---|---|
| SMB breaches involving ransomware/extortion | 88% | Attackers see SMBs as the highest-yield target class |
| Large enterprise breaches involving ransomware | 39% | Layered controls work; SMBs need the same controls |
| Stolen credentials as initial access | 22% of breaches | MFA + password manager are non-negotiable |
| Third-party involvement in breaches | 30% (up from ~15%) | Vendor risk programs are now table stakes |
| Vulnerability exploitation in attacks | 32% | Edge devices and unpatched software are top targets |
| Human element in breaches (phishing, errors, misuse) | Majority of breaches | Training and verification controls matter |
These numbers align with the FBI IC3 2025 data showing $20.9B in total cybercrime losses and the ransomware payment trends from Chainalysis we covered separately.
Why Are Small Businesses Targeted at 2.3x the Rate of Enterprises?
Small businesses get hit harder because the economic incentives for attackers are clearest at the SMB scale. Ransomware-as-a-service (RaaS) operators pick targets where ransom payment likelihood is high, defensive sophistication is low, and operational pain ramps fast. SMBs check all three boxes:
- Limited security operations. Few SMBs have a 24/7 SOC, full EDR coverage, or hardened backups. Verizon's data shows that controls common at enterprises (MFA, EDR, network segmentation) are still inconsistent across SMBs
- Compressed operations. A 4-day production halt at a 50-person Piedmont Triad manufacturer can cost more proportionally than a similar halt at a multinational. Attackers know this
- Concentrated decision-making. A single owner, controller, or office manager often has the access to authorize a wire, restore a backup, or pay a ransom. That concentration is efficient for legitimate operations and equally efficient for attackers
- Vendor and supply chain reach. SMBs often hold sensitive data for larger customers; a breach at a small contractor is a doorway into a larger enterprise
The Mastercard 2025 SMB study reinforces the point: almost 1 in 5 SMBs that experienced a cyberattack went bankrupt or out of business.
How Did Stolen Credentials Become the Top Initial Access Vector?
Stolen credentials accounted for 22% of all breaches in the 2026 DBIR, making them the single most common way attackers got in. The reasons are mundane and entirely fixable:
- Password reuse across personal and business accounts, plus public credential dumps from unrelated breaches
- No MFA on email, VPN, or admin portals (Microsoft research: MFA blocks 99.9% of automated credential attacks)
- Phishing kits that proxy the real login page (adversary-in-the-middle) and capture the password plus the post-MFA session cookie, so a one-time code or push approval on its own does not stop them
- Infostealer malware harvesting browser-saved credentials from infected workstations
- Initial access brokers selling pre-validated business credentials to ransomware affiliates
For NC business owners, the practical fix is a stack: MFA on every account that matters, a password manager that prevents reuse, EDR to catch infostealers, dark web monitoring to detect leaked credentials, and conditional access policies that block logins from impossible-travel locations.
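The last item in that stack, blocking impossible-travel logins, is easy to describe and worth seeing as actual detection logic. The following is an added example written for this article, not code from the original page or from Preferred Data. It assumes a hypothetical CSV-style sign-in export in which the identity provider has already attached geo-IP coordinates to each event (time, user, source IP, latitude, longitude); the log lines, user names and IP addresses are constructed for the demonstration, and the 900 km/h threshold is an assumed tuning value.

```python
"""Impossible-travel detection over a sign-in export.

Added example for this article; it is not code from the original page or
from Preferred Data. It assumes a hypothetical CSV-style export in which
the identity provider has already attached geo-IP coordinates to each
sign-in (time, user, source IP, lat, lon). The sample log lines below are
constructed for the demonstration.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # about airliner speed; tune for your user population
MIN_DISTANCE_KM = 50.0      # ignore geo-IP jitter inside one metro area

# Constructed sample: alice signs in from Greensboro at 09:00Z and from
# Amsterdam 90 minutes later; bob drives Greensboro -> Charlotte -> Raleigh.
SAMPLE_LOG = """\
2025-03-04T09:00:00Z,alice,198.51.100.7,36.07,-79.79
2025-03-04T10:30:00Z,alice,203.0.113.9,52.37,4.90
2025-03-04T09:00:00Z,bob,198.51.100.8,36.07,-79.79
2025-03-04T11:00:00Z,bob,192.0.2.44,35.23,-80.84
2025-03-04T12:00:00Z,bob,192.0.2.45,35.78,-78.64
"""


def parse_signin_log(text):
    """Turn the constructed CSV lines into event dicts with UTC datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, lat, lon = line.split(",")
        events.append({
            "time": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": user, "ip": ip, "lat": float(lat), "lon": float(lon),
        })
    return events


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def find_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive sign-ins by one user that imply travel faster than
    max_kmh. Events may arrive in any order; they are sorted per user."""
    by_user = {}
    for ev in events:
        by_user.setdefault(ev["user"], []).append(ev)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if km < MIN_DISTANCE_KM:
                continue
            hours = (cur["time"] - prev["time"]).total_seconds() / 3600.0
            # Same-instant sign-ins from far-apart places are impossible at
            # any speed, so treat zero elapsed time as an alert without dividing.
            speed = float("inf") if hours <= 0 else km / hours
            if speed > max_kmh:
                alerts.append({
                    "user": user,
                    "from_ip": prev["ip"], "to_ip": cur["ip"],
                    "km": round(km), "hours": round(hours, 2),
                    "kmh": None if speed == float("inf") else round(speed),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_impossible_travel(parse_signin_log(SAMPLE_LOG)):
        print(alert)
```

Run against the sample, only alice is flagged (roughly 6,500 km in 90 minutes); bob's 130 km and 210 km hops in one to two hours are ordinary driving. In production this is the same calculation a conditional-access engine performs, and the alert is the point at which to revoke the session and force re-authentication rather than just log it.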
Why Did Third-Party Breach Involvement Double in the 2026 DBIR?
Third-party involvement appeared in 30% of breaches in the 2026 DBIR, doubling from approximately 15% in the prior year. The drivers:
- SaaS sprawl. SMBs now run dozens of cloud applications, each with its own credentials, integrations, and attack surface
- Embedded AI inside SaaS. Many SaaS platforms added AI features that ingest customer data; a breach at the SaaS provider exposes downstream customer data
- Managed providers and integrators. Compromised MSPs, IT contractors, or marketing platforms become single points of failure for many customers at once
- Supplier ecosystems. A breach at a vendor that holds your design files, financials, or customer list is your breach in practice
NC manufacturers, defense subcontractors, and construction firms are particularly exposed because their supply chains involve dozens of small partners that share data freely under tight schedules. We cover vendor risk management and third-party risk programs for manufacturers in dedicated guides.
What Concrete DBIR-Aligned Controls Should Every NC SMB Implement?
The Verizon DBIR is consistent year after year about which controls move the needle. The 2026 edition reinforces the same priorities:
- MFA everywhere it matters. Email, VPN, admin portals, financial systems, customer portals
- EDR or MDR on every endpoint. Behavior-based detection that catches credential theft and lateral movement
- Immutable backups, tested restores. Air-gapped or object-locked backups that ransomware cannot encrypt or delete
- Patch SLAs for edge devices. Same-week for firewalls, VPN concentrators, RDP gateways, and remote management tools
- Phishing-resistant authentication for high-risk roles. FIDO2 keys for executives, finance, and IT admins
- Email authentication enforced. SPF, DKIM, DMARC at policy reject
- Vendor and SaaS inventory. Know who has access to what, and review at least annually
- Written incident response plan. Including legal, insurance, comms, and a 72-hour clock for fund recovery
- 24/7 monitoring through a SOC. Most attacks unfold during nights and weekends
- Annual security awareness training with deepfake voice/video examples, not just typo phishing
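The email-authentication item in that list is the one most often left half-finished: SPF with a soft fail and DMARC parked at p=none is monitoring, not enforcement. The following checker is an added example written for this article, not code from the original page or from Preferred Data. It grades the text of a published SPF and DMARC record (what `dig +short TXT _dmarc.example.com` returns) against the "policy reject" bar; it does not resolve DNS, follow SPF include chains, or verify DKIM selectors, and every sample record below is constructed.

```python
"""Grade SPF and DMARC TXT records against the "policy reject" bar.

Added example for this article, not code from the original page or from
Preferred Data. It inspects record text only; it does not resolve DNS,
follow SPF include chains, or verify DKIM selectors. All sample records
below are constructed.
"""

# Constructed records: a typical "set and forget" pair and a hardened pair.
WEAK_SPF = "v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50; rua=mailto:dmarc@example.com"
STRONG_SPF = "v=spf1 ip4:192.0.2.0/24 include:spf.protection.outlook.com -all"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"

QUALIFIERS = "+-~?"
DNS_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=...' into a lower-cased tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record):
    """Return a list of findings; an empty list means the record enforces."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings = []
    p = tags.get("p", "").lower()
    if p == "":
        findings.append("missing p= tag: receivers treat the record as invalid")
    elif p == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif p == "quarantine":
        findings.append("p=quarantine sends spoofed mail to spam instead of rejecting it")
    elif p != "reject":
        findings.append("unknown policy p=%s" % p)
    # Subdomain policy inherits p when sp= is absent; an explicit weaker sp=
    # leaves sub.example.com spoofable even with p=reject on the apex.
    sp = tags.get("sp", p).lower()
    if p == "reject" and sp != "reject":
        findings.append("subdomains use sp=%s; they can still be spoofed" % sp)
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append("pct=%s applies the policy to only part of the mail stream" % pct)
    if "rua" not in tags:
        findings.append("no rua= address: you get no aggregate reports to spot abuse")
    return findings


def check_spf(record):
    """Return findings for an SPF record; empty means a strict -all record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    findings = []
    # Mechanism name with qualifier and argument stripped: "-include:x" -> "include"
    names = [t.lower().lstrip(QUALIFIERS).split(":")[0].split("=")[0] for t in terms[1:]]
    all_terms = [t for t, n in zip(terms[1:], names) if n == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    else:
        q = all_terms[-1][0] if all_terms[-1][0] in QUALIFIERS else "+"
        if q == "+":
            findings.append("+all authorises the whole internet to send as your domain")
        elif q in "~?":
            findings.append("%sall is a soft result; only DMARC p=reject makes it enforce" % q)
    # Only top-level terms are counted here; nested includes also count
    # towards RFC 7208's limit of 10 DNS-querying mechanisms.
    lookups = sum(1 for n in names if n in DNS_LOOKUP_TERMS)
    if lookups > 10:
        findings.append("%d DNS-querying terms exceeds the limit of 10 (permerror)" % lookups)
    return findings


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC),
                              ("strong", STRONG_SPF, STRONG_DMARC)):
        print(label, "SPF:", check_spf(spf) or ["ok"])
        print(label, "DMARC:", check_dmarc(dmarc) or ["ok"])
```

The weak pair produces three findings (soft-fail SPF, p=none, pct=50); the strong pair produces none. Paste the records your own resolver returns into the two constants to get the same grading for a real domain, and treat any finding as a gap to close before the next renewal questionnaire from your cyber insurer.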
These controls map directly to widely adopted frameworks like the NIST Cybersecurity Framework and CIS Controls v8.
Where do you stand? Take our free cybersecurity assessment or call (336) 886-3282.
How Does This Compare to NC-Specific Risk?
North Carolina's economy is dominated by industries the DBIR repeatedly flags as high-target: manufacturing, construction, professional services, and healthcare. Layer in NC's defense supplier base, the Piedmont Triad's furniture and industrial manufacturing concentration, and the Triangle's research and life sciences cluster, and the SMB target profile is dense.
NC-specific compliance pressures compound the cost of a breach:
- NC G.S. 75-65 breach notification requirements
- CMMC 2.0 for DoD contractors and subcontractors that handle FCI or CUI
- HIPAA for healthcare practices
- GLBA for financial services and accounting firms
- PCI DSS for any business taking card payments
- State and local government supplier requirements
A single breach often triggers multiple regulatory clocks at once. The Verizon DBIR controls are not just security best practices; they are increasingly the floor that auditors, insurers, and customers expect.
How Is Preferred Data Helping NC SMBs Close the DBIR Gap?
Preferred Data Corporation has been protecting NC small and mid-sized businesses since 1987. Our managed cybersecurity services bundle the controls the DBIR repeatedly identifies as most effective: EDR/MDR, MFA enforcement, dark web monitoring, email security, and 24/7 SOC monitoring. Our managed IT services handle the patching, monitoring, and configuration discipline that prevent stolen credentials and exploitation from becoming full breaches. Our backup and disaster recovery practice delivers immutable backups with quarterly restore testing.
For manufacturers and construction firms across High Point, Greensboro, Charlotte, Raleigh, Winston-Salem, and the Piedmont Triad, we bring OT-aware monitoring, jobsite security, vendor risk programs, and a 200-mile on-site response radius from High Point. With BBB A+ accreditation and an average client tenure of 20+ years, we have the track record SMB owners trust when the stakes are real.
Ready to close the SMB risk gap? Contact Preferred Data at (336) 886-3282 or visit our contact page to schedule a security review.
Frequently Asked Questions
What is the Verizon DBIR?
The Verizon Data Breach Investigations Report (DBIR) is an annual industry-standard analysis of confirmed breaches across thousands of organizations, used by CISA, insurers, and security teams worldwide. The 2026 edition covered breaches from November 2024 through October 2025 and is freely available at verizon.com/business/resources/reports/dbir.
Why are 88% of SMB breaches ransomware?
Because attackers prioritize targets with the highest expected payout per hour of effort. SMBs combine valuable data, time-sensitive operations, limited defensive maturity, and concentrated decision-making, which is the ideal profile for ransomware-as-a-service operators.
How much does an SMB ransomware incident typically cost?
Industry data places the range at $120,000 to $1.24 million for SMBs, with average downtime of 24 days. Indirect costs (lost customers, regulatory fines, insurance premium hikes, and recovery labor) often exceed the direct ransom or restoration cost.
Is paying the ransom a viable option?
Most experts and law enforcement strongly discourage payment. The Chainalysis 2026 report shows the payment rate dropped to 28% in 2025 because more victims are recovering through immutable backups and tested incident response. Paying does not guarantee a working decryptor, can violate sanctions, and signals to attackers that the victim is willing to pay again.
What is the single highest-impact control to deploy first?
If you can only do one thing this week, deploy MFA on every email account, VPN, and admin portal. Microsoft research shows MFA blocks 99.9% of automated attacks, and stolen credentials are the most common initial access vector in the DBIR.
How does third-party risk affect a small business?
Third-party involvement appeared in 30% of breaches in the 2026 DBIR, doubling from the prior year. SMBs are exposed when a SaaS vendor, MSP, marketing tool, or integration partner is breached. A vendor inventory and minimum-security baseline for vendors handling sensitive data is the starting point.
Where can I read the full DBIR?
The full report is available at verizon.com/business/resources/reports/dbir. Verizon also publishes an SMB-specific snapshot summarizing the small business findings.
Does Preferred Data offer DBIR-aligned managed security?
Yes. Our managed cybersecurity services align directly with the controls the DBIR repeatedly identifies as effective: MFA, EDR/MDR, immutable backups, vendor risk reviews, 24/7 monitoring, and incident response. Call (336) 886-3282 for a tailored assessment.