TL;DR: Verizon's 2025 Data Breach Investigations Report analyzed more than 22,000 incidents and found that stolen credentials remain the top initial access vector at 22% of breaches, while third-party origin breaches doubled from 15% to 30% in a single year. With infostealer logs finding company credentials on 30% of corporate devices and 46% of unmanaged devices, the era of "password plus MFA" as a credible defense is ending. North Carolina small businesses need an identity-first security posture.
Key takeaway: Identity is now the dominant attack surface. The cheapest way to break into a 2026 small business is not to hack the network or the application, it is to buy a credential. Building defenses that assume credentials will be stolen is the new minimum bar.
How exposed is your business identity perimeter? Preferred Data Corporation provides identity security assessments and managed identity services for NC small businesses. BBB A+ rated since 1987. Call (336) 886-3282 or request an identity security review.
What the 2025 DBIR actually says about small businesses
The Verizon DBIR is the most-cited primary source in cybersecurity reporting, and its 2025 edition tells a striking story:
| Metric | 2024 DBIR | 2025 DBIR | Direction |
|---|---|---|---|
| Stolen credential initial access | 24% | 22% | Stable, still #1 |
| Vulnerability exploit initial access | 14% | 20% | Up sharply |
| Third-party origin breaches | 15% | 30% | Doubled |
| Devices with credentials in infostealer logs (corporate) | - | 30% | New visibility |
| Devices with credentials in infostealer logs (unmanaged) | - | 46% | New visibility |
| Malware containing credentials from password stores | - | 25% | New visibility |
| Median time to click on phishing link | <60 seconds | <60 seconds | Stable |
| Median ransomware payment | $12,738 (2024) | $59,556 (2025) | Up 368% per Chainalysis |
Combined with SpyCloud's 2026 research and Verizon's 2025 credential-stuffing analysis, the story is consistent: attackers prefer to log in, not break in.
Why "MFA on" is no longer enough
For years, the small business security advice was: "Turn on MFA. Block 99% of attacks." That advice was correct in 2020 and remains directionally right today. But the threat actors have adapted in five specific ways:
1. Infostealer malware harvests session cookies
Modern infostealers like RedLine, Vidar, and StealC harvest browser session cookies that already represent a fully authenticated, MFA-completed session. An attacker with the cookie does not need the password or the MFA prompt. Verizon's research found credentials on nearly half of unmanaged endpoints.
2. Adversary-in-the-middle (AiTM) phishing
Phishing kits like Tycoon, EvilProxy, and Mamba 2FA proxy the legitimate login flow, harvesting both credentials and the post-MFA session token. SMS and push-based MFA do nothing here. Only phishing-resistant MFA (FIDO2, certificate-based, Windows Hello for Business) breaks the attack.
3. OAuth abuse
As detailed in our SaaS breach lessons post, attackers increasingly target OAuth tokens because they grant persistent, MFA-bypassing access.
4. Helpdesk social engineering
Threat groups like Scattered Spider have made a specialty of impersonating employees on the phone to convince helpdesk staff to reset MFA. The control bypass happens before the login.
5. AI-generated phishing at scale
AI-driven phishing campaigns generate convincing messages at industrial scale, and credential abuse remains the top initial access vector in part because the cost to attempt has collapsed.
Key takeaway: Turn on MFA, yes. Then move past it. The defenses that matter in 2026 assume the credential is already stolen.
The identity-first defense playbook for NC small businesses
1. Replace shared, password-only, and weak-MFA accounts
Inventory every account in the business, including admin, service, and break-glass accounts, and document the authentication method. Replace the weakest first:
- Shared accounts: convert to individual identities with named ownership
- Password-only accounts: enforce MFA
- SMS or app-prompt MFA: upgrade to phishing-resistant where the platform supports it
Our post Passwordless Authentication for Business Security walks through the rollout pattern.
2. Deploy phishing-resistant MFA where it matters most
Not every account needs FIDO2 immediately. Prioritize:
- Identity provider admins (Microsoft Entra, Google Workspace admin, Okta)
- Domain admins, server admins, hypervisor admins
- Finance staff with payment authority
- Email accounts with regulated data
- Remote access users
Roll out broadly afterwards as devices and platforms allow. Our post Microsoft 365 Security Settings for Business covers conditional access policy design.
3. Implement conditional access
Authentication should be context-aware:
- Compliant device required for sensitive applications
- Block sign-ins from non-corporate countries unless an exception is registered
- Require MFA every time for risky sessions, not just first login
- Block legacy authentication protocols entirely
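To make the four rules above concrete, here is an added example of a small conditional access evaluator. It is illustration code written for this post, not PDC's tooling and not how Microsoft Entra or Google Workspace implement their engines; the policy sets, the `SignIn` fields, the sample users and the registered travel exception are all constructed assumptions. The evaluator applies the rules in the order the list gives them: legacy protocols are blocked outright, non-corporate countries are blocked unless an exception is registered, sensitive applications require a compliant device, and risky sessions are re-prompted for MFA even when the session already satisfied it.

```python
"""Added example: a toy conditional access evaluator (not a vendor engine).

Assumptions (constructed for this example): protocol names, app names,
allowed countries, the per-user exception registry and the sample sign-ins.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Legacy protocols cannot carry an MFA claim, so they are blocked entirely.
LEGACY_PROTOCOLS = {"imap", "pop3", "smtp_auth", "activesync_basic"}
# Applications that must only be reached from a compliant (managed) device.
SENSITIVE_APPS = {"finance-erp", "payroll", "entra-admin-portal"}
# Corporate countries; anything else needs a registered exception.
ALLOWED_COUNTRIES = {"US"}
# Constructed exception registry: user -> countries approved for travel.
TRAVEL_EXCEPTIONS = {"alice@example.com": {"GB"}}


@dataclass
class SignIn:
    user: str
    app: str
    protocol: str          # "modern" or one of LEGACY_PROTOCOLS
    country: str           # ISO 3166 alpha-2 code from the sign-in IP
    device_compliant: bool # device passed the management/compliance check
    risk: str              # "low", "medium" or "high" from the IdP risk engine
    mfa_satisfied: bool    # MFA claim already present on this session


@dataclass
class Decision:
    outcome: str           # "allow", "block" or "require_mfa"
    reasons: list[str] = field(default_factory=list)


def evaluate(signin: SignIn, exceptions=TRAVEL_EXCEPTIONS) -> Decision:
    """Apply the policies in order; the first failing policy decides."""
    # 1. Block legacy authentication protocols entirely.
    if signin.protocol in LEGACY_PROTOCOLS:
        return Decision("block", [f"legacy protocol {signin.protocol}"])
    # 2. Block non-corporate countries unless an exception is registered.
    approved = ALLOWED_COUNTRIES | exceptions.get(signin.user, set())
    if signin.country not in approved:
        return Decision("block", [f"country {signin.country} has no exception"])
    # 3. Sensitive applications require a compliant device.
    if signin.app in SENSITIVE_APPS and not signin.device_compliant:
        return Decision("block", [f"{signin.app} requires a compliant device"])
    # 4. Risky sessions re-prove MFA every time, even if already satisfied.
    if signin.risk in {"medium", "high"}:
        return Decision("require_mfa", [f"session risk {signin.risk}"])
    if not signin.mfa_satisfied:
        return Decision("require_mfa", ["MFA not yet satisfied"])
    return Decision("allow", ["all policies satisfied"])


if __name__ == "__main__":
    samples = [
        SignIn("bob@example.com", "mail", "imap", "US", True, "low", True),
        SignIn("bob@example.com", "finance-erp", "modern", "US", False, "low", True),
        SignIn("alice@example.com", "mail", "modern", "GB", True, "low", True),
        SignIn("bob@example.com", "mail", "modern", "GB", True, "low", True),
        SignIn("bob@example.com", "mail", "modern", "US", True, "high", True),
        SignIn("bob@example.com", "mail", "modern", "US", True, "low", True),
    ]
    for s in samples:
        d = evaluate(s)
        print(f"{s.user:18} {s.app:18} {s.protocol:8} {s.country} -> {d.outcome}: {d.reasons[0]}")
```

The ordering matters: the legacy-auth block comes first because a legacy client would never reach the MFA step, and the risk check comes after the device check so that a risky session on an unmanaged device is blocked rather than merely re-prompted.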
4. Monitor for infostealer exposure
Infostealer logs are bought and sold in dark-web marketplaces. Services that ingest those logs and alert when your domain's credentials appear are now affordable for SMBs and a routine inclusion in a managed identity package.
5. Audit OAuth and integration consent
The same OAuth governance that protects against SaaS supply-chain breaches protects against identity attacks. That means quarterly review of granted scopes, revocation of unused apps, and admin-only consent for high-scope integrations.
6. Build a helpdesk verification protocol
Document and train a specific procedure for calls from staff asking for an MFA reset: multiple identity proofs, no exceptions, no urgency-driven bypasses. This single control would have blocked several of the highest-impact 2025 breaches.
7. Enable identity threat detection and response (ITDR)
ITDR platforms identify suspicious identity activity that signature-based tools miss: impossible travel, token replay, mass mailbox rule creation, anomalous OAuth consent. For NC small businesses, ITDR is usually delivered as part of a managed SIEM/SOC engagement.
Our post SIEM and SOC for Small Business describes the operational model.
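The ITDR signals named above (impossible travel, token replay, mass mailbox rule creation, anomalous OAuth consent) are simple enough to show as detection logic. The following is an added example written for this post; it is not PDC's SOC content and not a vendor's rule set. The JSON log schema, the thresholds and the sample events are constructed assumptions: real identity providers emit their own field names, and a production ITDR would enrich with device and risk data rather than rely on raw coordinates. The sample log contains one user whose session moves from the Piedmont Triad to Berlin in twenty minutes, a session token reused from a second IP, a burst of inbox rules, and a consent grant for mailbox-wide scopes.

```python
"""Added example: minimal ITDR-style detections over constructed identity logs.

Assumptions (constructed for this example): the JSON line schema, the
thresholds, the high-risk scope list, and every event in SAMPLE_LOG.
"""
import json
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: JSON lines, one identity event per line.
SAMPLE_LOG = """\
{"ts":"2026-03-02T09:00:00Z","user":"bob@example.com","event":"signin","ip":"203.0.113.10","lat":35.96,"lon":-80.01,"session":"s-111"}
{"ts":"2026-03-02T09:20:00Z","user":"bob@example.com","event":"signin","ip":"198.51.100.7","lat":52.52,"lon":13.40,"session":"s-222"}
{"ts":"2026-03-02T09:25:00Z","user":"bob@example.com","event":"api_call","ip":"198.51.100.7","session":"s-111"}
{"ts":"2026-03-02T09:30:00Z","user":"bob@example.com","event":"inbox_rule_created","name":"r1"}
{"ts":"2026-03-02T09:31:00Z","user":"bob@example.com","event":"inbox_rule_created","name":"r2"}
{"ts":"2026-03-02T09:33:00Z","user":"bob@example.com","event":"inbox_rule_created","name":"r3"}
{"ts":"2026-03-02T10:00:00Z","user":"carol@example.com","event":"oauth_consent","app":"Sales Helper","scopes":["Mail.ReadWrite","offline_access"]}
{"ts":"2026-03-02T10:05:00Z","user":"dave@example.com","event":"signin","ip":"203.0.113.22","lat":35.22,"lon":-80.84,"session":"s-333"}
"""

MAX_SPEED_KMH = 1000                       # faster than any airline route
RULE_THRESHOLD, RULE_WINDOW = 3, timedelta(minutes=10)
HIGH_RISK_SCOPES = {"Mail.ReadWrite", "Mail.Read", "Files.ReadWrite.All",
                    "offline_access", "Directory.ReadWrite.All"}


def parse(text):
    """Parse JSON lines into events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def detect(events):
    """Return (detection, user, detail) tuples for the four ITDR signals."""
    alerts = []
    last_signin = {}                        # user -> previous sign-in event
    session_ips = defaultdict(set)          # session id -> IPs seen using it
    rule_times = defaultdict(list)          # user -> recent inbox-rule timestamps
    for e in events:
        u = e["user"]
        # Impossible travel: implied speed between consecutive sign-ins.
        if e["event"] == "signin":
            prev = last_signin.get(u)
            if prev:
                km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
                hours = (e["ts"] - prev["ts"]).total_seconds() / 3600
                if hours > 0 and km / hours > MAX_SPEED_KMH:
                    alerts.append(("impossible_travel", u, f"{km:.0f} km in {hours * 60:.0f} min"))
            last_signin[u] = e
        # Token replay: one session identifier used from more than one IP.
        if "session" in e:
            seen = session_ips[e["session"]]
            seen.add(e["ip"])
            if len(seen) > 1:
                alerts.append(("token_replay", u, f"session {e['session']} from {sorted(seen)}"))
        # Mass mailbox rule creation: N rules inside a sliding window.
        if e["event"] == "inbox_rule_created":
            recent = [t for t in rule_times[u] if e["ts"] - t <= RULE_WINDOW] + [e["ts"]]
            rule_times[u] = recent
            if len(recent) == RULE_THRESHOLD:   # alert once as the burst crosses the line
                alerts.append(("mass_inbox_rules", u, f"{len(recent)} rules in {RULE_WINDOW}"))
        # Anomalous OAuth consent: grants that include mailbox- or tenant-wide scopes.
        if e["event"] == "oauth_consent":
            risky = sorted(set(e["scopes"]) & HIGH_RISK_SCOPES)
            if risky:
                alerts.append(("risky_oauth_consent", u, f"{e['app']} granted {risky}"))
    return alerts


if __name__ == "__main__":
    for kind, user, detail in detect(parse(SAMPLE_LOG)):
        print(f"{kind:22} {user:20} {detail}")
```

Each detector keeps only the state it needs per user or per session, which is how a streaming SIEM rule would be written; the thresholds are deliberately conservative, and in practice the impossible-travel rule is tuned against VPN egress points and mobile carrier geolocation to keep false positives manageable.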
Identity defense maturity model for SMBs
| Level | Controls | Typical SMB state |
|---|---|---|
| 0 | Passwords, no MFA | Catastrophic exposure |
| 1 | MFA on email and VPN | Common |
| 2 | MFA everywhere, conditional access basics | Best practice baseline |
| 3 | Phishing-resistant MFA on admin accounts, ITDR | Emerging best practice |
| 4 | Passwordless across the org, continuous risk-based auth, infostealer monitoring | Leadership tier |
| 5 | Identity-first SOC, just-in-time admin, zero standing privilege | Enterprise-grade |
Most NC small businesses sit between Level 1 and Level 2 in 2026. Moving to Level 3 typically requires 60 to 120 days, costs a few hundred to a few thousand dollars per month for the right tools, and meaningfully changes the breach probability curve.
Want to assess your current level and the most cost-effective next step? Call Preferred Data Corporation at (336) 886-3282 or request an identity security review.
What an identity-first program looks like in practice
For a 60-person NC professional services firm currently at Level 2:
Days 1 to 30: Discovery and quick wins
- Identity inventory, including shared, service, and admin accounts
- Audit MFA enrollment by user and method
- Enable conditional access baseline (legacy auth block, country block, compliant device required for admins)
- Onboard infostealer monitoring service
Days 31 to 60: Phishing-resistant MFA
- Issue FIDO2 keys or enable Windows Hello for Business for admins and finance
- Deploy phishing-resistant MFA for high-risk groups
- Document helpdesk verification procedure and run a tabletop test
Days 61 to 90: ITDR and OAuth governance
- Connect identity provider to managed SIEM/SOC
- Configure ITDR alerts (token theft, impossible travel, suspicious OAuth grants)
- Run quarterly OAuth consent audit and remove unused apps
- Begin user training on AiTM-resistant patterns
Ongoing:
- Quarterly access reviews
- Quarterly OAuth reviews
- Monthly infostealer exposure review
- Annual passwordless expansion
Why this matters specifically for North Carolina industries
- Manufacturers in High Point, Hickory, and Winston-Salem holding CMMC-relevant or proprietary data face identity-driven attacks that pivot quickly to OT.
- Healthcare in the Triangle handles PHI subject to HIPAA breach notification, with identity compromise being the most common path to data loss.
- Professional services in Charlotte, Raleigh, and Greensboro hold client financials and IP that make a single executive account compromise enormously damaging.
- Construction businesses statewide increasingly run on cloud project management and bid systems where identity is the perimeter.
Key takeaway: Identity is the new perimeter, and the 2025 DBIR proves credentials are the most reliable way in. The businesses that survive 2026 share one thing: they stopped trusting passwords as a control.
About Preferred Data Corporation
Preferred Data Corporation (PDC) is a managed IT and cybersecurity services provider headquartered in High Point, North Carolina, serving small and mid-sized businesses across the Piedmont Triad and Research Triangle. PDC's identity security services include Microsoft Entra and Google Workspace hardening, conditional access design, phishing-resistant MFA rollouts, ITDR integration with managed SIEM/SOC, and ongoing identity governance. Since 1987, PDC has helped NC businesses build defenses that match the actual threat landscape, not the marketing one.
Talk to an identity security specialist:
- Call (336) 886-3282
- Visit preferreddata.com/contact
- Email [email protected]
Frequently Asked Questions
We turned on MFA two years ago. Are we covered?
Probably not at the level the 2025 DBIR implies. SMS and push-based MFA still block opportunistic attacks but are bypassed by AiTM phishing kits and token theft. The current bar is phishing-resistant MFA for admin and high-risk accounts and conditional access policies that account for device, location, and risk.
What is the most cost-effective first move for a 25-person NC business?
Enable conditional access for legacy authentication blocking and a compliant-device requirement for admins, then issue FIDO2 keys (or enroll Windows Hello / passkeys) for the half-dozen highest-risk accounts. That combination usually costs less than $1,000 in hardware plus IT time and eliminates the cheapest attack paths.
How do infostealers actually get on devices?
The most common path in 2026 is users downloading cracked software, fake browser extensions, or trojanized installers from search-engine ads. Personal devices and BYOD scenarios are the most exposed, which is why Verizon found 46% of unmanaged devices carrying company credentials. Strong endpoint controls and limiting corporate credentials to managed devices are the structural fix.
What is identity threat detection and response (ITDR)?
ITDR is the identity-focused equivalent of EDR. It watches the identity provider for suspicious behavior, including token theft signatures, mass permission grants, anomalous OAuth consent, impossible travel, and legacy auth attempts. Managed SIEM/SOC providers increasingly include ITDR in their service.
Does any of this apply if we are on Google Workspace, not Microsoft 365?
Yes. Google Workspace exposes equivalent capabilities (Context-Aware Access, advanced protection, hardware keys, security center). The principles are identical: replace passwords for high-risk users, enforce conditional policies, monitor for identity attacks, and govern OAuth integrations.
Related Resources
- Cybersecurity Services for NC Businesses
- Managed IT Services
- Passwordless Authentication for Business Security
- Microsoft 365 Security Settings for Business
- SIEM and SOC for Small Business
- Zero Trust Security for SMBs
- AI Credential Attacks Threaten Business Accounts
- SaaS Third-Party Breach Lessons
- IT Services in High Point
- IT Services in Greensboro
- IT Services in Raleigh