Pelican3’s Perspective on the 2025 Verizon Data Breach Investigations Report (DBIR): What Small and Midsize Businesses Need to Know
- Rob Blanchard
- 20 hours ago
- 4 min read
The 2025 Verizon Data Breach Investigations Report (DBIR) offers one of the industry’s most comprehensive views of today’s cyber threat landscape. While the report provides valuable data across all sectors and company sizes, small and midsize businesses (SMBs) often face unique challenges that require tailored interpretation and strategy.
For context, SMBs are generally defined as organizations with fewer than 1,000 employees and annual revenues under $1 billion—though many fall well below that threshold, especially in local and regional markets. These businesses often operate without dedicated cybersecurity teams, making them particularly attractive targets for opportunistic threat actors.
At Pelican3, we go beyond summarizing the DBIR. Our analysis integrates insights from complementary research sources, such as the FBI’s IC3 Report, CrowdStrike’s Global Threat Report, and Chainalysis’ Crypto Crime Report, to deliver a complete, SMB-relevant perspective.
Here’s what we believe SMBs need to know—and act on—in the wake of this year’s findings.

Ransomware Is Spreading—Especially Across SMBs
Ransomware featured in 44% of all breaches in 2024, and it was present in 88% of SMB breaches. That’s a significant year-over-year increase and a reminder that attackers see smaller organizations as easier targets.
The good news? Chainalysis reports a 35% drop in total ransomware payments in 2024, driven by improved incident response and growing refusal to pay. Still, the volume of attacks is rising, and the financial and operational impact on SMBs remains severe.
Pelican3’s Take: Invest in immutable backups and incident response plans. Practice recovery scenarios to minimize downtime if ransomware strikes.
Vulnerability Exploits Rival Credential Theft
In a notable shift, the report finds that exploitation of vulnerabilities—especially in public-facing systems like VPNs and firewalls—nearly matches stolen credentials as a leading breach vector. For SMBs, this reflects a clear risk: patching and asset inventory are often reactive or inconsistent.
Pelican3’s Take: SMBs should adopt lightweight vulnerability scanning and patch prioritization routines. When internal bandwidth is tight, working with a managed security partner ensures timely patching of exposed systems—especially critical edge infrastructure.
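One way to make "patch prioritization" concrete for a small inventory is to score each finding on exploitation status and exposure rather than CVSS alone. The script below is an added illustration, not Pelican3’s tooling and not part of the DBIR; the inventory, the VULN-xxxx identifiers (placeholders, not real CVEs), the weights and the SLA bands are all constructed assumptions.

```python
"""Rank open findings so exposed edge systems get patched first.

Added example: not Pelican3's tooling and not from the DBIR. The inventory,
the VULN-xxxx identifiers (placeholders, not real CVEs), the weights and the
SLA bands are constructed assumptions for illustration.
"""
from dataclasses import dataclass, field

EDGE_KINDS = {"vpn", "firewall", "router", "mail_gateway"}  # the exposed edge devices the DBIR singles out


@dataclass
class Finding:
    vuln_id: str           # placeholder identifier, not a real CVE
    cvss: float            # base score 0.0-10.0
    known_exploited: bool  # listed in an exploited-in-the-wild catalogue (assumed input)
    patch_available: bool


@dataclass
class Asset:
    name: str
    kind: str              # "vpn", "firewall", "workstation", ...
    internet_facing: bool
    findings: list = field(default_factory=list)


def score(asset: Asset, f: Finding) -> float:
    """Higher means patch sooner. Weights are an assumption chosen for illustration."""
    s = f.cvss
    if f.known_exploited:
        s += 4.0    # active exploitation outweighs raw severity
    if asset.internet_facing:
        s += 3.0    # reachable without an existing foothold
    if asset.kind in EDGE_KINDS:
        s += 2.0    # VPNs and firewalls: the DBIR's most exploited edge
    if not f.patch_available:
        s -= 1.0    # still tracked, but needs a compensating control rather than a patch
    return round(s, 1)


def sla_days(s: float) -> int:
    """Illustrative remediation window by score band (assumed policy, not a standard)."""
    if s >= 15:
        return 1
    if s >= 10:
        return 7
    if s >= 7:
        return 30
    return 90


def prioritize(assets):
    """Return (score, sla_days, asset_name, vuln_id) tuples, most urgent first."""
    rows = []
    for a in assets:
        for f in a.findings:
            s = score(a, f)
            rows.append((s, sla_days(s), a.name, f.vuln_id))
    rows.sort(key=lambda r: (-r[0], r[2], r[3]))
    return rows


# Constructed sample inventory: one VPN, one firewall, one finance workstation
SAMPLE_INVENTORY = [
    Asset("edge-vpn-01", "vpn", True,
          [Finding("VULN-0001", 9.8, True, True)]),
    Asset("fw-main", "firewall", True,
          [Finding("VULN-0002", 7.5, False, False)]),
    Asset("ws-finance-07", "workstation", False,
          [Finding("VULN-0003", 9.1, False, True),
           Finding("VULN-0004", 5.3, True, True)]),
]

if __name__ == "__main__":
    for s, days, host, vuln in prioritize(SAMPLE_INVENTORY):
        print(f"{s:5.1f}  patch within {days:>2}d  {host:15} {vuln}")
```

The ordering is the point: the medium-severity but actively exploited finding on the workstation (VULN-0004) outranks the critical-but-unexploited one (VULN-0003), and both internet-facing edge devices land at the top, which is the pattern the DBIR’s edge-exploitation numbers argue for.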
Third-Party Risk Isn’t Just for Enterprises
30% of breaches involved third-party relationships, such as vendors or partners—double the percentage from the previous year. SMBs, which frequently outsource IT and rely heavily on SaaS providers, are deeply intertwined with these risks.
Pelican3’s Take: Small organizations need right-sized vendor risk management. At a minimum: limit vendor access, use contracts to mandate security controls, and monitor your software supply chain for vulnerabilities.
The Human Factor Still Drives the Majority of Breaches
Human error and social engineering (phishing, BEC, misdelivery) were present in more than 60% of breaches. According to the FBI’s IC3 Report, Business Email Compromise alone accounted for $2.7B in reported losses—often without any malware involved.
Pelican3’s Take: User behavior is still your frontline risk. SMBs should deliver practical, scenario-based training that reflects real threats like invoice fraud and impersonation. Where feasible, adopt phishing-resistant MFA and ensure finance workflows include out-of-band verification.
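Out-of-band verification works best when something flags which messages deserve it. The check below is an added example, not Pelican3’s service and not from the DBIR or IC3: it scores inbound mail headers for the usual BEC impersonation signals (an executive’s display name on an external address, a lookalike vendor domain, a Reply-To that diverges from From, payment language in the subject). The known domains, executive names, sample messages and the edit-distance threshold are all constructed assumptions.

```python
"""Flag inbound mail that shows the common BEC impersonation signals.

Added example, not part of the DBIR or Pelican3's services. KNOWN_DOMAINS,
EXEC_NAMES, the keyword list and SAMPLE_MESSAGES are constructed for
illustration. The result is a triage aid that decides which payment requests
get a phone call on a known number; it does not replace that call.
"""
from email.utils import parseaddr

KNOWN_DOMAINS = {"example-corp.com", "acme-vendor.com"}   # constructed: our domain + a real vendor
EXEC_NAMES = {"jane smith", "raj patel"}                    # constructed: people attackers impersonate
PAYMENT_KEYWORDS = ("wire", "invoice", "bank details", "urgent payment")


def _levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_signals(headers: dict) -> list:
    """Return the names of the impersonation signals present in one message's headers."""
    name, addr = parseaddr(headers.get("From", ""))
    from_dom = _domain(addr)
    signals = []

    # 1. An executive's display name arriving from a domain we do not own
    if name.strip().lower() in EXEC_NAMES and from_dom not in KNOWN_DOMAINS:
        signals.append("exec_display_name_external_domain")

    # 2. A sender domain within two edits of one we trust (threshold is an assumption)
    if from_dom and from_dom not in KNOWN_DOMAINS:
        for known in sorted(KNOWN_DOMAINS):
            if 0 < _levenshtein(from_dom, known) <= 2:
                signals.append(f"lookalike_domain:{known}")

    # 3. Replies silently redirected to a different domain
    _, reply = parseaddr(headers.get("Reply-To", ""))
    if reply and _domain(reply) != from_dom:
        signals.append("reply_to_mismatch")

    # 4. Payment language, the lure in invoice-fraud BEC
    subject = headers.get("Subject", "").lower()
    if any(k in subject for k in PAYMENT_KEYWORDS):
        signals.append("payment_keyword")
    return signals


# Constructed sample headers: one clean message, one CEO-style lure, one lookalike vendor
SAMPLE_MESSAGES = [
    {"From": "Raj Patel <raj.patel@example-corp.com>", "Subject": "Q2 planning"},
    {"From": "Jane Smith <jane.smith.ceo@gmail.com>", "Subject": "Urgent payment needed"},
    {"From": "Accounts <billing@acme-vend0r.com>",
     "Reply-To": "ap-team@mail-relay.example",
     "Subject": "Updated invoice and bank details"},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        found = bec_signals(msg)
        verdict = "verify out-of-band" if found else "no BEC signals"
        print(f"{msg['Subject']!r}: {verdict} {found}")
```

Any non-empty signal list on a message that asks finance to act is the trigger for the out-of-band step (a call to a number already on file, never one in the message). The check deliberately ignores message bodies and attachments, so it runs on header exports from any mail platform.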
Faster, Stealthier Attacks Demand Faster Detection
CrowdStrike reports attacker lateral movement happens in just 62 minutes, on average. Meanwhile, Mandiant observed median dwell time drop to just 10 days—with ransomware crews often acting within five.
Pelican3’s Take: Speed is survival. SMBs should ensure basic telemetry (e.g., endpoint logging, user activity monitoring) is turned on and reviewed. If in-house coverage isn’t possible, consider 24/7 monitoring through an MSSP to reduce response times.
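"Turned on and reviewed" means someone, or something, actually reads the telemetry. The script below is an added example, not Pelican3’s tooling and not from the DBIR, CrowdStrike or Mandiant: it runs one simple rule over endpoint logon records and alerts when a single account reaches several distinct hosts inside a short window, the fan-out that precedes much ransomware staging. The key=value log format, every line in SAMPLE_LOG, and the 60-minute window (sized to the 62-minute figure above) are constructed assumptions; real sources (Windows logon events, Linux auth logs, an EDR export) need their own parser, but the rule is the same.

```python
"""Scan endpoint logon telemetry for one account fanning out across hosts.

Added example: not Pelican3's tooling and not from the DBIR, CrowdStrike or
Mandiant. The key=value format and every line in SAMPLE_LOG are constructed
for this example; the 60-minute default window is an assumption sized to the
~62-minute breakout time quoted in the post.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed telemetry: a normal user over a workday, then a service account
# touching two workstations and two servers in about 17 minutes.
SAMPLE_LOG = """\
2025-05-01T09:00:12Z host=srv-files user=jdoe event=logon type=network src=10.0.0.5 result=success
2025-05-01T09:03:40Z host=srv-mail user=jdoe event=logon type=network src=10.0.0.5 result=success
2025-05-01T13:10:02Z host=srv-print user=jdoe event=logon type=network src=10.0.0.5 result=success
2025-05-01T22:14:05Z host=ws-03 user=svc-backup event=logon type=network src=10.0.0.44 result=success
2025-05-01T22:16:51Z host=ws-07 user=svc-backup event=logon type=network src=10.0.0.44 result=success
2025-05-01T22:17:30Z host=srv-db user=svc-backup event=logon type=network src=10.0.0.44 result=failure
2025-05-01T22:19:08Z host=srv-db user=svc-backup event=logon type=network src=10.0.0.44 result=success
2025-05-01T22:31:45Z host=srv-files user=svc-backup event=logon type=network src=10.0.0.44 result=success
2025-05-01T22:40:00Z host=ws-07 user=svc-backup event=logoff type=network src=10.0.0.44 result=success
"""


def parse_line(line: str) -> dict:
    """'2025-05-01T09:00:12Z host=.. user=.. ...' -> dict with a UTC 'ts' field."""
    ts_text, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def find_fanout(lines, window=timedelta(minutes=60), min_hosts=3):
    """Alert when one account has successful network logons to at least
    min_hosts distinct hosts inside a sliding window of the given length."""
    events = [parse_line(ln) for ln in lines if ln.strip()]
    # Only successful network logons count; failures and logoffs are dropped here
    events = [e for e in events
              if e.get("event") == "logon" and e.get("type") == "network"
              and e.get("result") == "success"]
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in sorted(by_user.items()):
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):          # slide the window over each start point
            hosts = set()
            for e in evs[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                hosts.add(e["host"])
            if len(hosts) >= min_hosts:
                alerts.append({"user": user, "first_seen": start["ts"],
                               "src": start["src"], "hosts": sorted(hosts)})
                break                              # one alert per account opens a triage ticket
    return alerts


if __name__ == "__main__":
    for a in find_fanout(SAMPLE_LOG.splitlines()):
        print(f"{a['user']} from {a['src']} reached {len(a['hosts'])} hosts "
              f"starting {a['first_seen'].isoformat()}: {', '.join(a['hosts'])}")
```

On the sample, jdoe’s three servers over four hours stay quiet while svc-backup trips the rule; widen the window to six hours and jdoe trips it too, which is why the window and host count should be tuned against a week of your own logs before the rule pages anyone. A service account reaching workstations at 22:14 is exactly the kind of event an MSSP should be able to see and call you about the same night.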
Cloud and Identity Risks Are Intertwined
Credentials are still the most commonly stolen data type, and 46% of stolen credentials came from unmanaged or personal devices. Many SMBs now live in the cloud—making identity the new perimeter—but aren’t enforcing strong credential hygiene or visibility into where and how accounts are being used.
Pelican3’s Take: Enforce modern authentication protocols, monitor for credential leaks, and separate personal from corporate device use. Identity protection is no longer optional for cloud-forward SMBs—it’s foundational.
Generative AI Is Creating New Exposure Pathways
The DBIR notes that 15% of employees are using GenAI tools (ChatGPT, Grok, Copilot, etc.) from corporate devices—often under personal accounts. While AI-driven attacks remain limited for now, employee data leakage through unmonitored AI tools is a growing concern.
Pelican3’s Take: SMBs should establish GenAI acceptable use policies and consider enterprise-grade AI tools with logging. The convenience of AI cannot come at the cost of control over proprietary or regulated data.
Final Thoughts: Strategic Security for Growing Businesses
The 2025 DBIR underscores a critical truth: cybersecurity isn’t just an enterprise issue. Attackers are opportunistic, often targeting SMBs due to several compounding factors:
- Limited IT Resources: Many SMBs operate without dedicated cybersecurity staff or advanced tools, making them more susceptible to attacks.
- Valuable Data: Despite their size, SMBs handle sensitive information—customer data, payment details, and proprietary business information—that is lucrative for cybercriminals.
- Supply Chain Vulnerabilities: SMBs often serve as entry points to larger networks, making them attractive targets for attackers aiming to exploit interconnected systems.
- Assumption of Safety: A common misconception among SMBs is that they are too small to be targeted, leading to relaxed security practices and increased vulnerability.
At Pelican3, we help SMBs design security programs that are right-sized, practical, and outcome-driven. We don’t just help you check the boxes—we help you protect what you’ve built.
If you’re ready to assess your current risks and prioritize your next steps, let’s start the conversation.