
Unpatched Software Now Causes More Breaches Than Stolen Passwords

By Infonaligy

The 2026 Verizon DBIR shows vulnerability exploitation is the top breach vector at 31%. Four data-backed priorities for SMB owners.


Verizon’s 2026 Data Breach Investigations Report analyzed over 31,000 security incidents this year, and the headline finding reshapes how businesses should think about risk. Software vulnerability exploitation now accounts for 31% of all breaches, overtaking stolen credentials as the most common way attackers get in. For business owners who’ve focused security budgets on password policies and phishing training, the data says the threat has shifted.

The full report is dense. This post pulls out the four findings that directly affect SMBs with 50 to 500 employees and translates each into a specific priority you can act on.

Unpatched Software Is Now the #1 Entry Point

For years, stolen credentials were the primary way attackers broke into business networks. The 2026 DBIR marks a turning point: vulnerability exploitation hit 31% of all breaches, pushing credential theft into second place for the first time in the report’s history.

Attackers are scanning for unpatched VPNs, firewalls, and web-facing applications. When they find one running vulnerable software, they exploit it directly without needing a username or password. The PAN-OS zero-day (CVE-2026-0300) from earlier this year is a textbook example. Attackers built automated scanning tools within hours of public disclosure and hit thousands of unpatched firewalls before most IT teams had read the advisory. Our team documented how that response process actually works and what it takes to patch client environments within 12 hours.

The DBIR also found that the window between a vulnerability being disclosed and being actively exploited has compressed from months to hours. Monthly patching cycles that were adequate five years ago now leave a gap measured in days during which your perimeter is exposed to known exploits. If your IT provider patches on a fixed monthly schedule, the data shows that cadence is no longer fast enough for internet-facing systems.

Your Vendors’ Security Is Now Your Security Problem

Third-party breaches accounted for 48% of all incidents in the 2026 DBIR, up 60% year over year. Nearly half of all security incidents traced back to a vendor, supplier, or software provider that was compromised first.

This confirms what the Black Kite Third-Party Breach Report documented earlier this year: every vendor breach now affects an average of 5.28 downstream companies, and the average disclosure delay is 117 days. Your business can be exposed for months before a vendor tells you something happened.

Most SMBs don’t have a formal vendor security review process. The typical approach is to check for SOC 2 certification during initial onboarding and never revisit it. The DBIR data suggests that approach creates real exposure. Vendors with access to your data, your Microsoft 365 tenant, or your network need ongoing security evaluation, not a one-time checkbox.

At minimum, you should know which vendors have access to sensitive data, whether those vendors have had recent security incidents, and what your contractual rights are if a breach occurs. If you can’t answer those three questions for your top ten vendors, that gap is worth closing this quarter.

Ransomware Still Dominates the SMB Threat Picture

The DBIR confirms what business owners in the 50-to-500-employee range already suspect: ransomware is overwhelmingly an SMB problem. Eighty-eight percent of small business breach incidents involved ransomware, compared to a much smaller share of enterprise attacks. The median recovery cost hit $1.53 million, and 69% of affected businesses did not pay the ransom. That means the cost comes primarily from operational disruption, forensics, legal fees, and rebuilding systems rather than the ransom payment itself.

That $1.53 million figure aligns with what the Fortune/Public Private Strategies Institute survey found earlier this year: 72% of American small businesses were hit by fraud, scams, or ransomware in 2025, collectively imposing $131 billion in costs on Main Street businesses. The DBIR reinforces this with a larger dataset and a clear message. Small businesses are disproportionately targeted because they tend to have weaker controls and fewer resources to recover.

Effective ransomware defense requires layers. Endpoint detection and response (EDR) catches threats that bypass perimeter defenses. Tested backup and recovery processes determine whether you’re rebuilding from scratch or restoring from last night’s backup. Managed security monitoring ensures someone is watching for early indicators of compromise around the clock, not just during business hours.

Shadow AI Is Creating New Data Exposure Risks

The DBIR flagged a finding that didn’t exist in prior years: shadow AI usage among employees tripled to 45%. Nearly half of workers are using unapproved AI tools, often pasting company data into public LLMs, uploading documents to free AI services, or connecting AI plugins to business applications without IT oversight.

Each of those actions potentially sends proprietary or regulated data to a third-party system your security team hasn’t evaluated. For businesses subject to HIPAA, CMMC, or Texas TDPSA requirements, this creates compliance exposure on top of the data security risk.

The fix isn’t banning AI tools. Employees use them because they’re genuinely productive. The better approach is deploying approved AI tools with appropriate data governance, giving employees a sanctioned path so they stop finding unsanctioned ones. We’ve covered the gap between AI agent adoption and security approval in a recent post if you’re evaluating how to approach this.

What to Prioritize Based on the Data

The DBIR gives business owners a data-backed framework for where to invest limited security dollars. Based on this year’s findings, three areas deserve immediate attention.

Tighten your patch management SLA. Internet-facing systems like VPNs, firewalls, and web applications need patches applied within 48 hours of critical advisories, not on the next monthly cycle. Ask your IT provider what their vulnerability response timeline looks like for CVSS 9.0+ vulnerabilities. If they can’t give you a specific number, that’s a problem.
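The 48-hour rule above is easy to state and hard to audit without tooling. The script below is an added example (not code from this post or from Infonaligy) that encodes the post's SLA as a check over an asset inventory: advisories rated CVSS 9.0 or higher that affect internet-facing systems get a 48-hour deadline, everything else falls back to a 30-day cycle (the 30-day figure is an assumption standing in for a monthly cadence). All assets, advisory identifiers and patch timestamps are constructed sample data, not real CVEs or real systems; a team would feed it from their own inventory and ticketing exports.

```python
"""Patch SLA compliance check for internet-facing systems.

Added example, not code from the post or from Infonaligy. Rule encoded:
advisories with CVSS >= 9.0 that affect internet-facing assets must be
patched within 48 hours of publication; other pairs get a 30-day window
(assumed monthly cycle). All records below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

CRITICAL_CVSS = 9.0
EXPOSED_SLA = timedelta(hours=48)   # internet-facing + critical advisory
DEFAULT_SLA = timedelta(days=30)    # assumption: ordinary monthly cycle


@dataclass(frozen=True)
class Asset:
    name: str
    product: str
    internet_facing: bool


@dataclass(frozen=True)
class Advisory:
    advisory_id: str          # placeholder ids, not real CVE numbers
    product: str
    cvss: float
    published: datetime


@dataclass(frozen=True)
class PatchEvent:
    asset: str
    advisory_id: str
    applied: datetime


def sla_for(asset: Asset, adv: Advisory) -> timedelta:
    """Pick the deadline window for one asset/advisory pair."""
    if asset.internet_facing and adv.cvss >= CRITICAL_CVSS:
        return EXPOSED_SLA
    return DEFAULT_SLA


def check_sla(assets: List[Asset], advisories: List[Advisory],
              patches: List[PatchEvent], now: datetime) -> Dict[Tuple[str, str], str]:
    """Map (asset, advisory) -> 'ok' | 'late' | 'open' | 'overdue'.

    'ok'/'late' describe an applied patch relative to its deadline;
    'open'/'overdue' describe a missing patch before/after the deadline.
    """
    applied: Dict[Tuple[str, str], datetime] = {
        (p.asset, p.advisory_id): p.applied for p in patches
    }
    result: Dict[Tuple[str, str], str] = {}
    for asset in assets:
        for adv in advisories:
            if adv.product != asset.product:
                continue  # advisory does not affect this asset
            deadline = adv.published + sla_for(asset, adv)
            done: Optional[datetime] = applied.get((asset.name, adv.advisory_id))
            if done is None:
                status = "open" if now <= deadline else "overdue"
            else:
                status = "ok" if done <= deadline else "late"
            result[(asset.name, adv.advisory_id)] = status
    return result


# Constructed sample inventory: one firewall on the edge, one of the same
# product internal, one VPN appliance. Times are UTC.
T0 = datetime(2026, 5, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_ASSETS = [
    Asset("fw-edge-01", "ExampleFW", internet_facing=True),
    Asset("fw-lab-02", "ExampleFW", internet_facing=False),
    Asset("vpn-01", "ExampleVPN", internet_facing=True),
]
SAMPLE_ADVISORIES = [
    Advisory("ADV-0001", "ExampleFW", 9.8, T0),   # critical, hits both firewalls
    Advisory("ADV-0002", "ExampleVPN", 7.5, T0),  # high but below the 9.0 bar
]
SAMPLE_PATCHES = [
    PatchEvent("fw-edge-01", "ADV-0001", T0 + timedelta(hours=72)),  # 24h late
    PatchEvent("fw-lab-02", "ADV-0001", T0 + timedelta(hours=72)),   # fine on 30d
]


def sample_report(now: datetime = T0 + timedelta(days=5)) -> Dict[Tuple[str, str], str]:
    return check_sla(SAMPLE_ASSETS, SAMPLE_ADVISORIES, SAMPLE_PATCHES, now)


if __name__ == "__main__":
    for (asset, adv), status in sorted(sample_report().items()):
        print(f"{asset:12} {adv:10} {status}")
```

The useful output is the "late" and "overdue" rows: the same 72-hour patch is acceptable for the internal device and a miss for the edge device, which is exactly the distinction a monthly cycle never makes. Ask your provider for this table, or its equivalent, rather than a verbal assurance.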

Start a vendor security review. Identify every vendor with access to your data or systems. Document what access they have, review their security certifications, and establish a process for annual reassessment. You don’t need a full third-party risk management platform. A spreadsheet and quarterly reviews are better than nothing.
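The spreadsheet approach works if someone actually asks the three questions from earlier in the post (which vendors hold sensitive data, whether they have had incidents, and what your contractual rights are) and re-asks them on a schedule. The following added example, not code from this post or from Infonaligy, runs those checks over a constructed CSV in the shape such a spreadsheet might take; the column names, vendor names and the one-year reassessment interval are assumptions.

```python
"""Vendor access review over a spreadsheet-style CSV.

Added example, not code from the post or from Infonaligy. For every vendor
with access to data or systems it reports gaps against three questions:
incident history known, breach-notification clause in the contract, and
reassessment within the last year. Columns and rows are constructed.
"""
import csv
import io
from datetime import date, timedelta
from typing import Dict, List

REVIEW_INTERVAL = timedelta(days=365)   # assumption: annual reassessment

# Constructed sample spreadsheet. 'access' is a coarse scope label; a
# vendor with 'none' holds neither data nor system access and is skipped.
VENDORS_CSV = """vendor,access,incident_history_known,breach_notice_clause,last_review
PayrollCo,sensitive_data,yes,yes,2026-03-15
HelpdeskSaaS,m365_tenant,unknown,no,2024-11-01
BackupHost,network,yes,yes,
OfficeSnacks,none,unknown,no,
"""


def parse_vendors(text: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def vendor_gaps(row: Dict[str, str], today: date) -> List[str]:
    """Return the open questions for one vendor (empty list means clean)."""
    if row["access"] == "none":
        return []  # out of scope: no data or system access
    gaps = []
    if row["incident_history_known"] != "yes":
        gaps.append("incident history unknown")
    if row["breach_notice_clause"] != "yes":
        gaps.append("no contractual breach-notification right")
    last = row["last_review"].strip()
    if not last or date.fromisoformat(last) + REVIEW_INTERVAL < today:
        gaps.append("reassessment overdue")
    return gaps


def review(text: str, today: date) -> Dict[str, List[str]]:
    """Map vendor name -> list of gaps for every in-scope vendor."""
    return {
        row["vendor"]: vendor_gaps(row, today)
        for row in parse_vendors(text)
        if row["access"] != "none"
    }


if __name__ == "__main__":
    for name, gaps in review(VENDORS_CSV, date(2026, 6, 1)).items():
        print(f"{name:14} {'; '.join(gaps) or 'no open questions'}")
```

Run it on the quarterly cadence the post suggests and the output is a short to-do list rather than a platform. The "reassessment overdue" flag is the one most reviews miss, because a SOC 2 report checked at onboarding silently ages out.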

Deploy endpoint detection with 24/7 monitoring. Antivirus alone doesn’t stop ransomware, and the DBIR data confirms SMBs bear the worst of it. EDR paired with a security operations center watching alerts around the clock is the most direct way to reduce your ransomware exposure based on where attacks actually succeed.

The DBIR is valuable because it’s built on real incident data, not vendor surveys or hypothetical risk models. This year’s report says unpatched software, vendor risk, and ransomware are where the actual damage is landing for SMBs. Prioritize accordingly.

Need Help With Your Security Priorities?

Our team can assess your patch management, vendor risk, and monitoring coverage against what the data says actually matters.
