Over the years in my career, I’ve heard leaders assume that, because they are a smaller institution:
- Hackers aren’t interested in our systems/data,
- Our employees wouldn’t do that; they’re trustworthy,
- We’d identify strange activity sooner than a bigger institution.
Reports prior to 2013 supported those assumptions, but Verizon’s 2025 Data Breach Investigations Report (DBIR) suggests they may no longer hold. Small and medium-sized businesses (SMBs) face a threat landscape that is converging with that of large organizations (similar motives, similar attack patterns, and high incident frequency) despite significant differences in security budget and staffing. SMBs may, in fact, be more likely to be targeted and impacted by an incident.
| Organization Type | Employee Count | Revenue | Security Incidents | Confirmed Breaches |
| --- | --- | --- | --- | --- |
| SMBs | Fewer than 1,000 | Less than $1B | 3,049 | 2,842 |
| Large organizations | 1,000+ | $1B+ | 982 | 751 |
For smaller institutions, the key takeaway is straightforward: we should assume that attackers will use the same playbook they use against large institutions—credential abuse, phishing/pretexting, and vulnerability exploitation—while expecting our constraints to make rapid detection and recovery more challenging.
Key Similarities
- Primary motive is financial for both SMBs and large organizations. The DBIR reports financial motive in 99% of SMB breaches and 95% of large-organization breaches.
- Attack patterns are largely the same. For SMBs, System Intrusion, Social Engineering, and Basic Web Application Attacks represent 96% of breaches. For large organizations, System Intrusion and Basic Web Application Attacks remain prominent, with Miscellaneous Errors appearing more often in the large-org mix.
- Common paths remain consistent. Credential-based intrusion is a shared theme: the DBIR notes that use of stolen credentials occurs at similar levels (~35% in large organizations and ~33% in SMBs) within the organization-size comparison section.
- Human-targeted methods remain central. Social Engineering continues to be led by Phishing and Pretexting, and the broader DBIR notes that the human element is involved in ~60% of breaches overall.
Why smaller organizations can be impacted more severely
- Ransomware shows up disproportionately in SMB breaches. In the DBIR organization-size comparison, ransomware is a component of 39% of large-organization breaches but of 88% of SMB breaches.
- Large organizations show more internally driven breaches. The DBIR reports that large-organization breaches include a higher share of Internal actors (25%) compared with SMBs (2%), and large organizations show more Miscellaneous Errors in the top pattern mix.
- Nation-state targeting is less common for SMBs. The DBIR notes that nation-state actors are rarely targeting SMBs compared to larger organizations; SMBs are more dominated by organized crime actors aligned to financial outcomes.
Implications for Smaller Institutions
Smaller institutions should assume they are operating in an environment where attackers can achieve “enterprise-level” outcomes with “SMB-level” effort: acquire credentials (often from reuse or infostealer ecosystems), phish or pretext employees and vendors, and exploit externally exposed systems (especially perimeter devices and remote access services). The DBIR’s SMB findings reinforce that size is not a meaningful shield; rather, it influences how attackers price extortion and how quickly a victim can detect, contain, and recover. This makes resiliency (including ransomware recovery) and identity controls (including MFA and conditional access) critical management priorities.
Recommended Focus Areas
- Reduce credential-driven risk (shared top entry path across all org sizes). Enforce phishing-resistant MFA for privileged and remote access, eliminate shared accounts, strengthen monitoring for unusual login behavior, and reduce password reuse through single sign-on (SSO)/password managers where feasible.
- Harden and rapidly patch externally exposed systems. Prioritize perimeter devices, VPN/remote access, and internet-facing management interfaces for accelerated patching, compensating controls, and continuous scanning.
- Ransomware readiness as a business continuity requirement. Validate offline/immutable backups, test restoration, confirm segregation of backup credentials, and ensure incident response and communications playbooks are current.
- Strengthen phishing and pretexting resilience. Maintain ongoing training and simulations, but pair them with technical controls (email authentication, filtering, URL protection) and “out-of-band” verification processes for payments and sensitive requests.
- Improve third-party risk governance. Because third-party involvement in breaches is rising in the DBIR overall, include security outcome requirements in vendor selection, validate vendor access controls, and ensure rapid offboarding/credential rotation when vendor relationships change.
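The first focus area calls for monitoring of unusual login behavior. The following is an added example, not code from the original post or from Verizon's DBIR: a small detector that runs two credential-abuse rules over authentication events. The log format and every sample entry are constructed for the example; a real deployment would map its own IdP, VPN or domain-controller events onto the same event shape.

```python
"""Credential-abuse detection over authentication logs.

Added example, not code from the original post or from Verizon's DBIR. The
log format and every sample entry below are constructed for illustration;
a real deployment would map its own IdP, VPN or domain-controller events
onto the same event shape (timestamp, result, user, source address).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <OK|FAIL> user=<name> src=<ip>".
# Three scenarios are embedded:
#   203.0.113.10  fails against six different accounts, then logs in as frank
#   198.51.100.7  ordinary use: one mistyped password, then a success
#   192.0.2.44    eleven failures against heidi, then a success
SAMPLE_LOG = """\
2025-06-01T08:00:01 FAIL user=alice src=203.0.113.10
2025-06-01T08:00:02 FAIL user=bob src=203.0.113.10
2025-06-01T08:00:03 FAIL user=carol src=203.0.113.10
2025-06-01T08:00:04 FAIL user=dave src=203.0.113.10
2025-06-01T08:00:05 FAIL user=erin src=203.0.113.10
2025-06-01T08:00:06 FAIL user=frank src=203.0.113.10
2025-06-01T08:00:07 OK user=frank src=203.0.113.10
2025-06-01T09:15:00 OK user=alice src=198.51.100.7
2025-06-01T09:20:00 FAIL user=grace src=198.51.100.7
2025-06-01T09:21:00 OK user=grace src=198.51.100.7
""" + "".join(f"2025-06-01T10:00:{i:02d} FAIL user=heidi src=192.0.2.44\n"
              for i in range(11)) \
    + "2025-06-01T10:00:11 OK user=heidi src=192.0.2.44\n"


def parse_log(text):
    """Parse log lines into event dicts (ts, ok, user, src) sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user_kv, src_kv = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "ok": result == "OK",
            "user": user_kv.split("=", 1)[1],
            "src": src_kv.split("=", 1)[1],
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_password_spray(events, min_accounts=5, window=timedelta(minutes=10)):
    """One source failing against many distinct accounts inside the window.

    Any account that then logs in successfully from that source is listed
    under "successes": that is the case needing immediate containment
    (credential reset, session revocation).
    """
    findings = []
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        fails = [e for e in evs if not e["ok"]]
        best, start, spray_start = 0, 0, None
        for end in range(len(fails)):  # sliding window over failures
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            distinct = len({f["user"] for f in fails[start:end + 1]})
            if distinct > best:
                best, spray_start = distinct, fails[start]["ts"]
        if best >= min_accounts:
            compromised = sorted({e["user"] for e in evs
                                  if e["ok"] and e["ts"] >= spray_start})
            findings.append({"rule": "password_spray", "src": src,
                             "accounts": best, "successes": compromised})
    return findings


def detect_brute_force_success(events, min_failures=10, window=timedelta(minutes=10)):
    """A success preceded by a burst of failures for the same account and source.

    Typos produce one or two failures; ten or more inside the window followed
    by a success is the signature of a guessed or stuffed password.
    """
    findings = []
    recent = defaultdict(list)  # (user, src) -> failure timestamps
    for e in events:
        key = (e["user"], e["src"])
        if not e["ok"]:
            recent[key].append(e["ts"])
            continue
        in_window = [t for t in recent[key] if e["ts"] - t <= window]
        if len(in_window) >= min_failures:
            findings.append({"rule": "brute_force_success", "user": e["user"],
                             "src": e["src"], "failures": len(in_window)})
        recent[key] = []  # a success resets the failure streak
    return findings


def analyze(text):
    """Run both rules over a log and return the combined findings."""
    events = parse_log(text)
    return detect_password_spray(events) + detect_brute_force_success(events)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Running it on the constructed log yields two findings: a spray from 203.0.113.10 across six accounts with a subsequent success as frank, and a burst of eleven failures against heidi followed by a success. The grace entry, a single typo, is correctly ignored. Thresholds and windows are arguments so they can be tuned to an institution's own baseline.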
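The phishing-resilience item pairs training with technical controls such as email authentication. As an added example, not code from the original post or from Verizon's DBIR, the checker below grades a domain's SPF and DMARC records and shows a weak configuration beside a hardened one. The record strings are constructed; in practice they are fetched from DNS for the institution's own sending domains.

```python
"""SPF and DMARC policy checker for a sending domain.

Added example, not code from the original post or from Verizon's DBIR. The
TXT record strings are constructed; in practice they are fetched from DNS
(the domain's TXT record for SPF, _dmarc.<domain> for DMARC). The checks
grade policy strength the way a review of email authentication would.
"""

# Constructed records: a weak configuration beside a hardened one.
WEAK_SPF = "v=spf1 include:_spf.example.net a mx ?all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_SPF = "v=spf1 include:_spf.example.net ip4:203.0.113.0/24 -all"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"

# SPF terms that each cost one of the 10 permitted DNS lookups.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def check_spf(record):
    """Return a list of findings for an SPF record; empty means acceptable."""
    issues = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record missing or does not start with v=spf1"]
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"  # bare mechanism means pass
        name = term.lstrip("+-~?").split(":", 1)[0].split("=", 1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            all_qualifier = qualifier
    if lookups > 10:
        issues.append(f"SPF: {lookups} DNS lookups exceed the limit of 10 (permerror)")
    if all_qualifier is None:
        issues.append("SPF: no 'all' term; unlisted senders are neither failed nor softfailed")
    elif all_qualifier in "+?":
        issues.append(f"SPF: '{all_qualifier}all' lets any host pass; use -all")
    elif all_qualifier == "~":
        issues.append("SPF: '~all' softfails only; move to -all once senders are verified")
    return issues


def check_dmarc(record):
    """Return a list of findings for a DMARC record; empty means acceptable."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["DMARC: record missing or not v=DMARC1"]
    issues = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        issues.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        issues.append("DMARC: p=quarantine; move to p=reject once reports are clean")
    elif policy != "reject":
        issues.append("DMARC: p= tag missing or invalid")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        issues.append(f"DMARC: policy applied to only {pct}% of mail")
    if "rua" not in tags:
        issues.append("DMARC: no rua= address, so aggregate reports are never received")
    return issues


def review_domain(spf_record, dmarc_record):
    """Combine both checks into one report for a domain."""
    return check_spf(spf_record) + check_dmarc(dmarc_record)


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC),
                              ("hardened", STRONG_SPF, STRONG_DMARC)):
        print(label, review_domain(spf, dmarc) or ["no findings"])
```

The weak pair produces three findings (a neutral `?all`, a monitor-only `p=none`, and no reporting address) while the hardened pair produces none. The lookup counter matters in practice because an SPF record that exceeds ten DNS lookups evaluates to a permanent error, which silently disables the protection.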
Conclusion
The 2025 DBIR SMB analysis supports a clear message: small institutions face the same attacker motives and common attack methods as large enterprises, and security strategies should assume that equivalence. The most effective risk reduction comes from concentrating on the recurring entry paths (credentials, phishing/pretexting, and vulnerability exploitation) and from ensuring operations can continue even during disruptive events such as ransomware.
If you need help with any or all of these areas, we specialize in supporting small and medium-sized institutions in affordable programs that work for them. Please use our Contact Us form to get more information.
Sources:
Verizon 2025 Data Breach Investigations Report, “Small- and medium-sized businesses” focused analysis section (and related organization-size comparison tables/figures). Figures quoted above are taken directly from the report’s SMB comparison content.