Ransomware Is Now a Small-Business Problem: 5 Numbers From Verizon's 2026 Breach Report
Verizon's 2026 breach report found ransomware in 88% of small-business breaches — and unpatched software is now the #1 way attackers get in. Here are the numbers and five moves that change your odds.
Every year, Verizon publishes the Data Breach Investigations Report (DBIR) — one of the most respected studies of real-world breaches. The 2026 edition has a message small and mid-size businesses shouldn't scroll past: ransomware has become overwhelmingly a small-business problem.
The numbers
Ransomware — malicious software that locks up your files until you pay — appeared in 48% of all breaches Verizon analyzed this year, up from 44% last year. But the burden isn't spread evenly:
- Ransomware showed up in 88% of breaches at small and mid-size businesses, versus 39% at large organizations, according to the report.
- The median ransom payment was $139,875 — down from $150,000 the year before, but still a company-ending number for many small firms.
- One encouraging stat: 69% of victims didn't pay, usually because they had working backups.
Why attackers pick on smaller companies
It isn't personal, and it isn't because you have something uniquely valuable. Ransomware crews automate their hunting, and small businesses are simply where the open doors are: unpatched software, reused passwords, no one watching the logs, and limited ability to recover without paying. Large companies have security teams; most small businesses have whoever is least afraid of computers.
Two more findings explain how they're getting in:
- Unpatched software is now the #1 way in. For the first time, exploiting a known software flaw (31% of breaches) edged out stolen passwords as the most common starting point. The fix existed; it just wasn't installed.
- Your vendors are part of your risk. Breaches involving a third party — an IT provider, a software vendor, a payroll service — now feature in 48% of cases, up 60% from last year. And people are still in the loop: the human element played a role in 62% of breaches.
Five moves that change your odds
- Patch on a schedule. Automatic updates on, monthly check that they actually installed. This now addresses the single most common attack path.
- Turn on multi-factor authentication (MFA) everywhere — the extra sign-in prompt on your phone. Especially for email and anything financial.
- Keep one backup that ransomware can't reach — separate from your network, tested by actually restoring a file. Backups are the reason 69% of victims could refuse to pay.
- Make a one-page plan. Who do you call, in what order, if screens lock up on a Tuesday morning? Deciding this calmly beats deciding it at 2 a.m.
- Ask your vendors one question: "What happens to our data and access if you get breached?" Their answer tells you a lot.
The honest takeaway
None of this requires an enterprise budget. The DBIR's data shows attackers succeed through ordinary gaps, which means ordinary discipline closes most of them. If you want to know where your gaps are, Tenant Strike's read-only scan of your Microsoft 365 and Azure setup gives you a prioritized list in plain English — the same unlocked doors these attackers look for, found before they find them.
Sources: Verizon 2026 DBIR, Infosecurity Magazine, Cyber Readiness Institute
AI-researched from public sources, human-reviewed on July 8, 2026. We label AI-assisted writing — see our trust page.
See your own risk
Want this for your own Microsoft cloud?
Tenant Strike runs 100+ read-only checks across Microsoft 365 and Azure and hands you a plain-English fix for every gap. Start a 7-day Pro trial — no credit card.