How Small Businesses Can Secure Their Technology in 2025: Practical Tips + Real‑World Examples from the DBIR

  • Writer: Dakota Ross
  • Aug 21
  • 5 min read

Cybersecurity isn’t just a big‑company problem. The 2025 Verizon Data Breach Investigations Report (DBIR) shows attackers increasingly target small‑ and medium‑sized businesses (SMBs)—and they’re succeeding most when we leave obvious doors open: unpatched internet‑facing devices, weak or reused passwords, and vendors without strong security controls.


The upside? A focused set of moves can drastically cut your risk. Below, you’ll find actionable steps—each paired with a DBIR example to make the risks and fixes concrete.


1) Plan for Ransomware—and Practice Recovery


What’s happening: Ransomware showed up in 44% of all breaches last year. It’s disproportionately an SMB problem: 88% of SMB breaches involved ransomware. While ransom demands still happen, 64% of victims now refuse to pay, and the median payment fell to $115,000—suggesting better preparedness is paying off.


What to do (quick wins):

  • Back up critical systems and data on a schedule; keep one backup offline/immutable.

  • Test your restore procedures quarterly (a fast, proven time to recovery is your leverage against paying).

  • Segment networks (keep user VLANs separate from server and VPN segments; restrict lateral movement).

  • Harden admin paths (separate admin accounts; no email or browsing with admin creds).


From the report: SMBs face the brunt of ransomware (88% of SMB breaches); median ransom paid in 2024 was $115k; 64% didn’t pay ([DBIR 2025 pp. 41–42, 86]).


2) Patch “Edge” Devices and VPNs Faster


What’s happening: Attackers increasingly get in by exploiting vulnerabilities—up 34% year‑over‑year—and they’re going after edge devices and VPNs (firewalls, remote access gateways, consoles). Median time to mass exploitation for KEV‑listed vulns is ~5 days; for the sampled edge devices in 2024, it was effectively 0 days (added to CISA KEV the same day the CVE was published).


What to do (quick wins):

  • Prioritize patching internet‑facing systems (firewalls, VPNs, WAFs, RMM, hypervisors).

  • If patching lags, restrict exposure: allow‑list admin IPs, require MFA + device checks.

  • Monitor vendor advisories and subscribe to CISA KEV updates; track remediation to closure.


From the report: Edge/VPN exploitation surged (22% of exploitation vector cases); median time to full remediation for edge vulns was 32 days, but 30% remained unremediated; KEV exploitation typically within 5 days, edge subset 0 days ([pp. 21, 29–32]).


Named examples: The yearly timeline highlights Ivanti Connect Secure zero‑days, Palo Alto GlobalProtect zero‑day, Fortinet SSL‑VPN flaws, and rapid exploitation following patch releases—illustrating how quickly edge bugs get weaponized ([pp. 101–102]).

3) Stop Credential Abuse at the Source


What’s happening: Stolen or abused credentials remain the most common initial access path. Infostealer malware is pumping huge volumes of passwords and session cookies into criminal markets. DBIR analysis found ~30% of compromised systems were enterprise‑licensed devices, yet 46% of devices with corporate logins in the logs were unmanaged (BYOD or out‑of‑policy use).


What to do (quick wins):

  • Enforce MFA for all external access and critical SaaS (make it non‑optional).

  • Prefer phishing‑resistant factors (authenticator apps, FIDO2 keys) over SMS codes.

  • Block legacy auth, implement conditional access (device posture, geo, risk).

  • Hunt for leaked creds (domain/email monitors); invalidate stolen session tokens (short lifetimes).

  • Harden internal credential hygiene (unique admin creds, no password reuse, LSASS protection; secure DCs).


From the report:

  • Snowflake campaign: Threat actors used stolen credentials at scale; MFA not enforced by many tenants; ~165 orgs affected; ~80% of accounts had prior credential exposure (logs/repos) ([p. 16]).

  • Infostealers: 30% enterprise OS; 46% of devices with corporate logins were non‑managed; 54% of ransomware‑posted victims had their domain in credential dumps; 40% had corporate emails in compromised creds ([pp. 12, 56–57]).


4) Train for Social Engineering—and Tune MFA for Fatigue


What’s happening: The human element was present in ~60% of breaches. Attackers pair better‑written phishing with MFA prompt‑bombing and token theft. Training doesn’t eliminate clicks, but recent training quadruples employee reporting of phish (from ~5% to ~21%), which speeds containment.


What to do (quick wins):

  • Quarterly micro‑training + simulations focused on reporting, not shaming.

  • Rate‑limit MFA prompts; require user‑initiated approvals or number matching.

  • Detect token theft: short session lifetimes; re‑challenge on risk (device/geo/behavior).


From the report: Prompt‑bombing shows up in this year’s data; Microsoft 365 telemetry in the study: suspicious logins ~40%; token theft a leading MFA bypass; recent training raises report rates 4× ([pp. 47–49]).
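The rate‑limit and detection advice above, as an added example (not from the article or the DBIR): a small detector that counts push prompts per user in a sliding window, flags a burst that should have been rate‑limited, and escalates when an approval follows the burst, which is the MFA‑fatigue bypass pattern. The log lines and their "timestamp user event" format are constructed, not a real identity provider's schema.

```python
# Added example: detect MFA prompt-bombing from constructed sign-in events.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# CONSTRUCTED sample log: alice is bombed with prompts and finally approves;
# bob gets one prompt and approves normally.
LOG = """\
2025-03-03T09:00:01 alice MFA_PROMPT_SENT
2025-03-03T09:00:09 alice MFA_DENIED
2025-03-03T09:00:15 alice MFA_PROMPT_SENT
2025-03-03T09:00:22 alice MFA_PROMPT_SENT
2025-03-03T09:00:31 alice MFA_PROMPT_SENT
2025-03-03T09:00:40 alice MFA_PROMPT_SENT
2025-03-03T09:00:52 alice MFA_APPROVED
2025-03-03T09:05:00 bob MFA_PROMPT_SENT
2025-03-03T09:05:07 bob MFA_APPROVED
"""

def detect_prompt_bombing(log, max_prompts=3, window=timedelta(minutes=2)):
    """Return {user: verdict}. More than `max_prompts` prompts inside `window`
    yields 'rate_limit' (the IdP should have throttled); an approval after such
    a burst escalates to 'fatigue_approval', i.e. a likely MFA bypass."""
    recent = defaultdict(deque)   # user -> timestamps of prompts in the window
    verdicts = {}
    for line in log.splitlines():
        ts_text, user, event = line.split()
        ts = datetime.fromisoformat(ts_text)
        prompts = recent[user]
        while prompts and ts - prompts[0] > window:
            prompts.popleft()          # slide the window forward
        if event == "MFA_PROMPT_SENT":
            prompts.append(ts)
            if len(prompts) > max_prompts:
                verdicts.setdefault(user, "rate_limit")
        elif event == "MFA_APPROVED" and verdicts.get(user) == "rate_limit":
            verdicts[user] = "fatigue_approval"
    return verdicts

if __name__ == "__main__":
    print(detect_prompt_bombing(LOG))
```

A 'fatigue_approval' verdict is the one to page on: revoke the session and re‑challenge with number matching rather than trusting the approval.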


5) Manage Third‑Party and Supply‑Chain Risk


What’s happening: 30% of breaches involved a third party. Attacks on industry‑specific SaaS providers caused downtime ripple effects beyond data exposure (business interruption).


What to do (quick wins):

  • Score vendors on security outcomes (MFA by default, secure SDLC, incident comms).

  • Limit vendor access (least privilege, time‑bound, monitored), segment their connectivity.

  • Create a plan B: know how you’ll operate or switch if a critical provider goes down.


From the report:

  • Change Healthcare, CDK Global, Blue Yonder incidents caused widespread operational disruption—showing the overlap of cybersecurity risk and operational risk in SaaS dependencies ([p. 18]).

  • CrowdStrike Falcon update outage was an availability‑only incident at massive scale—reminding us that non‑malicious events in the supply chain can still take you offline ([p. 18]).


6) Set (and Enforce) Rules for BYOD and GenAI


What’s happening: Personal devices and unsanctioned AI use are quietly leaking business data. The DBIR found 15% of employees routinely accessed GenAI services from corporate devices; 72% used non‑corporate emails and 17% used corporate emails without SSO, increasing leakage risk.


What to do (quick wins):

  • Block unmanaged devices from sensitive apps (MDM/endpoint compliance).

  • Publish an AI use policy: what can/can’t be pasted or uploaded; require approved accounts with SSO.

  • Control browser risk (DNS filtering, extension policies, download controls).


From the report: GenAI access patterns and account types; BYOD exposure tied directly to infostealer logs and ransomware victims (credential reuse) ([pp. 13, 25, 56–57]).


7) Protect Financial Workflows from BEC


What’s happening: Business Email Compromise (BEC) remains lucrative: $6.3B in 2024 losses reported to the FBI IC3, median loss ≈ $50k; wires make up ~88% of proceeds.


What to do (quick wins):

  • Out‑of‑band verification for any payment/banking changes (call a known number).

  • Dual approval and just‑in‑time vendor changes with a cooldown period.

  • Audit mailbox rules, detect impossible travel, and alert on risky OAuth grants.


From the report: BEC scale and median amounts; shift toward wire transfer fraud patterns ([p. 48]).
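The mailbox‑rule audit above, as an added example (not from the article or the DBIR): it scans inbox rules for the traces a BEC actor typically leaves after taking over a finance mailbox: forwarding outside the tenant, deleting or hiding mail, and keyword triggers on payment terms. The rule records are constructed and only approximate an Exchange rule export; the field names are an assumption to adapt to your own export.

```python
# Added example: flag inbox rules with BEC tell-tales. Records are CONSTRUCTED
# and loosely modelled on Exchange inbox-rule properties (an assumption).
ORG_DOMAIN = "example.com"   # constructed tenant domain

RULES = [
    {"Mailbox": "cfo@example.com", "Name": "Archive", "Enabled": True,
     "ForwardTo": ["ext@free-mail.example"], "DeleteMessage": False,
     "MoveToFolder": None, "SubjectContainsWords": ["invoice", "wire"]},
    {"Mailbox": "ap@example.com", "Name": ".", "Enabled": True,
     "ForwardTo": [], "DeleteMessage": True, "MoveToFolder": "RSS Feeds",
     "SubjectContainsWords": ["payment"]},
    {"Mailbox": "sales@example.com", "Name": "Newsletters", "Enabled": True,
     "ForwardTo": [], "DeleteMessage": False, "MoveToFolder": "Newsletters",
     "SubjectContainsWords": ["newsletter"]},
]

FINANCE_WORDS = {"invoice", "wire", "payment", "bank", "ach", "remit"}
HIDE_FOLDERS = {"rss feeds", "rss subscriptions", "junk email", "conversation history"}

def audit_inbox_rules(rules, org_domain=ORG_DOMAIN):
    """Return a finding per enabled rule with at least one strong indicator
    (external forward, delete, hide-in-folder). Finance keywords and a blank
    or one-character name are listed as context but never trigger alone."""
    findings = []
    for rule in rules:
        if not rule.get("Enabled", True):
            continue
        strong, context = [], []
        for addr in rule.get("ForwardTo") or []:
            if not addr.lower().endswith("@" + org_domain):
                strong.append(f"forwards externally to {addr}")
        if rule.get("DeleteMessage"):
            strong.append("deletes matching mail")
        folder = rule.get("MoveToFolder") or ""
        if folder.lower() in HIDE_FOLDERS:
            strong.append(f"hides mail in '{folder}'")
        words = {w.lower() for w in rule.get("SubjectContainsWords") or []}
        if words & FINANCE_WORDS:
            context.append("triggers on finance keywords: " + ", ".join(sorted(words & FINANCE_WORDS)))
        if len(rule.get("Name", "").strip()) <= 1:
            context.append("near-empty rule name")
        if strong:
            findings.append({"mailbox": rule["Mailbox"], "rule": rule["Name"],
                             "reasons": strong + context})
    return findings

if __name__ == "__main__":
    for finding in audit_inbox_rules(RULES):
        print(finding)
```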


8) Don’t Forget Mobile & Carrier Controls (SIM‑Swap Defense)


What’s happening: Attackers increasingly bypass MFA via SIM‑swapping and carrier fraud on business accounts.


What to do (quick wins):

  • Enable SIM/port‑out locks with your carrier; monitor changes via available APIs.

  • Prefer TOTP/FIDO2 MFA, not SMS, for critical systems.

  • Restrict who can administer your corporate wireless; audit frequently.


From the report: Concrete consumer/business defenses against SIM‑swapping and guidance on using carrier APIs to add friction after recent SIM changes ([p. 50]).


9) Reality Check: “Small” Does Not Mean “Small Impact”


What’s happening: Even tiny firms can cause outsized harm if they aggregate valuable data.


From the report: The National Public Data breach (2024) exposed 2.9 billion records from a very small team—proof that scale of damage isn’t tied to headcount ([p. 87]; also noted in the annual wrap‑up on [p. 103]).


Sources (with page references)


  • Verizon, 2025 Data Breach Investigations Report: ransomware prevalence, SMB impact, ransom outcomes ([pp. 10–12, 41–42, 86]); edge device exploitation and remediation timelines ([pp. 21, 29–32]); Snowflake stolen‑credential campaign ([p. 16]); infostealer/BYOD data and linkage to ransomware victims ([pp. 12, 56–57]); human element & MFA bypass trends ([pp. 19–20, 47–49]); third‑party/SaaS operational disruptions and CrowdStrike outage ([p. 18]); BEC losses ([p. 48]); GenAI usage/leakage patterns ([pp. 13, 25]); National Public Data breach impact ([p. 87, wrap‑up p. 103]).


The full report can be downloaded here.


