Top 10 Causes of Cyber Breaches for Small Business
If you run a small business, cybersecurity can feel like a long list of tools, threats, acronyms, and worst-case scenarios. But when you strip away the noise, the biggest question is simple:
What actually causes most cyber breaches for small businesses?
The answer is not “everything.” In fact, the latest confirmed data points to a fairly consistent set of causes. Some are technical. Some are human. Most are a combination of both.
No single report publishes a neat official top-10 list for small-business breaches. But when you combine the latest confirmed SMB breach data, cyber claims data, and fraud reporting, a clear ranking emerges.
Here is the practical top 10 small-business breach breakdown.
1. Stolen credentials and weak authentication
This remains one of the biggest and most consistent causes of small-business breaches.
If attackers can get valid usernames and passwords, they often do not need to “hack” their way in dramatically. They can log in through email, cloud apps, admin portals, finance systems, remote access tools, and shared business platforms as if they belong there.
This is why weak passwords, reused passwords, shared credentials, and missing multifactor authentication remain so dangerous. In Verizon’s SMB data, credential abuse is still the most common initial access vector overall. Verizon also reports that about 88% of breaches in the Basic Web Application Attacks pattern involved stolen credentials.
2. System intrusion and ransomware-driven compromise
Verizon’s SMB snapshot shows System Intrusion as the largest SMB breach pattern at 53%.
These are the more complex attacks where threat actors use malware, hacking, or both to get in and achieve their objectives. In the SMB context, this often includes ransomware, malware deployment, lateral movement, and deeper compromise of systems that keep the business running.
This category matters because it often turns into the most disruptive type of breach: locked systems, inaccessible files, operational shutdown, and expensive recovery.
3. Social engineering, phishing, and spoofing
Social Engineering is still a top SMB breach pattern, accounting for 17% of breaches in Verizon’s SMB snapshot.
This is the category that includes phishing emails, impersonation messages, spoofed instructions, fake vendor communications, urgent executive-style requests, and other attacks designed to manipulate trust rather than break technology directly.
It remains one of the most effective causes of breach because it targets how small businesses actually operate: fast decisions, lean teams, and routine trust in normal business communication.
4. Exploited vulnerabilities and slow patching
Verizon reports that exploitation of vulnerabilities reached 20% as an initial access vector and increased 34% year over year.
This means attackers are increasingly getting into businesses through unpatched systems, exposed services, edge devices, and VPN weaknesses. Verizon also found that edge devices and VPNs accounted for 22% of the exploitation-of-vulnerabilities action, and that only about 54% of those issues were fully remediated during the year, with a median remediation time of 32 days.
For a small business, that patch window can be all an attacker needs.
5. Business email compromise and funds transfer fraud
Coalition’s Cyber Claims Report shows that business email compromise (BEC) and funds transfer fraud (FTF) accounted for 58% of all claims.
This is a crucial reminder that many cyber breaches do not begin with ransomware or malware. They begin with trust abuse: a spoofed email, a hijacked inbox, a fraudulent invoice, a fake payment change, or an executive-style message that feels legitimate enough to act on.
Coalition also reports that 52% of FTF claims originated as a BEC with an average loss of $112,000, and that 71% of all FTF claims were a direct result of social engineering.
6. Basic web application attacks
Basic Web Application Attacks accounted for 12% of SMB breaches in Verizon’s snapshot.
These are the “get in, get the data and get out” attacks aimed at websites, portals, web apps, and exposed online services. For many SMBs, this can include customer portals, admin logins, outdated websites, forgotten subdomains, and thinly protected web infrastructure.
The danger here is that these attacks often target systems the business assumes are routine or stable, even when no one has reviewed them in a long time.
7. Third-party and vendor access exposure
Vendor and third-party access is becoming a bigger part of the breach story.
Verizon notes that third-party involvement in breaches has been an ever-present theme, and small businesses are especially exposed because they rely heavily on outside providers, IT support firms, cloud platforms, payroll vendors, accountants, consultants, and connected business software.
The issue is not only whether a vendor is “good” or “bad.” The issue is whether outside access, integrations, and trust relationships are broader, older, or less reviewed than the business realizes.
8. Miscellaneous errors and misconfigurations
Verizon’s SMB snapshot shows Miscellaneous Errors at 12% of breaches.
These are the kinds of problems businesses rarely think of as “breach causes” until after the fact: sending data to the wrong place, exposing information accidentally, misconfiguring cloud services, leaving sensitive information too accessible, or making routine operational mistakes that open the door to compromise.
This category matters because it shows that some breaches do not begin with a sophisticated attacker. They begin with ordinary errors that make exploitation easier.
9. Privilege misuse and excessive internal access
Privilege Misuse accounted for 6% of SMB breaches in Verizon’s data.
This does not always mean malicious insiders in the dramatic sense. It can also mean that too many people have too much access, that admin permissions are too broad, or that sensitive capabilities are not segmented tightly enough.
In small businesses, where people often wear multiple hats, excessive privilege can accumulate quietly and create risk long before anyone notices.
10. Data exfiltration as a hidden breach multiplier
One of the most important shifts in the latest claims data is not just how attackers get in, but what they do after access.
Coalition’s claims findings show that 70% of ransomware events involved both encryption and data exfiltration, and those dual-extortion incidents were 2x more expensive than incidents involving encryption alone, reaching an average cost of $302,000.
That matters because some SMB breaches are not immediately obvious. Attackers may quietly steal data, monitor communications, or collect credentials before the business realizes anything is wrong. By the time the breach is discovered, the business may be facing legal, notification, forensic, and trust costs on top of the original intrusion.
What the rankings really show
The top 10 causes above are not isolated from each other. They overlap.
A phishing message may lead to stolen credentials. Stolen credentials may lead to email compromise. Email compromise may lead to funds transfer fraud. An unpatched VPN may lead to ransomware. A quiet vendor-access issue may become a data-exfiltration event.
That is exactly why cybersecurity feels so messy to small businesses. The causes are interconnected, but the weak points are surprisingly consistent.
The short version for SMB owners
If you want the plain-English summary, here it is:
- too much trust in email and routine communication
- too little protection around credentials and access
- too much delay in patching exposed systems
- too little visibility into web apps, vendors, and connected tools
- too much business speed without enough verification
That is the pattern. And that is why the same types of breaches keep showing up again and again.
What small businesses should do now
The good news is that this ranking also tells you where to focus first:
- Use MFA everywhere that matters, especially email, finance, admin, and remote access
- Review password hygiene, shared credentials, and stale accounts
- Patch internet-facing systems and edge devices faster
- Tighten payment and account-change verification
- Review website, portal, and web app exposure
- Audit vendor and third-party access regularly
- Reduce unnecessary privileges and admin access
- Improve visibility into what is exposed, connected, and weakly controlled
Small businesses do not need to solve everything at once. But they do need to start with the causes that show up most often, not just the ones that sound most dramatic.
Final thought
Most small-business cyber breaches are still being caused by a familiar set of problems: stolen credentials, ransomware-driven intrusion, phishing, unpatched systems, email compromise, weak web security, vendor exposure, human error, excess access, and quiet data theft.
That should be sobering. But it should also be encouraging.
Because if the causes are consistent, the path to lowering risk can be more consistent too. The businesses that reduce exposure earliest are usually the ones that avoid learning these rankings the hard way.
How Veriti Spottr Helps
Veriti Spottr helps small businesses better understand cyber risk by improving visibility into exposure, highlighting where risk may be building across connected systems, vendors, identities, and workflows, and helping teams prioritize what to fix first.
Instead of adding more security noise, Veriti Spottr focuses on practical visibility, clearer prioritization, and turning findings into action.
Learn more and stay connected
Visit Veriti Spottr and follow us for SMB cybersecurity insights, threat updates, and new blog posts.