3 Key Takeaways from the 2025 Verizon DBIR: How to Protect Your Organization

June 6, 2025 | AI, Cloud Security, Cybersecurity

Verizon recently released its 2025 Data Breach Investigations Report (DBIR), an annual report first published in 2008 that examines trends in data breaches and cyberattacks around the world. 

To compile this year’s report, Verizon’s team analyzed more than 22,000 real-world security incidents, including more than 12,000 confirmed data breaches affecting organizations of all sizes and across all industries. The result is an in-depth, 117-page analysis that reveals how cybercriminals are evolving their tactics to carry out increasingly targeted attacks and offers insight into how organizations can protect themselves in 2025 and beyond.

Here are some of the biggest takeaways for security teams aiming to stay one step ahead of cybercriminals:

Managing Vendor Risk in the Age of AI

According to Verizon, 30% of the breaches examined for the 2025 DBIR “were linked to third-party involvement, twice as much as last year.” The report pointed to software vendors as a longstanding culprit:

“While, to some extent, software vendors have long played a part in unintentionally increasing the attack surface for those who use their products and services, over the last two to three years, it has moved from the occasional (and typically minor to moderate) mishap to a much more widespread and insidious problem that can (and sometimes does) have a devastating effect on enterprises.”

The problem is exacerbated by the rise in popularity of artificial intelligence (AI) tools. “AI can be a useful tool, but business leaders who want to harness the power of AI must take active steps to adequately assess their risk,” said Kyle Helles, CPA signer and partner at BARR Advisory.

“To ensure lasting cyber resilience, appropriate due diligence should be done with vendors that provide AI-powered tools or use AI to provide a service to your organization,” Helles said. This means completing a thorough vendor risk assessment prior to onboarding that considers questions such as:

  • What is the vendor’s governance structure over the safety—and ethical use—of AI?
  • Is the vendor following any specific security or privacy frameworks, such as a NIST framework (for example, the Cybersecurity Framework), SOC 2, ISO 27001, or ISO 27701?
  • Does the vendor have a security committee or someone charged with keeping their product and your data secure, private, and safe?
  • How do they assess their vendors that may also use AI?

Even vendors that are not leveraging AI can pose a risk to your business. This is why transparency and open communication are critical components of a successful vendor risk management strategy, according to Brett Davis, a senior consultant on BARR’s cybersecurity consulting team.

“At the core of a successful vendor risk management strategy is building a genuine relationship with your vendors,” Davis wrote in a recent blog post. “When you have a genuine relationship with a vendor, you can rely on them to keep you up-to-date on any potential risks or incidents, ensuring prompt communication and proactive resolution. This not only mitigates risk, but also fosters a culture of accountability and mutual support.”

According to Davis, “it all comes down to trust.”

“Openly addressing issues and providing timely updates not only instills confidence but also encourages meaningful dialogue,” he wrote. “By being forthcoming about challenges, organizations create opportunities for constructive engagement, ultimately strengthening trust and resilience.” 

Vulnerability Management is More Important Than Ever

Later in its report, Verizon noted a “34% increase in attackers exploiting vulnerabilities to gain initial access and cause security breaches compared to last year’s report.” What’s more, “54% of perimeter-device vulnerabilities were fully remediated by organizations in the past year, while almost half remained unresolved,” according to Verizon.

For security leaders mapping out their plans for the year ahead, these statistics offer valuable insight into where to focus time and energy.

“Every year, the DBIR provides companies with essentially free threat intelligence,” Steve Ryan, senior manager and head of healthcare services at BARR, said. “By understanding the current trends and methods employed by bad actors, you can use this information to identify critical points to include in your risk-based security program.”

With hackers increasingly exploiting vulnerabilities to wreak havoc on businesses across industries, it’s more important than ever for security teams to take a proactive approach to vulnerability management.

For many organizations, identifying and remediating gaps in their security posture begins with an automated vulnerability scan, a cost-effective way to inventory the known weaknesses in an environment. These scans, however, only tell part of the story: a scanner matches software versions and configurations against a database of known issues, so it will not find logic flaws, weak or reused credentials, or the chains of individually low-rated weaknesses that real intrusions depend on.

To get a full picture of an organization’s security posture, a formal penetration test should also be conducted. By identifying, quantifying, and prioritizing vulnerabilities in an organization’s systems, networks, and applications, a penetration test shows how real-world attackers could exploit your environment, giving your team the chance to fix issues before they lead to a breach.
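As an added example (not from the DBIR and not BARR's own code), the script below computes for your own environment the two perimeter-device metrics the report cites, the share of findings fully remediated and the median days to fix, from a scan export, and then ranks the open backlog so that known-exploited findings come first. The `Finding` fields, the severity-to-SLA mapping, the prioritization order and the sample findings are constructed assumptions, and the vulnerability IDs are placeholders, not real CVEs.

```python
# Added example: remediation metrics and backlog ranking for scan findings.
# Field names, SLA days, ranking policy and sample data are assumptions.
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import List, Optional


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str                   # placeholder IDs below, not real CVEs
    severity: str                  # "critical" | "high" | "medium" | "low"
    internet_facing: bool          # perimeter device: VPN, firewall, edge proxy...
    found: date                    # first seen by the scanner
    fixed: Optional[date] = None   # None while the finding is still open
    in_kev: bool = False           # listed in a known-exploited-vulnerabilities catalogue


# Assumed remediation SLAs (days) per severity; a policy choice, not a DBIR figure.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1, "low": 0}

# Constructed sample scan export; assets, dates and identifiers are made up.
SAMPLE = [
    Finding("vpn-gw-01", "CVE-XXXX-0001", "critical", True, date(2025, 4, 1), date(2025, 4, 3), in_kev=True),
    Finding("fw-edge-02", "CVE-XXXX-0002", "high", True, date(2025, 3, 15), None, in_kev=True),
    Finding("mail-relay", "CVE-XXXX-0003", "high", True, date(2025, 5, 20), date(2025, 6, 1)),
    Finding("intranet-wiki", "CVE-XXXX-0004", "critical", False, date(2025, 5, 1), None),
    Finding("vpn-gw-01", "CVE-XXXX-0005", "medium", True, date(2025, 1, 10), date(2025, 3, 1)),
    Finding("lb-01", "CVE-XXXX-0006", "low", True, date(2025, 5, 30), None),
]


def age_days(f: Finding, today: date) -> int:
    """Days from discovery to the fix date, or to today if the finding is still open."""
    return ((f.fixed or today) - f.found).days


def remediation_summary(findings: List[Finding], today: date, perimeter_only: bool = True) -> dict:
    """Share fully remediated, median days-to-fix and open count, in the DBIR's terms.

    With perimeter_only=True only internet-facing assets are counted, which is the
    scope the report's edge-device statistic describes."""
    scope = [f for f in findings if f.internet_facing or not perimeter_only]
    fixed = [f for f in scope if f.fixed is not None]
    fix_times = [age_days(f, today) for f in fixed]
    return {
        "total": len(scope),
        "remediated_pct": round(100 * len(fixed) / len(scope), 1) if scope else 0.0,
        "median_days_to_fix": median(fix_times) if fix_times else None,
        "open": len(scope) - len(fixed),
    }


def overdue_days(f: Finding, today: date) -> int:
    """Days an open finding is past its severity SLA; 0 if fixed or still within SLA."""
    if f.fixed is not None:
        return 0
    return max(0, age_days(f, today) - SLA_DAYS[f.severity])


def prioritized_backlog(findings: List[Finding], today: date) -> List[Finding]:
    """Open findings ordered by: known-exploited first, then severity, then
    internet exposure, then age. The order is an assumed policy."""
    open_findings = [f for f in findings if f.fixed is None]
    return sorted(
        open_findings,
        key=lambda f: (f.in_kev, SEVERITY_RANK[f.severity], f.internet_facing, age_days(f, today)),
        reverse=True,
    )


if __name__ == "__main__":
    today = date(2025, 6, 6)
    print("perimeter:", remediation_summary(SAMPLE, today))
    print("all assets:", remediation_summary(SAMPLE, today, perimeter_only=False))
    for f in prioritized_backlog(SAMPLE, today):
        print(f"{f.asset:14} {f.vuln_id} {f.severity:8} kev={f.in_kev} overdue={overdue_days(f, today)}d")
```

Run against the constructed sample, the perimeter summary reports 5 findings, 60% fully remediated, a median of 12 days to fix and 2 still open, and the backlog puts the known-exploited edge firewall finding first. Pointing `SAMPLE` at a real scanner export (and `in_kev` at a known-exploited catalogue lookup) gives the same numbers for your own estate, which is a more useful planning input than the industry-wide figure.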

Ransomware on the Rise

The latest edition of Verizon’s DBIR also notes that ransomware remains one of the most persistent and costly cyber threats facing organizations today. Nearly half (44%) of all breaches analyzed by Verizon for its 2025 DBIR involved ransomware, “marking a notable rise from last year’s report,” according to Verizon. The median amount paid out by victim organizations to ransomware groups was $115,000, a small decrease compared to the year prior. Most organizations (64%) did not pay the ransoms, according to the DBIR, which Verizon suggested could be helping to disincentivize future ransomware attacks.

Still, the 2025 DBIR reveals that among small- to medium-sized businesses, ransomware was involved in as much as 88% of the data breaches studied by Verizon.

“While large companies tend to make the headlines, smaller companies are usually more susceptible to attacks,” Brad Thies, founder and CEO of BARR Advisory, said. For business leaders aiming to mitigate the risk of ransomware attacks, Thies recommends prioritizing and allocating resources to cybersecurity, just like you would for accounting or sales. “If you’re not considering cybersecurity as a critical part of your business, it’s not a matter of if you get hacked, but when.”

Thies also recommends that business leaders leverage their professional networks ahead of an attack to help streamline incident response and minimize the operational and reputational damage often caused by ransomware attacks.

“It’s important to establish a relationship with the FBI, local law enforcement agencies, and outside counsel before you experience a cyberattack. If you’re a victim of a ransomware attack, you will not have the time to make these connections in the moment,” Thies said. “Assume you will get breached and establish these relationships in advance in order to prepare for a potential cyberattack. This process could also include discussing your cyber breach liability with your insurance company. When you have these connections in place, you’ll be able to make decisions in a timely fashion if and when a breach occurs.”

The Bottom Line

The 2025 DBIR makes clear that cyberattacks are becoming more targeted, more sophisticated, and more costly for organizations across all industries. In order to stay ahead of cybercriminals, businesses must be proactive about building strong security programs and continuously improving their controls in response to new threats. 

Whether it’s managing third-party risk in an AI-powered world, closing critical security gaps through vulnerability management, or preparing for the very real possibility of a ransomware attack, the organizations that fare best will be those that invest in long-term resilience, not just short-term fixes.

Ready to turn these insights into action? Contact us today for a free consultation.
