
Your biggest cyber risk is a vendor you already trust

The next breach that hits your business may not start with you at all. It starts with a company you trust and pay every month: your payroll provider, your CRM, your booking software, your IT vendor. When they get breached, your data goes with them.

That's not a hunch. The 2026 Verizon Data Breach Investigations Report, the closest thing the industry has to an annual benchmark, just put hard numbers on a shift small businesses can't afford to ignore.

What the report found

Two findings stand out. First, breaches involving a third party jumped 60% in a single year and now feature in 48% of all breaches, nearly half. The attacker doesn't break into you; they break into a supplier and ride that access in. Second, for the first time in 19 years, exploiting an unpatched vulnerability (31% of breaches) overtook stolen passwords as the most common way in.

Ransomware showed up in 48% of breaches and the report singles out small and mid-sized businesses as the ones least able to absorb the operational hit. The one bright spot: 69% of ransomware victims refused to pay.

Why this is a small-business story, not a big-company one

It's tempting to file "supply chain" under enterprise problems. But think about how a small business actually runs today: payroll, accounting, CRM, email, scheduling, marketing, and often IT itself are all outsourced to SaaS vendors and providers. You have effectively handed your most sensitive data to a dozen companies you'll never audit, and any one of them is now a path to you.

  • Break one, hit many. When attackers compromise a provider that serves lots of small businesses (a managed IT tool, a popular SaaS app), every downstream client is exposed at once. Small businesses are the volume target.
  • You inherit their security, good or bad. You can outsource the work, but not the risk or the liability; a breach at your vendor is still your customers' data and your reputation.
  • You have the least cushion. A large company has an incident team; a 12-person shop has whoever picks up the phone.

What a small business should actually do

You can't audit a giant SaaS vendor, and you don't need to. Vendor risk at your size is a few practical habits:

  • Know who holds your data. Make a simple list of the vendors and apps that touch customer, financial, or employee data. You can't manage a risk you can't see.
  • Vet before you sign. Ask a new vendor the basics: do they enforce MFA on your account, encrypt data at rest and in transit, and hold a SOC 2 or ISO 27001 attestation? It's the same questionnaire your bigger clients send you, pointed the other way.
  • Give the least access that works. Don't hand a tool broad admin rights or standing access it doesn't need, and switch off integrations you've stopped using.
  • Patch your own front door fast. With vulnerability exploitation now the top entry point, the internet-facing software you run (and your vendors run) has to be kept current.
  • Have a "what if they're breached" plan. Know who you'd call, how you'd rotate credentials and revoke access, and lean on tested backups so a vendor's bad day doesn't become your closure.
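The five habits above amount to a small third-party risk register: an inventory of who holds what, a way to see which vendor would hurt most, and a pre-written list of what to revoke and rotate. The script below is an added example (not from the original post or from Verizon); the vendor records, the 90-day "stale integration" threshold and the access weights are constructed assumptions, chosen to show the triage, not a standard.

```python
"""Tiny third-party risk register for a small business.

Added example, not part of the original post. The inventory below is
constructed and illustrative; STALE_DAYS and ACCESS_WEIGHT are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

STALE_DAYS = 90  # assumption: an integration unused this long gets switched off
ACCESS_WEIGHT = {"none": 0, "read": 1, "write": 2, "admin": 4}  # assumed weights


@dataclass
class Vendor:
    name: str
    data: frozenset              # sensitive data they hold: "customer", "financial", "employee"
    access: str                  # access they have into YOUR systems: none/read/write/admin
    mfa: bool                    # do they enforce MFA on your account with them
    attestation: Optional[str]   # "SOC 2", "ISO 27001", or None
    last_used: date              # last time the integration was actually used
    credentials: Tuple[str, ...]  # secrets you would rotate if they were breached


def blast_radius(v: Vendor) -> int:
    """Rough exposure score: how much of your data they hold times how deep they reach into you."""
    return len(v.data) * (1 + ACCESS_WEIGHT[v.access])


def findings(v: Vendor, today: date) -> List[str]:
    """The 'vet' and 'least access' checks applied to one vendor record."""
    out = []
    if not v.mfa:
        out.append("no MFA on the vendor account")
    if v.attestation is None and v.data:
        out.append("holds sensitive data with no SOC 2 / ISO 27001 attestation")
    if v.access == "admin":
        out.append("standing admin access; scope it down")
    if v.access != "none" and (today - v.last_used).days > STALE_DAYS:
        out.append(f"integration unused for >{STALE_DAYS} days; switch it off")
    return out


def triage(vendors: List[Vendor], today: date) -> List[Tuple[int, str, List[str]]]:
    """The 'know who holds your data' list, worst blast radius first."""
    rows = [(blast_radius(v), v.name, findings(v, today)) for v in vendors]
    return sorted(rows, key=lambda r: (-r[0], r[1]))


def breach_playbook(v: Vendor) -> List[str]:
    """The 'what if they're breached' plan for one vendor: revoke, rotate, assess, restore."""
    steps = []
    if v.access != "none":
        steps.append(f"revoke {v.name}'s {v.access} access into your systems")
    steps += [f"rotate {c}" for c in v.credentials]
    steps += [f"assess exposure of {d} data held by {v.name}" for d in sorted(v.data)]
    steps.append("confirm backups restore and are not reachable through the vendor's access")
    return steps


# Constructed sample inventory; names and details are made up for the example.
TODAY = date(2026, 5, 1)
INVENTORY = [
    Vendor("payroll-saas", frozenset({"employee", "financial"}), "none", True, "SOC 2",
           date(2026, 4, 28), ("payroll SSO app",)),
    Vendor("it-rmm-tool", frozenset({"customer", "financial", "employee"}), "admin", False, None,
           date(2026, 4, 30), ("RMM agent key", "vendor admin account")),
    Vendor("old-marketing-app", frozenset({"customer"}), "write", True, "ISO 27001",
           date(2025, 12, 1), ("marketing API key",)),
]

if __name__ == "__main__":
    for score, name, issues in triage(INVENTORY, TODAY):
        print(f"{score:>3}  {name}: {'; '.join(issues) or 'ok'}")
    print("\nIf it-rmm-tool is breached:")
    for step in breach_playbook(INVENTORY[1]):
        print(" -", step)
```

The point of the score is not precision but ordering: the outsourced IT tool with admin reach and no MFA sorts to the top, the payroll provider that holds sensitive data but has no access into your systems sorts to the bottom, and the forgotten marketing integration surfaces as something to switch off before anyone else finds it.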

Sources:
  • Verizon, 2026 Data Breach Investigations Report
  • Help Net Security, Lessons for organizations from the Verizon 2026 Data Breach Investigations Report

Not sure which vendors could take you down?

Talk to us
