Verizon’s Data Breach Investigations Report (DBIR) is always one of the more useful snapshots of where the threat landscape is headed (and entertaining if you read the footnotes). This year’s report strongly reinforces a lot of what we see in the day-to-day: the growing impact of third-party risk, the evolution of ransomware beyond just data theft, and the early but meaningful security implications of generative AI use.  

Key Insights 

The data reveal a threat landscape marked by increasingly aggressive adversaries, growing automation, and persistent human-driven vulnerabilities.  

  • Credential theft and exploitation of unpatched systems are nearly equal as top entry points, fueled by widespread edge device (i.e., personal devices) exposures and third-party software vulnerabilities. 
  • Ransomware now appears in nearly half of all breaches, with operational disruption often outweighing data loss.  
  • Financial services, healthcare, education, and retail remain highly targeted, and third-party involvement has doubled year-over-year.  

While perfect protection is unattainable, layered defenses—spanning identity, patching, segmentation, and user vigilance—remain the most effective approach. 

#1: Employee Passwords Become Attacker Passkeys 

Stolen credentials were used in 22% of breaches, while vulnerability exploitation reached 20%—a 34% increase from last year. VPNs and edge devices were key targets, with that vector growing nearly 8x year-over-year. Many exploited vulnerabilities took over a month to fully remediate, highlighting the need for robust patch management and asset visibility. 

#2: Ransomware Has Higher Frequency But Lower Demands 

Ransomware appeared in 44% of breaches, a 37% increase, while the median amount paid dropped from $150,000 last year to $115,000 this year. Meanwhile, 64% of victim organizations refused to pay. SMBs were hit particularly hard, with ransomware present in 88% of their breaches, compared to 39% in larger firms.

#3: User Convenience Becomes Security Compromise 

Human actions contributed to 60% of breaches. Social engineering and credential misuse are commonly linked, particularly in phishing scenarios. Continued investment in training, monitoring, and access oversight is essential.  

#4: Third-Party Software Is a First-Priority Risk 

Breaches involving partners, vendors, or their software surged to 30%, up from 15% the prior year. Notable incidents involved misconfigured platforms, leaked secrets, and lack of MFA enforcement in third-party systems. These findings underscore the importance of vendor risk management and secure integration practices. 

#5: Your AI Adoption May Be AI Exploitation 

While AI had not yet significantly transformed the threat landscape at the time Verizon collected data for this report, the 2025 DBIR highlights measurable risk indicators. Threat actors are beginning to use generative AI to craft more realistic phishing emails and influence operations.  

At the same time, corporate exposure is rising through employee use of GenAI tools. Many users access these platforms with personal accounts or unvetted credentials, often uploading sensitive data without oversight. BYOD environments are particularly vulnerable, and there’s early evidence of credential leakage and shadow AI use contributing to compromise.  

Mitigations & Recommendations 

The findings in this year’s DBIR make it clear that cybersecurity programs need to refocus on the fundamentals—while also anticipating new threats introduced by interconnected systems, third-party dependencies, and emerging technologies. No single control will prevent a breach, but a layered approach that balances technical, procedural, and human defenses remains the most effective strategy. 

Identity Protection Prevents Credential Exploitation 

Organizations should continue investing in strong identity controls, particularly phishing-resistant multifactor authentication across critical services. Credential abuse remains a top attack vector, often enabled by reused or exposed credentials, especially in environments where federated access and API-based integrations are common. Maintaining control over who can access your systems—and ensuring those identities are monitored and protected—is more essential than ever. 

Timely Patches Prevent Extensive Breaches 

Equally important is timely and prioritized patching of internet-facing assets, especially VPNs and edge devices, which were heavily targeted through zero-day and N-day exploits. Many of these systems took weeks to remediate, leaving organizations exposed long after initial advisories. Security teams should review asset inventories, automate vulnerability scanning and patch deployment where possible, and closely track remediation timelines for high-risk services. 

Network Segmentation Limits Breach Expansion 

Segmentation and least-privilege access can contain the blast radius when compromise does occur and should be used to isolate high-value assets from public-facing or third-party integrated systems. In many of the most impactful breaches, lateral movement and lack of visibility were more damaging than initial access. 

Security Training Evolves Beyond Awareness 

Security awareness training remains important—but it must evolve. Organizations should move beyond general reminders and toward hands-on, behaviorally driven training that reflects today’s phishing and social engineering tactics. Technical controls like email filtering and credential monitoring should be layered atop this, but training can still reduce risk when done well. 

AI Governance Controls Technology Risks 

Organizations should monitor AI platform access and restrict usage through corporate identity systems (e.g., SSO with conditional access). Develop acceptable use policies for GenAI and educate employees about data handling risks. Where GenAI is used for business purposes, ensure vendor security evaluations include retention policies and data segregation controls. 

Incident Response Prepares for Inevitable Failures 

Finally, organizations must assume that some controls will fail. Having an Incident Response Plan that’s been exercised—and that includes playbooks for third-party vendor compromises—is critical. Regular testing of backup and recovery capabilities should be integrated into this, especially as ransomware continues to drive not just data theft, but sustained business interruption. 

AgioNow Is Your Control Center for DBIR Risk Mitigation 

The 2025 DBIR findings emphasize that financial institutions need comprehensive visibility and streamlined security management to address evolving threats. This is where AgioNow becomes your essential ally. Our client portal delivers consolidated risk management in a single, intuitive interface—providing real-time visibility into vulnerabilities, patch status, and third-party software implementations that might otherwise become security blind spots. 

By centralizing your security operations, AgioNow directly addresses key DBIR concerns while eliminating scattered communications and simplifying your IT management. Whether you’re tracking credential vulnerabilities, monitoring patch implementation timelines, or overseeing vendor access controls, AgioNow gives you the transparency and efficiency needed to transform security from reactive to proactive—all while providing the documentation and reporting capabilities your stakeholders expect. 

Wrapping Up 

Financial institutions continue to be high-value targets across multiple vectors. Social engineering and credential misuse were the top breach patterns, often resulting in fraud or unauthorized access to sensitive systems. External actors dominated, but internal misuse also contributed to breaches. Ransomware and data exfiltration remain significant threats, especially in customer-facing environments and third-party integrations.  

Organizations should focus on credential hygiene (MFA, password rotation, and detection of reused credentials), vendor access control reviews, and real-time monitoring of abnormal data access in both customer and internal systems.  

Contact us today for a deeper conversation around cybersecurity.