What 22,000 Breaches Reveal About Incident Preparedness
The 2026 Verizon Data Breach Investigations Report provides critical insight into incident preparedness. Analysing over 22,000 breaches, the report finds that exploitation of vulnerabilities is now the primary access vector. Incident preparedness remains essential as organisations face increasingly sophisticated cyber threats that demand more robust and realistic response planning.
Despite years of investment in security tools and processes, the report highlights that even top-performing organisations struggle to patch critical vulnerabilities quickly enough. The median time to remediate a critical flaw now stands at 43 days, while the volume of critical vulnerabilities has increased by 50 percent. This means organisations cannot rely on patching alone to prevent every incident.
Ransomware’s Growing Impact and Why Your Response Matters
Ransomware continues to be a dominant threat, appearing in 48 percent of all confirmed breaches. Small and medium-sized businesses (SMBs) are especially vulnerable, making up 96 percent of known victims. The decision of whether to pay a ransom is often viewed as the central dilemma in a ransomware incident, but the reality is far more complex.
The Realities of Ransomware Attacks
- Ransomware is present in nearly half of all breaches.
- The majority of victims are SMBs.
- Most organisations now refuse to pay, with 69 percent declining ransom demands.
- Ransomware gangs maximise disruption to force quick decisions, affecting operations, supply chains, and even national economies.
Recent high-profile attacks, such as the 2025 incident affecting Marks & Spencer and the Jaguar Land Rover breach, show that ransomware can cripple operations for weeks, causing hundreds of millions in losses. These cases highlight the importance of incident preparedness that goes beyond the pay-or-not decision.
Key Considerations for Ransomware Response
- How will your organisation continue operating without key systems?
- Are legal, communications, and IT teams aligned for a coordinated response?
- What regulatory obligations exist around notification and disclosure?
- Has your team rehearsed the full spectrum of decisions beyond ransom payment?
Organisations that limit their incident exercises to the ransom question are not truly prepared. Regularly rehearsing all aspects of a ransomware scenario, from maintaining business continuity to managing communications, is essential for effective incident preparedness.
Third-Party Breaches: The Expanding Attack Surface
Another significant finding from the Verizon report is the 60 percent rise in third-party breaches. Nearly half of all incidents now involve a vendor, supplier, or service provider. The trend is accelerating, having doubled in previous years, and it is reshaping how organisations must approach incident preparedness.
Understanding Third-Party Breach Scenarios
- A vulnerability in a vendor’s product provides attackers with access to your environment.
- A vendor that holds your data is directly compromised.
- An attacker breaches a vendor and moves laterally into your network.
Often, these archetypes overlap, making incident response more complicated. Unfortunately, many organisations focus their incident exercises solely on internal breaches, neglecting to prepare for scenarios involving third-party partners. This leaves response teams unprepared when external breaches occur.
Enhancing Incident Preparedness for Supply Chain Risks
- Include third-party breach scenarios in incident exercises.
- Map out communication protocols with key vendors during a crisis.
- Review contracts to ensure timely notification and cooperation from suppliers.
- Assess the security posture of critical vendors and service providers regularly.
Practising these scenarios helps teams build the unique skills needed to manage breaches that originate outside their own organisation. Clear communication and coordination with vendors are vital for effective incident preparedness in today’s interconnected landscape.
Why Incident Preparedness Must Evolve
The key message from the analysis of 22,000 breaches is clear: incident preparedness is not just about having technical controls in place. It is about developing an organisational culture of readiness, where realistic exercises and cross-functional rehearsals enable swift and effective responses to a wide range of scenarios.
Practical Steps for Organisations
- Regularly review and update incident response plans to cover new risks and attack vectors.
- Conduct comprehensive tabletop exercises that include ransomware, third-party, and supply chain breaches.
- Ensure all stakeholders (IT, legal, communications, executive leadership) participate in incident rehearsals.
- Monitor industry reports and adapt practices based on emerging threat trends.
- Invest in staff training to foster a culture of cyber awareness and readiness.
Effective incident preparedness is an ongoing process. By learning from the experiences of thousands of breached organisations, businesses can better position themselves to withstand and recover from the inevitable cyber incidents they will face.
Originally reported by csoonline.com.







