A bit of security reports. Verizon’s 2025 Data Breach Investigations Report reveals a significant surge in ransomware attacks and exploited vulnerabilities, with ransomware detected in 44% of over 12,000 data breaches examined, a 37% increase from the previous year. While the number of organizations paying ransoms has decreased—64% did not pay, compared to 50% two years prior—the prevalence of ransomware continues to rise, particularly among small to medium-sized businesses, which experienced ransomware in 88% of breaches.
According to the Federal Bureau of Investigation’s annual report from the Internet Crime Complaint Center, complaints related to ransomware increased by 9% last year, marking it as the top threat to critical infrastructure. Overall, online crime losses surged by 33%, totaling $16 billion in 2024, with investment fraud linked to cryptocurrency accounting for the most significant financial losses at over $6.5 billion.
A recent report from Keep Aware highlights significant security risks associated with employee use of web browsers in the workplace, noting that over 70% of modern malware attacks originate through these unmonitored endpoints. The report identifies that traditional security tools are ineffective at detecting threats within browsers, leading to increased vulnerabilities as employees frequently access sensitive information and applications. Key findings reveal that 70% of phishing campaigns impersonate trusted platforms like Microsoft and OneDrive, while over 150 popular services are being exploited to host phishing attacks. Additionally, 34% of file uploads from company devices are directed to personal accounts, often without detection.
Why do we care? It’s tempting to treat every new report as proof that clients need the full stack of AI-enhanced XDR, SOC-as-a-service, browser isolation, and insider threat analytics. But the reality for most SMBs is that basic hygiene still isn’t in place. MFA gaps, unpatched systems, and lack of asset visibility remain persistent failures. Before layering more tech, providers should assess if their clients have covered the fundamentals—because advanced tools don’t fix unmanaged risk. Be really great at the basics.