Looking Beyond Initial Access
For years, the Verizon Data Breach Investigations Report (DBIR) has helped organizations understand how cyberattacks happen. Each year, security teams look to the report for insight into attack trends, threat actor behavior, and the tactics used to gain access to systems and accounts.
This year, Verizon expanded that conversation with its inaugural Breach Impact Study. To better understand the financial consequences of cyber incidents, the study analyzes nearly 70,000 cyber insurance claims and over 38,000 claims with recorded losses paid to policyholders, from incidents occurring between January 1, 2019, and October 31, 2025.
As a contributor to the 2026 DBIR, Enzoic was particularly interested in viewing these reports together. The DBIR helps organizations understand how breaches happen, while the Breach Impact Study helps quantify the financial impact recorded in cyber claims. Viewed together, they provide a more complete picture of modern cyber risk.
Understanding how attackers gain access is important. Understanding the business impact that follows may be even more important. To see the full picture, it’s helpful to look at both sides of the equation.
The 2026 DBIR reinforced several trends that security teams have been watching closely.
Vulnerability exploitation continued to grow as a major attack vector, while credential abuse, account compromise, and identity-based attacks remained central to many successful breaches. Attackers increasingly rely on legitimate access rather than traditional malware, allowing them to blend in with normal user activity and evade detection. Beyond serving as an initial access vector, compromised credentials can also play a substantial role after an attacker gains entry.
While headlines often focus on the latest vulnerabilities or ransomware groups, the underlying reality remains unchanged: attackers need access.
Whether that access comes through a compromised password, credential stuffing attack, phishing campaign, infostealer malware, or exploitation of a vulnerability that ultimately leads to credential theft, identities continue to play a critical role throughout the attack lifecycle.
As discussed in Enzoic’s analysis of the 2026 DBIR, compromised credentials remain a persistent security challenge even as attack techniques continue to evolve. This focus on initial access is important because it helps organizations understand the common pathways to compromise. However, it only tells part of the story.
“The next question is equally important: What happens after attackers gain access?”
The Verizon Breach Impact Study expands the conversation from how breaches occur to what they ultimately cost organizations.
One of the clearest trends is that the financial impact of cyber incidents continues to rise significantly. According to the study, the median breach impact increased approximately 80% between 2019 and 2024. During the same period, inflation increased only about 23%, suggesting that breach costs are growing much faster than broader economic conditions alone would explain.
Cyber incidents are not simply becoming more common. They are becoming more expensive.
The impact can be especially significant for smaller organizations. While large enterprises often experience larger dollar losses, the Breach Impact Study found that in the most severe SMB incidents, losses exceeded 7% of annual revenue.
These findings highlight the growing financial consequences of cyber incidents. Half of all reviewed claims exceeded approximately $83,000 in financial impact, while the most severe incidents generated losses running into the millions of dollars.
These findings reinforce an important reality: cyber risk is increasingly a business risk issue, not just a technology issue. For many organizations, a cyber incident is no longer measured solely by what attackers steal, but by the operational disruption and financial consequences that follow.
When many organizations think about breach costs, they immediately think of ransomware payments, fraudulent wire transfers, regulatory penalties, or legal settlements.
The data suggests something different.
Across the dataset, business interruption had the highest median loss of the four loss categories.
Business interruption losses increased from 21% of known losses in 2023 to 32% in 2024, a 51% relative increase in that share in just one year. This trend suggests that operational disruption is becoming an increasingly important contributor to breach impact.
This shift highlights how the true cost of many cyber incidents extends far beyond money paid directly to threat actors.
Business interruption can include:
The 2026 DBIR reports that 69% of ransomware victims in its dataset did not pay. Even when no ransom is paid, organizations can still incur significant costs while critical systems, processes, or services remain unavailable.
The lesson is clear: preventing financial loss is no longer just about preventing theft. It is also about maintaining operational resilience.
Direct financial losses have not disappeared, however. Business Email Compromise (BEC) incidents continue to generate significant costs, with the median economic impact remaining around the mid-$50,000 range and some incidents resulting in multimillion-dollar losses. BEC can involve compromised email accounts or stolen email threads that allow attackers to impersonate a vendor or partner, sometimes without malware or a malicious link.
When cyberattacks disrupt business-critical systems, downtime itself becomes a major source of breach impact.
Another important trend is the outsized impact of third-party and software supply chain incidents.
While these incidents represented a relatively small percentage of overall claims, their financial consequences were substantial. Software supply chain incidents had a median impact of approximately $252,000—more than double the overall dataset—and some extreme cases exceeded $100 million in losses. Some losses exhausted policy limits, meaning the recorded amounts may understate the incidents’ actual economic impact. Organizations should consider how dependent modern operations have become on external providers and software ecosystems.
Modern organizations depend on an increasingly complex network of software providers, cloud platforms, vendors, contractors, and business partners.
As a result, organizations often inherit risk from entities they do not directly control.
A vulnerability in a software dependency, an outage at a critical service provider, or a compromise at a trusted partner can create significant downstream consequences.
Third-party relationships create opportunities for attackers to exploit trusted access paths, shared credentials, and interconnected systems. As these dependencies continue to grow, organizations must expand how they think about exposure and risk. While organizations may have limited control over third-party security practices, they can monitor whether credentials associated with partners, contractors, and other external entities with access to their environment have been compromised.
“Whether the source is a compromised employee account, a vendor relationship, or a software dependency, many modern attacks ultimately depend on trusted access. That reality creates a natural connection between the findings in both Verizon reports and another area organizations often struggle to measure: identity exposure.”
Viewed together, the DBIR and Breach Impact Study tell a compelling story.
The DBIR helps explain how attackers gain access.
The Breach Impact Study helps quantify the consequences.
Between those two points sits a critical—but often overlooked—factor influencing modern breach impact: identity exposure.
Identity exposure exists long before breach impact is ever calculated.
It includes:
These conditions can persist for months or years before they are abused by attackers.
Credential abuse accounted for 13% of known initial access in the 2026 dataset, but the DBIR also characterizes it as pervasive across multiple attack paths and an important mitigation target. Reducing identity exposure can therefore address a recurring access mechanism and manage risk across attack vectors.
Yet identity exposure often represents one of the earliest indicators of potential future risk.
The connection becomes especially important when considering the findings from both Verizon reports.
If attackers continue to rely on identities and credentials as part of their access strategies, and if breach impact continues to increase because of business interruption and operational disruption, then reducing identity exposure becomes increasingly valuable.
Organizations cannot eliminate every cyber threat. However, they can reduce opportunities for attackers to leverage exposed identities and compromised credentials to establish access in the first place.
Modern cyber risk extends well beyond the moment attackers gain access. While understanding how attackers gain access remains essential, the financial and operational consequences that follow often determine the true impact of a breach.
The latest Verizon research shows that the median estimated impact in the claims dataset rose substantially between 2019 and 2024, business interruption became a larger driver of losses, and third-party incidents can create outsized consequences for affected organizations.
At the same time, the DBIR continues to demonstrate the importance of understanding how attackers gain access and how identities remain central to many modern attacks. Compromised credentials remain one of the leading risks because credential abuse is pervasive across multiple attack paths and can support both initial access and further compromise.
Looking beyond initial access provides a more complete understanding of cyber risk. Organizations that understand both the causes of compromise and the factors that influence breach impact will be better positioned to reduce risk, improve resilience, and make more.