As a founder or technical leader, you’re building fast, hiring faster, and likely duct-taping security onto infrastructure that’s evolving weekly. Here’s the hard truth from the 2025 Verizon Data Breach Investigations Report (DBIR):
“Most breaches aren’t novel. They’re just unaddressed. Over and over again.”
And it’s not just the big guys getting hit. In fact, startups and growth-stage companies are now prime targets because they often have just enough data to be valuable, but not enough defenses to stop seasoned attackers.
The MOVEit Breach: A Warning for Every Tech-Enabled Business
Let’s rewind to one of the biggest supply chain breaches in recent history: the MOVEit Transfer vulnerability.
This wasn’t a zero-day targeting billion-dollar banks. It was a third-party file transfer tool, widely used across industries. When the vulnerability was exposed, attackers were able to exploit hundreds of organizations downstream, including law firms, universities, and insurance platforms.
The kicker? Many breached orgs never even knew they used MOVEit, it was buried in a vendor’s stack.
Ask yourself:
- Do you know every service your SaaS providers rely on?
- Do you monitor them for new vulnerabilities?
- Can you isolate third-party blast radius?
If not, you’re at risk.
DBIR 2025 Unmasks 7 Silent Threat Vectors
The report lays bare what’s actually happening in the field. Here’s a preview of seven breach vectors startups ignore, until they can’t:
1. Credential Abuse (22% of breaches)
→ 46% of compromised accounts were on unmanaged devices
→ 54% of affected orgs had credentials exposed in public dumps
Credentials are being stolen from unmanaged laptops, synced browsers, and unsecured personal devices. DBIR notes that 46% of affected accounts were on unmanaged endpoints and 54% of breached orgs had their domains show up in credential dumps.
You can’t enforce MFA on what you don’t manage. BYOD? Great. Shadow IT? Game over. You’re letting engineers authenticate with Google or GitHub from devices you don’t control, that’s a ticking time bomb.
2. Vulnerability Exploits (20%)
→ 200+ known vulnerabilities exploited in the wild
→ Only 54% of critical patches actually applied
Most exploits still come from known vulnerabilities not zero-days and yet only 54% of critical patches are applied at all. That’s a huge gap. Early-stage teams don’t track patching especially in cloud-native builds, no one owns it. That means stale images, outdated dependencies, and forgotten staging servers all create open doors.
3. Business Email Compromise (BEC)
→ $6.3B+ in losses in 2024 alone
→ Most attacks started with pretexting + urgency
BEC scams now account for $6.3B in losses, mostly from pretexting (e.g., “This is your CEO. Transfer funds now.”) Often enabled by weak verification flows and social engineering. Startups trust Slack, email, and speed. But no financial ops team should ever move funds without a callback or second channel confirmation. Deepfake audio impersonating your CEO to your CFO? That’s not science fiction anymore, It’s yesterday’s news.
4. Third-Party Risk (30% of breaches)
→ Doubled in just one year
→ MOVEit breach: prime example
30% of breaches now come through third-party vendors, MOVEit was just the start. Vendors are onboarding APIs, sync tools, and data integrations without anyone asking if they’re secure. You’re working with 30+ SaaS vendors. Most of them don’t give you breach reports and If they leak your data, you own the liability. If your security only covers your code, you’re covering 30% of your exposure.
5. Ransomware (44% overall; 88% in SMBs)
→ Median ransom: $115K
→ Targeted backups + exfiltration for extortion
Ransomware is evolving: no longer just encryption, it’s extortion + leak. The median payout is $115K, which for most startups is make-or-break. You may not even know what your backup plan is, If your production database were wiped today could you restore?
6. Data Leakage to Generative AI
→ 12% of data compromise now from GenAI
→ 200% YoY increase
Employees are pasting client data, code, and internal docs into ChatGPT and other GenAI tools. DBIR shows a 200% rise in related incidents, now responsible for 12% of reported data leaks. AI adoption is exploding. But nobody’s asking: What’s being shared? Where is it stored? Who owns the prompt data? Your team is pasting customer PII into ChatGPT right now, they don’t know it’s a risk and that’s on you.
7. Human Error & Misconfigurations
→ 60% of breaches involve a human
→ Cloud misconfigs still dominate breach reports
Misconfigurations, accidental exposures, or employees falling for phishing still account for the majority of breaches. You may trust your team’s good intent but good people make bad mistakes under pressure, in fast-paced environments.Your cloud is as secure as your last deployment script, Who’s checking it?
Our Recommendation: Stop Reacting. Start Operationalizing.
Security for startups doesn’t mean buying more tools. It means:
- Knowing where your actual risk surface is
- Prioritizing what to secure now vs. what can wait 3 months
- Setting cultural defaults (e.g., “we MFA everything” or “no unknown AI tools”)
- Rehearsing failure so you’re not learning during the real thing
Download the DBIR 2025 Enterprise Risk Brief for Founders
We’ve distilled the most critical data from the DBIR 2025 into a founder-focused security brief, plus a maturity self-assessment tool designed for startups and mid-market orgs.
Inside, we break down:
- The top 7 breach vectors in simple, actionable terms
- What controls to prioritize at different growth stages
- How to benchmark your security maturity against industry averages
[Download the DBIR 2025 Risk Brief for Founders]
