The 2025 Verizon Data Breach Investigations Report: What It Means for Product and Supply Chain Security
Topics: Software Supply Chain Security, Product Security

Discover what the 2025 Verizon DBIR means for product and supply chain security—and how Finite State helps you stay compliant and secure.

Finite State Team

May 7, 2025

Every year, Verizon's Data Breach Investigations Report (DBIR) offers a critical snapshot of the evolving cybersecurity threat landscape. The 2025 edition is no exception, and this year's findings should serve as a call to action for manufacturers, software producers, and supply chain stakeholders worldwide.

Below, we’re sharing our take on some of the most important trends in this year’s report.

Third-Party Risk is No Longer a "Side Issue"

The DBIR revealed that third-party involvement in breaches has doubled year-over-year, now accounting for 30% of all breaches. In today's interconnected ecosystem, your security posture is only as strong as the weakest link in your supply chain.

Finite State has long advocated for greater transparency and accountability in software supply chains. As the complexity of these ecosystems grows, managing the risks hidden within connected products, firmware, and third-party code becomes non-negotiable. A vendor questionnaire records what a supplier says about its software; it does not tell you what is actually in the binary you ship. Organizations must move beyond questionnaires to deep technical validation: maintaining an SBOM for each product as it is actually built, checking that inventory against vulnerability intelligence on an ongoing basis, and tracking every finding from discovery through triage, remediation, and verification.

Vulnerability Exploitation Surges: The Case for Proactive Asset Management

The report highlights that exploitation of vulnerabilities grew sharply and now rivals credential abuse as a primary initial access vector. Particularly concerning is the rise of attacks targeting edge devices and VPNs, systems that sit directly on the internet and that organizations often struggle to patch quickly.

This aligns with what we see every day: many connected devices and embedded systems are deployed with long lifespans but without sufficient processes for ongoing vulnerability management. A device that was clean when it shipped accumulates exposure as new advisories are published against the components inside it, so security depends on knowing exactly what those components are and re-checking them for the life of the product. The traditional "set and forget" model is simply no longer viable.
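The deep technical validation called for under third-party risk and the ongoing vulnerability management that long-lived devices need come down to the same loop: know exactly which components ship in a firmware image, check them against advisories as those are published, and track each finding from one release to the next. The following Python example is added here to show that loop end to end; it is not Finite State's code and does not describe its platform. The two SBOMs, the component names, and the advisory identifiers are all constructed placeholders (not real packages or real vulnerabilities), and the version comparison is a simplified dotted-integer ordering.

```python
"""
SBOM-to-advisory matching with release-over-release finding tracking.

Added example, not Finite State's code. Every SBOM, component name and
advisory identifier below is constructed for illustration; none refers
to a real package or a real vulnerability.
"""
import json
import re
from typing import Dict, List

# Constructed CycloneDX-style SBOM (minimal fields) for a hypothetical
# gateway firmware as first shipped.
FIRMWARE_V1_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"name": "gateway-firmware", "version": "1.0.0"}},
    "components": [
        {"name": "libexample-ssl", "version": "1.2.3", "purl": "pkg:generic/libexample-ssl@1.2.3"},
        {"name": "busybox-like", "version": "1.30.0", "purl": "pkg:generic/busybox-like@1.30.0"},
        {"name": "vpn-agent", "version": "2.4.1", "purl": "pkg:generic/vpn-agent@2.4.1"},
    ],
})

# Constructed SBOM for the next firmware release: the TLS library was
# bumped, the VPN agent was left exactly as it was.
FIRMWARE_V2_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"name": "gateway-firmware", "version": "1.1.0"}},
    "components": [
        {"name": "libexample-ssl", "version": "1.2.5", "purl": "pkg:generic/libexample-ssl@1.2.5"},
        {"name": "busybox-like", "version": "1.30.0", "purl": "pkg:generic/busybox-like@1.30.0"},
        {"name": "vpn-agent", "version": "2.4.1", "purl": "pkg:generic/vpn-agent@2.4.1"},
    ],
})

# Constructed advisory feed; the IDs are placeholders, not CVEs.
# A component is affected when introduced <= version < fixed.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "component": "libexample-ssl", "introduced": "1.2.0", "fixed": "1.2.4", "severity": "critical"},
    {"id": "ADV-EXAMPLE-0002", "component": "vpn-agent", "introduced": "2.0.0", "fixed": "2.5.0", "severity": "high"},
    {"id": "ADV-EXAMPLE-0003", "component": "busybox-like", "introduced": "1.31.0", "fixed": "1.32.0", "severity": "medium"},
]


def parse_version(version: str) -> tuple:
    """Turn '1.2.3' into (1, 2, 3); a segment without leading digits counts as 0.

    Real tooling must apply the ecosystem's own ordering (dpkg, RPM, semver
    pre-release rules, ...). Dotted-integer comparison is enough for this demo.
    """
    parts = []
    for segment in version.split("."):
        match = re.match(r"\d+", segment)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when version lies in the half-open affected range [introduced, fixed)."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def match_sbom(sbom_json: str, advisories: List[dict]) -> List[dict]:
    """Return one finding per (component, advisory) pair whose shipped version is affected."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        for adv in advisories:
            if adv["component"] != comp["name"]:
                continue
            if is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                findings.append({
                    "advisory": adv["id"],
                    "severity": adv["severity"],
                    "component": comp["name"],
                    "version": comp["version"],
                    "purl": comp.get("purl", ""),
                    "fixed_in": adv["fixed"],
                })
    return findings


def finding_key(finding: dict) -> str:
    """Stable identity for a finding across releases: advisory plus component."""
    return f"{finding['advisory']}@{finding['component']}"


def diff_findings(previous: List[dict], current: List[dict]) -> Dict[str, List[str]]:
    """Classify findings between two releases as new, fixed, or still open."""
    prev_keys = {finding_key(f) for f in previous}
    cur_keys = {finding_key(f) for f in current}
    return {
        "new": sorted(cur_keys - prev_keys),
        "fixed": sorted(prev_keys - cur_keys),
        "still_open": sorted(prev_keys & cur_keys),
    }


if __name__ == "__main__":
    v1 = match_sbom(FIRMWARE_V1_SBOM, ADVISORIES)
    v2 = match_sbom(FIRMWARE_V2_SBOM, ADVISORIES)
    for f in v1:
        print(f"1.0.0: {f['advisory']} ({f['severity']}) {f['purl']} fixed in {f['fixed_in']}")
    print(json.dumps(diff_findings(v1, v2), indent=2))
```

Run as a script, the block lists the two findings against release 1.0.0 and then reports that one was fixed in 1.1.0 while the VPN agent's advisory is still open. That "still_open" entry is the set-and-forget case: a component whose advisory existed before the release was cut and that nobody re-checked. In practice the SBOM should be produced from the firmware image itself rather than from a hand-written manifest, and the affected ranges would come from an advisory feed with ecosystem-aware version comparison.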

The Persistent Human Element—and the New Frontier of AI Risk

Around 60% of breaches involved human factors, including errors, social engineering, and misuse. New this year: early signs of AI-driven risks, with threat actors using generative AI to craft more convincing phishing attacks.

Building resilient systems isn’t just about better firewalls; it’s about equipping organizations to anticipate and defend against sophisticated multi-vector attacks, including those that exploit human trust.

Why This Matters for the Future of Connected Products

The DBIR makes it clear: cybersecurity risk doesn’t stop at the network perimeter. It’s embedded deep inside our devices, software, and supply chains. Regulations like the EU Cyber Resilience Act and initiatives like the U.S. Cyber Trust Mark are pushing manufacturers toward more proactive security practices, but there is much work to do.

At Finite State, we’re committed to helping manufacturers, suppliers, and asset owners build a stronger, more transparent, and more secure foundation for the connected world. By combining rigorous SBOM management, vulnerability intelligence, and supply chain validation with industry-leading cybersecurity services—from strategic advisory and penetration testing to managed security and compliance consulting—we deliver end-to-end support for your product security journey. Whether you're navigating evolving regulations or defending against real-world threats, our platform and expert-led services ensure you're not going it alone.

The bottom line: The threat landscape is shifting rapidly. Organizations that invest today in securing their products and supply chains will be tomorrow's market leaders.

Ready to future-proof your security posture? Let’s work together.

Finite State Team

The Finite State team brings together experts in cybersecurity, embedded systems, and software supply chain risk to help connected device manufacturers secure their products and comply with evolving global regulations.
