TL;DR: Credential-based attacks account for 88% of basic web application breaches, and Microsoft and Sophos data show SMBs face frequent compromise, costly recovery, and credential reuse exposure across unmanaged devices and weak MFA deployments, according to the 2025 Verizon DBIR, Microsoft Security, and Sophos. The real failure is not password complexity alone but the absence of continuous credential screening, least-privilege containment, and exposure monitoring.
NHIMG editorial — based on content published by Enzoic: Protecting Your SMB Credential Screening
By the numbers:
- 88% of basic web application breaches involve the use of stolen credentials.
- 1 in 3 SMBs experienced a cyberattack in the past year.
- Compromised credentials were the most common root cause among businesses with 100-250 employees, playing a role in 30% of ransomware attacks in that segment.
Questions worth separating out
Q: How should security teams handle exposed credentials in SMB environments?
A: Treat exposed credentials as an active compromise signal, not a hygiene issue.
Q: Why do credential-based attacks remain so effective against SMBs?
A: They succeed because valid logins are trusted by default.
Q: What do organisations get wrong about MFA and password policy?
A: Many teams treat MFA and password rules as complete defences when they are only partial controls.
Practitioner guidance
- Deploy continuous credential screening Check new and existing passwords against breached credential lists and block known exposed secrets before users can authenticate.
- Replace expiry-based password policy Retire arbitrary rotation schedules unless a compromise occurs and move to risk-based password verification aligned with NIST SP 800-63B.
- Enforce phishing-resistant MFA on critical access Require strong second factors for remote access, privileged accounts, and any system that can reach sensitive records.
What's in the full article
Enzoic's full blog covers the operational detail this post intentionally leaves for the source:
- Step-by-step password screening guidance for SMB environments that need to block exposed credentials without disrupting users
- Practical advice on configuring MFA, password policy, and AD hardening in smaller identity estates
- Implementation detail on aligning credential checks with NIST SP 800-63B and Zero Trust access patterns
- Partner-selection considerations for SMBs that rely on MSPs or external security support
👉 Read Enzoic's analysis of credential-based attacks and SMB identity controls →
Credential-based attacks in SMBs: what IAM teams need to fix now?
Explore further
Credential exposure, not password weakness alone, is the governing failure mode in SMB identity security. The article shows that attackers are not relying on novel exploits. They are using credentials that were reused, guessed, or already exposed, which means the real control gap is the absence of continuous screening and exposure-aware authentication. NIST SP 800-63B aligns with this view because static password rules do not address breached credential reuse. Practitioners should treat exposure status as the primary trust signal.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, 46% confirmed and 26% suspected, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months.
A question worth separating out:
Q: Who is accountable when compromised credentials lead to a breach?
A: Accountability sits with the identity and access owners, not only the security team. If credential screening, MFA enforcement, or privilege scoping is inconsistent, the failure is governance-related. SMBs should map responsibility across IAM, IT operations, and service owners so gaps are not hidden by tooling ownership.
👉 Read our full editorial: Credential-based attacks expose SMB identity gaps that IAM teams miss