CASE FILE // PC-2026-04
Status: Open


Filing: 04.02.00
Field: 27 APR 2026
Classification: Public
Status: Open

Phishing cost for mid-market: the segment attackers most prefer

Average breach cost $4.20M for the 500-to-5,000-employee band (IBM 2025). The segment is the most-targeted in the IC3 docket because attacker risk-adjusted return is highest where the dollar volume is meaningful but the controls gap versus large enterprises is well-documented.

Exhibit A

Why mid-market is the most-targeted segment


Phishing cost for organisations in the 500 to 5,000 employee band sits at $4.20M average per IBM 2025, just below the cross-sector mean of $4.88M. The figure obscures the more important structural point about this segment: mid-market is the single most-targeted population in the entire phishing landscape because the attacker risk-adjusted return is highest here.

The economics work as follows. Mid-market organisations move meaningful dollar volumes through wire transfers, payroll, and accounts-payable. Mid-market organisations hold meaningful customer-data records that translate into per-record liability if exposed. Mid-market organisations operate the same SaaS-app surface (Microsoft 365, Salesforce, Workday, etc.) as much larger enterprises, which means the attacker tooling library that works against Fortune 500 targets works equally well against the mid-market. But mid-market organisations typically have a security team of 1 to 10 people, partial MFA deployment, no in-house SOC, and an incident-response capability that depends on an external IR-retainer call when something serious happens. The combination of meaningful dollar volume with weaker controls is what makes the segment the highest-return target population.

The implication for mid-market CISOs and CFOs is that the segment-wide attacker attention is structural rather than incidental. Mid-market organisations should expect to be targeted, expect that the targeting will be sophisticated (because the attacker tooling that worked at Fortune 500 targets works here), and invest in controls that close the gap with larger enterprises in the highest-leverage areas: MFA, EDR, behavioural email security, and a documented incident-response capability. [IBM 2025 mid-market sub-cohort + IC3 2024 + Mandiant M-Trends 2025 victim-population analysis]

Exhibit B

IR retainer economics for the mid-market


An incident-response retainer is a pre-negotiated contract with an IR firm that guarantees response within defined time windows when an incident occurs. The economics for mid-market organisations favour a retainer over relying on emergency-rate engagement because the per-hour difference is large (typically $300 to $500 per hour at retainer rates versus $750 to $1,500 per hour at emergency rates), the response-time guarantee matters during the critical first 24 hours of an event, and the relationship-building with a known IR firm reduces the overhead of getting started when an event lands.

Pricing for mid-market IR retainers in 2025-2026 typically runs $30,000 to $150,000 per year for a 4-hour or 8-hour response SLA. The variance reflects firm size, industry, regulatory exposure, and the pre-paid hour bank included. A typical $75,000 mid-market retainer might include 50 to 100 pre-paid hours per year (enough for routine tabletop work, threat-intelligence briefings, and a small initial response to a contained event) with additional hours billed at $400 per hour during the year. The major IR vendors include Mandiant, CrowdStrike, Unit 42 (Palo Alto), Kroll, and Stroz Friedberg; mid-market-focused providers include CYE, Arete, and Tetra Defense.

The retainer should be sized to typical mid-market event scope. A major phishing-initiated event at a 2,000-employee mid-market organisation typically requires 200 to 800 hours of IR engagement, which exceeds the retainer hour-bank by a wide margin. The retainer's value is not in covering the full event cost but in compressing the time-to-engagement, locking in negotiated rates for the additional hours, and providing access to the IR firm's threat-intelligence and playbook library during the event. The IR retainer is a critical input to the post-event cost-line build and one of the highest-leverage spending decisions a mid-market security team makes. [IR firm public retainer pricing + Forrester IR-retainer market analysis 2024-2025]
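The retainer-versus-emergency-rate economics above can be worked through as a small piecewise cost model. This is an added illustration, not the page's or any IR firm's own pricing tool; the $75K fee, 75-hour bank and $400/hour overage rate are assumed point values taken from inside the bands quoted in this exhibit, and the emergency rates are the page's $750 to $1,500 band.

```python
"""Retainer vs emergency-rate IR cost model (added illustration).

Parameter values are assumptions chosen from inside the Exhibit B bands:
retainer $75,000/year with 75 pre-paid hours, overage $400/hour,
emergency engagement $750 to $1,500/hour.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Retainer:
    annual_fee: float      # pre-paid annual fee (sunk once signed)
    hour_bank: float       # hours included in the fee
    overage_rate: float    # $/hour for hours beyond the bank


def retainer_event_cost(r: Retainer, hours: float) -> float:
    """Spend when an event consumes `hours` of IR time under a retainer.
    The fee is counted in full; only hours beyond the bank are billed."""
    extra = max(0.0, hours - r.hour_bank)
    return r.annual_fee + extra * r.overage_rate


def emergency_event_cost(hours: float, emergency_rate: float) -> float:
    """Spend for the same event engaged at emergency (no-retainer) rates."""
    return hours * emergency_rate


def breakeven_hours(r: Retainer, emergency_rate: float) -> float:
    """Event hours at which the retainer path becomes cheaper than emergency rates.
    Inside the hour bank the retainer cost is flat; beyond it, it grows at the
    overage rate, so the crossover is solved piecewise."""
    if emergency_rate <= r.overage_rate:
        return float("inf")          # negotiated rate is no better; never wins
    h = r.annual_fee / emergency_rate            # crossover if inside the bank
    if h <= r.hour_bank:
        return h
    # beyond the bank: fee + (h - bank) * over == h * em
    return (r.annual_fee - r.hour_bank * r.overage_rate) / (emergency_rate - r.overage_rate)


def compare_event(r: Retainer, hours: float, emergency_rate: float) -> dict:
    """Side-by-side cost of one event, e.g. the page's 200-800 hour band."""
    ret = retainer_event_cost(r, hours)
    em = emergency_event_cost(hours, emergency_rate)
    return {"retainer": ret, "emergency": em, "saving": em - ret}


if __name__ == "__main__":
    r = Retainer(75_000, 75, 400)
    for hours in (200, 500, 800):
        for em in (750, 1500):
            print(hours, em, compare_event(r, hours, em))
    print("break-even hours @ $750:", breakeven_hours(r, 750))
```

At a 500-hour event the assumed retainer costs $245K all-in against $375K to $750K at emergency rates, and the retainer pays for itself at roughly 129 hours against the $750 rate and 50 hours against the $1,500 rate.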

Exhibit C

The MDR-versus-SOC build-or-buy decision


The 24x7 security operations capability decision is one of the largest single-line investments mid-market security teams make. The two options are building an in-house SOC or buying managed detection and response (MDR) from a third-party provider. The economics typically favour MDR for organisations below approximately 5,000 employees because the in-house SOC requires fixed-cost staffing that is hard to justify at smaller scale.

In-house SOC economics for 24x7 coverage with reasonable staffing depth require 8 to 12 analysts (3-shift coverage with vacation and training depth) plus SOC management, plus the underlying SIEM, EDR, and threat-intelligence tooling. Total fully-loaded cost for a mid-market in-house SOC typically runs $1.5M to $4M per year, with hiring and retention difficulty as additional drag. The skill-gap problem is severe: the cyber-security labour market is tight at the analyst level and mid-market salary bands frequently cannot compete with major-enterprise or vendor-side compensation.

MDR economics provide equivalent 24x7 coverage at $200K to $800K per year for a mid-market organisation, depending on the endpoint count, the data-volume to monitor, and the response-action scope included. Major MDR providers include CrowdStrike Falcon Complete, SentinelOne Vigilance, Sophos MDR, Arctic Wolf, Expel, eSentire, and Red Canary. The pricing models vary (per-endpoint, per-user, per-data-volume) but the per-customer total typically lands in the same range. MDR is the dominant model for mid-market in 2026; in-house SOC is reserved for organisations either above 5,000 employees or with regulatory requirements that mandate in-house capability. Cross-reference: mdrcost.com. [Forrester MDR market analysis 2024 + IDC MDR pricing surveys 2024-2025]

Exhibit D

Cost-line build-up against the $4.20M figure


Cost line                      | Share of $4.20M | Dollar figure | Driver
-------------------------------|-----------------|---------------|------------------------------------------------------------------
Incident response + forensics  | 21%             | $882K         | IR retainer + additional emergency hours
Direct wire / ransomware loss  | 19%             | $798K         | BEC dominant in mid-market loss line
Notification + monitoring      | 15%             | $630K         | Sized to customer-record count
System rebuild + recovery      | 13%             | $546K         | Full-environment rebuild for major events
Legal + class-action exposure  | 11%             | $462K         | Class-action filing now routine above 100K records
Customer churn                 | 9%              | $378K         | Higher than enterprise due to relationship intensity
Security-control rebuild       | 7%              | $294K         | Post-event MFA, EDR, MDR deployment acceleration
Insurance-premium increase     | 5%              | $210K         | Multi-year annualised; mid-market premiums hardened sharply 2022-2025

The IR-forensics line is structurally larger as a percentage of total for mid-market than for either SMB (where IR is more limited because budget caps engagement scope) or for enterprise (where pre-existing controls compress the IR engagement). Mid-market events frequently involve full-event IR work without the benefit of pre-existing internal SOC capability. [IBM 2025 mid-market sub-cohort + IR vendor pricing surveys]

Exhibit E

The FIDO2 deployment economics for mid-market


Universal FIDO2 hardware-key deployment is the single most-leveraged structural phishing-defence investment available to mid-market organisations. The economics for a typical 2,000-employee mid-market organisation are favourable. Hardware-key cost at approximately $50 per user (YubiKey or equivalent) plus replacement and onboarding overhead lands at roughly $100,000 in hardware. Deployment and change-management work (rolling out the keys, enrolling users, updating internal documentation, training the helpdesk on key-replacement procedures) typically adds $50,000 to $200,000 depending on internal capability. Total program cost therefore lands in the $150,000 to $300,000 band, amortised over 3 to 5 years of key lifetime.

Against the modelled $4.20M average breach cost, the program ROI is favourable even on a single avoided event. The reduction in modelled credential-pivot value is approximately 95 percent (FIDO2 breaks AitM, prevents MFA fatigue, eliminates push-bomb success), which translates to a per-event reduction in breach cost in the $1.5M to $3M band depending on how much of the typical event is credential-pivot-driven. Phasing the deployment over 12 to 18 months allows the change-management work to land without overwhelming the helpdesk, with administrative and finance roles prioritised in the first phase.
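The payback argument above can be made explicit as an annualised-cost versus avoided-loss model. This is an added illustration, not the page's own model or a FIDO Alliance figure; it uses the page's $4.20M breach cost, ~95% credential-pivot reduction, $150K to $300K program band and 3 to 5 year key lifetime, and treats the credential-pivot share of a typical event as an assumed input (the page's $1.5M to $3M avoided-loss band corresponds to shares of roughly 0.38 to 0.75).

```python
"""FIDO2 program ROI model for the Exhibit E bands (added illustration).

Assumptions: straight-line amortisation over key lifetime; the fraction of a
breach's cost that is credential-pivot-driven is an input, since the page
gives only the resulting $1.5M-$3M avoided-loss band.
"""

BREACH_COST = 4_200_000          # page's modelled mid-market average
PIVOT_REDUCTION = 0.95           # page's ~95% credential-pivot value reduction


def annualised_program_cost(total_cost: float, key_lifetime_years: float) -> float:
    """Hardware + rollout cost spread evenly over the key lifetime."""
    return total_cost / key_lifetime_years


def avoided_loss_per_event(credential_pivot_share: float,
                           breach_cost: float = BREACH_COST,
                           reduction: float = PIVOT_REDUCTION) -> float:
    """Dollar reduction in one event's cost when the credential-pivot portion
    (share of the event, assumed) is cut by `reduction`."""
    if not 0.0 <= credential_pivot_share <= 1.0:
        raise ValueError("share must be a fraction of the event")
    return breach_cost * credential_pivot_share * reduction


def single_event_payback(total_cost: float, credential_pivot_share: float) -> bool:
    """The page's claim: the whole program is cheaper than one avoided event."""
    return avoided_loss_per_event(credential_pivot_share) >= total_cost


def breakeven_annual_event_probability(total_cost: float, key_lifetime_years: float,
                                       credential_pivot_share: float) -> float:
    """Annual probability of a phishing-initiated breach at which expected
    avoided loss equals annualised program cost; above it the program is
    positive expected value every year, not just on a realised event."""
    annual = annualised_program_cost(total_cost, key_lifetime_years)
    return annual / avoided_loss_per_event(credential_pivot_share)


if __name__ == "__main__":
    for total in (150_000, 300_000):
        for share in (0.38, 0.75):
            p = breakeven_annual_event_probability(total, 4, share)
            print(f"program ${total:,} share {share}: break-even p = {p:.1%}")
```

With a $300K program over four years and the low end of the credential-pivot share, expected avoided loss exceeds annualised cost once the yearly breach probability is above roughly 5%, which is why the page treats single-event payback as the conservative case.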

The deployment-friction challenges that have slowed FIDO2 adoption in larger enterprises are typically smaller in mid-market because the user population is smaller and the SaaS-app surface is more contained. Many mid-market organisations can complete universal FIDO2 deployment in a single 6-month program window once executive sponsorship is in place. The most common deployment-pattern friction is around legacy-application authentication where FIDO2 is not natively supported; the workaround is typically to gate access to legacy applications through an identity-provider that does support FIDO2 (Okta, Microsoft Entra, Duo) and federate the application authentication through the provider. See /by-attack/aitm for the AitM-specific defence argument and /by-attack/mfa-fatigue for the push-bomb-specific argument. [FIDO Alliance deployment economics analyses 2024-2025 + YubiKey + IdP-vendor pricing data]

Exhibit F

Controls priority for mid-market security teams


#1 Universal FIDO2 hardware-key MFA

~95% of credential-pivot value
Cost: $150K to $300K total program

Highest-leverage single program for mid-market. Pays back on a single avoided phishing event. Phase over 12-18 months with finance and admin first.

#2 MDR coverage for 24x7 detection

~60% of dwell time
Cost: $200K to $800K per year

Replaces in-house SOC for organisations below ~5,000 employees. CrowdStrike Falcon Complete, SentinelOne Vigilance, Arctic Wolf, Expel, Red Canary are major providers. Cross-reference mdrcost.com.

#3 IR retainer with $75K-$100K hour bank

~30% of event-cost via faster engagement
Cost: $30K to $150K per year

Pre-negotiated relationship with IR firm. Compresses time-to-engagement and locks in retainer-rate pricing. Mandiant, CrowdStrike, Unit 42, Kroll are major providers.

#4 Behavioural email security

~55% of detected BEC attempts
Cost: $84K to $192K per year for 2K mailboxes

Abnormal Security, Proofpoint, Tessian-class. Catches the residual BEC and AitM lures that DMARC and MFA cannot stop.

#5 EDR on all endpoints

~80% of post-install ransomware pivot
Cost: $80K to $200K per year for 2K endpoints

CrowdStrike, SentinelOne, Microsoft Defender for Endpoint Plan 2. Often bundled with MDR provider; deploy as integrated capability.

#6 Phishing-simulation training program

~25% of bulk click rate over 12 months
Cost: $40K to $180K per year for 2K users

KnowBe4, Hoxhunt, Cofense. Useful baseline; not sufficient alone but necessary as a layer.

Exhibit G

Frequently filed questions

ON RECORD

What is the phishing cost for a mid-market organisation?

$4.20M average per IBM 2025 for the 500-to-5,000-employee band. Just below the cross-sector mean of $4.88M.

Why is mid-market the most-targeted segment?

Meaningful dollar volume meets weaker controls. Attacker risk-adjusted return is structurally highest in this segment because the SaaS-app attack surface matches large enterprises but the defensive controls frequently do not.

Should mid-market build a SOC or buy MDR?

MDR economics favour mid-market organisations below 5,000 employees. In-house SOC costs $1.5M-$4M per year fully-loaded; MDR provides equivalent coverage at $200K-$800K per year.

How much does an IR retainer cost?

$30K to $150K per year for a 4-hour or 8-hour response SLA with a 50-100 pre-paid hour bank. Compresses event time-to-engagement and locks in retainer-rate pricing.

What does universal FIDO2 deployment cost?

$150K to $300K total program for a 2,000-employee organisation. Hardware $50 per user, deployment and change-management $50K to $200K. Amortised over 3-5 years of key lifetime.

Is mid-market cyber insurance harder to get?

Yes, sharply harder since 2022. Underwriters require detailed control questionnaires and frequently mandate MFA and EDR as conditions of coverage. Premiums in 2025-2026 are 2-4x 2020 levels for the same coverage.

What is the most-leveraged single investment?

Universal FIDO2 deployment. Pays back on a single avoided phishing event against the modelled $4.20M average breach cost.

Updated 2026-04-27