Why Mid-Market Businesses Are the Number One Ransomware Target in 2025

There is a persistent misconception in mid-market technology planning that ransomware is primarily an enterprise problem — that the criminals targeting critical infrastructure, hospitals, and major corporations are operating at a different level than the threat facing a 200-person logistics company or a regional professional services firm. That misconception is now operationally dangerous.
The data tells a different story. Businesses with 100 to 1,000 employees now represent the largest share of successful ransomware incidents in Canada. They are attacked more frequently than enterprise targets, and they are compromised at a substantially higher rate.
The Economics of Targeting Mid-Market Organisations
Ransomware operators are running businesses. They have acquisition costs, operational costs, and yield targets. Large enterprise targets are increasingly expensive to attack — security budgets are higher, response capabilities are faster, and the legal consequences of a successful attack are significant.
Mid-market organisations carry a combination of characteristics that make them disproportionately attractive: sufficient revenue to make a ransom payment viable (typically between $50,000 and $500,000), insufficient internal IT and security resources to detect or respond quickly, legacy infrastructure with inconsistent patch management, increasing reliance on digital operations making downtime expensive, and less mature backup and recovery infrastructure than enterprise counterparts.
How Ransomware Attacks Actually Happen
The entry vectors for most mid-market ransomware incidents are not exotic. They are predictable, preventable, and well-documented. The three most common are phishing emails with credential-harvesting payloads, exploitation of unpatched remote access infrastructure (particularly VPN appliances and RDP endpoints), and compromised third-party vendors with trusted network access.
What happens after initial access is where mid-market organisations lose ground fastest. Enterprise security teams have tooling that detects lateral movement. Mid-market organisations rarely have equivalent detection capability. The average dwell time for mid-market incidents is 18 days — during that window, attackers are mapping the network, identifying backup systems, and exfiltrating data before they encrypt anything.
What a Proportionate Cybersecurity Response Looks Like
The answer is not to build an enterprise security function. The answer is to make the economics of attacking your organisation less favourable.
Endpoint Detection and Response (EDR)
Basic antivirus is not sufficient against modern ransomware. EDR tools monitor behaviour rather than signatures — they can detect lateral movement, unusual process execution, and credential dumping even when the malware itself is unknown.
Multi-Factor Authentication (MFA)
MFA on all remote access points and all cloud services eliminates the most common credential-based attack vector. Stolen passwords are useless without the second factor.
Backup Architecture That Survives Encryption
Backups that are connected to the network are vulnerable to encryption alongside production data. Air-gapped or immutable backups — stored offline or in a system that prevents modification — are the only backup architecture that reliably survives a ransomware event.
Network Segmentation
Flat networks — where every device can communicate with every other device — allow ransomware to propagate from a single compromised endpoint to the entire environment. Network segmentation limits what a compromised device can reach.
Incident Response Planning
An incident response plan that has been documented, reviewed by leadership, and tested through a tabletop exercise reduces the cost and duration of a ransomware event significantly.
The Cost of Inaction
The average cost of a ransomware event for a mid-market business in Canada — including ransom payment, downtime, recovery, legal, and notification costs — now exceeds $1.2 million. The cost of a proportionate security programme that addresses the primary attack vectors is typically less than $50,000 per year. The arithmetic is not close.
If your organisation has not conducted a formal security assessment, or if your last assessment did not specifically address ransomware readiness, that is the right starting point. A structured assessment will identify specific vulnerabilities and prioritise remediation by impact.