WatchGuard Blog

Zero Trust for Mid-Market: Why Modern IT Security Assumes Attacks Will Succeed

Why mid-market security must assume breaches will happen. Learn how Zero Trust, EDR, MFA, and 24/7 monitoring reduce real-world risk.

Guest post by WatchGuard Tech All-Star, Marko Bauer 

It's Monday morning, 7:30 AM. Your employees arrive at the office and can't log in. Systems are dead. Your phone rings. IT reports: Ransomware. All data encrypted. Then the email: €500,000 ransom. In 48 hours, the attackers will begin publishing customer data, contracts, and internal documents on the dark web. The first dump is already online, as “proof.” 

Your company is paralyzed. Production can't work. Sales has no access to orders. Accounting sits in front of blank screens. Every hour costs you tens of thousands. 

This isn't dystopian fiction. It happens to hundreds of mid-market companies in Germany alone, every year. And it almost always follows the same pattern: The attackers didn't come through your firewall. They came through a supplier, a service provider, a partner with trusted access to your network. Then they moved undetected through your systems for weeks, copying data, installing backdoors, until Sunday evening when they flipped the switch. 

Why the Old Security Strategy Failed 

Traditional IT security builds a wall around your network and hopes nobody gets through. That worked when attacks were slow and your employees sat in the office behind the same firewall. 

Today, attackers use artificial intelligence to find in minutes what used to take weeks. They don't compromise you directly; they compromise your IT provider, your tax advisor, your cloud backup vendor, and inherit trusted access to your network. Your employees work from home, from hotels, from cafés. Your “firewall wall” no longer exists. 

Modern IT security thinks differently: It doesn't assume it can prevent attacks. It assumes attacks will succeed, and ensures they still can't cause catastrophic damage. 

Four Measures That Make the Difference 

Don't think of your network as a castle with a wall. Think of it as a modern maximum-security prison: Even if someone breaches an outer wall, they don't get far. Every door is individually secured. Every area is monitored. Movement is immediately detected. 

You achieve this through four core principles: 

  • Network segmentation: Divide your network into many small, isolated areas. A compromised workstation doesn't become a highway through all systems. 
  • Endpoint protection everywhere: Every laptop, every tablet outside your office needs its own local security systems, not just protection from your data center firewall. 
  • Personal access: No more permanent master keys. Every access must be personal and immediately revocable. 
  • 24/7 monitoring: Attacks happen at night, on weekends, on holidays. You need eyes that never sleep. 

Let's examine each measure in detail. 

Network Segmentation: Trapping Attackers in the Basement 

Imagine this: A burglar breaks into your office building, comes through a basement window, and is stuck there. All doors to other floors are locked. He has access to an empty storage room, but not to your vault. 

That's exactly what network segmentation is. 

In classic networks, everything is connected to everything. Every computer can talk to every server. That was convenient, and is deadly today. 

Modern networks work differently: They divide your network into many small zones. Each zone can only communicate with very specific other zones. 

Specifically: 

  • Your accounting laptop can access the accounting server, and nothing else 
  • Production servers cannot communicate with the Internet 
  • Guest Wi-Fi has zero access to corporate resources 
  • Printers, cameras, IoT devices sit isolated in their own zones 

If an attacker compromises a laptop, they're stuck in a dead end. They can't jump to your servers. Not to other workstations. Not to your backups. They can't start a wildfire. 

Does this apply to cloud too? Absolutely. Whether your systems are in your own data center or with Microsoft, Amazon, or Google, the principle remains the same. Segment. Without segmentation, your cloud environment is just as vulnerable as your old network. 
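The four bullets above are really an allow-list with everything else denied. The following is an added illustration, not code from the post or from WatchGuard: a small model of that zone policy in which a flow passes only when explicitly listed, plus a check that flags rules drifting away from the principles (production reaching the Internet, guests reaching corporate zones, IoT initiating flows). Zone names, services and rules are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    service: str

# Constructed allow-list modelling the zones named in the post. Anything not listed is denied.
BASELINE = {
    Rule("accounting_clients", "accounting_servers", "https"),
    Rule("accounting_clients", "accounting_servers", "smb"),
    Rule("guest_wifi", "internet", "https"),
    Rule("production_servers", "backup", "backup_agent"),
    Rule("it_admin", "iot", "https"),   # printers/cameras are managed from one admin zone only
}

# Upper bound on where each source zone may ever reach (constructed from the post's bullets).
REACH_LIMIT = {
    "accounting_clients": {"accounting_servers"},
    "guest_wifi": {"internet"},
    "iot": set(),   # isolated: devices never initiate flows out of their own zone
}
FORBIDDEN_PAIRS = {("production_servers", "internet")}

def is_allowed(rules, src_zone, dst_zone, service):
    """Default deny: a flow passes only when an explicit rule matches."""
    return Rule(src_zone, dst_zone, service) in rules

def blast_radius(rules, src_zone):
    """Zones a host compromised in src_zone could reach at all under this rule set."""
    return {r.dst_zone for r in rules if r.src_zone == src_zone}

def segmentation_violations(rules):
    """Rules that break the post's segmentation principles; an empty list means compliant."""
    bad = []
    for r in rules:
        if (r.src_zone, r.dst_zone) in FORBIDDEN_PAIRS:
            bad.append(f"{r.src_zone} -> {r.dst_zone}: production must not reach the internet")
        limit = REACH_LIMIT.get(r.src_zone)
        if limit is not None and r.dst_zone not in limit:
            bad.append(f"{r.src_zone} -> {r.dst_zone}: outside permitted reach {sorted(limit)}")
    return bad

if __name__ == "__main__":
    # Two legacy-style rules that would reopen the "everything talks to everything" network.
    drifted = BASELINE | {Rule("production_servers", "internet", "https"),
                          Rule("guest_wifi", "file_servers", "smb")}
    print(sorted(blast_radius(BASELINE, "accounting_clients")))
    for v in segmentation_violations(drifted):
        print("violation:", v)
```

Running the audit against every rule-set change (and against the cloud security groups mentioned above, which are the same idea) turns "we segmented once" into a property that is checked continuously.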

Endpoint Protection: Because Your Employees Work Everywhere 

Your employees work from home. On trains. In hotels. At airport cafés. Each of these places has open or poorly secured Wi-Fi. Each is a potential attack point. 

You need security that travels with the device. Every laptop must be its own fortress: A local firewall that blocks unwanted connections. Software that detects suspicious behavior, like when thousands of files are suddenly encrypted. Automatic responses: The device disconnects itself from the network when it detects a threat. 

(In the WatchGuard portfolio, this is EPDR and FireCloud Total Access.)  

Why isn't the old antivirus program enough? Because modern attacks no longer work with recognizable “viruses.” They use legitimate tools that only reveal themselves as malicious through their behavior. 

Access Control: The End of Shared Passwords 

The most common security disasters in mid-market: 

The Wi-Fi password hangs on the bulletin board. Everyone knows it: employees, former employees, visitors, the technician from two years ago. When someone leaves, nobody changes it. 

VPN access with just username and password, nothing more. When the password is leaked (and eventually every password is leaked), your systems are open. 

Modern access control: 

Personal accounts for everyone. When Sarah leaves, you lock Sarah's account. Done. 

Two-factor authentication everywhere. VPN, cloud access, critical systems, everything requires more than just a password. This can be an app, an SMS code, a hardware token. (WatchGuard AuthPoint makes this easy, even with different services.)  

Wi-Fi with personal login. Instead of a shared password, everyone logs in with their own credentials (802.1x). You see who's on the network. You can block individual access. 

The principle: Every access must be personal and immediately revocable. 

24/7 Monitoring: Because Attackers Don't Clock Out 

Even if you do everything right, attacks will happen. The question is: Do you notice in time? 

It's Saturday night, 2 AM. An attacker logs in through a compromised partner access. They start copying data. Slowly, inconspicuously. They have two full days until Monday morning. 

What happens in your company? Probably nothing. Because nobody's watching. 

You need a security operations center (SOC), a permanent monitoring center that never sleeps. A SOC collects data from all your systems, analyzes it with AI and human expertise, detects anomalies, and raises alarms. 

Critical: A SOC is only as good as the data it receives. If it only monitors your firewall but not your endpoints ‒ blind spot. Only servers but not cloud systems ‒ blind spot. Only logins but not data movements ‒ blind spot. 

An effective SOC needs visibility into: 

  • All endpoints: Laptops, tablets, smartphones 
  • Network and firewalls: Who's connecting to whom? What data volumes? 
  • Cloud systems: Microsoft 365, AWS, Azure, Google 
  • Infrastructure: Servers, databases, backups 

(WatchGuard MDR, Managed Detection and Response, monitors exactly that: endpoints, network, cloud, and infrastructure.)  

'But we can't afford our own SOC!' You don't have to. Managed SOC services share highly specialized experts and AI systems across hundreds of customers. You get access to expertise you could never afford alone, at affordable monthly costs per endpoint. 

Even more important: Cyber insurance increasingly requires 24/7 monitoring. Without proof, you won't get coverage, or only at unaffordable rates. 

What It Costs: And What It Costs You Not To Do It 

Realistic investment for a mid-market company (50 to 100 employees): 

  • EPDR for all endpoints: Low double-digit euro amounts per device/month 
  • Managed SOC (MDR): Similar range per endpoint/month 
  • 802.1x and two-factor authentication: One-time setup, then marginal ongoing costs 
  • Network segmentation: Depends on your infrastructure, often achievable with existing hardware 

Total package: Typically a mid four-figure monthly amount, depending on company size. 

Cost of a ransomware attack: 

  • Average ransom: €200,000 to 500,000 
  • Business interruption: €50,000 to 200,000 (depending on duration) 
  • Recovery costs: €100,000 to 300,000 
  • GDPR fines: Up to €20 million or 4% of annual revenue 
  • Customer loss and reputation damage: Incalculable 

A single prevented attack finances the security measures for years. 

A Real-World Example 

A mid-sized machine builder in southern Germany, 80 employees, had done everything right: network segmentation, EPDR on all devices, 24/7 SOC. 

On a Friday evening at 10 PM, the SOC raised an alarm: unusual login patterns from a supplier's VPN access. The compromised account was immediately locked. Analysis showed: attackers had gained access and were in the process of scanning the network. 

Thanks to segmentation, they couldn't get beyond the VPN zone. Thanks to SOC, the attack was detected and stopped in 15 minutes. Damage: Zero. Monday morning, production ran normally. Customers noticed nothing. 

Without these measures? The attack would have only been noticed Monday morning, with encrypted systems and stolen design data. 
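The Saturday-night scenario in the monitoring section and the Friday-evening alarm above share one detectable shape: a partner account logging in outside business hours, then touching many internal hosts. This is an added example, not code from the post or from WatchGuard MDR, of that detection logic run over constructed, simplified VPN and firewall events; the log format, zone name and business-hours policy are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed, simplified auth/firewall events (not a real WatchGuard log format).
SAMPLE_LOG = """\
2024-03-07T09:15:02 vpn login user=svc-logistics src=198.51.100.9 zone=partner_vpn
2024-03-07T09:15:20 fw connect user=svc-logistics dst=10.30.0.12 port=443 zone=partner_vpn action=allow
2024-03-08T22:01:12 vpn login user=svc-supplier src=203.0.113.7 zone=partner_vpn
2024-03-08T22:01:40 fw connect user=svc-supplier dst=10.20.0.5 port=445 zone=partner_vpn action=deny
2024-03-08T22:01:41 fw connect user=svc-supplier dst=10.20.0.6 port=445 zone=partner_vpn action=deny
2024-03-08T22:01:41 fw connect user=svc-supplier dst=10.20.0.7 port=3389 zone=partner_vpn action=deny
2024-03-08T22:01:42 fw connect user=svc-supplier dst=10.20.0.8 port=445 zone=partner_vpn action=deny
2024-03-08T22:01:42 fw connect user=svc-supplier dst=10.20.0.9 port=22 zone=partner_vpn action=deny
"""
LINE = re.compile(r"^(?P<ts>\S+) \w+ (?P<event>\w+) (?P<kv>.*)$")

def parse(line):
    """Turn one line into a dict of fields; returns None for lines that do not match."""
    m = LINE.match(line)
    if not m:
        return None
    ev = {"ts": datetime.fromisoformat(m["ts"]), "event": m["event"]}
    ev.update(pair.split("=", 1) for pair in m["kv"].split())
    return ev

def off_hours(ts):
    """Weekend, or outside 07:00-19:00 on a weekday (constructed business-hours policy)."""
    return ts.weekday() >= 5 or not 7 <= ts.hour < 19

def detect(log_text, scan_threshold=5):
    """Alert on partner-VPN accounts that log in off-hours and then touch many distinct hosts."""
    # Denied connections count too: segmentation blocked them, but the probing is the signal.
    logins, targets = {}, defaultdict(set)
    for line in log_text.splitlines():
        ev = parse(line)
        if not ev or ev.get("zone") != "partner_vpn":
            continue
        if ev["event"] == "login":
            logins[ev["user"]] = ev["ts"]
        elif ev["event"] == "connect":
            targets[ev["user"]].add(ev["dst"])
    alerts = []
    for user, login_ts in logins.items():
        if off_hours(login_ts) and len(targets[user]) >= scan_threshold:
            alerts.append({"user": user, "login_at": login_ts.isoformat(),
                           "distinct_hosts": len(targets[user])})
    return alerts
```

Calling `detect(SAMPLE_LOG)` returns one alert, for svc-supplier; the svc-logistics session on a Thursday morning against a single host stays quiet, which is the kind of signal-to-noise a SOC analyst needs before locking an account.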

Your Concrete Next Step 

You don't have to implement everything immediately. But you should start today: 

This week: 

  • Schedule a security assessment with a specialized partner 
  • Enable two-factor authentication for VPN and cloud access (takes one day) 
  • Install EPDR and FireCloud on all mobile devices 

This month: 

  • Set up personal Wi-Fi authentication for your main Wi-Fi 
  • Evaluate and engage SOC service 
  • Create incident response plan 

Next 6 months: 

  • Implement network segmentation progressively, starting with highest-risk areas 
  • Establish regular testing 

Realistic timeframe for complete implementation: 6 to 12 months, depending on your starting point. The good news: Every step brings immediate, measurable security gains. 

The Future Belongs to the Prepared 

Let's end with a different vision than we started: 

It's Monday morning, 7:30 AM. Your employees arrive at the office and log in as usual. Systems are running. Your phone rings. IT reports: An attack attempt was automatically detected and blocked over the weekend. The attacker came through a compromised partner's access but was stuck in an isolated zone. Your SOC responded before any damage could occur. Everything is documented. Your business continues normally. 

This isn't utopia. This is the new standard for companies that treat IT security for what it is: A fundamental requirement for successful business in the 21st century. 

The threats won't disappear. They'll get smarter and faster. But with the right architecture, segmentation, endpoint protection, access control, and permanent monitoring, you transform your company from a soft target into a hard nut. 

You can implement this. Many mid-market companies have already done so. The only question is: Will you wait until your Monday morning becomes a nightmare? Or will you act today? 

The next attack is coming. The only question is: Are you prepared? 

About The Author 

Marko Bauer is Managing Director of Fornax GmbH, an IT systems house specializing in cybersecurity solutions for mid-market companies. As a WatchGuard Tech All-Star, he helps organizations navigate the evolving threat landscape with practical, implementable security strategies. 
