TL;DR: Lateral movement remains central to modern breaches in IoT and OT environments, with Elisity citing IBM’s $4.88 million global average breach cost and research showing 60% of successful breaches involve lateral movement, while attackers dwell for 280 days on average before detection. The problem is not just detection; it is whether segmentation, access control, and response coordination actually work under realistic pressure.
NHIMG editorial — based on content published by Elisity: Cyber Resilience Best Practices for testing lateral movement prevention
By the numbers:
- The global average cost of a data breach has reached $4.88 million, a 10% spike from the previous year.
- Research from Elisity's Microsegmentation Buyer's Guide 2025 indicates that 60% of successful breaches now involve lateral movement.
- Attackers dwell in networks for an average of 280 days before detection.
Questions worth separating out
A: Design the exercise around realistic pivot paths, not abstract incident narratives.
Q: Why do IoT and OT environments make lateral movement harder to control?
A: Because many connected devices cannot run endpoint agents, and many operational protocols do not produce the same visibility that IT tools expect.
Q: What breaks when segmentation policies are only tested on paper?
A: What breaks is the assumption that a policy statement equals a working control.
Practitioner guidance
- Model real pivot paths in your tabletop scenarios Use scenarios such as IT-to-OT pivots, vendor credential compromise, and dual-homed workstation abuse to test whether segmentation actually blocks movement between trust zones.
- Test contractor access as a lateral movement pathway Include third-party remote access, VPN reuse, and maintenance workflows in your exercise design so you can verify whether vendor connectivity is constrained to the intended systems.
- Validate isolation authority before the exercise starts Document exactly who can disconnect an engineering workstation, shut down a vendor tunnel, or quarantine an OT segment when suspicious activity appears.
What's in the full article
Elisity's full blog post covers the operational detail this post intentionally leaves for the source:
- Scenario templates for phishing-to-OT pivots, vendor compromise, and IoT device abuse that can be adapted to your environment.
- Detailed tabletop design guidance for segmentation validation, containment decision points, and cross-functional participation.
- Measurement ideas for mean time to detect, mean time to contain, and segmentation effectiveness after the exercise.
- Practical examples of how organisations with healthcare and industrial environments structure hybrid red, blue, and purple team testing.
👉 Read Elisity's tabletop exercise guidance for lateral movement prevention in IoT and OT →
Lateral movement prevention in IoT and OT: are your tabletops realistic?
Explore further
Lateral movement prevention is now a governance test, not just a network design problem. The article shows that segmentation only matters if people can validate it under realistic attack paths. For identity teams, that means access, trust, and isolation controls must be examined as an integrated system, not as separate checklist items.
A few things that frame the scale:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
A question worth separating out:
Q: Who should be accountable when lateral movement reaches critical OT or IoT systems?
A: Accountability should sit with the teams that own the access path, the segmentation boundary, and the containment decision, not with one security function alone. OT operations, network teams, and incident response all have to agree on authority before an event occurs. If no one can isolate a segment quickly, the governance model has failed.
👉 Read our full editorial: Lateral movement tabletop exercises expose IoT and OT resilience gaps