April 23, 2025

The Internet of Things (IoT) has woven itself into the fabric of modern business. Whether it’s smart security cameras, connected HVAC systems, or industrial sensors humming away on a factory floor, these devices are now critical to everyday operations. But beneath convenience and innovation lies a serious, often underestimated threat: IoT devices are increasingly being used as backdoors for ransomware attacks. “According to a report by Zscaler, there has been a 400% increase in IoT and OT malware attacks year-over-year. The manufacturing industry, which relies heavily on both IoT and OT, was the top targeted sector, accounting for 54.5% of all attacks and averaging 6,000 weekly attacks across all monitored devices”.

For many businesses, especially small and mid-sized ones without a dedicated cybersecurity team, this presents a growing vulnerability that can no longer be ignored.

When Convenience Becomes a Cyber Risk

 The problem isn’t the technology itself; it’s how IoT devices are deployed and managed. These devices are designed to be plug-and-play, often shipped with default login credentials and minimal built-in security. Firmware updates, if they exist, are infrequent. Logging and monitoring are rarely enabled by default. In some cases, IT may not even know a device is on the network.

This creates a perfect storm. A single unsecured camera or sensor can become an open door, one that ransomware actors are all too happy to walk through. Once inside, attackers can move laterally across the network, bypass traditional defenses, and eventually deploy ransomware to encrypt sensitive business data or shut down critical systems.

The 2021 Verkada breach was a loud wake-up call: hackers gained access to over 150,000 IoT-connected security cameras inside companies, hospitals, jails, and schools, simply by using administrative credentials. It highlighted how a relatively small oversight can have enterprise-wide consequences. This this case the consequences totaled nearly $3 million. Yikes.

Why Small and Mid-Sized Businesses Are Most at Risk

Larger organizations often have in-house security teams and budgets to match. They’re more likely to segment their networks, enforce patching, and monitor devices closely. But many small and mid-sized businesses are operating without that kind of support. They may not have a single person dedicated to cybersecurity, let alone a team.

Without someone keeping tabs on IoT security, basic missteps add up quickly: default passwords remain unchanged, firmware updates fall by the wayside, and traffic from these devices goes unmonitored. When something goes wrong, there’s often no incident response plan or security partner to call.

These businesses aren’t just at risk, they’re attractive targets. Ransomware groups understand that smaller companies are easier to compromise and more likely to pay, especially if the attack disrupts operations or locks up vital systems “reports have shown that 71% of ransomware attacks target small businesses, with an average ransom demand of $116,000. Attackers know that smaller businesses are much more likely to pay a ransom, as their data is often not backed up and they need to be up and running as soon as possible”.

The good news is that even if you don’t have in-house cybersecurity staff, you’re not without options. Managed Service Providers (MSPs) and virtual Chief Information Security Officers (vCISOs) are two of the most effective ways to bring cybersecurity expertise into your business without building a team from scratch.

MSPs offer 24/7 monitoring, patch management, threat detection, and incident response. They can help you stay ahead of vulnerabilities and respond quickly if something goes wrong. A vCISO, on the other hand, plays a more strategic role in helping your leadership team understand risk, shape policy, guide procurement decisions, and build a roadmap to long-term security maturity.

This kind of partnership is especially valuable when it comes to securing IoT environments. Many MSPs now offer specialized tools and services to monitor IoT traffic and manage devices that fall outside traditional IT infrastructure. Additionally, a vCISO can help ensure IoT security is built into your business from the top down, not treated as an afterthought. “A vCISO helps manage cybersecurity risks and ensures compliance, keeping your organization secure and protected from evolving threats. It mentions that vCISOs bring value by aligning security with business goals, ensuring good governance, and fostering a security-conscious culture”.

Building a Secure IoT Environment

 Securing IoT devices doesn’t have to be complex, but it does need to be intentional. Start by ensuring that connected devices aren’t sharing the same network as your critical business systems. Even a basic level of network segmentation can prevent an exploited device from being used to reach more valuable assets.

Credentials also matter. Default usernames and passwords are still one of the most common reasons IoT devices are compromised. They should be replaced with strong, unique credentials immediately and, wherever possible, two-factor authentication (or better yet MFA tokens) should be enabled.

It’s also essential to stay on top of firmware updates. Many devices require manual updates, and some won’t notify you when they’re available. Keep a list of your IoT devices and set a recurring schedule to check for and apply updates. If you’re working with a trusted vendor or MSSP, they can often handle this for you.

Finally, visibility is key. If you’re not monitoring IoT traffic, you won’t see signs of compromise until it’s too late. Tools that provide insight into what these devices are doing—and when they deviate from normal behavior—can make a huge difference.

Conclusion: Prevention Pays Off

IoT is here to stay, and for good reason. These devices power smarter buildings, streamline operations, and open the door to innovation. But they also open doors to attackers—unless you secure them. “By prioritizing IoT security, businesses can safeguard their operations and protect against the growing threat of ransomware attacks.” says ACP CreativIT’s Rod Kahl. “For businesses without cybersecurity teams, IoT doesn’t have to be a blind spot.” By leaning on trusted partners like MSPs and vCISOs, and by taking a few foundational steps to improve device security, you can protect your organization from ransomware and other advanced threats.

About Mindsight

Mindsight delivers enterprise managed services and technology solutions to the mid-market across a variety of industries including manufacturing, financial services, government, education – just to name a few. Our solution architects and engineers are 100% expert-level and work as an extension of your IT team. Mindsight is headquartered in Downers Grove, IL, a suburb of Chicago.

Mindsight is part of the ACP CreativIT Family of Technology Solution Providers

 

April 1, 2025

If you think the biggest threat to your organization is some hoodie-wearing hacker pounding away at a keyboard in a dark basement, think again. The real danger? A distracted employee who clicks the wrong link in an email while rushing between meetings. That’s how ransomware sneaks in, which is why training your people is one of the most important things you can do to stay safe.

Whether you’re running a company, a school district, or a government office, the message is the same: Ransomware readiness starts with your team. And unfortunately, most training programs just aren’t cutting it.

“Stop treating your people like they are part of the problem and start training them to be part of the solution,” says Mindsight’s Matt Cox. From Integrating Cybersecurity into Your C-Suite to creating a cybersecurity culture Mindsight shares the elements necessary to keep your network safe.

Phishing Emails Are the Front Door to Ransomware

Most ransomware attacks start with something simple: a phishing email. It looks innocent. Maybe it says it’s from the boss. Maybe it’s a fake invoice. One click later, and suddenly your data is encrypted, your network is in chaos, and you’re the subject of a very serious Zoom meeting.

That’s why training matters so much. Because it’s not just about technology. It’s about people knowing how to spot shady stuff before it becomes a disaster.

Click Rates Are Not the Holy Grail

A lot of security programs love to brag about low phishing “click rates.” But here’s the thing: click rates are easy to manipulate. Want to make it look like no one’s falling for phishing? Just send out an obviously fake email, like one from a “Nigerian Prince” promising you a yacht.

Instead of obsessing over who clicked, focus on who reported the phishing attempt. Reporting is what actually helps stop a real attack in its tracks. If your team is quick to flag suspicious emails, they’re doing exactly what you want them to do.

Training Shouldn’t Be a Snoozefest

You know what doesn’t work? One long, boring training session once a year. People zone out. They forget everything two weeks later. And let’s be honest, no one remembers that PowerPoint about password hygiene from last March.

Effective training is short, regular, and actually engaging. Think quick videos, interactive quizzes, even a little friendly competition. Got departments? Create a leaderboard. People love seeing how their team stacks up, especially if there are bragging rights on the line.

Don’t Just Train the “Clickers”

A big mistake? Only training the people who mess up and click on phishing emails. That’s like giving swim lessons only to the folks who fell in the pool. Everyone needs to be in on the training, not just the people who slipped up.

And stop treating employees like they’re the problem. They’re not. They’re your first line of defense. When they’re confident and informed, they make smarter choices. Whether it’s recognizing a phishing email, avoiding sketchy Wi-Fi, or using strong passwords, trained employees are security assets.

One Size Doesn’t Fit All

Different people face different risks. Your software developers, help desk crew, and leadership team all deal with different kinds of threats. So why give them the same training? Mix it up. Tailor your content. Make it relevant to their roles and they’ll actually pay attention.

If you’re in a smaller organization, that’s okay, too. Start simple, train consistently, and keep it fresh. Even 10 minutes of training a month can pay off in a big way.

Ransomware Doesn’t Wait, So Don’t Wait to Train

Cybercriminals are getting smarter, faster, and sneakier. And now they’re using AI to craft scarily convincing phishing emails. It’s not a matter of if your organization gets targeted. It’s when.

So ask yourself: when that moment comes, do you want an unprepared team that panics? Or a crew that spots the danger, reports it, and shuts it down before it spreads?

Your best defense isn’t just firewalls and fancy tools. It’s people who know what to do.

TL;DR

• Ransomware starts with people, so train your people.
• Don’t just track click rates. Encourage reporting.
• Make training engaging, not exhausting.
• Train everyone, not just the folks who slip up.
• Keep it regular, relevant, and role-specific.

Because when the next phishing email hits someone’s inbox, it won’t be your antivirus making the call. It’ll be a person. And if that person is trained and ready, you’re already winning.

About Mindsight

Mindsight delivers enterprise managed services and technology solutions to the mid-market across a variety of industries including manufacturing, financial services, government, education – just to name a few. Our solution architects and engineers are 100% expert-level and work as an extension of your IT team. Mindsight is headquartered in Downers Grove, IL, a suburb of Chicago.

Mindsight is part of the ACP CreativIT Family of Technology Solution Providers