Ransomware’s New Favorite Target: Your Unsecured IoT Devices

 

April 23, 2025

The Internet of Things (IoT) has woven itself into the fabric of modern business. Whether it’s smart security cameras, connected HVAC systems, or industrial sensors humming away on a factory floor, these devices are now critical to everyday operations. But beneath the convenience and innovation lies a serious, often underestimated threat: IoT devices are increasingly being used as backdoors for ransomware attacks. “According to a report by Zscaler, there has been a 400% increase in IoT and OT malware attacks year-over-year. The manufacturing industry, which relies heavily on both IoT and OT, was the top targeted sector, accounting for 54.5% of all attacks and averaging 6,000 weekly attacks across all monitored devices.”

For many businesses, especially small and mid-sized ones without a dedicated cybersecurity team, this presents a growing vulnerability that can no longer be ignored.

When Convenience Becomes a Cyber Risk

The problem isn’t the technology itself; it’s how IoT devices are deployed and managed. These devices are designed to be plug-and-play, often shipped with default login credentials and minimal built-in security. Firmware updates, if they exist, are infrequent. Logging and monitoring are rarely enabled by default. In some cases, IT may not even know a device is on the network.

This creates a perfect storm. A single unsecured camera or sensor can become an open door, one that ransomware actors are all too happy to walk through. Once inside, attackers can move laterally across the network, bypass traditional defenses, and eventually deploy ransomware to encrypt sensitive business data or shut down critical systems.

The 2021 Verkada breach was a loud wake-up call: hackers gained access to over 150,000 IoT-connected security cameras inside companies, hospitals, jails, and schools, simply by using administrative credentials. It highlighted how a relatively small oversight can have enterprise-wide consequences. In this case, the consequences totaled nearly $3 million. Yikes.


Why Small and Mid-Sized Businesses Are Most at Risk

Larger organizations often have in-house security teams and budgets to match. They’re more likely to segment their networks, enforce patching, and monitor devices closely. But many small and mid-sized businesses are operating without that kind of support. They may not have a single person dedicated to cybersecurity, let alone a team.

Without someone keeping tabs on IoT security, basic missteps add up quickly: default passwords remain unchanged, firmware updates fall by the wayside, and traffic from these devices goes unmonitored. When something goes wrong, there’s often no incident response plan or security partner to call.

These businesses aren’t just at risk; they’re attractive targets. Ransomware groups understand that smaller companies are easier to compromise and more likely to pay, especially if the attack disrupts operations or locks up vital systems. “Reports have shown that 71% of ransomware attacks target small businesses, with an average ransom demand of $116,000. Attackers know that smaller businesses are much more likely to pay a ransom, as their data is often not backed up and they need to be up and running as soon as possible.”

The good news is that even if you don’t have in-house cybersecurity staff, you’re not without options. Managed Service Providers (MSPs) and virtual Chief Information Security Officers (vCISOs) are two of the most effective ways to bring cybersecurity expertise into your business without building a team from scratch.

MSPs offer 24/7 monitoring, patch management, threat detection, and incident response. They can help you stay ahead of vulnerabilities and respond quickly if something goes wrong. A vCISO, on the other hand, plays a more strategic role in helping your leadership team understand risk, shape policy, guide procurement decisions, and build a roadmap to long-term security maturity.

This kind of partnership is especially valuable when it comes to securing IoT environments. Many MSPs now offer specialized tools and services to monitor IoT traffic and manage devices that fall outside traditional IT infrastructure. Additionally, a vCISO can help ensure IoT security is built into your business from the top down, not treated as an afterthought. “A vCISO helps manage cybersecurity risks and ensures compliance, keeping your organization secure and protected from evolving threats. It mentions that vCISOs bring value by aligning security with business goals, ensuring good governance, and fostering a security-conscious culture.”

Building a Secure IoT Environment

Securing IoT devices doesn’t have to be complex, but it does need to be intentional. Start by ensuring that connected devices aren’t sharing the same network as your critical business systems. Even a basic level of network segmentation can prevent an exploited device from being used to reach more valuable assets.

Credentials also matter. Default usernames and passwords are still one of the most common reasons IoT devices are compromised. They should be replaced with strong, unique credentials immediately and, wherever possible, two-factor authentication (or better yet MFA tokens) should be enabled.

It’s also essential to stay on top of firmware updates. Many devices require manual updates, and some won’t notify you when they’re available. Keep a list of your IoT devices and set a recurring schedule to check for and apply updates. If you’re working with a trusted vendor or MSSP, they can often handle this for you.

Finally, visibility is key. If you’re not monitoring IoT traffic, you won’t see signs of compromise until it’s too late. Tools that provide insight into what these devices are doing—and when they deviate from normal behavior—can make a huge difference.
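To make those four steps concrete, here is a small inventory audit written for this article as an added example (it is not a Mindsight tool). The subnets, device names, record fields, and the 90-day firmware interval are all assumptions chosen for illustration.

```python
import ipaddress
from datetime import date

# Assumed layout: subnets, device names and the 90-day interval are constructed.
CRITICAL_NETS = [ipaddress.ip_network("10.0.10.0/24")]  # business systems
IOT_NETS = [ipaddress.ip_network("10.0.50.0/24")]       # dedicated IoT segment
FIRMWARE_CHECK_DAYS = 90

# Constructed sample inventory (the "list of your IoT devices").
INVENTORY = [
    {"name": "lobby-cam", "ip": "10.0.50.21", "default_creds_changed": True,
     "last_firmware_check": date(2025, 3, 30), "traffic_monitored": True},
    {"name": "hvac-ctl", "ip": "10.0.10.77", "default_creds_changed": False,
     "last_firmware_check": date(2024, 9, 1), "traffic_monitored": False},
    {"name": "dock-sensor", "ip": "192.168.7.5", "default_creds_changed": True,
     "last_firmware_check": None, "traffic_monitored": True},
]

def audit_device(dev, today):
    """Return the list of findings for one inventory entry."""
    findings = []
    addr = ipaddress.ip_address(dev["ip"])
    if any(addr in net for net in CRITICAL_NETS):
        findings.append("on same network as critical systems")
    elif not any(addr in net for net in IOT_NETS):
        findings.append("outside the known IoT segment")
    if not dev["default_creds_changed"]:
        findings.append("default credentials still in place")
    last = dev["last_firmware_check"]  # None means never checked
    if last is None or (today - last).days > FIRMWARE_CHECK_DAYS:
        findings.append("firmware check overdue")
    if not dev["traffic_monitored"]:
        findings.append("traffic not monitored")
    return findings

def audit(inventory, today):
    """Map device name -> findings, omitting devices with none."""
    report = {}
    for dev in inventory:
        findings = audit_device(dev, today)
        if findings:
            report[dev["name"]] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit(INVENTORY, date.today()).items():
        print(f"{name}: " + "; ".join(findings))
```

A device that appears in neither the critical nor the IoT subnet is flagged too, since an address nobody planned for is often the device IT didn’t know was on the network.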

Conclusion: Prevention Pays Off

IoT is here to stay, and for good reason. These devices power smarter buildings, streamline operations, and open the door to innovation. But they also open doors to attackers—unless you secure them. “By prioritizing IoT security, businesses can safeguard their operations and protect against the growing threat of ransomware attacks,” says ACP CreativIT’s Rod Kahl. “For businesses without cybersecurity teams, IoT doesn’t have to be a blind spot.” By leaning on trusted partners like MSPs and vCISOs, and by taking a few foundational steps to improve device security, you can protect your organization from ransomware and other advanced threats.

About Mindsight

Mindsight delivers enterprise managed services and technology solutions to the mid-market across a variety of industries including manufacturing, financial services, government, education – just to name a few. Our solution architects and engineers are 100% expert-level and work as an extension of your IT team. Mindsight is headquartered in Downers Grove, IL, a suburb of Chicago.

Mindsight is part of the ACP CreativIT Family of Technology Solution Providers




