SMBs Largely Unprepared for IoT, Ransomware Attacks

At the intersection of the internet of things (IoT) and ransomware lies a disturbing reality: Small- and medium-sized businesses are critically unprepared for an attack in this arena, and nearly half of them would pay a ransom on connected things to reclaim their data.

That’s according to Arctic Wolf, which found that 45% of participants in a recent survey claim they are likely to pay up. It also found that 13% of SMBs (one in eight) have experienced an IoT-based attack already.

The study, which surveyed 300 individuals responsible for the IT or security functions inside companies with between 200 and 3,000 employees, also discovered that the most impacted industry so far is transportation, with 29% of companies indicating they have already experienced an IoT attack. Companies in the energy, construction and technology industries have also been ongoing targets.

Unfortunately, many still are not taking the necessary security measures. According to the research, SMBs are woefully unprepared for new cyber threats and most still struggle with security basics: For instance, nearly 70% of respondents do not have a formal incident response plan. Most (80%) don’t have products to protect against zero-day threats, and over half (62%) do not conduct log analysis.

The survey showed that despite the lack of precautionary measures, SMBs have embraced IoT, with more than 80% indicating that IoT functionality is a plus when buying devices. Also, organizations are well aware of the threat, with over 70% of respondents expressing concern about an IoT-based ransomware attack.

“The next chapter in the story will raise the stakes with possible attacks on medical devices, electric grids and transportation systems, which could cause the loss of life,” said Brian NeSmith, CEO and co-founder of Arctic Wolf. “Companies not spending millions of dollars on security will be at a severe disadvantage fending off criminals who are organized, well-funded and very sophisticated in their methods.”

The report found that the targets of greatest concern for attack are computer hardware and systems, followed by key locks, industrial control systems and printers/scanners.

“For smart device ransomware, the asset value determination has an added factor from ransomware that targets traditional technologies, such as laptops and desktops,” said Javvad Malik, security advocate at AlienVault, via email. “On such devices, ransomware will only affect the data that is stored within them. However, with IoT, in addition to impacting the data within the devices, ransomware can render physical functions inaccessible. For example, ransomware that infects a smart thermostat can turn up the heat to full unless a ransom is paid. Looking forward, smart cars and even smart cities may be targeted – and while real-life attacks have not yet been seen, the impact of ransomware on such utilities can be truly life-threatening.”
