Posted on by

Transition from isolation to exposure brings evolving threats to IoT and OT systems

Source: key05/iStock via Getty images.

A study conducted by S&P Global Market Intelligence 451 Research examines security implementation at computing endpoints, including the security tooling on standard IT endpoints such as PCs, laptops and mobile devices, as well as the variety of endpoints in internet of things systems. The survey addresses the number of security products deployed, deployment venues, level of effectiveness, responses to ransomware, and where security professionals identify threats to IoT.

The Take

IoT systems, along with internet-accessible operational technology (OT) deployments that bypass legacy isolation, represent an ongoing information security challenge. Key factors include the variety of non-standard endpoints, legacy approaches to remote access for maintenance, adjacency to vulnerable IT networks, and an ever-increasing attack surface as technology modernizes. While vendor solutions continue to grow, so does the threat landscape, exemplified by malware targeted at industrial control systems and the formation of large IoT botnets. Because these systems are vital to critical infrastructure, they are often a target for nation-state actors.

In recent years, the US Cybersecurity and Infrastructure Security Agency (CISA) and former government officials have issued warnings regarding advanced persistent threat actors such as Volt Typhoon, allegedly backed by the Chinese state, that have infiltrated and maintained access to critical infrastructure, including energy and water utility systems. Ransomware attacks that move laterally from IT to OT networks, or that use the former to disrupt the latter, remain an issue, following the model of the 2021 Colonial Pipeline attack and continuing with breaches such as the one affecting major US steel producer Nucor Corp. in 2025. Canadian utility Nova Scotia Power also reported a ransomware attack that disrupted the ability to read billing information from customer smart electrical meters.

Summary of findings

When survey respondents are asked to identify threats to IoT systems, the discussion quickly extends past IoT endpoints themselves. In a 2023 study conducted by S&P Global Market Intelligence 451 Research, the top cited IoT security threat was unpatched application security vulnerabilities, reflecting the difficulty of patching IoT and OT devices after they have been deployed. That dropped to second in 2024, superseded by attacks against a centralized control point, reflecting potential shifts in the behavior of threat actors. In our latest study, vulnerable IoT databases or data stores (32%) have risen to become the top concern. Unpatched application security vulnerabilities (28%) remain second, followed by attacks against unsecured networks between device endpoints and central control points (27%).

Approximately 13% of respondents report experiencing a ransomware attack in 2025. This figure is comparable to the 14% response rate in 2024 and down from the peak of 23% in 2023. Among those who experienced an attack, the most common outcomes were that network security tools (25%) or endpoint security tools (17%) interrupted the attack. However, we see evidence of overconfidence in security tooling. For example, 26% of respondents who did not experience a ransomware attack in 2025 believe their endpoint security tooling would interrupt an attack, exceeding the effective percentage in real cases. While only 4% of unaffected respondents say they would pay a ransom, 6% of those affected actually paid.

The most striking indicator of overconfidence is in the ability to restore from backups: 24% of unaffected respondents believe they could restore successfully from backup without data loss, but only 15% of those attacked were able to do so.

While security tooling is a key part of ransomware prevention and detection, security professionals would do well to collaborate with their storage and backup counterparts on resiliency strategy. More than one-third (35%) of security professionals believe it would be somewhat difficult to restore from backup, and given the delta in results after an actual ransomware attack, that percentage likely understates reality. To help transfer risk, 83% of security professionals report purchasing or expanding a cyber insurance policy following a ransomware incident.

Respondents report an average of 3.2 security tools installed per endpoint, up slightly from an average of 3 in the year-ago survey. This trend reflects a post-pandemic reality characterized by the expansion of hybrid and remote working environments, as well as an increase in mobile computing, which in turn has called for more proxy-based and endpoint-centric security controls. The growing number of endpoint security tools has significant ramifications for device stability and increased patching requirements. Additionally, more highly resourced security organizations, such as those of large enterprises, tend to run a greater number of tools.

On average, organizations with 10,000 or more employees (averaging 3.7 tools) use one additional security tool per endpoint compared with organizations with fewer than 249 employees (averaging 2.7 tools).

In interviews, security practitioners express a desire to better consolidate and integrate endpoint security tools to simplify management and operations.

Quizzically, respondents cite malware prevention as both the greatest strength of their endpoint security tools and the area most in need of improvementIn prior studies, as one might expect, endpoint security features identified as performing poorly were generally widely cited as opportunities for improvement. However, in the most recent study, respondents indicate that malware prevention — endpoint security’s primary preventative use case — is both what it does best (45%) and where it most needs improvement (26%), reflecting the intractable nature of the malware challenge. By contrast, conducting after-the-fact investigations or incident response follows a more expected historical pattern: This feature is cited as effective by only 2% of respondents and cited as needing improvement by 22%. Endpoint security vendors that can make a case for their tools enabling effective incident response or threat hunting will have a differentiating feature in the current market.

The Security Talent Gap is More Complicated Than You Think

Read Report

Want insights on Infosec trends delivered to your inbox? Join the 451 Alliance.

Published by Daniel Kennedy

Daniel Kennedy is the Principal Research Analyst for Information Security for quantitative research at 451 Research, a part of S&P Global Market Intelligence. He is responsible for managing all phases of the research process. Dan is an experienced information security professional who has written for both Forbes online and Ziff Davis, has provided commentary to numerous news outlets including The New York Times and The Wall Street Journal, and his personal blog Praetorian Prefect was recognized as one of the top five technical blogs in information security by the RSA 2010 Conference. Prior to 451 he was a Partner in the information security consultancy Praetorian Security, LLC where he directed strategy on risk assessment and security certification. Before that he was Global Head of Information Security for D.B. Zwirn & Co. as well as Vice President of Application Security and Development Manager at Pershing LLC, a division of the Bank of New York. Daniel holds a Master's of Science degree in Information Systems from Stevens Institute of Technology, a Master's of Science in Information Assurance from Norwich University, and a Bachelor's of Science in Information Management and Technology from Syracuse University. He has gained certification as a CEH (Certified Ethical Hacker) from the EC-Council, a CISSP, and has a NASD Series 7 license.