September 08, 2025

The State of Ohio’s Cybersecurity in 2025: Progress, Pressure, and the Path Forward

Written By Randy Hall

Ohio’s Wake-Up Calls

Ohio has learned some of its toughest cybersecurity lessons the hard way. In one headline-grabbing case, a former software developer sabotaged his employer’s systems, embedding a hidden “kill switch” that destroyed user accounts and left the business with costly downtime and cleanup. More recently, the city of Columbus faced a ransomware attack that exposed sensitive data and drew national criticism for how the incident was handled. The city’s initial downplaying of the crisis—and the legal fight that followed—served as a stark reminder that transparency and readiness matter as much as firewalls and backups.

These incidents aren’t distant history—they are scars still shaping the way Ohio leaders think about risk. And they underscore a simple truth: from Columbus to Cleveland, Akron to Canton, and Medina to Painesville, no Ohio organization is immune.

 

Cybersecurity in Columbus: Lessons from a Ransomware Attack

In July 2024, Columbus—home to nearly 1 million residents—fell victim to a severe ransomware attack. The group known as Rhysida claimed to have stolen 6.5 terabytes of city data, including police records, court files, and sensitive municipal operations (StateScoop).

City leaders initially downplayed the severity, suggesting much of the data was corrupted. But within days, cybersecurity researcher Connor Goodwolf revealed that residents’ personal information was already circulating on the dark web. Instead of acknowledging the discrepancy, Columbus officials filed a gag order against him, sparking widespread criticism over the city’s lack of transparency (Ohio Capital Journal).

The financial and reputational cost was staggering. Columbus budgeted up to $7 million for recovery—covering forensics, legal fees, and credit monitoring for residents. Class-action lawsuits soon followed, and by mid-2025, WOSU reported that “little details or accountability” had been shared, with the city still withholding its final forensic report.

Lesson for Ohio businesses: the damage didn’t come from ransomware alone—it came from poor communication and delayed transparency. For any organization in Columbus, Cleveland, Akron, or beyond, the takeaway is clear: if systems go down, silence or spin will only deepen the crisis.

 

Insider Threats: A Cautionary Tale for Cleveland and Beyond

The Eaton “kill switch” sabotage is one of the most chilling insider threat cases to emerge in recent years—and it happened right here, in Ohio. In 2019, a disgruntled developer embedded logic bombs in his employer’s systems that triggered server crashes, wiped co-worker profiles, and locked users out entirely when his access was revoked. His code even checked whether his own account was active—hence the chilling name: “IsDLEnabledinAD.” The fallout was immediate, and the damage ran into hundreds of thousands of dollars (CSO Online).

Fast-forward to August 2025: the former developer, Davis Lu, received a four-year federal prison sentence—proof that insider threats carry serious legal and financial consequences for those on both sides of the breach (CSO Online). But for Ohio’s business leaders, the real cost isn’t only in loss and litigation—it's in blind spots within your people and processes.

Why this matters regionally:

  • Whether it’s a dev in Cleveland, a contractor in Akron, or an office manager in Canton, any employee with elevated system access needs to be considered a potential risk—not as a mistrust exercise, but as a professional responsibility.

  • Traditional network defenses won’t catch an insider who knows where to strike. The most trusted employees may also be the most dangerous if their access controls are lax.

What should happen next:

  • Treat offboarding as a coordinated, automated process, not something remembered after the fact with a “whoops, we forgot to revoke his access.” Onboarding and offboarding should be immediate and system-enforced.

  • Have your dev, HR, and IT leadership work hand in hand: no one gets access or gets cut off without multiple coordinators confirming.

  • Monitor for warning signs: not just logins, but intent. User and entity behavior analytics (UEBA) tools give you insight into abnormal patterns before they turn destructive.

If you're managing operations anywhere from Medina to Painesville, this Eaton case should be your wake-up call: insider threats aren’t abstract—they’re local and real. The technical talent pipeline here is strong, but so is the potential for human error—or worse, betrayal.

What separates organizations that survive an insider incident from those that don’t isn’t an extra firewall—it’s advance planning, coordination, and execution. When the real threat comes from inside, the only defense that matters is your readiness to act smarter, faster, and together.

 

 

Akron and Canton Business Leaders Face New Cyber Laws in 2025

Ohio’s leadership isn’t waiting for the next cyber crisis—they’re acting now. Effective September 30, 2025, House Bill 96 (HB 96) mandates that every local government—cities, counties, townships, school districts, and libraries—must implement a formal cybersecurity program that safeguards data, systems, and services in line with generally accepted frameworks like NIST or CIS (Bricker Graydon LLP).

That program must include:

  • Identification of critical systems and their risks

  • Detection and response mechanisms for cyber threats

  • Incident response protocols, including containment and recovery

  • Employee training calibrated to roles and responsibilities

Beyond the policy, the law places strict requirements on how governments handle ransomware:

  • Ransom payments are prohibited unless approved by a formal legislative resolution or ordinance that explains why paying is in the local government's best interest.

  • Mandatory reporting: Any cybersecurity or ransomware incident must be reported to Ohio Homeland Security within 7 days, and to the Auditor of State within 30 days (Bricker Graydon, plus additional guidance from the Auditor's office).

 

Why this is urgent for Akron, Canton, and surrounding businesses

  1. Compliance is becoming table stakes. Even if your business isn't a city or school, your clients—especially public sector partners—will soon expect rigorous cybersecurity standards from their vendors and contractors.

  2. Legal obligations mirror client expectations. Loose security practices are no longer tolerable. Whether you're providing software, cloud services, facilities, or consulting, your partners need to know you follow the same rules they do.

  3. No funding = resource pressure. While training is available through CyberOhio and state initiatives, the law doesn’t allocate budget for implementation. Local governments—and their partners—must be proactive or risk falling behind.

  4. Your preparedness may become public record. Even if you're not covered by the law, failing to align with its standards could expose you to audit scrutiny, reputational damage, or the loss of contract opportunities to more compliant competitors.

 

What to do now, before you’re under the spotlight:

  • Start aligning your policies and playbooks with NIST or CIS frameworks—not because you're forced, but because the law is moving that way.

  • Build or update your incident response processes with communication, containment, reporting, and recovery paths—just like the new requirements.

  • Train your team annually—role-based, scenario-informed, and documented.

  • Use CyberOhio resources like tabletop exercises, state training modules, and policy templates to strengthen your plans—at minimal cost.

  • Assume your municipal or school district clients will ask for compliance evidence. Be ready to show them your program, your training records, and your incident response plan.

For leaders from Akron and Canton to Painesville and Medina, this is more than a legal shift—it marks a transformation in the standard of care for cybersecurity in Ohio.

It isn’t about fear or fines. It’s about building confidence. When your public sector partners—and even private peers—know you’re ready, you’ll distinguish yourself not just as compliant, but as trusted.

 

Medina and Painesville: Closing the Last Mile

Ohio’s centralized cybersecurity efforts, led by CyberOhio, have delivered a powerful foundation. Key tools like the Ohio Persistent Cyber Improvement (O-PCI) program—offering free training, assessments, tabletop exercises, and mentorship statewide—and the Ohio Cyber Range Institute (OCRI), with its hands-on simulations and workforce development, are cornerstones of the state’s strategy (Ohio Cyber Range Institute).

Yet in this story, the tools are not the finish line—they’re just the starting point.

For a mid-size manufacturer in Medina or a country club in Painesville, the reality is this: having frameworks and funding at the state level doesn’t automatically translate into operational readiness. Those resources are only valuable if someone takes ownership—for example:

  • Putting policies into practice. Drafting an incident response plan is not enough; it must be tested, refined, and updated—or else it stays in a folder.

  • Running tabletop exercises. Rehearsals reveal whether your team can actually execute when the lights go out—and highlight blind spots that stay hidden in theory.

  • Aligning response with state standards. When an incident strikes, your organization won’t be creating on-the-fly strategies; you'll be applying playbooks tested in training and aligned with CyberOhio expectations.

  • Ensuring real-time readiness. Staff must know their role—who calls whom, how you notify clients, how you coordinate recovery—without scrambling for guidance in a crisis.

This is the last mile of cybersecurity—the critical zone between having resources and turning them into capability. It’s where too many local organizations stumble.

A view from the ground

Imagine a ransomware simulation run through O-PCI that surfaces a gap: your backup systems are intact, but your communications plan is not. In a real event, you’d be unprepared to maintain customer confidence or coordinate a recovery. That’s the last-mile gap.

But it doesn’t have to stay that way.

By proactively embedding training outcomes into your operations, you turn statewide strategy into local resilience. That’s what separates organizations that merely have cybersecurity resources from those that are truly cyber-resilient.

 

Where Ohio Stands Today

Ohio’s cybersecurity scene in 2025 looks stronger than most—rooted in a clear statewide strategy, emerging legislation, and a rapidly expanding talent pool fueled by graduates from universities across the state. Columbus leads in rapid hiring, with projected job growth rates of over 30% by 2032 and average salaries rising past six figures (NuCamp). Cleveland isn’t far behind: it posted an astounding 60% year-over-year job growth in cybersecurity roles—one of the highest in the nation (Cybersecurity Job Index).

But strength on slides and stats isn’t the same as resilience when the breach hits.

Across Ohio—from Columbus and Cleveland to Akron, Medina, Canton, and Painesville—the picture is mixed. Some organizations are building muscle: practicing drills, updating policies, staffing up. Others are still waiting for a crisis to wake them up.

 

Why Local Leaders Should Care

  • Talent is abundant—but competitive. With hiring surging, staying ahead means you must hire smarter, not just faster.

  • Strategy matters—but deployment matters more. Even with frameworks like CyberOhio and Cyber Range in place, without execution, plans remain on paper.

  • Resilience isn’t optional. Whether you're in manufacturing, legal services, real estate, or local government, your readiness—or lack of it—will define whether you recover or get left behind.

 

A Checklist for Ohio Business Leaders

If you’re running a business, practice, or firm in Ohio, here’s where to start:

  1. Audit insider access. Know who has the keys to your systems and shut those doors promptly when roles change.

  2. Test your incident response. Run tabletop exercises—don’t just file away a PDF plan.

  3. Plan your communications. Decide in advance how you’ll notify clients, staff, and partners if systems go down.

  4. Align with CyberOhio standards. Use the frameworks and grants that are already available to strengthen your defenses.

  5. Fill capacity gaps. Don’t assume your internal IT team can do it all. Know when to bring in outside expertise.

 

Cybersecurity in Ohio is at a crossroads. The state has resources, talent, and strategy on its side. But incidents like the Columbus ransomware attack and the Eaton insider sabotage remind us that strategy means little without execution.

For leaders across Ohio, the message is clear: the tools exist, the funding exists, and the standards exist. What’s missing is often the consistent, disciplined follow-through. That’s where organizations like Securafy help close the last mile—not as a vendor with another tool to sell, but as a partner that ensures Ohio businesses are truly resilient when it matters most.

That “last mile” is where preparation becomes protection. Services like Cybersecurity Protection, Penetration Testing, Compliance Support, and Managed IT Services give Ohio organizations the discipline and coverage to put plans into motion. More details are available on our Ohio IT hub.

In 2025, Ohio has the opportunity to be a leader in cybersecurity. Whether your organization is part of that story will depend on the steps you take now.

About The Author
Randy Hall, CEO & Founder of Securafy, is a seasoned IT leader specializing in cybersecurity, compliance, and business resilience for SMBs. With deep technical expertise and decades of experience, he shares strategic insights on cybersecurity risks, AI in cybersecurity, emerging technology, and the economic challenges shaping the IT landscape. His content provides practical guidance for business owners looking to navigate evolving cyber threats and leverage technology for long-term growth.
