Tiatra, LLC
Information Technology Solutions for Washington, DC Government Agencies

IoT security: Challenges and best practices for a hyperconnected world

Imagine waking up one morning to find your smart home turning against you. Your thermostat is cranked to extremes, your security cameras have gone dark and your smart fridge is placing orders you never approved. Outside, your electric vehicle suddenly flashes its headlights, blasts the radio at full volume and randomly locks and unlocks its doors — without anyone inside. It rolls slowly down the driveway, not by command but under someone else’s control.

This isn’t science fiction — it’s a plausible scenario in today’s hyperconnected world where the security of Internet of Things (IoT) devices is too often an afterthought.

The expanding attack surface

The IoT revolution is reshaping industries — from precision agriculture to autonomous vehicles, from remote healthcare to predictive maintenance in manufacturing. But this unprecedented proliferation has created an equally unprecedented attack surface. The sheer scale and heterogeneity of IoT ecosystems — spanning devices from multiple vendors, operating on divergent protocols and deployed across critical environments — make them an attractive and vulnerable target for attackers.

In early 2025, security researchers reported the Murdoc Botnet, a Mirai variant that had been active since mid-2024. It took over AVTECH IP cameras and Huawei HG532 routers through publicly known vulnerabilities (CVE-2024-7029 and CVE-2017-17215 respectively) and used them to launch large-scale DDoS attacks. The Huawei flaw was disclosed in 2017 and had already been abused by earlier Mirai offshoots; that a seven-year-old bug could still yield a botnet is the clearest measure of how devastating unpatched and unsecured devices can be.

Understanding the core challenges of IoT security

IoT security cannot remain abstract; it has to be grounded in the operational realities that CIOs and CISOs face. Six persistent challenges must be addressed head-on:

  • Device proliferation. Millions of IoT devices ship with minimal or no security controls and are deployed in the field with default credentials, open management ports and outdated firmware.
  • Legacy infrastructure. Many organizations continue to run devices that were never designed with security in mind, that no longer receive vendor updates, or for which no update mechanism ever existed.
  • Weak authentication. Hardcoded or shared credentials and password-only logins remain widespread; Mirai-class malware needs nothing more than a short list of factory defaults tried over Telnet or SSH.
  • Data privacy risks. IoT devices continuously collect sensitive data. Cleartext protocols, weak encryption and insecure cloud APIs turn that telemetry into a leakage risk.
  • Lack of standards. Baselines such as NIST IR 8259 and ETSI EN 303 645 exist, but adoption across vendors and regions is inconsistent, so defenses remain fragmented and ad hoc.
  • Supply chain vulnerabilities. Insecure third-party firmware, SDKs and libraries introduce risk far upstream of deployment: one flaw in a shared component is inherited by every product built on it.

These challenges are not theoretical — they are operational landmines waiting to be triggered.

Best practices for building a resilient IoT ecosystem

Securing IoT ecosystems requires more than vigilance; it requires architectural shifts. Here are eight best practices that every CIO and CISO should mandate across their environments:

  1. Zero trust architecture (ZTA). Trust nothing by virtue of network location. Every device, user and connection is authenticated and authorized before it is granted access, based on a per-device identity rather than an IP range.
  2. End-to-end encryption. Protect data in transit with TLS 1.2 or later (TLS 1.3, or DTLS for UDP-based device protocols, where the stack supports it) using authenticated-encryption cipher suites such as AES-GCM or ChaCha20-Poly1305, and protect data at rest with keys held in hardware. Deployments fail on certificate validation and key management far more often than on cipher choice, so verify that devices actually check the server's certificate.
  3. Automated firmware and software updates. Patch management is non-negotiable, and automation is what keeps remote or embedded devices current without manual intervention. The update channel must itself be secured: images are signed, the device verifies the signature against a key it already trusts, and the version number cannot roll back to an older, vulnerable build.
  4. AI-powered threat detection. Use behavioral baselining, including machine learning models where the data supports them, to flag anomalies such as a camera that starts opening Telnet connections to hundreds of addresses. Anomaly detection can surface attacks no signature knows yet, but it also produces false positives, so pair it with deterministic rules and a rapid incident response process.
  5. Regulatory compliance. Align with guidance such as NIST SP 800-213 and the NIST IR 8259 series for device baselines, ETSI EN 303 645 for consumer devices, and regulations such as GDPR wherever personal data is involved. Don't just comply; embed security into your organizational DNA.
  6. Hardware root of trust. Leverage secure boot, trusted platform modules (TPMs) or secure elements, and hardware-backed key storage to establish tamper-resistant trust anchors. Measured boot and remote attestation extend this so the backend can verify which firmware a device is actually running before it is allowed to connect.
  7. Multi-factor authentication (MFA). Require MFA for the humans who administer devices and platforms. For device-to-device and service-level communication the equivalent is strong mutual authentication: a unique per-device credential held in hardware and verified on both sides (for example mutual TLS), never a shared secret baked into the firmware image.
  8. Network segmentation. Isolate IoT devices on separate VLANs or micro-segmented zones with default-deny rules in both directions, so that a camera can reach its broker and its update server and nothing else. Assume breach and contain it before it spreads.

Together, these practices lay the groundwork for operational resilience in an inherently hostile threat landscape.
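Practices 3 and 6 together describe one concrete mechanism: a device accepts a firmware image only when a manifest for it carries a valid signature from a key the device already trusts, the manifest names the right hardware model, the version moves forward, and the image bytes match the manifest's hash. The Go program below is an added example written for this page, not code from the author or from any vendor. It uses Ed25519 for the vendor signature; the device model "cam-x1", the manifest layout and the in-memory public key standing in for a hardware-anchored key are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the metadata the vendor signs for one firmware image. The device
// never trusts the image directly: it trusts the manifest once the signature
// verifies, and the manifest vouches for the image through its SHA-256.
type Manifest struct {
	Device    string `json:"device"`     // hardware model the image is built for (assumed name)
	Version   uint32 `json:"version"`    // monotonically increasing; used for anti-rollback
	ImageHash string `json:"image_hash"` // hex SHA-256 of the image bytes
}

// SignedManifest bundles a manifest with the vendor's Ed25519 signature over its
// canonical JSON encoding.
type SignedManifest struct {
	Manifest  Manifest
	Signature []byte
}

var (
	ErrBadSignature = errors.New("manifest signature invalid or signing key not trusted")
	ErrWrongDevice  = errors.New("manifest is for a different device model")
	ErrRollback     = errors.New("manifest version is not newer than the installed version")
	ErrImageHash    = errors.New("image hash does not match manifest")
)

// canonical returns the exact bytes that are signed and later verified. Go's
// json.Marshal of a struct is deterministic (fields in declaration order), so
// signer and verifier always see the same encoding.
func canonical(m Manifest) ([]byte, error) {
	return json.Marshal(m)
}

// NewManifest computes the image hash itself so a caller cannot get it wrong.
func NewManifest(device string, version uint32, image []byte) Manifest {
	sum := sha256.Sum256(image)
	return Manifest{Device: device, Version: version, ImageHash: hex.EncodeToString(sum[:])}
}

// SignManifest is the vendor-side (build pipeline) step.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (SignedManifest, error) {
	b, err := canonical(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Manifest: m, Signature: ed25519.Sign(priv, b)}, nil
}

// VerifyUpdate is the device-side step, run before the image is staged or flashed.
// trusted is the pinned vendor public key; on real hardware it would sit in OTP
// fuses, a TPM or a secure element so that malware on the device cannot swap it.
func VerifyUpdate(trusted ed25519.PublicKey, device string, installed uint32, sm SignedManifest, image []byte) error {
	b, err := canonical(sm.Manifest)
	if err != nil {
		return err
	}
	// 1. Authenticity first: nothing in the manifest is believed until this passes.
	if !ed25519.Verify(trusted, b, sm.Signature) {
		return ErrBadSignature
	}
	// 2. A valid signature for the wrong model is still a valid signature; reject it.
	if sm.Manifest.Device != device {
		return ErrWrongDevice
	}
	// 3. Anti-rollback: an old, signed, vulnerable image must not be reinstallable.
	if sm.Manifest.Version <= installed {
		return ErrRollback
	}
	// 4. Bind the image bytes to the authenticated manifest.
	sum := sha256.Sum256(image)
	if hex.EncodeToString(sum[:]) != sm.Manifest.ImageHash {
		return ErrImageHash
	}
	return nil
}

func main() {
	// Constructed demo: a throwaway vendor key and a fake image, not real firmware.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	image := []byte("camera firmware build 2")
	sm, err := SignManifest(priv, NewManifest("cam-x1", 2, image))
	if err != nil {
		panic(err)
	}
	fmt.Println("good update:", VerifyUpdate(pub, "cam-x1", 1, sm, image))
	fmt.Println("rollback:", VerifyUpdate(pub, "cam-x1", 2, sm, image))
	fmt.Println("tampered image:", VerifyUpdate(pub, "cam-x1", 1, sm, []byte("backdoored")))
	sm.Manifest.Version = 9 // attacker edits the manifest; the signature no longer matches
	fmt.Println("edited manifest:", VerifyUpdate(pub, "cam-x1", 1, sm, image))
}
```

The order of the checks matters: the signature is verified before any field of the manifest is read, so a forged manifest cannot influence the device or version comparison. In a production bootloader the same verification would run again on every boot (secure boot), the installed version would be kept in a monotonic hardware counter, and the manifest would also carry an expiry so that a leaked signing key cannot be used indefinitely.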

Looking ahead: Emerging technologies redefining IoT security

Innovation cuts both ways — it empowers defenders just as it equips attackers. Fortunately, a new class of technologies promises to elevate IoT defense strategies:

  • Blockchain. Distributed ledgers are proposed for device identities, data integrity and immutable audit trails. Be clear about the threat being addressed: a conventional PKI and a signed, append-only log give most enterprises the same properties at far lower operational cost, so a ledger earns its place only where several mutually distrusting parties must share one record.
  • Post-quantum cryptography. NIST finalized its first post-quantum standards in 2024 (ML-KEM in FIPS 203, ML-DSA in FIPS 204 and SLH-DSA in FIPS 205). Devices shipping now may still be in the field when large quantum computers arrive, so cryptographic agility (updatable algorithms, keys and certificates) matters as much as the algorithms chosen today.
  • AI-driven security orchestration. Integrate AI into security information and event management (SIEM) platforms to enable real-time decision-making and automated response, with guardrails: an autonomous action such as quarantining a device should be reversible and auditable, and anything with safety impact should remain under human approval.

These emerging capabilities are not silver bullets — but they represent the next layer in a modern security stack.

The road ahead: Security by design

As a community of technology leaders, we must adopt a fundamental mindset shift: from security as a bolt-on to security as a design principle. The future of IoT security hinges on three imperatives:

  1. Security-by-design. Manufacturers must embed security into device architecture — from chipset to API layer.
  2. Policy and regulation. Governments and industry bodies must define, enforce and evolve standards for IoT security. Voluntary compliance is no longer sufficient.
  3. Automation at scale. Managing tens of thousands of devices manually is infeasible. Automation in threat detection, response and lifecycle management is key.

A shared responsibility

The reality is that no single stakeholder — be it vendor, enterprise or regulator — can secure the IoT landscape alone. It’s a shared responsibility. Every decision made at the design table, in the boardroom or on the assembly line has implications for global cybersecurity.

To fellow CIOs and CISOs reading this: We cannot wait for the perfect solution. We must act now. Start by asking the tough questions within your organization:

  • Are all IoT devices inventoried and continuously monitored?
  • Do we have a segmentation policy that truly isolates high-risk zones?
  • Is our IoT security governance aligned with our broader enterprise security strategy?

If the answers aren’t clear, you’re not alone — but inaction is no longer an option.
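Two of the questions above (is every device monitored, and does segmentation actually isolate) can be answered from flow telemetry, and the same telemetry exposes the Telnet fan-out of a Mirai-style bot such as the Murdoc campaign described earlier. The Go program below is an added example, not from the article or any product: the zone layout (a hypothetical camera VLAN 10.50.1.0/24 that may only reach its broker and update server in 10.50.0.0/24), the addresses and the flow records are all constructed for illustration, and the fan-out threshold is an assumption you would tune per environment.

```go
package main

import (
	"fmt"
	"net"
	"sort"
	"strconv"
	"strings"
)

// Flow is one connection summary: source, destination and destination port.
// In practice these come from NetFlow/IPFIX exports or Zeek conn logs; here they
// are parsed from the constructed CSV sample below.
type Flow struct {
	Src, Dst string
	DstPort  int
}

// Policy is the segmentation contract for one IoT zone: which addresses the zone's
// devices may reach, plus the ports and fan-out that signal Mirai-style scanning.
type Policy struct {
	IoTZone    *net.IPNet
	Allowed    []*net.IPNet
	ScanPorts  map[int]bool
	ScanFanout int
}

// SampleFlows is constructed sample data, not real traffic. 10.50.1.0/24 is the
// assumed camera VLAN; 10.50.0.0/24 hosts its MQTT broker and update server.
const SampleFlows = `# src,dst,dport
10.50.1.21,10.50.0.5,8883
10.50.1.21,10.50.0.9,443
10.50.1.22,10.10.4.15,445
10.50.1.23,203.0.113.7,23
10.50.1.23,203.0.113.8,23
10.50.1.23,203.0.113.9,2323
10.50.1.23,198.51.100.4,23
10.50.1.23,198.51.100.5,23
10.10.4.15,10.50.1.22,22
`

func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// DefaultPolicy encodes the assumed zone layout for the sample above.
func DefaultPolicy() Policy {
	return Policy{
		IoTZone:    mustCIDR("10.50.1.0/24"),
		Allowed:    []*net.IPNet{mustCIDR("10.50.0.0/24")},
		ScanPorts:  map[int]bool{22: true, 23: true, 2323: true}, // SSH plus Mirai's Telnet ports
		ScanFanout: 5,                                            // assumed threshold
	}
}

// ParseFlows reads "src,dst,dport" lines, skipping blanks and # comments.
func ParseFlows(text string) ([]Flow, error) {
	var flows []Flow
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		parts := strings.Split(line, ",")
		if len(parts) != 3 {
			return nil, fmt.Errorf("malformed record %q", line)
		}
		port, err := strconv.Atoi(strings.TrimSpace(parts[2]))
		if err != nil || port < 0 || port > 65535 {
			return nil, fmt.Errorf("bad port in record %q", line)
		}
		flows = append(flows, Flow{Src: strings.TrimSpace(parts[0]), Dst: strings.TrimSpace(parts[1]), DstPort: port})
	}
	return flows, nil
}

func inAny(ip net.IP, nets []*net.IPNet) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// SegmentationViolations lists, in input order, flows whose source is inside the
// IoT zone but whose destination is outside the zone's allowlist.
func SegmentationViolations(p Policy, flows []Flow) []string {
	var out []string
	for _, f := range flows {
		src, dst := net.ParseIP(f.Src), net.ParseIP(f.Dst)
		if src == nil || dst == nil || !p.IoTZone.Contains(src) {
			continue
		}
		if !inAny(dst, p.Allowed) {
			out = append(out, fmt.Sprintf("%s->%s:%d", f.Src, f.Dst, f.DstPort))
		}
	}
	return out
}

// ScanningDevices lists IoT-zone sources that touched at least ScanFanout distinct
// destinations on scan ports, the footprint of a Mirai-style credential sprayer.
func ScanningDevices(p Policy, flows []Flow) []string {
	targets := map[string]map[string]bool{}
	for _, f := range flows {
		src := net.ParseIP(f.Src)
		if src == nil || !p.IoTZone.Contains(src) || !p.ScanPorts[f.DstPort] {
			continue
		}
		if targets[f.Src] == nil {
			targets[f.Src] = map[string]bool{}
		}
		targets[f.Src][f.Dst] = true
	}
	var out []string
	for src, dsts := range targets {
		if len(dsts) >= p.ScanFanout {
			out = append(out, src)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	flows, err := ParseFlows(SampleFlows)
	if err != nil {
		panic(err)
	}
	p := DefaultPolicy()
	fmt.Println("segmentation violations:", SegmentationViolations(p, flows))
	fmt.Println("scanning devices:", ScanningDevices(p, flows))
}
```

On the sample, 10.50.1.22 reaching a corporate host on port 445 is a segmentation gap, and 10.50.1.23 is both violating policy and fanning out to five Telnet targets, which is how a compromised camera announces itself. Real telemetry carries timestamps, so the fan-out count would be computed per time window rather than over the whole file, and with default-deny egress in place the scanner's connections would be blocked at the boundary and the blocked attempts would be the alert.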

Final thought

Security is not a feature. It’s a foundation.

Let’s commit — collectively — to designing and deploying IoT systems that are not only innovative but inherently secure. Because in the interconnected future we’re building, trust is everything — and trust starts with security.

Join me at the IoT Tech Expo in Santa Clara this June 5th, where I will be presenting on a topic that’s top-of-mind for every CISO and CIO: IoT security. With over 30 billion connected devices expected by 2030, this conversation is no longer optional. It’s critical.

Leo Rajapakse is the head of platform infrastructure and advanced technology for Grupo Bimbo. He leads the company’s technology platform organization, which provides critical technology infrastructure platforms on premises and in the cloud. Before joining Bimbo Bakeries, Leo held several leadership positions with the technology arms of leading institutions, including the Australian government. He has extensive experience in managing large, global and diverse technology organizations, where he has transformed and modernized complex technology platforms to greatly improve the stability, resiliency and cybersecurity of applications and infrastructure.

This article is published as part of the Foundry Expert Contributor Network.
Category: News
May 20, 2025
    Tiatra, LLC, based in the Washington, DC metropolitan area, proudly serves federal government agencies, organizations that work with the government and other commercial businesses and organizations. Tiatra specializes in a broad range of information technology (IT) development and management services incorporating solid engineering, attention to client needs, and meeting or exceeding any security parameters required. Our small yet innovative company is structured with a full complement of the necessary technical experts, working with hands-on management, to provide a high level of service and competitive pricing for your systems and engineering requirements.
    Tiatra, LLC
    Copyright 2016. All rights reserved.