According to Statista, customers across the globe spent $805 billion on Internet of Things solutions in 2023. However, the rapid growth of smart devices and interconnected systems could provide hackers with more ways to access data if your IoT device's security issues aren’t addressed. This blog post will examine IoT security and how to ward off cyberattacks.
Contents:
What is IoT?
The Internet of Things (IoT) is what we call networks of physical objects that are packed with sensors, cameras, listening devices, and other technologies—like today's smartphones, appliances, wearables, and cars. These devices are connected over the internet or a local network, so they can exchange data with each other. This allows them to work together as part of a smart system, enabling the automation of tasks and the creation of intelligent environments like smart homes or smart workplaces. Because of the way IoT devices operate, the Internet of Things and cybersecurity must go hand in hand to deliver smart experiences while ensuring safety and privacy for all users.
What is IoT security?
IoT security is all about protecting the interconnected smart devices and the networks they connect to. Since these devices can collect, store, and share data about users' surroundings, this data must be handled with the utmost care and caution. These devices aren’t just for personal use—more and more are making their way into workplaces. For example, businesses now install smart thermostats, blinds, and seating planners to optimize resources in their offices.
Unfortunately, many IoT products are simply not built with security in mind, as manufacturers often prioritize low costs and quick time-to-market over robust protection, which leads to widespread vulnerabilities. To address this security-as-an-afterthought problem, there is a growing shift toward standardized safety benchmarks like the NISTIR 8259 series. This series of reports acts as a foundational manual for manufacturers, providing clear guidance on the baseline security measures a company should implement before a device ever reaches your office.
To help you identify which hardware meets these standards, the FCC recently introduced the US Cyber Trust Mark. The shield logo indicates that a device meets specific, high-level cybersecurity standards. When you see this mark, it means the manufacturer is transparent about their security practices and is committed to protecting your data from unauthorized access. Prioritizing certified devices is a practical, proactive way to manage your attack surface and stay ahead of potential threats.
Why is IoT security important?
The recent influx of IoT devices has provided another avenue for hackers to exploit in recent years. IoT devices can be particularly vulnerable to security breaches. At the end of 2021, a study concluded that up to 82% of healthcare organizations experienced an IoT cyberattack over 18 months. There are often security oversights regarding the IoT and its apps. For example, a German teenager hacked Tesla vehicles' app component not that long ago. While he couldn't access the driving functions like steering or brakes, he could still exploit other potentially dangerous features like unlocking doors, playing music at max volume, and flashing lights. The more IoT devices become common, the more widespread their security threats will become.
Applying zero-trust architecture to the IoT ecosystem
Traditional security often focuses on a single perimeter, which works fine until a threat gets inside and moves freely through your network. A zero-trust IoT framework changes this approach by assuming the network is already compromised and requiring every connection to be verified. This shift moves you away from trusting a device based simply on its IP address, replacing a vulnerable entry point with a strategy centered on micro-segmentation and identity-based security.
Micro-segmentation divides your network into small, isolated zones. This ensures that a smart thermostat, for instance, can only communicate with its specific controller, rather than with your entire server room. This effectively contains breaches by trapping threats in a tiny digital room and preventing the lateral movement that often leads to major security incidents. To make this possible, all data on the network passes through software-defined network agents that generate instant feedback, allowing managers to monitor network traffic and user behavior in real time. This setup helps IT teams instantly detect threats and enables technicians to change security policies for any connected device. Because everything works via software tools, there is no need for manual hardware reconfiguration, which keeps your defense both agile and simple to manage.
Identity-based security takes this a step further by focusing on the unique identity of a device rather than its location on the network. By assigning a secure identity to every IoT asset, your team can scan, analyze, and detect exactly which device is requesting access at any given time. This ensures that security policies are based on verified identities and actual behavior, making your defense proactive rather than reactive. Combining these two strategies builds a resilient environment where every device on your network is constantly verified and strictly contained.
Which industries need IoT security?
Smart devices have made their way into almost every part of our lives. However, some industries rely more heavily on IoT technology than others and require additional security due to its strategic meaning for the nations' and communities' welfare.
Healthcare. Patient monitoring, advanced medical equipment, administering treatments and vaccines: Medical services increasingly rely on smart devices. Cynerio and Ponemon's Study proves that healthcare is especially vulnerable to cyber attacks involving the IoT devices as they constitute 88% of all hospital data breaches. More than half of hospitals in the US have experienced an attack on their smart devices between 2020 and 2022. The damage that cybercriminals can cause in healthcare is horrifying—the mortality rate increased in 24% of the attacked hospitals.
Energy and utilities. IoT devices are widely used in the energy and utilities sector for smart grid management, optimizing energy consumption, and remote monitoring of infrastructure. However, monitoring tools such as smart meters, security cameras, and chemical leak controls are prime targets for cybercriminals, making the management of IoT security issues essential to preventing disruptions to critical services like electricity, heating, traffic control, and medical care.
Manufacturing. It's hard to imagine a modern factory without Internet of Things solutions enabling process automation, supply chain management, and predictive maintenance. The endless possibilities that smart devices present to this sector can be overshadowed by the costs of cyberattacks, as hackers often target factories to demand ransom.
Logistics. IoT systems have become foundational to fleet, vessel, and traffic management. Self-driving vehicles are becoming commonplace in major cities. Also, the railway relies on IoT devices for traffic planning and power supply management. Hacking an IoT-reliant logistics system could cause chaos on highways or railroads.
Supply chain. In the supply chain industry, connected devices are used for tracking, monitoring, and managing goods throughout transportation. The security risk created by IoT tools used in day-to-day operations grows with the number of vendors a company cooperates with. Supply chain attacks often target third-party partners or suppliers to access the company's assets.
IoT security challenges
While smart devices introduce plenty of opportunities and convenience to our lives, they also open up the possibility of cyberattacks. Industries such as healthcare and manufacturing increasingly rely on IoT devices, exposing unprepared organizations to cyberattacks. Here are some of the threats IoT devices are susceptible to:
Malware: Because cybersecurity isn't the primary concern of many smart devices, hackers don't require advanced malicious software to attack. Rudimentary malware can steal data and cause damage to networks and devices. Mirai is used to infect security cameras, scan the network for the IP address of IoT devices, and connect. This allows hackers to launch significant DDoS attacks.
Credential-based attacks: Using stolen login IDs and passwords is a popular method for hackers because many people's logins are already floating around online thanks to massive data leaks such as Collection #1. Once a business's smart device's application layer is breached, hackers can access any device connected to the network.
Data theft and exposure: Adding IoT devices to your home or office will introduce more potential entry points for hackers to access data. This increases the risk of personal information being stolen and exposed on the internet. A good example of this is when hackers used Amazon's Alexa to issue self-commands allowing the attackers to control smart lights, buy items on Amazon, and tamper with calendars.
Incorrect device management and configuration: Similar to the above, the more devices and accounts you add, the greater the chance of reusing passwords and usernames. Companies often ship IoT devices with default logins that should be changed during their setup. However, a survey of CIOs and IT managers showed that almost 50% of them allowed IoT devices onto their corporate network without changing the default passwords.
Complex ecosystem and smart device diversity: An office's IoT ecosystem can quickly become a juggernaut of interconnected devices. These devices have many moving parts that operate at different levels. Overseeing and managing your wide array of IoT devices will help you prevent IoT attacks.
Not following security by design: Cybersecurity is generally not the main focus of many IoT devices, often taking a backseat to its functionality. Your office's IoT security could be at risk because specific devices may have cybersecurity weaknesses that need to receive software updates. There's also the possibility that any security features may be obsolete if the product is discontinued and no longer supported by its developer.
Mitigating supply chain risk: the role of SBOMs in IoT
When you buy a piece of software or a connected device, you aren't just getting one product—you're getting a bundle of third-party components, open-source libraries, and proprietary code. This complex web is your software supply chain, and it's often where hidden cyber risks live. To manage this, security teams are increasingly relying on a software bill of materials (SBOM). Think of an SBOM as a complete ingredient list for a device’s software. It’s a formal, structured record that details every component used to build the product, including versions and license types.
Knowing these ingredients is essential for effective patching and vulnerability management. Without an SBOM, it’s impossible to know if your office’s smart security cameras are affected by a newly discovered vulnerability in a specific open-source library. You simply don't know if that specific code is inside your device. With an SBOM, however, your team can detect exactly which assets are at risk the moment a new vulnerability is announced. This transparency provides a clear roadmap for faster risk assessment, helping you apply patches or mitigation strategies before a threat can be exploited.
Examples of IoT security threats
Jeep Grand Cherokee
Back in 2015, security researchers Charlie Miller and Chris Valasek set out to see if they could remotely hack into and take control of a new Jeep model—the Jeep Grand Cherokee. They ran a series of cybersecurity tests, and sure enough, they found a major backdoor in the Jeep's built-in infotainment system, which handles things like navigation and entertainment.
Using this vulnerability, they were able to connect to the car's other systems and take control of the car's key mechanics like braking, engine control, air conditioning, and transmission. Basically, they turned that Jeep into one of the most expensive remote-controlled toy cars in the world! After this demonstration, Chrysler (the owner of Jeep) had no choice but to recall more than 1 million Grand Cherokees to fix the software vulnerability.
Mirai botnet
Probably the most famous—or infamous, actually—IoT security breach ever, the Mirai botnet was first identified in 2016 and has remained a persistent cyber threat ever since. It works by infecting vulnerable IoT devices—like AVTECH CCTV cameras and Four-Faith industrial routers—and using them to launch large-scale distributed denial-of-service (DDoS) attacks.
In 2018, a Mirai variant was used in a 1.35 Tbps DDoS attack against GitHub, briefly knocking the platform offline. In 2020, the FBI issued a warning that Mirai-based attacks could go beyond websites and target critical infrastructure, like power grids and industrial systems.
But here's the real problem: the Mirai botnet is still out there. Its original creators released the source code online, and since then, cybercriminals worldwide have been modifying and weaponizing it. Even today, in 2025, Mirai-based botnets are still behind record-breaking cyberattacks, targeting everything from internet service providers to government networks.
ThroughTek
In 2021, security researchers uncovered a serious flaw in ThroughTek's IoT software, which is used in millions of smart cameras, baby monitors, and security systems around the world. It turned out that hackers could use this vulnerability to remotely access live video and audio streams from the cameras, and in some cases, even take full control of these devices, exposing sensitive footage from homes and businesses in the process.
The vulnerability was so severe that the Cybersecurity and Infrastructure Security Agency (CISA) issued an urgent warning, rating it 9.1 out of 10 on the severity scale.
How to secure IoT devices
The good news is that maintaining an overall good cybersecurity policy for your company will help safeguard your IoT devices. Training your staff with cybersecurity best practices and appointing specific admin roles to deal with the security of IoT devices in your organization are all methods for securing your business from IoT threats.
Regularly updating and checking IoT devices for patches: By staying up to date with your IoT devices' firmware, you're better equipped to protect your workplace from ever-evolving cyber threats. While people regularly update their computers and phones, they may forget to update their IoT devices.
Monitoring device behavior: By knowing your device's base behavior and aspects such as its performance or regular network activity, you can recognize irregular behavior and intervene if you notice any deviations to your device's performance.
Using strong and unique passwords: Using a password manager for your organization helps secure your IoT data security. creates unique, complex passwords. Additionally, it regularly reminds you to update passwords if they're old, reused, or weak.
Checking app permissions for IoT devices: If an IoT device comes with an app, it is better to review the permissions it's requesting before allowing access to your device or network. You shouldn't grant apps more permissions than are strictly necessary.
Applying network segmentation and network security: Your workplace should have a way to monitor network activity and any devices connected to it. Tracking this information will help you recognize irregular internet traffic and act as an additional layer of security. This means that if one device is affected by an attack, it won't be passed on to your other devices.
Considering additional security solutions and tools: To secure the app component of IoT devices, consider only accessing the app via a VPN. Doing so will encrypt the data transferred and give your network an extra layer of security.
Using multi-factor authentication (MFA): The more layers of security (authentication factors) smart devices used in your workplace have, the safer your company assets are. Incorporating additional factors to authenticate the user, such as biometric data or the user's geolocation, makes your IoT devices less vulnerable to cyber attacks.
Applying Cloud IoT Security: Many IoT applications leverage cloud computing for storing, processing, and analyzing data. Therefore, it's essential to implement security strategies, procedures, and tools that encompass cloud security if your organization utilizes smart devices.
How NordPass Business boosts your IoT security
The surge of IoT devices in private and professional settings provides more potential routes for hackers to steal valuable data and information. These devices and networks are more intertwined than ever, meaning cybersecurity for IoT shouldn't be ignored. For companies working with large amounts of data, NordPass Enterprise is the cybersecurity solution you're looking for. With NordPass, you can securely store and share login credentials for all your accounts and generate strong, unique logins in no time. NordPass allows you and your colleagues to quickly access important office notes (alarm PINs, WiFi passwords, and recovery codes) in one place.
Try NordPass Business' free 14-day trial and discover how a business password manager can make corporate data security a smooth experience.