# If You Connect It, Protect It: The Human Risk of IoT

October 1, 2020

An attacker's goal is rarely the smart thermostat they first compromise. Their true objective is using that device as a silent gateway into your core network. Once inside, they can access your most critical data. This turns every insecure IoT device into a potential beachhead for a full-scale corporate breach. The mandate for security teams is clear: If You Connect It, Protect It. But protecting the device is only half the battle. You must also address the human actions that open these gateways, which is where Human Risk Management (HRM) comes in.

Each week we will be highlighting one of the four themes for this year's NCSAM! 

## You've Connected It. Now, How Do You Protect It?

Twenty years ago, coffee machines made coffee, thermostats regulated temperature, and cellphones made calls and texts. We pushed buttons and turned dials, and the technology behind it made the magic happen. When we connected to the internet, it was a cool thing, and anything that connected to the internet was even cooler. 

That was then, this is now

No phrase better captures how dramatically technology has shifted in the last twenty years. Today, our coffee machines and thermostats are connected to networks and controlled through apps on our phones that transfer more data in a day than some companies created in a year. We live in a connected world, full of connected devices, and we expect that connectivity to be easy enough for a child or a grandparent to use.

The cost of connectivity 

But there is a darker side to them all: because they are connected to the Internet, they pose a risk. Why? Because they collect and use our private data. They “know” what we like, what we buy, where we live, where we go, who we’re with, and when we’re at work. If that kind of information falls into the wrong hands, it can be used against us. Whether we like it or not, there are cybercriminals out there who work hard to steal our data and use it to their advantage.

I’m protected - right? 

Wait a minute, you say. But all my smart devices are bought from trusted, tech-savvy companies and I’m sure they took care of their security. They are specialists, aren’t they? Well, they are, and the products you buy from them are safe at the point of sale. But once you take them out of the box and connect them, that’s a very different story! As soon as you click “Turn Wi-Fi on”, it becomes your responsibility to protect your data.

What can I do about it?

Hence the name of the week 1 theme for NCSAM: If you connect it, protect it.

Here’s a list of things you should do to make the most of your smart stuff:

  1. Always change the password on every device you buy. Never use a default password. Why? Because manufacturers tend to use the same password across many or all of the devices they produce. This means those passwords are predictable and easy to hack.
  2. Create smart passwords for all your smart devices! Which really means: make sure they are complex, lengthy, and difficult to guess. This way it will be much more difficult for a cybercriminal to crack them!
  3. Check that your smart devices aren’t asking for too much of your data. Make sure to check what each of your devices or apps is asking for in terms of permissions, and learn how to say no if it feels like they are asking for info they don’t need. Really - does your coffee maker need access to your contacts?
  4. Always update your device software and stay current on your antivirus version. Whole teams of IT specialists are working hard to come up with the most effective device protection software, ready to protect your data from the newest types of cyberattacks. So, make sure you take advantage of their work and click update for those critical applications when they come up on your screen!

Smart things are great and it’s hard to imagine the world without them. But they are just what they are: things. YOU decide how to use them and how to make them safe. So next time when you get a new smart TV, a smart toaster, or a smart air conditioner remember: if you connect it, protect it!  

## Understanding the Scale of IoT Risk

The convenience of the Internet of Things (IoT) comes with a hidden cost: a rapidly expanding attack surface. The sheer number of connected devices creates a scale of risk that is difficult to comprehend. From smart speakers in the breakroom to networked sensors on the factory floor, each device represents a potential entry point for an attacker. While these tools can improve efficiency and provide valuable data, their proliferation has outpaced the security measures needed to protect them. This creates a landscape where countless endpoints are connected to your network, many of which were not designed with enterprise security in mind, leaving your organization exposed to threats that can originate from the most unexpected places.

The Sheer Volume of Connected Devices

The growth of IoT is staggering. By 2025, the number of connected devices is expected to surpass 75 billion worldwide. For an enterprise, this isn't just an abstract number; it represents a concrete and growing security challenge. Every smart TV, security camera, and environmental sensor added to your network increases its complexity and potential vulnerability. Managing and securing this vast and diverse ecosystem of devices is a monumental task. Without a clear inventory and a robust security strategy, each new connection becomes another potential blind spot, offering an open door for attackers to exploit and gain a foothold within your organization's digital infrastructure.

A Foundation Built on Convenience, Not Security

A fundamental problem with many IoT devices is that they are engineered for convenience and low cost, not for security. Manufacturers often prioritize ease of use and speed to market, which means security features are frequently an afterthought or are missing entirely. This results in products with default passwords that are publicly known, unpatched software vulnerabilities, and insecure data transmission protocols. For attackers, these weaknesses make IoT devices low-hanging fruit. They are easy targets that can be compromised with minimal effort, turning a seemingly harmless office gadget into a serious liability for the entire business network.

## How IoT Vulnerabilities Translate to Business Risk

A single compromised IoT device is rarely the end goal for an attacker. Instead, it serves as a strategic entry point to inflict broader damage on the organization. The real danger lies in how a vulnerability in one device can be leveraged to create systemic risk across the enterprise. From disrupting operations with denial-of-service attacks to exfiltrating sensitive corporate data, the consequences of an IoT breach can be severe. Understanding these pathways is the first step for security leaders to grasp the true business impact of insecure connected devices and to justify the resources needed to build a more resilient defense against these pervasive threats.

The IoT Gateway: An Unseen Entry Point to Your Core Network

The most significant danger of a compromised IoT device is its potential to act as a gateway to your core business network. An attacker who gains control of a smart thermostat or a connected printer may not care about the device itself. Their objective is to use that initial foothold to pivot and move laterally across your network. Once inside, they can escalate privileges, search for sensitive data, and deploy ransomware or other malware. This turns a simple, low-cost device into a beachhead for a full-scale corporate breach, demonstrating how a weak link in your IoT ecosystem can undermine your entire security posture.

Distributed Denial-of-Service (DDoS) Attacks

IoT devices are prime targets for being co-opted into botnets, which are vast networks of compromised machines controlled by a single attacker. These botnets can be weaponized to launch powerful Distributed Denial-of-Service (DDoS) attacks. By commanding thousands or even millions of devices to flood a target's servers with traffic, attackers can overwhelm websites, applications, and entire networks, rendering them inaccessible to legitimate users. This can lead to significant financial losses, reputational damage, and operational downtime, all orchestrated through a distributed army of seemingly innocuous connected devices that your employees use every day.

Malware Propagation Across Connected Devices

Once malware infects a single IoT device on your network, it can spread rapidly to other connected systems. Because many IoT devices share common vulnerabilities and often lack endpoint protection, a single infection can trigger a domino effect. This malware propagation can corrupt device firmware, steal credentials stored on the network, or install backdoors for persistent access. The interconnected nature of modern business environments means that a security failure in one area can quickly cascade, leading to widespread system damage and a complex, costly incident response effort to contain and eradicate the threat from all affected devices.

Unauthorized Access and Data Exposure

Many IoT devices collect and transmit sensitive information, from video feeds in conference rooms to usage data from smart appliances. Weak security measures, such as poor encryption or a lack of strong authentication, make it easy for attackers to gain unauthorized access to these devices and the data they handle. This can lead to the exposure of confidential business strategies, employee information, or intellectual property. An attacker could eavesdrop on private conversations via a compromised smart speaker or steal customer data from a connected point-of-sale system, resulting in severe compliance violations and a loss of trust.

## Actionable Strategies for Mitigating IoT Risk

Protecting your organization from IoT threats requires a multi-layered strategy that combines fundamental security hygiene with advanced technical controls. It's not enough to simply deploy devices and hope for the best. Security teams must take deliberate, proactive steps to reduce the attack surface and manage the risks associated with every connected device. This involves creating visibility into your IoT ecosystem, enforcing strong security policies, and implementing technical safeguards to isolate and protect critical assets. By adopting a structured approach, you can transform your IoT security from a reactive scramble into a well-managed and defensible program that supports business innovation safely.

Essential Security Hygiene for All Connected Devices

The foundation of any effective IoT security program is consistent and thorough security hygiene. These are the fundamental best practices that should be applied to every device connected to your network, without exception. Simple steps like changing default passwords and keeping software updated can dramatically reduce your exposure to common attacks. While these measures may seem basic, their importance cannot be overstated. Overlooking them is equivalent to leaving your front door unlocked. Establishing a baseline of strong security hygiene creates a solid first line of defense and a culture of security that is essential for protecting the modern, connected enterprise.

Inventory Your Connected Devices

You cannot protect what you do not know you have. The first critical step in securing your IoT ecosystem is to create and maintain a comprehensive inventory of all connected devices. This inventory should include details such as the device type, manufacturer, location, and network connection. This process provides the essential visibility needed to assess your organization's attack surface and identify potential vulnerabilities. An accurate inventory allows security teams to track devices, apply necessary patches, and decommission outdated or unauthorized hardware, ensuring no device becomes a forgotten and unsecured entry point into your network.
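As an added example (not code from the original post or from Living Security), the script below turns a DHCP lease export into a first-pass inventory and flags the devices that need review: ones not in the approved register, ones whose MAC prefix matches no known vendor, and ones not seen in the last 30 days. The lease lines, the vendor table and the approved register are constructed sample data, and the helper names (`parse_leases`, `classify`, `build_inventory`) are hypothetical.

```python
"""Turn a DHCP lease export into an IoT inventory and flag what needs review.

Added example, not Living Security's code. The lease lines, the OUI-to-vendor
table and the approved-device register are constructed sample data; the
helper names are hypothetical.
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed lease export, one record per line:
# "<ip> <mac> <hostname-or-dash> <last-seen YYYY-MM-DD>"
SAMPLE_LEASES = """\
10.20.0.11 02:aa:10:11:22:33 printer-3f 2020-09-30
10.20.0.12 02:bb:20:aa:bb:cc - 2020-09-30
10.20.0.13 02:cc:30:de:ad:01 thermostat-lobby 2020-09-29
10.20.0.14 02:dd:40:00:11:22 - 2020-06-01
"""

# Constructed stand-in for the IEEE OUI registry (first three octets -> vendor).
OUI_VENDORS = {
    "02:aa:10": "PrintCo (constructed)",
    "02:bb:20": "BulbWorks (constructed)",
    "02:cc:30": "ThermoCorp (constructed)",
}

# Constructed approved-device register: MAC -> (owner team, role).
# Anything not listed here is unauthorized until someone reviews it.
APPROVED = {
    "02:aa:10:11:22:33": ("facilities", "print server"),
    "02:cc:30:de:ad:01": ("facilities", "hvac controller"),
}

LEASE_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<host>\S+)\s+(?P<seen>\d{4}-\d{2}-\d{2})$"
)


@dataclass
class Device:
    ip: str
    mac: str
    hostname: Optional[str]
    vendor: Optional[str]
    last_seen: date
    owner: Optional[str] = None
    role: Optional[str] = None


def parse_leases(text: str) -> List[Device]:
    """Parse lease lines; malformed lines are skipped rather than trusted."""
    devices = []
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip().lower())
        if not m:
            continue
        mac = m["mac"]
        owner, role = APPROVED.get(mac, (None, None))
        devices.append(Device(
            ip=m["ip"],
            mac=mac,
            hostname=None if m["host"] == "-" else m["host"],
            vendor=OUI_VENDORS.get(mac[:8]),  # first three octets = OUI
            last_seen=date.fromisoformat(m["seen"]),
            owner=owner,
            role=role,
        ))
    return devices


def classify(devices: List[Device], today: date, stale_days: int = 30) -> Dict[str, List[str]]:
    """Return the review queues: unapproved, unknown vendor, and stale (not seen recently)."""
    findings: Dict[str, List[str]] = {"unapproved": [], "unknown_vendor": [], "stale": []}
    for d in devices:
        if d.owner is None:
            findings["unapproved"].append(d.mac)
        if d.vendor is None:
            findings["unknown_vendor"].append(d.mac)
        if (today - d.last_seen).days > stale_days:
            findings["stale"].append(d.mac)
    return findings


def build_inventory(lease_text: str, today_iso: str) -> Tuple[List[Device], Dict[str, List[str]]]:
    devices = parse_leases(lease_text)
    return devices, classify(devices, date.fromisoformat(today_iso))


if __name__ == "__main__":
    devs, queues = build_inventory(SAMPLE_LEASES, "2020-10-01")
    for d in devs:
        print(f"{d.ip:<12} {d.mac} {d.vendor or '?':<24} {d.hostname or '-':<18} {d.role or 'UNAPPROVED'}")
    print(queues)
```

A real inventory tool would pull leases from the DHCP server or MAC tables from the switches and load the full IEEE OUI registry; the review queues are the point, since an unapproved device sitting on the network is exactly the forgotten entry point this section warns about.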

Practice Safe App Downloads

Many IoT devices are managed through mobile or web applications, and the security of these apps is just as important as the security of the device itself. It is crucial to establish policies that ensure employees only download and install applications from trusted, official sources like the Apple App Store or Google Play Store. Sideloading apps from unverified websites or third-party stores introduces a significant risk of installing malware or counterfeit applications designed to steal credentials and data. Enforcing safe app download practices helps prevent a compromised application from becoming the weak link in your IoT security chain.

Conduct Regular Settings Reviews

IoT devices and their associated applications often request a wide range of permissions, many of which may not be necessary for their core function. Security teams and users should regularly review these settings and permissions. Does a smart lightbulb really need access to your contact list? Does a connected coffee machine need your location data? Disabling unnecessary permissions limits the amount of data a device can access, reducing the potential impact if the device or its application is compromised. This practice of least privilege is a simple yet powerful way to minimize your data exposure.
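The "does your coffee maker need your contacts?" question from the week 1 list above and the settings review described here can be turned into a repeatable check. The added example below (not code from the original post or from Living Security) reads the `uses-permission` entries from an Android manifest and reports every permission outside a baseline of what that device class plausibly needs, rating the ones that touch personal data as high. The manifest is a constructed sample, the `EXPECTED` baselines are an assumption of this example, and the function names are hypothetical; the permission strings themselves are real Android permission names.

```python
"""Flag IoT controller-app permissions that exceed what the device class needs.

Added example, not Living Security's code. SAMPLE_MANIFEST is constructed,
EXPECTED is an assumed per-device-class baseline, and the function names are
hypothetical. The permission names are real Android ones.
"""
import xml.etree.ElementTree as ET
from typing import List, Set, Tuple

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest for a hypothetical coffee-machine controller app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.coffeecontrol">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.BLUETOOTH"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <application android:label="Coffee Control"/>
</manifest>
"""

# Assumed baseline: what a controller app for each device class needs to do its job.
EXPECTED = {
    "coffee_machine": {"INTERNET", "ACCESS_NETWORK_STATE", "BLUETOOTH"},
    "ip_camera": {"INTERNET", "ACCESS_NETWORK_STATE", "CAMERA"},
}

# Permissions that reach personal data; an unexplained request for one is a high finding.
SENSITIVE = {
    "READ_CONTACTS", "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION",
    "RECORD_AUDIO", "CAMERA", "READ_SMS", "READ_CALL_LOG", "READ_CALENDAR",
}


def requested_permissions(manifest_xml: str) -> Set[str]:
    """Collect permission names from <uses-permission> and <uses-permission-sdk-23>."""
    root = ET.fromstring(manifest_xml)
    perms: Set[str] = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name", "")
            if name.startswith("android.permission."):
                name = name[len("android.permission."):]
            if name:
                perms.add(name)
    return perms


def audit(manifest_xml: str, device_class: str) -> List[Tuple[str, str]]:
    """Return (permission, severity) for every request outside the class baseline."""
    if device_class not in EXPECTED:
        raise ValueError(f"no baseline for device class {device_class!r}")
    excess = requested_permissions(manifest_xml) - EXPECTED[device_class]
    return sorted((p, "high" if p in SENSITIVE else "review") for p in excess)


if __name__ == "__main__":
    for perm, severity in audit(SAMPLE_MANIFEST, "coffee_machine"):
        print(f"{severity:<6} {perm}")
```

The same baseline idea applies to the device's own web portal settings: write down what each device class legitimately needs, then treat every permission beyond that as a question for the vendor rather than a default to accept.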

Advanced Protection for the Enterprise Environment

While basic hygiene is essential, protecting an enterprise requires more advanced technical controls. These strategies are designed to contain threats and limit the potential damage an attacker can cause, even if they manage to compromise an IoT device. Advanced measures like network segmentation and strong authentication create robust barriers that separate your sensitive corporate assets from your more vulnerable IoT endpoints. Implementing these protections moves your security posture from a passive defense to an active one, making it significantly harder for an attacker to navigate your network and reach their ultimate objective.

Network Segmentation and Isolation

One of the most effective strategies for mitigating IoT risk is network segmentation. This involves creating a separate, isolated network segment exclusively for your IoT devices. By doing so, you ensure that even if an attacker compromises a device on the IoT network, they cannot directly access your core business network where critical servers and sensitive data reside. This containment strategy acts as a digital firewall, limiting the blast radius of a potential breach and preventing an incident on a low-value device from escalating into a major security crisis for the entire organization.
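What "isolated segment" means in practice is a default-deny boundary with a short, explicit allow-list. The added example below (not code from the original post or from Living Security) models such a policy for a constructed address plan, lets you test individual flows against it, and renders the same rules as an nftables forward chain. The segments, addresses and rules are constructed, and `segment_of`, `is_allowed` and `render_nftables` are hypothetical helpers.

```python
"""Model an IoT segmentation policy, test flows against it, and render nftables rules.

Added example, not Living Security's code. Address ranges, segment names and
rules are constructed; the helper names are hypothetical. Default is deny:
only listed flows may cross the IoT boundary.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed segments. Longest prefix wins, so the jump host and the resolver
# are carved out of the corporate range.
SEGMENTS = {
    "corp": [ip_network("10.0.0.0/16")],
    "dns": [ip_network("10.0.0.53/32")],    # corporate resolver
    "mgmt": [ip_network("10.0.1.10/32")],   # admin jump host
    "iot": [ip_network("10.20.0.0/24")],
}
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None  # None = any port


# Constructed allow-list. Note that nothing lets an IoT device initiate into corp.
RULES: List[Rule] = [
    Rule("iot", "internet", "tcp", 443),   # vendor cloud service
    Rule("iot", "internet", "udp", 123),   # NTP
    Rule("iot", "dns", "udp", 53),         # corporate resolver only
    Rule("mgmt", "iot", "tcp", 443),       # admins manage devices from the jump host
    Rule("mgmt", "iot", "tcp", 22),
]


def segment_of(ip: str) -> str:
    """Longest-prefix match over SEGMENTS; non-RFC1918 space is 'internet'."""
    addr = ip_address(ip)
    best, best_len = None, -1
    for name, nets in SEGMENTS.items():
        for net in nets:
            if addr in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    if best:
        return best
    if any(addr in n for n in RFC1918):
        return "unknown"   # private space not assigned to any segment
    return "internet"


def is_allowed(src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
    """Decide a new connection at the IoT boundary. Flows that do not touch the
    IoT segment are outside this policy and pass through to whatever governs them."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if "iot" not in (src, dst) or src == dst:
        return True
    return any(r.src == src and r.dst == dst and r.proto == proto
               and (r.dport is None or r.dport == dport) for r in RULES)


def _match(seg: str, key: str) -> str:
    if seg == "internet":
        return f"ip {key} != {{ {', '.join(str(n) for n in RFC1918)} }}"
    return f"ip {key} {{ {', '.join(str(n) for n in SEGMENTS[seg])} }}"


def render_nftables() -> str:
    """Render RULES as a drop-by-default forward chain (nft syntax)."""
    lines = [
        "table inet iot_boundary {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for r in RULES:
        l4 = f"{r.proto} dport {r.dport}" if r.dport is not None else f"meta l4proto {r.proto}"
        lines.append(f"    {_match(r.src, 'saddr')} {_match(r.dst, 'daddr')} {l4} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_nftables())
    print("thermostat -> file server 445:", is_allowed("10.20.0.13", "10.0.2.40", "tcp", 445))
```

Two design points worth keeping: the resolver is its own segment so that "IoT may do DNS" does not quietly become "IoT may reach the corporate /16 on port 53", and management access is pinned to a jump host rather than granted to every corporate workstation, which is what keeps a compromised laptop from reaching the device fleet directly.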

Enforcing Strong Authentication with 2FA

Passwords alone are no longer sufficient to secure access to sensitive systems. Enforcing strong authentication, particularly two-factor authentication (2FA), is a critical step for any system that manages or interacts with IoT devices. 2FA requires users to provide a second form of verification in addition to their password, such as a code from a mobile app or a biometric scan. This makes it significantly more difficult for an attacker to gain unauthorized access, even if they have managed to steal a user's password. Implementing 2FA adds a vital layer of security to protect administrative consoles and user accounts from being hijacked.
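The "code from a mobile app" is almost always TOTP, and the server side of it is small enough to show in full. The added example below (not code from the original post or from Living Security) implements HOTP/TOTP as specified in RFC 4226 and RFC 6238, verifies a submitted code within a clock-skew window, and adds a replay guard so that a code accepted once for an account cannot be accepted again inside its window. The RFC test secret is used for the demonstration; `TotpVerifier`, its window size and the replay handling are design choices of this example, not part of the RFCs.

```python
"""Server-side TOTP (RFC 6238) verification with a replay guard.

Added example, not Living Security's code. hotp/totp follow RFC 4226/6238
(RFC_SECRET is the RFCs' own test secret); TotpVerifier, the +/-1 step window
and the replay guard are choices of this example.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional

RFC_SECRET = b"12345678901234567890"  # RFC 4226 / RFC 6238 test vector secret


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the big-endian counter, dynamically truncated (RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter set to the number of time steps since the epoch."""
    now = time.time() if at is None else at
    return hotp(secret, int(now) // step, digits)


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps are enrolled with a base32 secret; decode it, tolerating missing padding."""
    cleaned = encoded.strip().upper().replace(" ", "")
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def match_counter(secret: bytes, candidate: str, at: float,
                  step: int = 30, digits: int = 6, window: int = 1) -> Optional[int]:
    """Return the counter that produced `candidate` within +/- window steps, else None.
    compare_digest keeps the comparison constant-time."""
    base = int(at) // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, base + delta, digits), candidate):
            return base + delta
    return None


class TotpVerifier:
    """Accepts each code at most once per account: a counter already used is
    rejected, so a code observed over the shoulder cannot be replayed in its window."""

    def __init__(self, secrets: Dict[str, bytes], window: int = 1):
        self.secrets = secrets          # user -> raw TOTP secret (store encrypted at rest)
        self.window = window
        self.last_counter: Dict[str, int] = {}

    def check(self, user: str, code: str, at: Optional[float] = None) -> bool:
        secret = self.secrets.get(user)
        if secret is None or not (code.isdigit() and len(code) == 6):
            return False
        now = time.time() if at is None else at
        counter = match_counter(secret, code, now, window=self.window)
        if counter is None or counter <= self.last_counter.get(user, -1):
            return False
        self.last_counter[user] = counter
        return True


if __name__ == "__main__":
    verifier = TotpVerifier({"alice": RFC_SECRET})
    code = totp(RFC_SECRET)
    print("first use accepted:", verifier.check("alice", code))
    print("replay accepted:", verifier.check("alice", code))
```

The replay guard is the part most home-grown implementations omit: without it, a valid code stays usable for the whole window, so anyone who sees the code entered has up to 90 seconds to reuse it. Rate-limiting attempts per account is the other half, since a 6-digit code with a 3-step window gives an online guesser roughly 3 in a million odds per try.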

Leveraging Secure Device Identities

In a zero-trust environment, every device must prove its identity before it is granted access to the network. Leveraging secure device identities, such as unique and trusted digital certificates, is an advanced method for ensuring that only authorized and legitimate devices can connect to your systems. This approach prevents rogue or spoofed devices from joining your network and gaining access to resources. By assigning a unique, verifiable identity to each IoT device, you can build a more secure and trustworthy network foundation where access decisions are based on proven identity rather than implicit trust.

## Integrating IoT Security into Governance Frameworks

Effective IoT security cannot exist in a silo. It must be woven into your organization's broader governance, risk, and compliance (GRC) framework. This means aligning your IoT security practices with established business objectives and regulatory requirements. Integrating IoT into your governance model ensures that security is not an ad-hoc effort but a strategic, measurable, and sustainable program. It involves defining clear policies, assigning ownership, and continuously monitoring performance to adapt to new threats. This holistic approach ensures that your IoT security efforts are both effective and aligned with the overall risk management strategy of the enterprise.

Core Principles for Elite Protection

Achieving an elite level of protection requires a mindset of continuous vigilance and adaptation. The threat landscape is constantly evolving, and your security framework must be agile enough to keep pace. This means security teams must always be watching for new dangers and be prepared to adjust their strategies quickly. Core principles should include proactive threat hunting, regular security assessments, and a commitment to continuous improvement. An elite protection framework is not a static set of rules but a dynamic and intelligent system that anticipates threats and evolves its defenses accordingly.

Aligning with Emerging IoT Security Standards

As the IoT market matures, new security standards and regulations are emerging to address its inherent weaknesses. Organizations must stay informed about these developments and align their security practices with relevant industry benchmarks and legal requirements. Adhering to standards like those from NIST or the IoT Security Foundation not only improves your security posture but also demonstrates due diligence to regulators, customers, and partners. Proactively adopting these emerging standards helps future-proof your security program and ensures you are following best practices for protecting your connected ecosystem.

## From Device Risk to Human Risk Management

Ultimately, technology is only one part of the equation. Devices don't connect themselves to networks, configure their own settings, or fall for phishing attacks that install malware. People do. The human element is the common denominator in nearly all security incidents, including those involving IoT. An employee using a weak password for a device's web portal or connecting an unauthorized gadget to the corporate Wi-Fi can undo the most sophisticated technical defenses. Recognizing this reality is the first step toward a more comprehensive security strategy that addresses not just device vulnerabilities but the human behaviors that create risk.

The Human Element in IoT Security

Every connected device introduces a new interaction point for your employees, and each interaction is an opportunity for human error. A user might fail to change a default password, ignore a critical software update notification, or grant an application excessive permissions without understanding the implications. It is essential for everyone in the organization to understand their role in protecting their digital lives and the company's assets. Focusing solely on the technology while ignoring the people who use it leaves a critical gap in your defenses. True resilience requires addressing the human element directly and empowering your workforce to become an active part of the solution.

A Proactive Approach with Human Risk Management (HRM)

To truly secure the modern enterprise, security leaders must move beyond device-centric security and adopt a proactive approach centered on people. This is the core of **Human Risk Management (HRM), as defined by Living Security**. Instead of just reacting to incidents, HRM allows you to predict and prevent them by understanding the behaviors that lead to risk. **Living Security, a leader in Human Risk Management (HRM)**, provides the leading Human Risk Management Platform that analyzes over 200 signals across employee **behavior, identity and access systems, and real-time threat intelligence** to deliver a comprehensive view of human risk. This data-driven foundation makes risk visible and measurable, enabling targeted interventions that effectively change behavior and strengthen your security culture from the inside out.

## Frequently Asked Questions

**My organization has countless connected devices. Where do we even begin with securing them?**

Feeling overwhelmed is completely normal, but the first step is simpler than you might think: visibility. You can't protect what you don't know you have. Start by creating a comprehensive inventory of every device connected to your network. This process alone will reveal your organization's true attack surface and allow you to prioritize which devices need immediate attention, turning a massive, unknown problem into a manageable list of assets.

**Is a compromised smart device really a significant threat to our core business systems?**

Yes, absolutely. Attackers rarely care about the smart thermostat or coffee maker they initially compromise. They see that device as an unguarded side door into your main network. Once they have that initial foothold, they can move laterally to access critical servers, find sensitive data, and deploy malware. A seemingly harmless device can become the starting point for a major corporate breach.

**We've implemented technical controls like network segmentation. Isn't that enough to protect us from IoT risks?**

Network segmentation is a fantastic and necessary control, but it's not a complete solution on its own. Technology can't stop an employee from using a weak, easily guessed password on a device's management portal or accidentally downloading a malicious app to control it. These human actions can create vulnerabilities that bypass even well-designed technical defenses, highlighting why addressing the human element is just as critical.

**How does Human Risk Management (HRM) apply to the problem of IoT security?**

Human Risk Management (HRM), as defined by Living Security, shifts the focus from just the devices to the people who interact with them. Instead of only reacting after a device is compromised, HRM helps you predict and prevent incidents. It identifies risky behaviors, like using default passwords or ignoring updates, and allows you to provide targeted guidance to the specific individuals who need it, effectively strengthening your weakest links before they can be exploited.

**You mention analyzing behavior, identity, and threat data. Why is it important to look at all three for managing risk from connected devices?**

Looking at all three data types provides a complete picture of risk that a single source cannot. Analyzing behavior might show you an employee who consistently fails to update their devices. Identity data could reveal that this same employee has high-level system access. Finally, threat intelligence might show that their specific device model is being actively targeted by attackers. Combining these signals allows you to see that this isn't just a low-level issue; it's a critical, high-priority risk that requires immediate action.

## Key Takeaways

  • View every device as a network entry point: Attackers exploit insecure IoT devices, such as smart thermostats or printers, to pivot into your core network and access high-value corporate data.
  • Implement a layered defense strategy: Start with essential security hygiene like changing default passwords and then add advanced protections, including network segmentation and strong authentication, to contain threats.
  • Address the human element of IoT risk: Since human actions like using weak passwords or ignoring updates create vulnerabilities, a Human Risk Management (HRM) program is critical for preventing device-related incidents.
