Why IoT Security Must Be a Top Priority for Modern Enterprises

June 03, 2025

The modern enterprise is undergoing a rapid evolution, driven in large part by the growing number of Internet of Things (IoT) devices. As organizations embrace digital transformation and edge computing, the number of connected devices, many of which fall outside traditional IT governance, is growing at an unprecedented pace. While these technologies bring efficiency and innovation, they also create new security challenges that are often overlooked until it’s too late.

IoT devices range from simple sensors and smart thermostats to complex operational technologies (OT) such as drones or critical medical equipment. Regardless of complexity, the challenge is the same: how do we secure systems that were never designed with security in mind?

Prefer to watch? Find this discussion on IoT security, featuring Optiv’s Sean Tufts and Scott Farley, in the video below.

Understanding What Counts as IoT

The definition of IoT varies widely depending on context. For security practitioners, the distinction often comes down to two factors: business criticality and system architecture. Devices that are vital to core business functions but lack standard operating systems like Windows or Linux — such as badge readers, smart cameras or HVAC systems — typically fall into the IoT category. These are difficult to manage with traditional enterprise tools and often fly under the radar of asset inventory systems.

Adding to the complexity is the vast array of industries that rely heavily on IoT. While critical infrastructure sectors like oil, gas and electricity have long invested in industrial IoT, surprising trends have emerged in other verticals. Financial services, healthcare, professional services, education and even wholesale trade are increasingly dependent on IoT, creating new risk profiles and attack surfaces.

Hospitals, for example, are filled with mission-critical machines that are connected to the network and may not be visible through conventional IT lenses. Universities are another underappreciated vector, with sprawling campuses, experimental technologies and research labs often deploying IoT devices without robust security vetting.

The Silent Threats Lurking on the Network

The IT world is usually pretty guarded and well walled, right? IoT devices usually come in the side door. Unlike new laptops or servers, which are typically vetted through formal IT processes, IoT devices are frequently introduced by individual departments trying to solve specific problems. They get plugged in, connected to Wi-Fi and forgotten. That is, until a breach occurs.

These devices are difficult to inventory, monitor and control. Many lack standard identifying markers such as make, model and operating system. As a result, they end up in an "unknown" category within asset inventories, leaving organizations blind to their presence and unable to apply even basic security controls.

In one notable case, a state agency discovered a suite of unauthorized surveillance cameras in a prison yard after performing a more advanced asset inventory scan. The devices had been installed without oversight, raising both compliance and national security concerns. This scenario is far from unique and underscores the need for better visibility into IoT environments. It’s not unusual for organizations to discover more devices than they thought they had, making it easier for rogue devices to pop up on the network and go unnoticed.

The Security Gaps Created by Manufacturers

Another key factor contributing to IoT risk is the lack of manufacturers with a secure by design mindset. Many devices are developed without any consideration for confidentiality, integrity or availability. And when they do design sensors or IoT devices with security in mind, organizations don't tend to have the budgets to purchase and procure them.

Third-party risk is a particularly acute issue. Even when the organization itself is security-conscious, the vendors supplying IoT devices may not be. Whether it’s hardcoded admin credentials, unencrypted communications or outdated firmware with no upgrade path, the vulnerabilities often lie in places that are invisible until exploitation occurs.

Effective risk mitigation starts with demanding more from vendors. Organizations should require secure software development lifecycle (SDLC) processes, mandate default password changes and scrutinize device supply chains. Unfortunately, security is often a lower priority in RFP evaluations.

And even when we talk with these device makers, all of them have this opinion that cybersecurity won't win you a bid, but it could definitely lose you one. They know not having those best practices built in has really been knocking people out.

The Hidden Costs of Connectivity

While the value derived from IoT, especially in areas like uptime, analytics and automation, is undeniable, it comes at a cost. Many IoT protocols were never intended to connect to the internet. Now that they do, often over cellular or Wi-Fi networks, they create backdoors that undermine traditional air gaps and segmentation strategies.

5G, in particular, is a double-edged sword. Its ultra-low latency and edge computing capabilities make it ideal for real-time analytics, autonomous systems and smart infrastructure. But these same features also make it easier for rogue devices to communicate undetected. Think about an airport. As you're walking on the concourse, there are countless vending machines, selling everything from earbuds to state lotteries. They have an Ethernet cord in the wall, but then they also have a little cell antenna sticking out of the top. They've built 5G functionality into that vending machine kiosk, effectively dual homing them into public and private networks without adequate security controls.

Building a More Secure IoT Strategy

Securing IoT devices requires a layered and pragmatic approach. It begins with governance — integrating security requirements into procurement processes and establishing clear ownership of connected devices. Just as importantly, organizations need better visibility through improved asset inventory tools that can detect and classify IoT devices based on native protocols without disrupting operations.

Segmenting IoT devices into dedicated network enclaves is another best practice. This limits their ability to communicate with sensitive internal systems and reduces lateral movement if a device is compromised. Incorporating physical security, role-based access control and policy enforcement, both technical and procedural, rounds out a strong defense-in-depth strategy.

Logging, monitoring and alerting also play a crucial role. Integrating IoT telemetry into the security operations center (SOC) allows for faster incident detection and response. The ability to spot behavioral anomalies in devices, particularly those given specific roles or identities, enables proactive threat mitigation.

Lastly, encryption should not be overlooked. Many IoT devices transmit data in clear text, which leaves them vulnerable to interception and manipulation. Where possible, organizations should enforce encrypted communication channels and ensure firmware upgrades follow a trusted chain of custody.

Final Thoughts

The proliferation of IoT is transforming how businesses operate. But without proper security measures, these same devices can become the weakest link in an otherwise strong cybersecurity posture. From unauthorized cameras in correctional facilities to vending machines acting as cellular gateways, the threats are real and growing.

Modern enterprises must treat IoT as more than a technology issue — it is a strategic security priority. The ability to see, manage and secure every connected device is not optional; it is essential for protecting data, ensuring operational continuity and maintaining trust in an increasingly connected world.

To learn more about how to make IoT security an effective, strategic part of your cybersecurity program, Optiv experts are here to help.