IoT Device Security Best Practices: How to Protect Connected Devices Across Your Network
Last updated: May 2026
Most IoT devices ship with default credentials, limited encryption, and firmware that receives infrequent updates. They cannot run endpoint security agents. They communicate over protocols that many monitoring tools do not parse. And they are deployed at a scale that makes manual security management impossible. SonicWall recorded a 124% year-over-year increase in IoT attacks in 2024, Forescout found that routers and switches average 32 vulnerabilities per device in 2026, and the connected device population now exceeds 21 billion globally. The gap between the number of IoT devices on enterprise networks and the security controls protecting them continues to widen. This guide covers the IoT device security best practices that reduce real risk in production environments, from initial procurement through operational monitoring and end-of-life management.
On this page:
- Why IoT Devices Need Their Own Security Approach
- IoT Device Security Best Practices
- Configuration Management for IoT Devices
- Building an IoT Device Security Program
- IoT Device Security Best Practices by Industry
- Frameworks and Standards for IoT Device Security
- How Asimily Supports IoT Device Security Best Practices
Why IoT Devices Need Their Own Security Approach
Traditional IT security assumes the endpoint cooperates: it runs an agent, it authenticates to directory services, and it accepts patches on a regular cycle. IoT devices break every one of these assumptions. A network-connected infusion pump, a building HVAC controller, and an IP camera all lack the compute resources, memory, and operating system flexibility to support the security tools that protect a laptop or server.
This creates a set of challenges that IoT device security best practices must address directly:
No endpoint agent means no endpoint visibility. Without an agent, security teams have no direct telemetry from the device. Visibility must come from the network layer, through passive traffic analysis that observes what the device communicates with, how often, and over which protocols.
Patching is constrained by operational reality. IoT device manufacturers may not provide regular firmware updates. When patches exist, deploying them may require vendor coordination, compatibility testing, and maintenance windows. Some patches void manufacturer warranties. Some devices have reached end-of-life and will never receive another update. Forescout’s 2026 research found that 35% of devices in healthcare environments run legacy Windows systems.
Default credentials persist at scale. Multiple IoT botnets in 2025 and 2026, including Aisuru, Kimwolf, and Matrix, relied on default passwords as their primary recruitment method. Manufacturers often publish default credentials in publicly available documentation, and many organizations never change them after deployment.
Protocol diversity creates monitoring blind spots. IoT devices communicate over BACnet, Modbus, HL7, DICOM, MQTT, CoAP, and dozens of vendor-specific protocols. Standard IT security tools designed for HTTP/HTTPS and SMB traffic miss this communication entirely.
Scale overwhelms manual processes. A mid-size hospital may have 15,000 connected devices. A manufacturing campus might have 50,000. Writing security policies, assessing vulnerabilities, and monitoring behavior for each device manually is not viable.
IoT device security best practices must account for all of these constraints. The practices below are designed for the reality of how IoT devices actually operate, not the way IT security teams wish they would.
Related: IoT Security: The Complete Guide to Protecting Connected Devices
IoT Device Security Best Practices
1. Discover and Inventory Every IoT Device Continuously
You cannot secure devices you do not know are on your network. Enterprise environments routinely discover 15-30% more connected devices than IT teams expected once proper discovery tools are deployed. Facilities teams install building automation. Clinical engineers connect medical devices. Vendors deploy monitoring equipment during service visits. Each adds to the attack surface without appearing in a traditional IT asset inventory.
Discovery must be passive in environments with sensitive devices. Active scanning sends probes that can disrupt medical equipment, crash PLCs, and cause operational outages. Passive deep packet inspection observes network traffic without injecting packets, building an inventory from observed communications.
A useful inventory captures manufacturer, model, firmware version, operating system, communication patterns and peers, open ports, known vulnerabilities, operational role, and physical location. Asimily’s protocol analyzer uses passive deep packet inspection to discover and classify IoT devices across IT, IoT, OT, and IoMT environments. When the platform encounters a new device type, rapid protocol analysis allows classification without waiting for a product release cycle.
Related: Automated IoT Visibility and Deep Categorization
Related: IoT Device Visibility: The Foundation of IoT Security
2. Change Default Credentials at Deployment
Default usernames and passwords are one of the most commonly exploited attack vectors for IoT devices. Manufacturers include this information in publicly available manuals and technical documentation. The Aisuru, Kimwolf, and Matrix botnets all used automated scanning for default credentials as their primary infection method, collectively compromising millions of devices in 2024-2026.
Every IoT device should have its default credentials changed before it connects to the production network. Where possible, integrate IoT devices into your identity management system. For devices that do not support centralized authentication, maintain a credential inventory and audit for default passwords on a regular cycle. Disable any default administrative accounts that are not required for device operation.
3. Segment IoT Devices from Critical Systems
A flat network, where IoT devices share the same segments as user workstations, email servers, and domain controllers, allows an attacker who compromises any device to move laterally with minimal resistance. The Aisuru botnet’s Kimwolf variant demonstrated this by introducing a propagation method that reached devices on internal networks behind home routers.
IoT device security best practices require network segmentation at multiple levels. At minimum, IoT devices should be on separate VLANs from general-purpose IT. For higher security, apply targeted segmentation that groups devices by exploit vector rather than by location. Asimily’s targeted segmentation identifies the attack vectors across device populations and blocks them at the network level, protecting every device vulnerable to that vector simultaneously. The platform integrates with existing NAC platforms (including Cisco ISE), firewalls, and switch infrastructure, and the Policy Simulation feature lets teams preview effects before enforcement.
Related: Network Segmentation Security Best Practices
Related: Network Segmentation and Microsegmentation Solutions
4. Disable Unnecessary Features and Services
Many IoT devices ship with features, services, and open ports that your organization does not use: Telnet, FTP, UPnP, unnecessary web interfaces, debug modes, and cloud connectivity features. Each enabled service is an additional attack surface. SonicWall’s 2025 data showed that IoT cameras alone were targeted by over 17 million attacks in 2024, with many exploiting management interfaces that were enabled by default but never used by the device owner.
Disable everything that is not required for the device’s operational function. Close unused ports. Turn off remote management interfaces that are not actively used. If the device supports it, disable cloud phone-home features that are not part of your operational workflow. Disable Universal Plug and Play (UPnP), which automatically opens firewall ports and can expose devices to external traffic without the administrator’s knowledge. Document the resulting configuration as the device’s approved baseline, and use that baseline for configuration drift detection going forward.
5. Prioritize and Remediate Vulnerabilities by Actual Risk
A large connected device environment might carry hundreds of thousands of CVEs across thousands of devices. Treating every vulnerability equally buries security teams in work that does not meaningfully reduce risk.
Raw CVSS scores are insufficient for IoT. A critical CVSS score on a device sitting on a segmented network with no known exploit carries far less actual risk than a medium-severity vulnerability on an internet-facing device with a published proof-of-concept. Effective IoT vulnerability management requires contextual analysis: Is there a known exploit in the wild? Is the device reachable from the internet or from other compromised zones? What is the business function of the device? What compensating controls are already in place?
Asimily’s vulnerability prioritization combines analysis from Asimily Labs, AI/ML techniques, and the MITRE ATT&CK framework for attack path analysis. The platform determines whether a vulnerability on a specific device in a specific network context is realistically exploitable, reducing the actionable list by an order of magnitude.
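To make the contextual questions above concrete, here is an added illustration of how a finding's rank can depart from its raw CVSS score. This is example code written for this guide, not Asimily's scoring logic; the weights, device names and placeholder vulnerability identifiers are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import List

@dataclass
class Finding:
    """One vulnerability on one device, with the context the questions above ask for."""
    device: str
    vuln_id: str                # placeholder identifiers, not real CVE numbers
    cvss: float                 # base score, 0.0 - 10.0
    exploit_in_wild: bool       # is a public exploit or active exploitation known?
    internet_reachable: bool    # reachable from the internet or a compromised zone?
    segmented: bool             # device sits in an isolated VLAN or zone
    business_impact: int        # 1 (low) .. 5 (patient safety, production line)
    compensating_controls: int  # controls already applied (virtual patch, ACL, ...)

def contextual_score(f: Finding) -> float:
    """Rank a finding by realistic exploitability and impact instead of raw CVSS.

    Likelihood starts from CVSS and is scaled by exploit availability and
    exposure; impact comes from the device's business role; each compensating
    control already in place cuts the result by a quarter. The weights are
    illustrative assumptions for this example, not a published standard.
    """
    likelihood = f.cvss / 10.0
    likelihood *= 1.5 if f.exploit_in_wild else 0.6
    likelihood *= 1.5 if f.internet_reachable else 1.0
    likelihood *= 0.4 if f.segmented else 1.0
    likelihood = min(likelihood, 1.0)
    impact = f.business_impact / 5.0
    score = 10.0 * likelihood * impact
    score *= max(0.25, 1.0 - 0.25 * f.compensating_controls)
    return round(score, 2)

def prioritize(findings: List[Finding]) -> List[Finding]:
    """Highest contextual score first; this is the actionable order."""
    return sorted(findings, key=contextual_score, reverse=True)

# Constructed sample findings mirroring the comparison in the text.
SAMPLE_FINDINGS = [
    # Critical CVSS, but segmented, no known exploit, one control already in place.
    Finding("infusion-pump-12", "EXAMPLE-VULN-A", 9.8, False, False, True, 3, 1),
    # Medium CVSS, but internet-facing with a public exploit and no controls.
    Finding("ip-camera-lobby", "EXAMPLE-VULN-B", 6.5, True, True, False, 4, 0),
    # High CVSS on a flat network, no exploit yet, production-critical PLC.
    Finding("plc-line-3", "EXAMPLE-VULN-C", 7.5, False, False, False, 5, 0),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{contextual_score(f):5.2f}  cvss={f.cvss}  {f.device}  {f.vuln_id}")
```

The medium-severity, internet-facing finding ranks first and the critical-CVSS, segmented one last, which is the ordering the paragraph above argues for.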
Related: Risk-based IoT Vulnerability Prioritization
6. Apply Compensating Controls for Unpatchable Devices
Many IoT devices cannot be patched on the timelines that vulnerability severity would dictate. The manufacturer may not have released a patch. The patch may require a maintenance window that is months away. The device may have reached end-of-life and will never receive another update. 60% of medical devices in active clinical use are end-of-life with no available patches.
Compensating controls bridge this gap: network segmentation policies restrict what a vulnerable device can communicate with, virtual patching blocks known exploitation techniques at the network layer, and configuration hardening removes unnecessary services. Asimily prescribes the most efficient compensating control for each vulnerable device and provides specific implementation instructions. The Risk Simulator models the impact of remediation actions before they are executed.
Related: Maximize Uptime and Minimize Vulnerabilities with Automated IoT Patching
7. Encrypt Network Communications Where Possible
Many IoT devices lack the ability to encrypt data at rest. Some communicate over protocols that predate modern encryption standards entirely. Where the device supports encryption (TLS, DTLS, WPA3), enable it. Where the device does not support encryption natively, use network-layer protections: encrypted tunnels between network segments, firewalls that inspect and restrict unencrypted traffic, and segmentation that limits the exposure of unencrypted communications to the smallest possible network zone.
8. Implement Multi-Factor Authentication for Device Access
For IoT devices and management interfaces that support authentication, implement multi-factor authentication. MFA requires two or more verification factors (something the user knows, has, or is) before granting access. The Change Healthcare breach in 2024, the largest healthcare cyberattack in history, occurred because MFA was not enabled on a critical remote access service.
Apply MFA to all IoT device management portals, remote access connections, vendor access sessions, and any administrative interface that can modify device configurations. For devices that do not support MFA natively, apply it at the network access layer through your NAC platform.
9. Monitor for Anomalous Device Behavior
IoT devices that behave normally follow predictable communication patterns. A device that suddenly connects to an unfamiliar external IP, transfers unusual data volumes, or communicates over a protocol it has never used before warrants investigation. The Raptor Train botnet operated undetected for four years because the organizations it compromised lacked behavioral monitoring on their IoT devices.
Baseline normal communication for each device type and alert on deviations. Monitoring should cover the IoT-specific protocols your devices actually use, not just standard IT traffic. In healthcare, that means monitoring HL7 and DICOM alongside HTTP. In manufacturing, it means covering Modbus, CIP, and BACnet. In enterprise environments, it means parsing MQTT, CoAP, and the vendor-specific protocols that building automation and physical security systems use.
Behavioral monitoring also serves as an early warning system for devices that have been enrolled in botnets. A compromised IP camera participating in DDoS attacks will show communication patterns that deviate from its normal traffic profile, connecting to command-and-control servers, generating outbound traffic at unusual volumes, or communicating with geographic regions it has never contacted before. Without behavioral monitoring, these devices can operate as botnet nodes for months or years without detection.
Asimily’s threat detection supports custom detection rules, integrates with SIEM and SOAR platforms, and provides packet capture on detection events for forensic analysis.
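The baseline-and-deviate approach described above, as an added example written for this guide rather than Asimily's detection engine: it learns each device's peers, protocols and typical byte counts from a learning window of flow records (constructed here, standing in for passive network telemetry) and flags never-seen external peers, never-seen protocols and volume spikes. The internal address ranges, device names and flow values are assumptions.

```python
import ipaddress
from collections import defaultdict
from statistics import mean

# Assumed site-specific setting: address ranges the organization owns.
# Anything outside these ranges is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records (device, destination, protocol, bytes_out) standing
# in for passive network telemetry over a learning window; not real captures.
BASELINE_FLOWS = [
    ("cam-lobby-01", "10.20.5.10", "rtsp", 48_000_000),   # video to the recorder
    ("cam-lobby-01", "10.20.5.10", "rtsp", 51_000_000),
    ("cam-lobby-01", "10.20.5.10", "rtsp", 47_500_000),
    ("cam-lobby-01", "10.20.5.22", "ntp", 90),            # time sync
    ("cam-lobby-01", "10.20.5.22", "ntp", 90),
]
# Constructed flows from a later window; three of the four deviate.
NEW_FLOWS = [
    ("cam-lobby-01", "10.20.5.10", "rtsp", 49_000_000),   # normal
    ("cam-lobby-01", "203.0.113.45", "http", 1_200),      # never-seen external peer
    ("cam-lobby-01", "10.20.5.10", "telnet", 300),        # protocol the camera never used
    ("cam-lobby-01", "10.20.5.10", "rtsp", 420_000_000),  # roughly 9x its usual volume
]

def is_external(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)

def build_baseline(flows):
    """Per device: the peers and protocols seen, plus byte counts per protocol."""
    baseline = defaultdict(lambda: {"peers": set(), "protos": set(), "bytes": defaultdict(list)})
    for dev, dst, proto, nbytes in flows:
        b = baseline[dev]
        b["peers"].add(dst)
        b["protos"].add(proto)
        b["bytes"][proto].append(nbytes)
    return baseline

def evaluate(flows, baseline, volume_factor=3.0):
    """Return (device, reason, detail) alerts for flows that deviate from the baseline.

    A flow can raise more than one alert (a new peer over a new protocol).
    A device with no baseline at all is itself an alert: it was never inventoried.
    """
    alerts = []
    for dev, dst, proto, nbytes in flows:
        b = baseline.get(dev)
        if b is None:
            alerts.append((dev, "unknown_device", dst))
            continue
        if dst not in b["peers"]:
            alerts.append((dev, "new_external_peer" if is_external(dst) else "new_internal_peer", dst))
        if proto not in b["protos"]:
            alerts.append((dev, "new_protocol", proto))
        elif nbytes > volume_factor * mean(b["bytes"][proto]):
            alerts.append((dev, "volume_spike", f"{proto}:{nbytes}"))
    return alerts

if __name__ == "__main__":
    for alert in evaluate(NEW_FLOWS, build_baseline(BASELINE_FLOWS)):
        print(alert)
```

In production the baseline would be learned per device type over days or weeks and the volume threshold tuned per protocol; the structure of the check is what the example shows.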
Related: IoT Medical Device Security: Anomaly Detection and Incident Response
10. Evaluate Device Security Before Purchase
The most cost-effective time to reduce IoT device risk is before a device enters your environment. BadBox 2.0 demonstrated in 2025 that devices can arrive with malware pre-installed. Even without supply chain compromise, devices vary widely in their security capabilities, patching commitments, and end-of-life policies.
Pre-purchase security assessment should evaluate manufacturer security practices, firmware update frequency, supported authentication methods, encryption capabilities, SBOM availability, and end-of-life projections. 84% of healthcare organizations now include cybersecurity requirements in vendor RFPs, and 56% have rejected a device due to cybersecurity concerns.
Asimily’s ProSecure database provides pre-purchase security risk profiles for IoT and IoMT devices, allowing procurement and security teams to make informed decisions before a device enters the environment.
Related: CISO’s Security Risk Assessment Guide for Medical Device Procurement
Configuration Management for IoT Devices
IoT device security best practices do not end after initial deployment. Device configurations change over time: firmware updates alter settings, operational changes modify network connectivity, and manual adjustments accumulate. This configuration drift can reintroduce vulnerabilities that were previously addressed.
Effective configuration management for IoT requires maintaining a snapshot of each device’s approved configuration (known good state), monitoring for unauthorized or unintended changes to firmware versions, open ports, enabled services, and network settings, alerting when configurations drift from the approved baseline, and having a process to restore devices to their known good state when drift is detected.
Asimily’s Configuration Control capability tracks device configurations over time, detects drift from approved baselines, and alerts security teams when changes occur. The platform maintains a record of each device’s configuration history, making it possible to identify when a change was introduced and whether it was authorized.
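An added example, written for this guide and not Asimily's Configuration Control, of the drift detection that practice 4 and this section describe: it compares a device's approved baseline snapshot with an observed one and turns high-severity drift into steps back to the known good state. The device, field names, snapshots and the list of risky services are assumptions constructed for the example.

```python
from typing import Dict, List, Tuple

# Constructed approved baseline and observed snapshot for one building
# controller. The device name, field names and values are assumptions.
APPROVED_BASELINE = {
    "hvac-ctrl-07": {
        "firmware": "4.2.1",
        "open_ports": {47808, 443},           # BACnet/IP and the web UI
        "services": {"bacnet", "https"},
        "settings": {"upnp": "off", "remote_mgmt": "off", "cloud_sync": "off"},
    }
}
OBSERVED_NOW = {
    "hvac-ctrl-07": {
        "firmware": "4.3.0",                  # a vendor update was applied
        "open_ports": {47808, 443, 23},       # and Telnet came back with it
        "services": {"bacnet", "https", "telnet"},
        "settings": {"upnp": "on", "remote_mgmt": "off", "cloud_sync": "off"},
    }
}

# Services and settings whose reappearance undoes the hardening in practice 4.
RISKY_SERVICES = {"telnet", "ftp", "upnp", "debug"}
RISKY_SETTINGS = {"upnp": "on", "remote_mgmt": "on", "cloud_sync": "on"}

Drift = Tuple[str, str, str, str]  # (device, category, detail, severity)

def detect_drift(baseline: Dict, observed: Dict) -> List[Drift]:
    """Compare each device's observed state with its approved baseline."""
    drifts: List[Drift] = []
    for dev, want in baseline.items():
        have = observed.get(dev)
        if have is None:
            drifts.append((dev, "missing", "device not observed", "medium"))
            continue
        if have["firmware"] != want["firmware"]:
            drifts.append((dev, "firmware", f'{want["firmware"]} -> {have["firmware"]}', "medium"))
        for port in sorted(have["open_ports"] - want["open_ports"]):
            drifts.append((dev, "port_opened", str(port), "high"))
        for port in sorted(want["open_ports"] - have["open_ports"]):
            drifts.append((dev, "port_closed", str(port), "low"))
        for svc in sorted(have["services"] - want["services"]):
            drifts.append((dev, "service_enabled", svc, "high" if svc in RISKY_SERVICES else "medium"))
        for key, val in have["settings"].items():
            if want["settings"].get(key) != val:
                sev = "high" if RISKY_SETTINGS.get(key) == val else "medium"
                drifts.append((dev, "setting_changed", f"{key}={val}", sev))
    return drifts

def restore_actions(drifts: List[Drift], baseline: Dict) -> List[str]:
    """Turn high-severity drift into steps back to the known good state; firmware
    changes are left for review, since a vendor update may be wanted."""
    steps = []
    for dev, cat, detail, sev in drifts:
        if sev != "high":
            continue
        if cat == "port_opened":
            steps.append(f"{dev}: close port {detail}")
        elif cat == "service_enabled":
            steps.append(f"{dev}: disable service {detail}")
        elif cat == "setting_changed":
            key = detail.split("=", 1)[0]
            steps.append(f"{dev}: set {key}={baseline[dev]['settings'][key]}")
    return steps
```

The firmware change is reported at medium severity for review, while the Telnet port, the Telnet service and the UPnP setting the update re-enabled are flagged high and produce concrete restore steps.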
Related: How to Manage IoT Device Configurations at Scale
Related: Configuration Control Deep Dive
Building an IoT Device Security Program
These best practices work together as layers of a program, not as independent items:
Pre-deployment (Practices 2, 4, 10) reduces risk before a device reaches the production network. Procurement assessment, credential changes, and service hardening ensure devices start from a secure baseline.
Network architecture (Practices 3, 7) limits the blast radius of any single device compromise. Segmentation and encryption contain threats within zones.
Operational management (Practices 1, 5, 6, 8) maintains security throughout the device lifecycle. Continuous inventory, vulnerability prioritization, compensating controls, and access management keep pace with a changing environment.
Detection and response (Practice 9) identifies threats that prevention does not stop. Behavioral monitoring catches compromised devices that signature-based tools miss.
Configuration governance maintains the security posture over time. Drift detection prevents the gradual erosion of controls that accumulates across large device populations.
For most organizations, the highest-impact starting points are device inventory (you cannot secure what you do not know exists), network segmentation (the single most effective control for devices that cannot protect themselves), and vulnerability prioritization (focusing effort where it reduces the most actual risk).
IoT Device Security Best Practices by Industry
While the core practices apply universally, each industry faces specific IoT device security challenges that shape how those practices are implemented:
Healthcare. Hospitals sometimes manage between 10,000 and 50,000 connected devices, many of which directly affect patient care. 60% of medical devices in active use are end-of-life with no available patches. Device security must balance cybersecurity with clinical availability, since taking a device offline for remediation can disrupt patient care. HIPAA, FDA Section 524B, and state mandates like New York’s 10 NYCRR 405.46 impose regulatory requirements on connected medical device security. Passive discovery is essential because active scanning can disrupt clinical equipment.
Manufacturing. The most targeted sector for IoT and OT attacks, accounting for 14% of all ransomware incidents in 2025. IIoT sensors, PLCs, and building automation systems create a mixed IT/OT environment where segmentation between enterprise and production networks is critical. Mergers and acquisitions introduce unknown device populations from legacy environments that may lack even basic security controls.
Financial Services. Forescout’s 2026 data shows that financial services have the highest average device risk of any industry. ATMs, trading infrastructure, surveillance systems, and branch IoT all require security coverage. Regulatory requirements, including PCI DSS, DORA (in the EU), and CMMC (for defense supply chain participants), mandate connected device security controls.
Government. Second-highest average device risk. Large, heterogeneous device environments spanning physical security, building automation, IT infrastructure, and specialized operational systems. CISA CPG 2.0 and Cyberscope requirements apply. CISA has issued orders for federal agencies to remove unsupported network and IoT edge devices that no longer receive security updates.
Energy and Utilities. Geographically distributed SCADA, smart grid, and remote monitoring infrastructure. NERC CIP compliance applies to bulk electric system components. Nation-state pre-positioning campaigns have specifically targeted utility IoT and edge devices for persistent access.
Related: Asimily for Healthcare
Related: Asimily for Manufacturing
Frameworks and Standards for IoT Device Security
NISTIR 8259 Series defines a core baseline of cybersecurity capabilities that IoT device manufacturers should build into their products, covering device identification, configuration, data protection, logical access, software updates, and cybersecurity awareness.
NIST SP 800-183 (Networks of Things) addresses the architecture and security considerations of IoT deployments, including communication patterns, data protection, and system composition.
CISA CPG 2.0, released December 2025, unifies IT, IoT, and OT security goals under six functions for the first time, recognizing the convergence of these device categories.
EU Cyber Resilience Act introduces mandatory security requirements for all products with digital elements sold in the EU. Incident reporting obligations take effect September 2026.
U.S. Cyber Trust Mark is a voluntary FCC labeling program for consumer IoT products. ioXt Alliance assumed Lead Administrator responsibilities in April 2026. While currently focused on consumer devices, the program signals growing expectations for IoT security transparency.
IEC 62443 covers industrial automation and control system security, applicable to OT and IIoT connected devices in manufacturing, energy, and critical infrastructure.
Related: Asimily and NIST CSF 2.0 Alignment
Related: Asimily and MITRE ATT&CK Framework
How Asimily Supports IoT Device Security Best Practices
Asimily provides the capabilities that make IoT device security best practices operational at scale: passive device discovery across IoT, IoMT, OT, and IT environments, contextual vulnerability prioritization using MITRE ATT&CK-based attack path analysis, automated segmentation policy generation with simulation, configuration drift detection and management, continuous behavioral monitoring, and forensic packet capture for incident response.
The platform integrates with existing network infrastructure, including Cisco ISE and other NAC platforms, firewalls, SIEM, SOAR, and CMDB systems, enforcing protection through the equipment already in place. Asimily customers can pinpoint and prioritize the top 1% of high-risk devices, the ones with both a high likelihood of exploitation and a high impact if compromised, making security teams significantly more efficient.