When Smart Devices Become Dumb Risks: The IoT Security Crisis

In the rush to digitise operations, businesses have embedded Internet of Things (IoT) devices deep into their infrastructure, where they control everything from climate systems to production lines. While these devices enhance efficiency, they're often deployed without proper oversight, leaving significant gaps in enterprise security. These unmanaged endpoints aren't just blind spots; they're active vulnerabilities, quietly accumulating risk until they detonate as full-blown breaches.

Growth Outpacing Governance

The IoT market is expanding at a rapid pace, with connected devices projected to increase from 13.1 billion in 2022 to 30.9 billion by 2025, a 136% rise in just three years (Statista). While this fuels digital transformation, it also opens the door to escalating cyber risk.

In 2023, over one-third of all cyberattacks targeted IoT devices (Palo Alto Networks). Alarmingly, nearly 50% of compromised devices were unmanaged, untracked, unpatched, and unprotected. Often dismissed as low-risk because they’re not traditional endpoints, these devices have become the most vulnerable layer of enterprise infrastructure. 

Unsecured Endpoints

Unsecured connected devices carry a high cost. IBM's 2024 Cost of a Data Breach report shows IoT-related breaches average $5.81 million, 25% more than a typical incident, with the gap driven by downtime, fines, reputational loss, and customer churn.

The 2016 Mirai botnet attack, which exploited insecure devices to disrupt sites like Twitter and Netflix, was an early warning. Today, threats are more advanced, yet many organizations still lack visibility and control over their connected infrastructure.

Supply Chain Vulnerabilities and IT Blind Spots

A key driver of IoT risk is shadow IT: devices deployed outside IT's oversight. From smart lighting to voice assistants, teams often install connected tools for convenience, unknowingly bypassing security controls.

The threat escalates when these devices come from unvetted vendors, many shipping with default credentials or insecure-by-design firmware. The 2021 Verkada breach, which exposed live security camera feeds from Tesla, schools, and gyms, highlights the fallout of ignoring IoT supply chain risks.

Aligning Cybersecurity with Business Goals

IoT security demands more than tactical fixes; it requires a strategic, enterprise-wide risk posture. CIOs and CISOs must treat it as a core business resilience issue, not just an IT concern. Gaining real-time visibility into all connected assets, including unmanaged and headless devices, is critical. Adopting Zero Trust for Things (ZT4T) ensures continuous verification and least-privilege access. Security must also be embedded in procurement, with strict vendor standards for encryption, updates, and lifecycle management. Finally, risk ownership must extend beyond IT: when all departments are aligned on the business impact, security becomes a shared imperative.