November 10, 2025

IoT and security: challenges, best practices & scaling safely

Connected devices are no longer pilots tucked away in innovation teams. From smart shelves and cold-chain sensors to remote condition monitoring in utilities, IoT now underpins critical operations. 

The upside is obvious (efficiency, new data, automation); the exposure is less visible. IoT connections are projected to rise from 13.8 billion in 2022 to 40.6 billion by 2034, expanding the enterprise attack surface across factories, shops, depots and field assets.

This article explains how IoT security works, the biggest challenges at scale, and the controls and standards that help, drawing on recognised frameworks. We’ll also look at network choices (including when private 4G/5G makes sense), and finish with a roadmap and partner checklist.

Understanding IoT and security

At its simplest, the Internet of Things (IoT) is a network of physical objects (devices with sensors and/or actuators) equipped with processing and connectivity so they can collect data and communicate with other systems. 

In practice that spans everything from temperature probes and asset trackers to smart meters, cameras and industrial controllers.

In enterprises, IoT is best understood as a stack rather than a single technology:

  • Devices and sensors capture telemetry and, in some cases, trigger actions.
  • Connectivity (Ethernet, Wi-Fi, LPWAN, public or private 4G/5G) moves data securely and reliably.
  • Edge gateways/compute normalise data, enforce policies and run workloads close to where data is generated.
  • Platforms and applications store, analyse and visualise data, then integrate with business systems.

As operational technology environments connect to IT and cloud platforms, they naturally inherit benefits and risks, so clarity on boundaries and interfaces matters. Guidance from the NCSC and CISA underlines the need to manage this convergence carefully.

It’s worth noting that IoT is not only something that requires security, it also actively strengthens resilience. Smart cameras, access control systems and environmental sensors are already part of many enterprise security estates, providing live intelligence to protect people, assets and infrastructure.

Why IoT security is important

Business risks that go beyond IT

When connected devices underpin day-to-day operations, overlooked security gaps can escalate into business disruption. A compromised sensor can halt a production line, spoil a cold-chain shipment, or take a service offline. 

In fact, 81% of security leaders say their organisations experienced an IoT-focused attack in the past year.

If not managed, the risks span:

  • Operational disruption – downtime in plants, warehouses or field networks.
  • Safety impacts – when IoT touches OT, faults can put people or environments at risk.
  • Data exposure – from customer data to sensitive operational telemetry.
  • Brand and revenue damage – security incidents erode trust and invite scrutiny from regulators, investors and customers.

Regulation is raising the bar

Enterprises can’t treat IoT as unregulated territory. In the EU, the NIS2 directive places stricter obligations on essential and important entities, including risk management and rapid incident reporting: an early warning within 24 hours, a notification within 72 hours, and a full report within one month. These timelines are shaping incident playbooks well beyond Europe.

In the UK, the Product Security and Telecommunications Infrastructure (PSTI) regime sets a baseline for consumer-connectable devices. It bans universal default passwords, requires a clear vulnerability disclosure policy, and mandates transparency on how long products will receive security updates. 

For enterprises, these requirements are valuable procurement signals when consumer-grade devices enter corporate estates.

A rapidly growing attack surface

The scale of IoT makes security a board-level issue. Connections are forecast to climb from 13.8 billion in 2022 to 40.6 billion by 2034, more than doubling in just over a decade. Each new device is a potential entry point for attackers, but also a new stream of data that can make operations safer and more efficient when managed securely.

The challenge for enterprises isn’t the growth itself, but ensuring that connected assets are visible, governed and protected as estates expand. With the right IoT security controls, scale becomes an advantage, with wider coverage, faster insights, and stronger resilience.

IoT security challenges

Adopting IoT at scale doesn’t mean inheriting unmanageable risk. The main challenges are well known, and there are proven ways to mitigate them.

1. Device identity and authentication

Weak or default credentials remain one of the simplest ways attackers gain access to IoT. Some devices may even lack authentication altogether, or operate in physically exposed environments. Enterprises can address this by insisting on unique identities, certificate-based or SIM/eSIM authentication, and strong access controls as part of procurement.

2. Updates and long lifecycles

Unlike phones and computers, IoT assets are often deployed for a decade or more. Without secure update paths, vulnerabilities can linger in the field. The fix is well established: signed, over-the-air (OTA) updates, rollback protection and clear end-of-life processes ensure devices remain protected throughout their lifecycle.

3. Data protection and ecosystem security

IoT devices rarely stand alone: they interact with APIs, mobile apps and cloud services, and they transmit sensitive data. If those links aren’t secured, data can be intercepted or systems compromised. The solution is end-to-end encryption, robust API security and supply-chain transparency (e.g. requesting a software bill of materials, or SBOM, from suppliers).

4. Visibility and asset management

As estates expand, untracked or “shadow” devices can quietly increase the attack surface. This is particularly critical when IoT overlaps with operational technology (OT). Maintaining a live asset inventory, continuous monitoring and network segmentation ensures every device is accounted for and policies can be enforced.

5. Interoperability and legacy systems

IoT environments are often a mix of new and old technologies. Legacy OT systems weren’t designed for internet connectivity, and multi-vendor devices can create inconsistent standards. Enterprises overcome this through segmentation, virtual patching where updates aren’t possible, and aligning with recognised frameworks such as IEC 62443 for industrial environments.

Using IoT to strengthen security

IoT is not only something that needs to be secured; it can also strengthen security itself. Enterprises are increasingly deploying connected devices to protect people, assets and operations. The challenge is making sure these same devices don’t introduce new risks.

Smarter physical security

Connected cameras, access control systems and environmental sensors create a live picture of sites and assets. 

  • Smart cameras can detect movement, analyse behaviour and trigger alerts automatically.
  • Connected access systems log entries in real time, integrate with HR or visitor systems, and raise alarms if credentials are misused.
  • Environmental sensors monitor for smoke, gas, flooding or temperature changes, providing early warning for safety incidents.

These systems add layers of protection but must themselves be treated as IoT assets: provisioned with strong identities, kept up to date, and segmented from critical operational technology.

Enhancing operational resilience

IoT also enhances continuity by spotting issues before they escalate. Vibration sensors on machinery, for example, can detect early signs of failure; structural sensors can flag stress in bridges or pipelines. These signals allow operations teams to respond quickly and in advance, often avoiding costly outages or safety incidents.

Integration with security operations

IoT’s value multiplies when integrated into enterprise monitoring:

  • Existing security monitoring systems can ingest logs and alerts from IoT devices alongside IT data, giving analysts a single view of potential threats.
  • Operational technology monitoring platforms can correlate IoT sensor readings with industrial control system data, helping operators distinguish between faults and potential intrusions.

This integrated approach reduces blind spots and ensures IoT data informs both cyber and physical security decisions.

IoT security best practices

1. Integrate security into procurement

The easiest way to avoid insecure devices is to stop them entering the estate in the first place. That means asking suppliers to align with recognised baselines:

  • NISTIR 8259A – US guidance on core device features such as unique identity, secure updates and logging.
  • ETSI EN 303 645 – European baseline for consumer IoT security (no default passwords, clear update policies, vulnerability disclosure).
  • IEC 62443 – international standard for securing industrial and operational technology systems where uptime and safety are critical.

2. Segment networks and apply Zero Trust

Even within a private network, not every IoT device should have unrestricted access. By logically segmenting devices into groups (for example, separating cameras from sensors, or IT from operational technology) and only allowing the traffic that’s required, enterprises can reduce the risk of an issue spreading.

Applying a ‘Zero Trust’ approach strengthens this further. It means devices and users must authenticate their identity every time they connect, rather than being trusted once they’re inside. This combination helps contain threats and ensures that mission-critical OT systems remain insulated from less-trusted IoT traffic.
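
An added Go example (not code from this page or from Three Group Solutions) of the default-deny segmentation and per-connection identity check described above: a small policy engine whose segment names, ports, device identities and inventory are constructed. It also shows why identities revoked at decommissioning must feed the same decision.

```go
package main

import "fmt"

// Flow is one connection attempt; the device's segment comes from its authenticated identity, never its IP.
type Flow struct {
	DeviceID string // identity proven at connect time, e.g. certificate subject or SIM
	DstGroup string // logical segment of the destination
	DstPort  int
}

// Rule permits one (source segment, destination segment, port) combination.
type Rule struct {
	SrcGroup, DstGroup string
	DstPort            int
}

// Estate holds the asset inventory (identity -> onboarded segment), revoked identities and the allow-list; all else is denied.
type Estate struct {
	Inventory map[string]string
	Revoked   map[string]bool
	Rules     []Rule
}

// Decide checks identity first (Zero Trust), then the segment allow-list (segmentation).
func (e Estate) Decide(f Flow) (allowed bool, reason string) {
	if e.Revoked[f.DeviceID] {
		return false, "identity revoked: device was decommissioned"
	}
	group, known := e.Inventory[f.DeviceID]
	if !known {
		return false, "unknown identity: device is not in the asset inventory"
	}
	for _, r := range e.Rules {
		if r.SrcGroup == group && r.DstGroup == f.DstGroup && r.DstPort == f.DstPort {
			return true, fmt.Sprintf("%s -> %s:%d permitted by policy", group, f.DstGroup, f.DstPort)
		}
	}
	return false, fmt.Sprintf("no rule permits %s -> %s:%d (default deny)", group, f.DstGroup, f.DstPort)
}

// SitePolicy is a constructed estate: cameras stream only to the video platform, sensors publish only
// MQTT over TLS to the broker, and only engineering workstations may reach Modbus on the OT segment.
var SitePolicy = Estate{
	Inventory: map[string]string{"cam-01": "cameras", "temp-07": "sensors", "eng-ws-3": "engineering"},
	Revoked:   map[string]bool{"cam-99": true},
	Rules:     []Rule{{"cameras", "video-platform", 443}, {"sensors", "mqtt-broker", 8883}, {"engineering", "ot", 502}},
}

func main() {
	for _, f := range []Flow{{"cam-01", "video-platform", 443}, {"cam-01", "ot", 502}, {"cam-99", "video-platform", 443}} {
		ok, why := SitePolicy.Decide(f)
		fmt.Println(f.DeviceID, "->", f.DstGroup, ok, why)
	}
}
```

A camera reaching for the OT segment is denied even though it is a legitimate, inventoried device, because no rule joins those two segments; the denial reason is what the SOC should alert on.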

3. Use private cellular where it adds resilience

In many cases, private 4G/5G networks provide a stronger foundation than Wi-Fi or shared public networks. SIM or eSIM-based authentication gives every device a unique, verifiable identity. Traffic is isolated on dedicated infrastructure, with predictable performance for mission-critical workloads. For use cases in logistics, utilities and manufacturing, private cellular offers both resilience and tighter security control.

4. Strengthen device identity and key management

Every device should be uniquely identifiable. That may mean certificates, hardware roots of trust, or SIM-based credentials. Public key infrastructure (PKI) is still the most reliable method to issue and manage device certificates at scale. With eUICC/eSIM, enterprises can also manage profiles remotely, but governance of keys and profiles is essential to keep the system secure.

5. Monitor continuously

Security doesn’t stop at deployment. Enterprises should feed device and network telemetry into their security monitoring systems, use behavioural baselining to spot anomalies, and set alerts for unusual traffic patterns. With continuous monitoring in place, issues can be detected and contained before they escalate into major incidents.
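
As an added illustration of behavioural baselining (not code from this page or from Three Group Solutions), the following Go program learns, per device, the mean and standard deviation of hourly traffic volume plus the set of destinations seen, then flags live samples that exceed mean + k*stddev, contact a never-seen destination, or come from a device with no baseline at all. The device names, volumes and destinations are constructed; a real deployment would feed it from gateway or flow logs.

```go
package main

import "math"

type Sample struct { // one hourly telemetry record per device
	Device string
	Bytes  float64 // bytes sent in that hour
	Dest   string  // destination the device talked to
}

type Baseline struct { // what "normal" looked like for one device during the learning window
	n, sum, sumSq float64 // running accumulators filled by Learn
	Mean, StdDev  float64
	Dests         map[string]bool // destinations seen while learning
}

// Learn builds a per-device baseline of hourly volume and known destinations.
func Learn(history []Sample) map[string]*Baseline {
	base := map[string]*Baseline{}
	for _, s := range history {
		if base[s.Device] == nil {
			base[s.Device] = &Baseline{Dests: map[string]bool{}}
		}
		b := base[s.Device]
		b.Dests[s.Dest] = true
		b.n, b.sum, b.sumSq = b.n+1, b.sum+s.Bytes, b.sumSq+s.Bytes*s.Bytes
	}
	for _, b := range base {
		b.Mean = b.sum / b.n
		b.StdDev = math.Sqrt(math.Max(b.sumSq/b.n-b.Mean*b.Mean, 0))
	}
	return base
}

// Check returns one alert per deviation: volume above mean + k*stddev (floored at 5% of the mean so a flat baseline tolerates jitter), an unseen destination, or a device with no baseline.
func Check(base map[string]*Baseline, live []Sample, k float64) []string {
	var alerts []string
	for _, s := range live {
		b := base[s.Device]
		if b == nil {
			alerts = append(alerts, s.Device+": unknown-device (no baseline; check inventory)")
			continue
		}
		if s.Bytes > b.Mean+k*math.Max(b.StdDev, 0.05*b.Mean) {
			alerts = append(alerts, s.Device+": volume above baseline")
		}
		if !b.Dests[s.Dest] {
			alerts = append(alerts, s.Device+": new-destination "+s.Dest)
		}
	}
	return alerts
}
// History and Live are constructed telemetry: temp-07 normally sends ~100 B/hour to the broker.
var History = []Sample{{"temp-07", 100, "broker"}, {"temp-07", 120, "broker"}, {"temp-07", 80, "broker"}, {"temp-07", 100, "broker"}}
var Live = []Sample{{"temp-07", 105, "broker"}, {"temp-07", 5000, "broker"}, {"temp-07", 100, "203.0.113.9"}, {"cam-42", 10, "broker"}}
```

With k = 3, Check(Learn(History), Live, 3) returns three alerts: the 5000-byte burst, the unseen destination 203.0.113.9, and the camera that was never baselined.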

6. Secure the update lifecycle

IoT devices need to stay secure for years, often without being physically touched. That’s why they should support over-the-air (OTA) updates: software and firmware patches delivered remotely across the network. Updates should be digitally signed (to prove they’re genuine), include rollback protection (so devices can’t be forced back to insecure versions), and be deployed in stages to avoid disruption.

7. Protect the data itself

Securing the device is only part of the picture: the data it generates and transmits also needs protection. That means:

  • Encrypting data in transit (so it can’t be read if intercepted while moving across the network).
  • Encrypting data at rest (so stored data is protected if a device or server is accessed).
  • Refreshing encryption keys regularly to reduce the risk of compromise.
  • Collecting only the data you need — data minimisation lowers regulatory exposure and makes stolen data less valuable to attackers.

These measures ensure that even if a device or system is breached, the information it handles remains far harder to exploit.

8. Plan for secure decommissioning

Every connected device has an end of life. Without a retirement plan, old devices can linger on networks with outdated firmware and valid credentials. Secure decommissioning means wiping data, revoking keys, and updating asset inventories so “ghost devices” don’t become hidden entry points.

Network choices for IoT: Wi-Fi, public cellular, private networks

Connectivity underpins every IoT deployment. The right option depends on scale, criticality and environment. Each has strengths and trade-offs that directly affect security and resilience.

Private 4G/5G networks
  Strengths:
  • Dedicated traffic isolation
  • Deterministic performance/QoS
  • SIM/eSIM-based identity
  • Local breakout for compliance and sovereignty
  Limitations:
  • Higher upfront investment
  • Requires specialist deployment and management
  Best for: Manufacturing, utilities, transport, safety-critical or mission-critical IoT workloads.

Public cellular (4G/5G)
  Strengths:
  • Wide coverage across geographies
  • SIM-based unique authentication
  • Built-in security (mutual authentication, encryption)
  Limitations:
  • Dependent on public operator infrastructure
  • Limited control over latency and traffic isolation
  Best for: Logistics, fleets, utilities, field assets needing broad coverage.

Wi-Fi
  Strengths:
  • Low cost and widely available
  • Familiar to IT teams
  • Good for indoor environments
  Limitations:
  • Limited range and interference in large/complex sites
  • Often relies on shared credentials
  • Congestion as estates grow
  Best for: Sites where devices are indoors and non-critical.

Enterprises often mix these options depending on use case. For high-performance, regulated or mission-critical workloads, private mobile networks are increasingly seen as the most secure and resilient foundation.

Finding the right IoT partner

Securing IoT at scale depends on more than the right devices and policies. It requires a partner that can bring the pieces together and embed security throughout the lifecycle.

  • End-to-end IoT solutions – from device onboarding and connectivity to platforms and analytics.
  • Managed connectivity – the ability to provide resilient coverage across public, private and hybrid networks.
  • Private networks – options for dedicated 4G/5G infrastructure with traffic isolation and policy control.
  • Security by design – alignment with recognised frameworks such as NISTIR 8259A, ETSI EN 303 645, and IEC 62443.
  • Device lifecycle management – tools for secure onboarding, updates, monitoring and decommissioning.
  • Global SIM and eUICC – flexible identity and connectivity that can be managed centrally across regions.
  • Observability – visibility into device behaviour and network performance, with integration into SOC/SIEM tools.
  • Standards support – evidence that suppliers align with NIS2, PSTI and other regulatory obligations.

Most enterprises don’t have the resources to integrate all of this themselves. The right partner provides the expertise and infrastructure to make IoT deployments secure, scalable and future-proof.

“Whether you need to keep utilities running smoothly for households, manage the complex operations of an airport, or secure critical infrastructure, Three Group Solutions brings proven expertise across multiple sectors. Our experience spans the unique challenges of utilities, transport, retail, healthcare and large-scale operational environments, ensuring we deliver robust, secure IoT solutions tailored to each context. With end-to-end capabilities and a commitment to security, we’re a trusted partner for enterprises looking to scale safely and confidently.”

James Bracken, IoT Product Manager, Three Group Solutions

 

Explore our IoT solutions

At Three Group Solutions, we offer end-to-end IoT solutions and private networks designed for regulated business and mission critical environments, giving enterprises the foundation to scale securely. Contact us to discuss your requirements with our experts.
