By 2025, over 41 billion Internet of Things devices will be online globally. From smart thermostats in office buildings to sensors on manufacturing production lines, the Internet of Things has fundamentally altered how organisations operate. This connectivity promises efficiency, real-time monitoring capabilities, and data-driven insights that can transform business operations. However, each connected device creates a potential entry point for cyber attackers, massively expanding the attack surface that organisations must defend.

The scale of this challenge is unprecedented. Traditional IT security focused on protecting a defined perimeter of computers, servers, and mobile devices. The Internet of Things shatters this boundary, distributing computing across thousands of devices, many operating outside traditional security controls. A smart lightbulb in a conference room now connects to the same network as servers containing sensitive customer data. A fitness tracker worn by an employee can bridge corporate and personal networks through VPN connections.

For IT leaders and business executives, understanding Internet of Things security is no longer just about preventing data breaches. It concerns ensuring physical safety, maintaining operational continuity, and achieving regulatory compliance. The true risks of insecure Internet of Things deployments threaten to halt production lines, breach GDPR through surveillance devices, and physically endanger employees through compromised medical devices or building automation systems.

UK organisations face particular pressure as regulatory requirements tighten. The Product Security and Telecommunications Infrastructure Act 2024 introduces mandatory security standards for consumer Internet of Things products. GDPR enforcement continues intensifying, with the Information Commissioner’s Office scrutinising how organisations handle data collected by connected devices. Failure to address Internet of Things security adequately can result in fines reaching £17.5 million or 4% of global turnover.

This guide analyses the strategic business, operational, and legal implications of the Internet of Things landscape, with specific focus on the UK regulatory environment. You’ll discover how Shadow Internet of Things creates invisible vulnerabilities, why physical safety risks demand attention alongside data protection, and how to implement practical mitigation strategies that balance security with operational requirements.

What is Internet of Things Security?

Internet of Things security refers to the cybersecurity measures required to protect internet-connected devices and the networks they operate on from unauthorised access, data breaches, and malicious attacks. Unlike traditional IT security that focuses on computers and servers built with security in mind, Internet of Things security must address devices often designed with convenience prioritised over protection.

The Internet of Things encompasses everyday objects that connect to the internet to exchange data and automate tasks. This includes consumer devices like smart speakers and fitness trackers, industrial equipment including manufacturing sensors, medical devices such as insulin pumps, and vehicles with connected navigation systems.

What distinguishes Internet of Things security from traditional IT security? Several fundamental differences create unique challenges. First, Internet of Things devices typically have limited computing resources. A smart doorbell or temperature sensor cannot run the same comprehensive security software as a laptop or server. Memory constraints, processing limitations, and power requirements force compromises that often sacrifice security features.

Second, Internet of Things devices have substantially longer operational lifespans than traditional IT equipment. Organisations replace computers every three to five years. Internet of Things devices often remain deployed for ten to fifteen years. A building automation system installed in 2015 may still operate in 2030, but the manufacturer likely stopped providing security updates years earlier.

Traditional IT environments secure devices running operating systems that receive regular patches and updates. The Internet of Things turns this logic upside down. A smart temperature sensor in a server room may run for five years without human interaction. This creates what security analysts call “abandonware”: devices that remain physically functional but become digitally obsolete, serving as open backdoors for years after manufacturers stop issuing security patches.

Third, many Internet of Things devices lack user interfaces. A server has a screen where administrators can monitor activity and apply updates. A motion sensor embedded in a ceiling has no screen, no keyboard, and often no accessible way to check its security status or modify its configuration. This “headless” design makes security management substantially more complex.

The combination of these factors means that Internet of Things security cannot simply adapt existing IT security practices. It requires fundamentally different approaches that account for resource constraints, extended lifecycles, and limited management capabilities.

The Expanded Attack Surface: Why Internet of Things is Different

The Internet of Things fundamentally differs from traditional IT security in ways that create unique vulnerabilities. Understanding these differences is essential for organisations deploying connected devices across their operations.

The Convergence of IT and Operational Technology

The blurring line between Information Technology (IT) and Operational Technology (OT) represents the most critical implication. IT deals with data such as emails and files. OT deals with the physical world, including valves, pumps, and robotic arms.

Historically, OT was “air-gapped”, physically disconnected from the internet. The Internet of Things bridges this gap. When a factory floor connects its machinery to the cloud for predictive maintenance, it exposes physical infrastructure to digital threats. A cyberattack doesn’t just steal data anymore. It can physically overheat a boiler, shut down a power grid, or disable the brakes on a connected vehicle.

Manufacturing facilities using Internet of Things sensors for real-time monitoring face particular risk. A 2024 study by Dragos found that 75% of industrial organisations experienced at least one intrusion affecting their OT environment in the previous year, resulting in production downtime, equipment damage, and safety incidents.

The Shadow Internet of Things Phenomenon

Shadow Internet of Things refers to internet-connected devices operating on corporate networks without the IT department’s knowledge or approval. Unlike sanctioned equipment that undergoes security vetting before deployment, these devices create unmonitored entry points for attackers to exploit. The term “shadow” captures how these devices operate invisibly within network environments, escaping the security controls applied to approved technology.

Common examples in UK workplaces include smart coffee machines in breakrooms that connect to Wi-Fi for remote monitoring and ordering, personal fitness trackers that sync health data over corporate networks, wireless presentation dongles plugged into meeting room displays, smart televisions in reception areas streaming content via company internet connections, and employee-owned voice assistants like Amazon Echo or Google Home devices brought from home.

The prevalence of Shadow Internet of Things surprises most IT leaders. Research from Infoblox found that 80% of IT professionals discovered Internet of Things devices on their networks they didn’t know existed. In organisations with 1,000 or more employees, the average number of unauthorised devices reached 34 per company. Each represents a potential gateway for lateral movement attacks, where hackers use low-security devices to access high-value systems.

Why does the Shadow Internet of Things develop? Several factors contribute. Employees often connect personal devices without realising the security implications. A staff member might bring a smart speaker from home to play music in their office, connecting it to corporate Wi-Fi because the personal device worked flawlessly at home. They don’t recognise that the device now sits inside the corporate security perimeter without any vetting.

Building contractors and service providers create another Shadow Internet of Things source. When an HVAC maintenance company installs new thermostats with remote monitoring capabilities, they may connect these devices to the building’s network without coordinating with IT security. The facilities team approved the installation for operational benefits, but IT security never assessed the devices’ security posture.

The risk compounds in hybrid working environments where employees working from home connect to corporate networks via VPN. An employee’s home network may include a smart TV, a connected doorbell, and various other consumer Internet of Things (IoT) devices. When that employee connects their laptop to the corporate VPN whilst on their home network, they create a potential bridge between enterprise systems and poorly secured consumer devices. If an attacker compromises the employee’s smart TV, they might leverage that access to intercept VPN traffic or launch attacks against corporate resources.

Organisations should deploy Network Access Control systems that require device authentication before granting network access. NAC solutions can identify devices attempting to connect, compare them against approved device inventories, and either block unauthorised devices or quarantine them in restricted network segments pending security review.

Regular network scanning using tools that identify device fingerprints can reveal Shadow Internet of Things for remediation. Passive network monitoring detects devices based on their communication patterns, MAC addresses, and protocol usage. Solutions like Nozomi Networks (pricing from £15,000 annually) and Forescout (enterprise pricing starting at £25,000) specialise in Internet of Things device discovery and classification. However, according to Gartner research, only 35% of UK organisations currently employ automated IoT discovery tools, leaving the majority vulnerable to unseen device proliferation.
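The passive discovery described above, as an added example that is not part of the original article or any vendor product: observed devices (MAC address, IP, protocols seen) are matched against an approved inventory, unknown devices are classified by a vendor-prefix (OUI) lookup and by the discovery protocols they speak, and anything not inventoried is marked for quarantine. The OUI table, the inventory and the observations are constructed placeholders, not real vendor allocations.

```python
"""Passive Shadow IoT discovery: match observed devices against an approved inventory.

Added example, not from the original article. Input is a constructed list of
passively observed devices, such as a NAC or passive network monitor would collect
from ARP, DHCP and mDNS traffic. All MAC prefixes and inventory entries are placeholders.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed OUI table (first three octets -> vendor label). Placeholder values only.
OUI_VENDORS = {
    "AA:BB:01": "Example Thermostat Co",
    "AA:BB:02": "Example Smart TV Ltd",
    "AA:BB:03": "Example Laptop Corp",
    "AA:BB:04": "Example Voice Assistant Inc",
}

# Discovery protocols that typically point to consumer/IoT devices rather than managed endpoints.
IOT_PROTOCOL_HINTS = {"mdns", "ssdp", "mqtt", "coap"}

# Approved inventory keyed by MAC address (constructed).
APPROVED = {
    "AA:BB:01:00:00:11": "Reception thermostat (facilities ticket FAC-001)",
    "AA:BB:03:00:00:22": "Finance laptop (asset IT-1042)",
}

@dataclass
class Observation:
    mac: str
    ip: str
    protocols: set[str] = field(default_factory=set)

@dataclass
class Finding:
    mac: str
    ip: str
    vendor: str
    status: str          # "approved", "unauthorised" or "unknown-vendor"
    action: str          # "allow" or "quarantine"
    reasons: list[str]

def normalise_mac(mac: str) -> str:
    """Accept aa-bb-.. or aa:bb:.. in any case; inventory keys are upper-case colon form."""
    return mac.replace("-", ":").upper()

def vendor_for(mac: str) -> str:
    return OUI_VENDORS.get(mac[:8], "unknown")

def classify(obs: Observation) -> Finding:
    mac = normalise_mac(obs.mac)
    vendor = vendor_for(mac)
    if mac in APPROVED:
        return Finding(mac, obs.ip, vendor, "approved", "allow", [f"in inventory: {APPROVED[mac]}"])
    reasons = ["MAC not in approved inventory"]
    hints = sorted(obs.protocols & IOT_PROTOCOL_HINTS)
    if hints:
        reasons.append("IoT discovery protocols seen: " + ", ".join(hints))
    status = "unauthorised" if vendor != "unknown" else "unknown-vendor"
    # Default-deny for anything not inventoried: quarantine in a restricted segment pending review.
    return Finding(mac, obs.ip, vendor, status, "quarantine", reasons)

def discover(observations: list[Observation]) -> list[Finding]:
    return [classify(o) for o in observations]

def summarise(findings: list[Finding]) -> dict[str, int]:
    counts = {"approved": 0, "unauthorised": 0, "unknown-vendor": 0}
    for f in findings:
        counts[f.status] += 1
    return counts

# Constructed observations from the office VLAN: two inventoried devices, a smart TV,
# a personal voice assistant and a device with an unrecognised vendor prefix.
SAMPLE_OBSERVATIONS = [
    Observation("aa:bb:01:00:00:11", "10.20.0.11", {"dhcp", "https"}),
    Observation("AA-BB-03-00-00-22", "10.20.0.22", {"dhcp", "smb", "https"}),
    Observation("aa:bb:02:00:00:33", "10.20.0.33", {"dhcp", "ssdp", "mdns"}),
    Observation("aa:bb:04:00:00:44", "10.20.0.44", {"dhcp", "mdns", "https"}),
    Observation("cc:dd:ee:00:00:55", "10.20.0.55", {"dhcp", "mqtt"}),
]

if __name__ == "__main__":
    findings = discover(SAMPLE_OBSERVATIONS)
    for f in findings:
        print(f"{f.mac} {f.ip:<12} {f.vendor:<28} {f.status:<14} -> {f.action}; " + "; ".join(f.reasons))
    print(summarise(findings))
```

A real deployment would feed this from a NAC or monitoring export rather than a hard-coded list, and would treat the vendor lookup as a hint only, since MAC addresses can be randomised or spoofed.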

Beyond technical controls, organisations need clear policies addressing Shadow Internet of Things. Acceptable use policies should explicitly prohibit connecting personal Internet of Things devices to corporate networks without IT approval. Security awareness training should explain the risks, helping employees understand why that innocent-looking smart speaker creates genuine security concerns.

Critical Security Risks in Internet of Things Devices

The Internet of Things introduces security vulnerabilities that differ substantially from traditional computing environments. These risks emerge from design compromises, insufficient security standards, and the challenge of managing devices with 10-15 year lifespans.

Device Vulnerabilities and Weak Credentials

Default and weak passwords remain the primary vulnerability in Internet of Things devices. A 2024 analysis by Kaspersky of 15 million IoT devices found that 61% retained manufacturer default credentials, making them instantly compromisable through credential stuffing attacks.

Consumer Internet of Things manufacturers optimise for ease of setup rather than security. Devices ship with passwords like “admin,” “12345,” or the device model number. These credentials appear in publicly available product manuals that attackers can easily access.

The 2016 Mirai botnet attack infected over 600,000 Internet of Things devices using just 61 default username-password combinations. The resulting distributed denial-of-service (DDoS) attack reached 1.2 terabits per second, temporarily taking down major websites including Twitter, Netflix, and Reddit across the UK and US.

Research from NHS Digital identified that 30% of connected medical equipment runs outdated operating systems with known, unpatched vulnerabilities. The PSTI Act 2024 addresses this by prohibiting default passwords in consumer Internet of Things products sold in the UK, though it exempts industrial Internet of Things and legacy devices manufactured before April 2024.

Network and Data Transmission Risks

Internet of Things devices frequently transmit data over wireless networks without adequate encryption. A 2023 audit by the European Union Agency for Cybersecurity examined 200 consumer Internet of Things products available in the UK market. The audit found that 43% transmitted sensitive data without encryption, 28% used outdated SSL protocols vulnerable to known attacks, and only 19% implemented certificate pinning to prevent man-in-the-middle attacks.

Cross-border data transfers present particular challenges for UK organisations subject to GDPR. Many Internet of Things devices automatically upload data to cloud servers located in jurisdictions outside the UK and EU. Most consumer Internet of Things devices provide no control over data location, creating potential compliance violations.

Network segmentation provides critical mitigation. The National Cyber Security Centre recommends isolating Internet of Things devices on separate VLANs with firewall rules that prevent lateral movement to core business systems. Despite this guidance, a 2024 survey found that only 42% of UK organisations had implemented network segmentation for Internet of Things deployments.

Botnets and DDoS Attack Amplification

Compromised Internet of Things devices form botnets that launch large-scale DDoS attacks. The distributed nature of Internet of Things deployments and the typically always-on status of connected devices make them ideal for attackers seeking to overwhelm target networks.

By 2023, the Mozi botnet had infected over 1.5 million devices globally, according to IBM X-Force research. These botnets persist because infected devices continue functioning normally for their intended purpose whilst simultaneously participating in attacks, making detection difficult.

Ofcom data shows that DDoS attacks against UK organisations increased by 37% in 2023 compared to 2022. The average attack duration increased to 4.7 hours, with the longest recorded attack lasting 73 hours.

Mitigation requires multiple layers of defence. DDoS protection services from providers like Cloudflare (starting at £180 per month for Business plans) or Akamai (enterprise pricing starting at £20,000 annually) can absorb attack traffic before it reaches organisational networks. The NCSC recommends implementing rate limiting on Internet of Things devices to restrict the volume of traffic they can generate.

Business and Operational Implications

The security vulnerabilities in Internet of Things deployments translate directly into business risks that extend beyond IT departments. Understanding these operational and financial implications is essential for proper risk assessment.

Financial Liability and Brand Reputation

Internet of Things security breaches create quantifiable financial impacts through incident response, forensic investigation, legal fees, and regulatory fines. Indirect costs emerge from business disruption, customer churn, and brand damage.

The British Airways data breach in 2018 demonstrates UK regulatory enforcement. The Information Commissioner’s Office initially proposed a £183 million fine before reducing it to £20 million. The breach affected 429,000 customers and resulted in substantial reputational damage.

Manufacturing downtime proves particularly expensive. Gartner estimates the average cost of manufacturing downtime at £17,000 per minute for automotive manufacturers. If Internet of Things sensor networks controlling production lines become compromised, a four-hour disruption could cost £4 million in lost production.

Research by IBM found that organisations experiencing data breaches saw their share prices underperform the market by 7.5% in the year following disclosure, translating to millions in lost market capitalisation for publicly traded UK companies.

Data Privacy Concerns and GDPR Compliance

Internet of Things devices frequently collect personal data without clear user awareness or adequate protection. GDPR Article 5 requires that personal data be processed lawfully, fairly, and transparently. Many Internet of Things devices collect data beyond what’s necessary for their primary function.

The ICO issued guidance in 2020 specifically addressing Internet of Things, emphasising that manufacturers cannot assume users understand data collection practices. Organisations deploying Internet of Things devices must ensure compliance with data protection principles including purpose limitation and data minimisation.

Location data from Internet of Things devices creates particular sensitivity. Connected vehicles, delivery trackers, and employee wearables continuously generate location information. The ICO can issue fines up to £17.5 million or 4% of global annual turnover for serious violations.

Workplace Internet of Things deployments require careful consideration of employee privacy rights. Employers must balance legitimate business interests against employee privacy expectations.

Physical Safety Risks from Internet of Things Vulnerabilities

The convergence of information technology and operational technology means cyberattacks can now cause physical harm, not just data breaches. When Internet of Things devices control physical systems, security failures can endanger lives.

Medical Device Vulnerabilities

In 2021, the US Food and Drug Administration issued a recall affecting 465,000 pacemakers from Medtronic due to vulnerabilities allowing unauthorised remote reprogramming. Similar flaws in insulin pumps could enable malicious dosage delivery.

The UK’s Medicines and Healthcare products Regulatory Agency now requires cybersecurity compliance before approving connected medical devices. However, NHS Digital’s 2023 assessment found that 42% of medical devices on NHS networks run operating systems that no longer receive security updates.

Connected Vehicle and Smart Building Risks

Modern vehicles contain 50-100 Internet of Things sensors controlling systems from brakes to steering. In 2015, security researchers remotely disabled the brakes of a Jeep Cherokee, prompting Fiat Chrysler to recall 1.4 million vehicles. The Society of Motor Manufacturers and Traders reports that 94% of new cars sold in the UK in 2024 include internet connectivity features.

Internet of Things-controlled HVAC systems, elevators, and fire suppression equipment pose physical security risks. A 2023 assessment by the Centre for the Protection of National Infrastructure found that 68% of smart building installations in UK commercial properties had at least one critical security vulnerability.

The Target data breach demonstrates how building systems provide entry points. Attackers compromised Target’s HVAC system, then pivoted into payment systems, stealing 40 million credit card numbers.

UK Regulatory Compliance for Internet of Things Security

UK businesses deploying Internet of Things devices must navigate an evolving regulatory landscape. The Product Security and Telecommunications Infrastructure Act 2024 introduces mandatory security requirements.

Product Security and Telecommunications Infrastructure Act 2024

The PSTI Act came into force on 29th April 2024, establishing three core security requirements for Internet of Things manufacturers, importers, and distributors operating in the UK market. This legislation represents a significant shift in UK regulatory approach, moving from voluntary security guidelines to mandatory, enforceable standards with substantial penalties for non-compliance.

First, the Act bans default passwords across all covered devices. All Internet of Things products must have unique passwords that cannot be reset to universal factory settings. This requirement addresses the single most exploited vulnerability in Internet of Things security. Manufacturers must either assign unique passwords to each device during production or force users to create strong passwords during initial setup. The regulation explicitly prohibits passwords like “admin,” “password,” or “12345” that have enabled countless breaches. Devices must not allow users to set weak passwords that fail to meet minimum complexity requirements.

Second, manufacturers must provide a public point of contact for security researchers to report vulnerabilities. This vulnerability disclosure policy requirement ensures that discovered security flaws can be reported and addressed through coordinated disclosure processes. The policy must include a clear process for receiving and responding to reports within reasonable timeframes. This provision recognises that security research plays a vital role in identifying flaws before malicious actors can exploit them. By mandating public contact points, the Act removes the uncertainty that previously prevented researchers from reporting vulnerabilities due to potential legal consequences.

Third, companies must transparently state the minimum period they will provide security updates. Consumers and businesses purchasing Internet of Things devices need clarity about how long devices will receive patches for newly discovered vulnerabilities. If a manufacturer commits to three years of security updates, they must honour that commitment or face penalties. This requirement addresses the “abandonware” problem where devices remain functional for a decade but stop receiving security patches after two years. The transparency allows buyers to make informed decisions, potentially favouring manufacturers offering longer support periods.

Non-compliance carries substantial penalties designed to ensure manufacturers take these requirements seriously. The Office for Product Safety and Standards can issue fines up to £10 million or 4% of global turnover, whichever is higher. This enforcement mechanism mirrors GDPR penalties in scale, signalling the government’s serious approach to Internet of Things security. The OPSS can also issue compliance notices requiring manufacturers to fix non-conforming products within specified timeframes. Continued non-compliance following a compliance notice can result in product recalls or bans from the UK market.

The PSTI Act applies broadly to consumer Internet of Things products including smartphones, tablets, smart speakers, connected cameras, fitness trackers, smartwatches, and smart home devices such as thermostats, lighting systems, and security equipment. The definition captures any network-connectable product designed primarily for consumers, regardless of whether it’s also used in business contexts.

However, the Act contains significant exemptions that limit its coverage. Industrial Internet of Things devices used exclusively in commercial or industrial settings fall outside the Act’s scope. Medical devices are excluded because they’re covered by separate regulations through the MHRA. Vehicles are exempt, as are devices integral to vehicles’ operation. Most significantly, legacy devices manufactured before 29th April 2024 are exempt, meaning millions of insecure devices remain in use across the UK without any requirement for retrofitting security improvements.

Businesses procuring Internet of Things products should verify supplier compliance with PSTI requirements before purchase. Whilst purchasing non-compliant devices doesn’t directly create liability for buyers, it exposes organisations to security risks that could breach other regulatory obligations including GDPR and Network and Information Systems Regulations. Procurement teams should request attestations from suppliers confirming PSTI compliance and detailing the minimum security update period. This information should inform purchasing decisions, particularly for devices expected to remain deployed for many years.

NCSC Guidelines and ICO Requirements

The National Cyber Security Centre provides specific guidance for organisations deploying Internet of Things devices. Network segregation forms the foundation, with Internet of Things devices operating on separate network segments from core business systems.

The NCSC recommends default-deny firewall policies for Internet of Things networks and quarterly scans using network mapping tools to detect unauthorised devices. Following NCSC recommendations helps organisations meet their obligations under the Network and Information Systems Regulations.

The Information Commissioner’s Office enforces GDPR compliance for Internet of Things deployments that process personal data. Organisations must establish a lawful basis for processing, provide transparent information about data collection practices, and conduct Data Protection Impact Assessments for high-risk deployments.

Mitigating Internet of Things Security Risks

Addressing Internet of Things security requires a comprehensive approach that combines technical controls, organisational policies, and ongoing monitoring.

Strong Authentication and Authorisation

Implementing robust authentication mechanisms represents the most fundamental security control. All Internet of Things devices should require unique, complex passwords following organisational password policies. The NCSC recommends passwords of at least 12 characters including uppercase letters, lowercase letters, numbers, and special characters.

Multi-factor authentication should be enabled wherever devices support it. Certificate-based authentication provides stronger security than passwords for device-to-device communications. Role-based access control limits what authenticated users and devices can do, ensuring that compromised credentials provide attackers with limited capabilities.

Network Segmentation and Zero Trust Architecture

Network segmentation isolates Internet of Things devices from critical business systems, limiting the potential impact of compromised devices. A three-tier segmentation model works well, containing untrusted Internet of Things devices, trusted operational devices, and business-critical IT systems with the strictest access controls.

Zero Trust architecture assumes that no user or device should be trusted by default, regardless of network location. Every access request must be authenticated, authorised, and encrypted before being granted. For Internet of Things environments, this means continuous verification of device identity and health before allowing communications.
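The three-tier, default-deny model from the two paragraphs above, as an added example that is not from the article or the NCSC: each tier is a VLAN subnet, cross-tier traffic is permitted only by an explicit rule, and a denied flow that climbs from a lower-trust tier towards a higher one is flagged as a lateral-movement attempt. The subnets, ports and sample flows are constructed.

```python
"""Three-tier segmentation policy evaluated against sample flows.

Added example, not from the article or any vendor product. Tier subnets, the allow
rules and the flow log are constructed. Policy is default-deny: a cross-tier flow is
permitted only if an explicit rule matches; everything else is dropped and logged.
"""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed VLAN plan: one subnet per tier, strictest controls on the IT-critical tier.
TIERS = {
    "iot-untrusted": ip_network("10.10.0.0/24"),   # smart TVs, sensors, thermostats
    "ot-trusted":    ip_network("10.20.0.0/24"),   # vetted operational devices, IoT gateway
    "it-critical":   ip_network("10.30.0.0/24"),   # servers holding customer data
}
TIER_RANK = {"iot-untrusted": 0, "ot-trusted": 1, "it-critical": 2}

@dataclass(frozen=True)
class Rule:
    src_tier: str
    dst_tier: str
    proto: str
    dst_port: int | None   # None matches any destination port
    purpose: str

# Explicit allow list; anything not listed here is denied.
ALLOW_RULES = [
    Rule("iot-untrusted", "ot-trusted", "tcp", 8883, "sensor telemetry to IoT gateway over MQTT/TLS"),
    Rule("ot-trusted", "it-critical", "tcp", 5432, "gateway writes to telemetry database"),
    Rule("it-critical", "ot-trusted", "tcp", 22, "admin SSH to gateway from management hosts"),
]

@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int

@dataclass
class Decision:
    flow: Flow
    src_tier: str
    dst_tier: str
    verdict: str            # "allow" or "deny"
    reason: str
    lateral_movement: bool  # denied flow from a lower-trust tier towards a higher one

def tier_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, net in TIERS.items():
        if addr in net:
            return name
    return "unknown"

def evaluate(flow: Flow) -> Decision:
    src, dst = tier_of(flow.src_ip), tier_of(flow.dst_ip)
    if "unknown" in (src, dst):
        return Decision(flow, src, dst, "deny", "address outside any managed segment", False)
    if src == dst:
        # Intra-segment traffic is allowed here; finer control would need host-level rules.
        return Decision(flow, src, dst, "allow", "intra-segment traffic", False)
    for r in ALLOW_RULES:
        if (r.src_tier, r.dst_tier, r.proto) == (src, dst, flow.proto) and r.dst_port in (None, flow.dst_port):
            return Decision(flow, src, dst, "allow", r.purpose, False)
    # Default deny; flag attempts that climb the trust ladder for the SOC.
    lateral = TIER_RANK[src] < TIER_RANK[dst]
    return Decision(flow, src, dst, "deny", "no matching rule (default deny)", lateral)

def lateral_movement_alerts(flows: list[Flow]) -> list[Decision]:
    return [d for d in map(evaluate, flows) if d.lateral_movement]

# Constructed flow log: legitimate telemetry, a compromised smart TV probing a file
# server over SMB, a database write, an unlisted admin connection and intra-segment mDNS.
SAMPLE_FLOWS = [
    Flow("10.10.0.15", "10.20.0.5", "tcp", 8883),
    Flow("10.10.0.40", "10.30.0.10", "tcp", 445),
    Flow("10.20.0.5", "10.30.0.20", "tcp", 5432),
    Flow("10.30.0.2", "10.10.0.40", "tcp", 22),
    Flow("10.10.0.15", "10.10.0.40", "udp", 5353),
]

if __name__ == "__main__":
    for d in map(evaluate, SAMPLE_FLOWS):
        flag = "  LATERAL-MOVEMENT ATTEMPT" if d.lateral_movement else ""
        print(f"{d.src_tier:>13} -> {d.dst_tier:<13} {d.flow.proto}/{d.flow.dst_port:<5} {d.verdict:<5} {d.reason}{flag}")
```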

Regular Firmware Updates and Patch Management

Maintaining current firmware versions is critical for addressing known vulnerabilities. Organisations should maintain inventories of all Internet of Things devices including make, model, current firmware version, and update status. Critical security updates should be deployed within 30 days of release.

Testing updates before deployment reduces operational risk. Organisations with large deployments should maintain test environments for validation. When manufacturers stop supporting devices, organisations must decide between replacement or accepting the security risks of continued operation.
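The inventory and 30-day patch window described in the two paragraphs above, as an added example that is not from the article: each device record carries make, model, installed firmware, the latest published firmware and the manufacturer's support end date, and the audit flags devices with a critical update outstanding beyond the 30-day target and devices whose manufacturer support has ended, which need a replace-or-accept-risk decision. All device records, versions and dates are constructed.

```python
"""Firmware inventory audit against a 30-day critical-patch target.

Added example, not from the article. Devices, firmware versions and dates are
constructed placeholders; the 30-day figure is the deployment target the text gives.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

CRITICAL_PATCH_SLA_DAYS = 30

@dataclass
class Device:
    asset_id: str
    make: str
    model: str
    installed_fw: str
    latest_fw: str
    latest_fw_released: date
    latest_fw_critical: bool
    support_ends: date | None   # None: manufacturer has published no end-of-support date

def parse_version(v: str) -> tuple[int, ...]:
    """Compare numerically: as strings "1.10.0" would sort below "1.9.0"."""
    return tuple(int(p) for p in v.split("."))

def assess(dev: Device, today: date) -> dict:
    notes = []
    behind = parse_version(dev.installed_fw) < parse_version(dev.latest_fw)
    days_behind = (today - dev.latest_fw_released).days if behind else 0
    if dev.support_ends is not None and dev.support_ends < today:
        # Unsupported wins over every other state: no future patches will come.
        status = "unsupported"
        notes.append(f"support ended {dev.support_ends}; decide replacement or accept residual risk")
    elif behind and dev.latest_fw_critical and days_behind > CRITICAL_PATCH_SLA_DAYS:
        status = "overdue-critical"
        notes.append(f"critical update {dev.latest_fw} available for {days_behind} days (target {CRITICAL_PATCH_SLA_DAYS})")
    elif behind:
        status = "pending"
        notes.append(f"update {dev.latest_fw} available for {days_behind} days; test then deploy")
    else:
        status = "current"
    return {"asset_id": dev.asset_id, "device": f"{dev.make} {dev.model}",
            "status": status, "days_behind": days_behind, "notes": notes}

def audit(devices: list[Device], today: date) -> list[dict]:
    return [assess(d, today) for d in devices]

def summarise(results: list[dict]) -> dict[str, int]:
    counts = {"current": 0, "pending": 0, "overdue-critical": 0, "unsupported": 0}
    for r in results:
        counts[r["status"]] += 1
    return counts

AUDIT_DATE = date(2025, 3, 1)

# Constructed inventory: a thermostat overdue on a critical fix, a current camera, an HVAC
# controller past end of support, a sensor with a non-critical update and a gateway inside the window.
SAMPLE_DEVICES = [
    Device("THERM-01", "ExampleCo", "T200", "2.4.1", "2.4.3", date(2025, 1, 5), True, date(2027, 12, 31)),
    Device("CAM-07", "ExampleCam", "C9", "5.0.0", "5.0.0", date(2024, 11, 1), False, None),
    Device("HVAC-02", "ExampleAir", "H1", "1.9.0", "1.9.0", date(2022, 3, 1), False, date(2023, 6, 30)),
    Device("SENSOR-12", "ExampleSense", "S3", "3.1.0", "3.2.0", date(2025, 2, 20), False, date(2030, 1, 1)),
    Device("GATE-01", "ExampleNet", "G5", "4.0.0", "4.0.2", date(2025, 2, 15), True, date(2029, 1, 1)),
]

if __name__ == "__main__":
    results = audit(SAMPLE_DEVICES, AUDIT_DATE)
    for r in results:
        print(f"{r['asset_id']:<10} {r['device']:<20} {r['status']:<17} " + "; ".join(r["notes"]))
    print(summarise(results))
```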

Future of Internet of Things Security: AI and Blockchain

Emerging technologies are reshaping the Internet of Things security landscape.

Artificial intelligence enhances Internet of Things security through anomaly detection. AI systems analyse traffic patterns from thousands of devices, identifying unusual behaviour. Providers like Darktrace (from £25,000 annually) and Vectra AI (starting at £50,000) offer platforms designed for Internet of Things environments.

Blockchain technology offers solutions for device authentication and secure data exchange. Distributed ledger systems create immutable records of device identities. Smart contracts automate security policies, verifying devices have the latest firmware before allowing network access.

Internet of Things security represents one of the most significant cybersecurity challenges facing UK organisations. With over 41 billion connected devices expected globally by 2025, the attack surface continues expanding rapidly.

UK businesses must prioritise Internet of Things security through comprehensive strategies addressing device vulnerabilities, network architecture, and regulatory compliance. The PSTI Act 2024 establishes baseline requirements, but organisations bear responsibility for secure deployment.

Key strategies include strong authentication controls, network segmentation to isolate Internet of Things devices, and rigorous patch management programmes. Addressing Shadow Internet of Things through network audits prevents unauthorised devices from creating security gaps.

Regulatory compliance requires attention to the PSTI Act for device procurement and GDPR for data protection. Following NCSC recommendations helps meet obligations under the Network and Information Systems Regulations.

The financial risks of inadequate Internet of Things security are substantial. Manufacturing downtime, regulatory fines, and brand damage can cost millions of pounds. By implementing these strategies, UK organisations can deploy Internet of Things securely whilst maintaining compliance and protecting against cyber threats.