GUEST ESSAY: Why IoT security must start at the module—a blueprint for scaling IoT security – Source: www.lastwatchdog.com

By Enrico Milanese

A few years ago, a casino was breached via a smart fish tank thermometer.

Related: NIST’s IoT security standard

It’s a now-famous example of how a single overlooked IoT device can become an entry point for attackers — and a cautionary tale that still applies today.

The Internet of Things (IoT) is expanding at an extraordinary pace. Researchers project over 32.1 billion IoT devices worldwide by 2030 — more than double the 15.9 billion recorded in 2023. From connected vehicles to smart agriculture, businesses are scaling their deployments fast. But security, far too often, is an afterthought.

This gap has real consequences. One in three data breaches now involves an IoT device. That’s because attackers know these endpoints are often poorly secured, rarely monitored, and easy to exploit. The time has come for enterprises to treat IoT risk not as an infrastructure footnote, but as a central pillar of resilience.

Today’s IoT security gaps

IoT devices are often designed for utility, not defense. Many ship with default passwords, unpatched firmware, or weak communication protocols. Palo Alto researchers recently found that 98% of IoT device traffic remains unencrypted. That makes these devices — from smart cameras and medical sensors to HVAC controllers and vehicle modules — easy targets for lateral movement.

Even more dangerous is the growing threat of “shadow IoT”: unauthorized or unmanaged devices connecting to enterprise networks without proper oversight. The result? A swelling attack surface with very few guardrails.

Organizations need to shift from reactive security toward proactive control. An IoT cloud management platform can help. These platforms enable centralized patching, configuration control, and real-time monitoring — offering a scalable way to protect growing fleets of devices.

Not all modules created equal

One often overlooked security anchor in any IoT deployment is the module — the component that connects devices to cellular or other wide-area networks. It handles data exchange, enables cloud communication, and often performs edge-level processing.

But not all modules are created equal. Some vendors rush products to market with poorly vetted software, proprietary systems, or unverified components. Others fail to support long-term security updates, leaving customers with devices that degrade in safety over time.

When choosing a module vendor, enterprises should prioritize those with proven track records — providers who embed secure-by-design principles and follow universal security frameworks. They should support operational resilience while also helping customers meet compliance obligations under frameworks like the EU’s Radio Equipment Directive and the forthcoming Cyber Resilience Act.

Innovation vs. resilience

Balancing innovation speed with robust security is a constant challenge. But in the IoT era, it’s no longer optional.

Every new device adds opportunity — and risk. Enterprises that embed security from the module level up, that evaluate their vendors critically, and that treat visibility and patchability as first principles, will not only reduce their exposure — they’ll position themselves for long-term resilience.

The key is to scale with clarity. With the right strategy and trusted partners, IoT innovation doesn’t have to come at the expense of control.

About the essayist: Enrico Milanese is Head of Product Security, Telit Cinterion, a global provider of secure IoT modules, connectivity, and edge solutions.

July 16th, 2025 | Essays | Top Stories