IoT Security – Who Holds the Responsibility?
Many still view people as the weakest link in security, but the reality is that an entire ecosystem can be vulnerable. IoT, with its near‑complete automation, is often mistakenly assumed to be safe. That assumption is dangerous: nothing in cyberspace is inherently secure.
IoT devices are a magnet for cybercriminals, and the threat landscape is expanding with them: the device population is growing 15% year‑on‑year to an estimated 20 billion units, according to IHS Markit. For context, global mobile subscriptions top 4.9 billion per the GSMA. The sheer scale of IoT far eclipses P2P mobile connections, amplifying its breach potential, notes Sanjay Khatri, global director of product marketing at Cisco IoT.
The value chain is long and complex—every link is essential yet interdependent, and each represents a potential vulnerability. No single vendor can address every gap, so IoT security truly takes a village.
Building the IoT Security Village
Device manufacturers, often specialists in communication modules or sensors, are the most visible link. They are not necessarily the makers of the “things” themselves, but they enable connectivity. Assigning responsibility is critical: the party with technical control may not be the one end users perceive as accountable. Ultimately, the end‑user‑facing firm bears responsibility, as it faces the consequences if a breach occurs.
Hardware providers may be viewed as responsible, yet software is frequently the weak spot. Developers must embed strict authentication controls, and IoT software must incorporate fraud detection and prevention mechanisms to shield both device and data.
Network‑level vulnerabilities arise wherever devices reach the Internet—via cellular, Wi‑Fi, Bluetooth, LPWAN, or satellite. Cellular already offers a baseline of security with global standards, ciphering keys, and SIM‑based encryption, and it can segregate device traffic into private networks. Other wireless protocols require additional safeguards.
Cloud platform providers—such as IBM, Microsoft and Salesforce—play a pivotal role. They secure data stored in the cloud and manage, monitor, and protect device connectivity.
Securing the Device
Risk varies with use‑case. Protecting devices demands layers: authentication, user and application access control, lifecycle management, and data encryption. Cost‑benefit trade‑offs become pronounced when deploying thousands of units, and data sensitivity levels differ. Knowing what devices are in use and what data they collect is the first step toward a tailored security strategy.
Network and Data Protection
When devices act as gateways, the network becomes the highway that carries data to cloud services. Protecting this channel is as vital as securing the endpoints, because each network layer introduces entry points for attackers. The choice of wireless (Wi‑Fi, cellular) or wired connectivity dictates the required security protocols. Encrypt data in transit, isolate it within private networks, and enforce network authentication to verify and authorize devices and applications.
Cloud Coverage
IoT’s core relies on secure links to the cloud, so robust cloud security is non‑negotiable. Organizations should combine digital controls with physical safeguards and adhere to standards such as ISO/IEC 27001 to form a solid information‑security foundation.
Beyond the environment, granular controls—role‑based access and anomaly detection—are essential for IoT applications. Identity management and access control lists must grant the right people the right permissions, while anomaly detection allows the platform to spot suspicious behavior and automate remediation.
The IoT Security Checklist
IoT growth is massive, and with opportunity comes risk. A holistic, village‑style approach is essential, though challenging. To sharpen your strategy, focus on:
- End‑to‑end identification and authentication for every entity in the IoT service (gateways, endpoint devices, home networks, roaming networks, service platforms).
- Encryption of all user data exchanged between devices and backend servers.
- Compliance with local privacy and data‑protection legislation when handling personal or regulated data.
- Deployment of an IoT connectivity‑management platform with rules‑based security policies that trigger instant action on anomalous behavior.
- A holistic, network‑level security posture.
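The rules‑based policy item above, shown as an added example that is not from the author or any Cisco product: constructed session records are checked against each SIM's provisioned profile, and every rule that fires maps to an action. The rule names, actions, field names and sample values are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed inventory: what each SIM was provisioned with (hypothetical values).
PROVISIONED = {
    "sim-001": {"imei": "490154203237518", "daily_cap_kb": 500,
                "allowed_hosts": {"10.20.0.5"}},
    "sim-002": {"imei": "356938035643809", "daily_cap_kb": 2000,
                "allowed_hosts": {"10.20.0.5", "10.20.0.6"}},
}

@dataclass(frozen=True)
class Session:
    sim: str    # SIM identifier reported by the network
    imei: str   # identity of the device the SIM is currently in
    dest: str   # destination host of the session
    kb: int     # data transferred in this session

# Each rule: (name, action, predicate over session, profile, running usage in KB).
RULES = [
    ("imei_mismatch", "suspend", lambda s, p, used: s.imei != p["imei"]),
    ("dest_not_allowed", "block", lambda s, p, used: s.dest not in p["allowed_hosts"]),
    ("over_daily_cap", "throttle", lambda s, p, used: used > p["daily_cap_kb"]),
]

def evaluate(sessions):
    """Return (sim, rule, action) findings in the order they fire."""
    usage, findings = {}, []
    for s in sessions:
        profile = PROVISIONED.get(s.sim)
        if profile is None:  # identity not in inventory: fail closed
            findings.append((s.sim, "unknown_sim", "suspend"))
            continue
        usage[s.sim] = usage.get(s.sim, 0) + s.kb
        for name, action, pred in RULES:
            if pred(s, profile, usage[s.sim]):
                findings.append((s.sim, name, action))
    return findings

# Constructed sample sessions for one day.
SAMPLE = [
    Session("sim-001", "490154203237518", "10.20.0.5", 120),
    Session("sim-001", "490154203237518", "203.0.113.9", 40),   # off the private network
    Session("sim-001", "490154203237518", "10.20.0.5", 400),    # pushes usage past the cap
    Session("sim-002", "351756051523999", "10.20.0.6", 10),     # SIM seen in another device
    Session("sim-999", "000000000000000", "10.20.0.5", 1),      # never provisioned
]

if __name__ == "__main__":
    print(*evaluate(SAMPLE), sep="\n")
```
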
The author of this blog is Sanjay Khatri, global director of product marketing, Cisco IoT.