Iain Davidson, senior product manager at Wireless Logic, examines how to safely grow your IoT footprint in a world of growing cyber risk.

Today, the IoT is everywhere – it connects machinery in manufacturing, smart grids in critical energy infrastructure and remote patient monitoring devices in healthcare. Its rapid growth is undeniable, with as many as 40 billion devices forecast worldwide by 2030, but as organisations scale their massive IoT deployments they must be wise to the cyberthreats they face. 

The IoT must be resilient as it scales and that means building security in at every stage to avoid damaging and costly outages caused by cyberattacks. 

The IoT needs scalable resilience and security to avoid downtime 

Unfortunately, the risk that companies and customers will suffer downtime from a security breach is high. Beaming’s cyberthreat report into UK businesses reveals that IoT devices were the most frequently attacked in 2024. What’s more, the daily attack average on those devices rose still further in the first quarter of 2025 to 178 times a day.   

If companies expand their IoT operations and grow their installed base of devices without baking in resilience and security, they run a serious business risk. Cybercriminals increasingly target sprawling, under-monitored device networks, forcing organisations to rethink how they secure growth at scale. 

Companies, and the solutions providers supplying them, must strive to stay one step ahead. Too often, resources are ploughed into cybersecurity only after a breach. By then financial, and most likely reputational, damage has already occurred. Instead, companies must maximise IoT uptime by planning proactively for security and scalability. 

IoT outages risk regulatory penalties

The UK’s National Cyber Security Strategy 2016-21 stated, “poor security practice remains commonplace across parts of the (IoT) sector.” Following that, a World Economic Forum State of the Connected World report examined governance gaps in IoT and related technologies and labelled cybersecurity the “second-largest perceived governance gap”. 

It was a situation that couldn’t continue. The IoT was becoming more deep-rooted in transport, energy, retail and healthcare infrastructure. Governments and authorities had to take note and began introducing more security regulations and standards to protect customer data and help prevent IoT outages. Now, scaling without protection is a major compliance, as well as operational, risk. 

Compliance can sometimes seem like an inconvenient overhead but in fact regulations and standards help businesses. They provide a framework – a best practice guide if you will – to securing IoT deployments so they will be resilient. That’s what everyone wants – businesses, whose revenues and reputations depend on reliability, and customers who want products and services that work without anyone stealing their data. 

Having said that, for most companies, the IoT merely supports and facilitates their core business. It isn’t their main focus. The ever-changing regulatory landscape can be daunting to navigate. Companies must work with experts in the field to understand and abide by the many rules that apply.

The regulatory environment

These rules include the Digital Operational Resilience Act (DORA) and other resilience mandates that cover risk management, supply chains, and application and device security. There is also the EU’s Cyber Resilience Act, China’s Cyber Security Law and the Telecom Security Acts in the USA and UK.

A recent addition was EN 18031, which is of particular importance to businesses who sell or supply IoT devices in the EU. It is relevant to all connected radio devices from 1 August 2025 and is a cybersecurity add-on to the EU Radio Equipment Directive (RED), required to receive a CE mark. Non-compliant devices without the CE mark will be deemed unsafe and cannot be legally sold in the European Economic Area (EEA). 

To meet IoT regulations and standards, companies must set service level targets that can only be met by high availability and rapid, automated recovery from outages. Anything less isn’t good enough because regulators and customers expect more, and companies should demand more of themselves for their reputations and bottom lines.

Resilient and secure IoT requires real-time visibility and threat detection  


Companies can scale IoT securely despite growing and ever-evolving cybersecurity threats, but only through a range of measures that all start with design. Security must thread through the end-to-end solution spanning people, process and product. The weakest link in the chain might not be the IoT device; it could be neglected security training or a user access control policy that is not fit for purpose.

A fully rounded approach to IoT security defends against, detects and reacts to incidents through the lifetime of the product or service.

It defends through technology – identity and access management, multi-factor authentication, encrypted data, endpoint protection, patch management, cloud authentication, software updates, encrypted communications and secure APNs – but also through processes – change control procedures, version control for configurations and audits carried out against regulatory standards.

It detects through real-time visibility and threat detection that monitors devices and networks to spot anything unusual, such as a change in target URLs or data usage. Detection engines can be AI-assisted to analyse data feeds and score potential threats with automated or manual action, according to business rules, to isolate threats or send them for review. 

It reacts with automated threat responses, self-healing systems, fallback connectivity and the execution of detailed – and rehearsed – disaster recovery plans. 
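The detect-and-score step described above can be sketched as follows. This is an added example, not code from the article or from any vendor's product: it baselines each device's destinations and data usage, scores deviations, and maps the score to an action. The device names, hosts, telemetry records and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample telemetry: (device id, destination host, bytes per interval).
BASELINE = [
    ("meter-01", "telemetry.example.com", 1200),
    ("meter-01", "telemetry.example.com", 1100),
    ("meter-01", "telemetry.example.com", 1300),
    ("meter-02", "telemetry.example.com", 900),
    ("meter-02", "telemetry.example.com", 1000),
    ("meter-02", "telemetry.example.com", 1100),
]
LIVE = [
    ("meter-01", "telemetry.example.com", 1250),  # normal traffic
    ("meter-01", "telemetry.example.com", 9000),  # data usage spike only
    ("meter-02", "files.example.net", 50000),     # new destination and spike
]
# Hypothetical business rules: score thresholds mapped to actions.
REVIEW_AT, ISOLATE_AT = 40, 80

def build_profiles(records):
    """Learn each device's known destinations and usage mean / std deviation."""
    hosts, usage = defaultdict(set), defaultdict(list)
    for dev, host, nbytes in records:
        hosts[dev].add(host)
        usage[dev].append(nbytes)
    return {d: (hosts[d], mean(usage[d]), pstdev(usage[d]) or 1.0) for d in hosts}

def score(profile, host, nbytes):
    """0-100: 50 points for an unseen destination, up to 50 for excess usage."""
    known, mu, sigma = profile
    z = max(0.0, (nbytes - mu) / sigma)  # only usage above the baseline counts
    return (0 if host in known else 50) + min(50, int(z * 10))

def decide(s):
    """Apply the business rules: isolate, send for manual review, or allow."""
    return "isolate" if s >= ISOLATE_AT else "review" if s >= REVIEW_AT else "allow"

def triage(baseline, live):
    profiles = build_profiles(baseline)
    results = []
    for dev, host, nbytes in live:
        # A device with no baseline is itself unusual: review it at minimum.
        s = score(profiles[dev], host, nbytes) if dev in profiles else REVIEW_AT
        results.append((dev, host, s, decide(s)))
    return results

if __name__ == "__main__":
    for row in triage(BASELINE, LIVE):
        print(row)
```
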

Growing the IoT without risk to infrastructure or data

An IoT solution may have one connected device, or many thousands, but it must be resilient against security threats and designed in such a way that it can grow and evolve without risk to infrastructure or data. Cyberattacks will find and exploit any security weaknesses in technology, processes or the actions of employees and suppliers. 

To counteract the threat, companies must call on the right expertise and be guided by relevant regulations and standards to ensure their IoT is secure and resilient, now and in the future.
