Protecting Personal Data in the Era of IoT: Best Practices for Businesses and Consumers
Welcome to the wonderful world of the Internet of Things (IoT), where your fridge knows when you’re out of milk, your smart speaker answers life’s most important questions (“What’s the weather?” and “Who sang that song?”), and your doorbell knows who’s nicked your Amazon delivery. It’s all very clever, until you remember that every one of these devices is also a data vacuum cleaner, hoovering up personal information and, if you’re not careful, handing it over to cyber criminals on a silver platter.
In 2025, the number of connected devices has skyrocketed, making life easier and security much harder. Businesses and consumers alike are now custodians of vast amounts of personal data that flows through these devices. And when one smart plug can become the gateway to your entire network, getting IoT security right is no longer optional — it’s survival.
The Data Deluge: What IoT Devices Actually Collect
The sheer amount of data collected by IoT devices would make even the nosiest data broker blush. Smart thermostats track your comings and goings, fitness trackers know your heart rate (and when you skipped the gym), and connected cars know everywhere you’ve been. Every device is a potential privacy disaster waiting to happen.
For businesses deploying IoT solutions, the risks multiply. Sensors in smart offices collect environmental and employee data, supply chain trackers log location and performance, and smart CCTV captures everything that moves. All of this data is valuable — to you, to hackers, and to anyone looking to exploit a weakly secured device.
Best Practices for Businesses: How Not to Become an IoT Horror Story
Know What You’re Connecting
Start with a complete inventory of every connected device in your organisation. If you don’t know it’s there, you can’t secure it.
Update Like Your Business Depends On It (Because It Does)
Outdated firmware is one of the easiest ways into your network. Manufacturers release updates to patch vulnerabilities, so install them. Automatically, if possible.
Network Segmentation is Your Friend
Never, ever connect IoT devices directly to your main business network. Keep them on isolated networks where they can’t access sensitive data even if compromised.
Default Credentials Are the Devil
If your smart cameras are still using the username “admin” and password “password”, congratulations — you’re already compromised. Change default credentials the moment a device is installed.
Encrypt Everything
Data in transit, data at rest, data everywhere — encrypt the lot. That way, even if someone does get access, they get garbled nonsense rather than valuable information.
Data Minimisation Matters
Don’t collect more data than you actually need. The less data you hold, the less data can be stolen. Simple.
Plan for the Worst
Assume a breach will happen and have an incident response plan ready for when it does. The faster you can isolate and contain a compromised device, the better.
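The first four business practices above (inventory, updates, segmentation, default credentials) can be checked mechanically once an inventory exists. The script below is an added example, not code from the article or any vendor: it walks a constructed device inventory and produces findings for unmanaged devices, devices on the main network, default or empty credentials, and stale firmware. The field names, the VLAN names, the 180-day firmware age limit and the sample devices are all assumptions for this example.

```python
"""
IoT inventory audit (added example, not from the article).

Walks a constructed inventory of connected devices and flags the issues
the business checklist describes: devices with no owner (unmanaged),
devices on the main business network instead of an isolated one,
default or empty credentials, and firmware older than a fixed limit.
Field names such as "vlan" and "firmware_date" are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed inventory. A real one would come from an asset or NAC system,
# and the credential check would use the provisioning record rather than
# storing passwords alongside the device list.
INVENTORY = [
    {"name": "lobby-cam-01", "vlan": "corp-main", "username": "admin",
     "password": "password", "firmware_date": "2024-01-15", "owner": "facilities"},
    {"name": "hvac-sensor-7", "vlan": "iot-isolated", "username": "svc_hvac",
     "password": "rotated-at-install", "firmware_date": "2025-03-02", "owner": "facilities"},
    {"name": "smart-plug-12", "vlan": "corp-main", "username": "admin",
     "password": "", "firmware_date": "2023-06-30", "owner": None},
]

DEFAULT_CREDENTIALS = {("admin", "password")}   # the pair the article cites
IOT_VLANS = {"iot-isolated"}                    # assumed names of isolated networks
MAX_FIRMWARE_AGE = timedelta(days=180)          # assumed policy limit
AUDIT_DATE = date(2025, 6, 1)                   # fixed so the results are reproducible


@dataclass
class Finding:
    device: str
    issue: str
    severity: str


def audit_device(dev, today):
    """Return the list of findings for one inventory record."""
    findings = []
    if not dev.get("owner"):
        findings.append(Finding(dev["name"], "no owner recorded (unmanaged device)", "medium"))
    if dev["vlan"] not in IOT_VLANS:
        findings.append(Finding(dev["name"], f"on non-isolated network {dev['vlan']}", "high"))
    if (dev["username"], dev["password"]) in DEFAULT_CREDENTIALS or not dev["password"]:
        findings.append(Finding(dev["name"], "default or empty credentials", "critical"))
    age = today - date.fromisoformat(dev["firmware_date"])
    if age > MAX_FIRMWARE_AGE:
        findings.append(Finding(dev["name"], f"firmware {age.days} days old", "high"))
    return findings


def audit_inventory(inventory, today=None):
    """Audit every device; defaults to today's date when none is given."""
    today = today or date.today()
    return [f for dev in inventory for f in audit_device(dev, today)]


def run_audit():
    """Audit the constructed inventory as of AUDIT_DATE."""
    return audit_inventory(INVENTORY, AUDIT_DATE)


def summarise(findings):
    """Count findings per severity, e.g. {"critical": 2, "high": 4, "medium": 1}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    findings = run_audit()
    for f in findings:
        print(f"[{f.severity:8}] {f.device}: {f.issue}")
    print(summarise(findings))
```

Against the constructed inventory the camera and the smart plug each produce several findings while the sensor on the isolated VLAN with rotated credentials and recent firmware produces none, which is the state every record should be in after the checklist has been applied.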
Best Practices for Consumers: Because Your Smart Fridge Doesn’t Need Your Bank Details
Buy Smart, Not Cheap
Cheap IoT devices often come with abysmal security. Choose reputable brands that actually bother to patch vulnerabilities.
Change Every Default Password
If you can’t change the password on a device, reconsider buying it.
Turn Off What You Don’t Use
If your smart speaker has 17 features you’ll never use, disable them. Every unnecessary connection is a potential entry point.
Separate Your Wi-Fi
Put IoT devices on a guest network separate from your computers and phones. That way, if your smart lightbulb gets hacked, your bank account stays safe.
Update Devices Religiously
If the manufacturer doesn’t provide regular updates, rethink your purchase.
Limit Data Sharing
Check device privacy settings and opt out of unnecessary data collection. Does your fridge really need your location data? Probably not.
Use a Firewall and Monitor Traffic
Even at home, monitoring what devices are doing on your network can be eye-opening. If your baby monitor is chatting with servers in Eastern Europe, you’ve got a problem.
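The monitoring advice above is easier to act on with a concrete rule: each device should only talk to its own vendor's services, and a sudden large upload from a camera or monitor deserves a look. The script below is an added example, not code from the article or any router vendor: it parses constructed flow-log lines, compares each device's destinations against an allowlist of expected vendor domains, and flags unexpected destinations, unknown devices and oversized uploads. The log format, device names, domains, country codes and the 1 MB threshold are all constructed for this example.

```python
"""
Home-network egress check (added example, not from the article).

Parses constructed flow-log lines of the form
    <timestamp> <device> -> <dst_host> (<country>) <bytes_out>
and flags a device talking to a destination outside its expected vendor
domains, a device that is not in the allowlist at all, and unusually
large uploads. All names, domains and values are constructed.
"""
import re
from collections import defaultdict

FLOW_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) -> (?P<host>\S+) \((?P<country>[A-Z]{2})\) (?P<bytes>\d+)$"
)

# Constructed sample flow log; 203.0.113.17 is a documentation address.
SAMPLE_LOG = """\
2025-06-01T08:00:01 baby-monitor -> cloud.example-monitor.com (GB) 4096
2025-06-01T08:00:05 baby-monitor -> cloud.example-monitor.com (GB) 5120
2025-06-01T08:01:12 smart-bulb -> api.example-lighting.com (IE) 512
2025-06-01T08:02:40 baby-monitor -> 203.0.113.17 (XX) 9437184
2025-06-01T08:03:02 smart-bulb -> api.example-lighting.com (IE) 480
2025-06-01T08:04:15 smart-bulb -> updates.example-lighting.com (IE) 2048
this line is not a flow record
"""

# Constructed per-device allowlist: the vendor hosts each device is expected to use.
EXPECTED = {
    "baby-monitor": {"cloud.example-monitor.com"},
    "smart-bulb": {"api.example-lighting.com", "updates.example-lighting.com"},
}
UPLOAD_THRESHOLD = 1_000_000  # bytes in a single flow; assumed threshold


def parse_flows(text):
    """Parse flow records, skipping any line that does not match the format."""
    flows = []
    for line in text.splitlines():
        m = FLOW_LINE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["bytes"] = int(rec["bytes"])
            flows.append(rec)
    return flows


def find_anomalies(flows, expected=EXPECTED, threshold=UPLOAD_THRESHOLD):
    """Return (device, reason, detail) tuples for every flow worth a look."""
    alerts = []
    for f in flows:
        allowed = expected.get(f["device"])
        if allowed is None:
            alerts.append((f["device"], "unknown device on network", f["host"]))
        elif f["host"] not in allowed:
            alerts.append((f["device"], "unexpected destination", f["host"]))
        if f["bytes"] > threshold:
            alerts.append((f["device"], "large upload", f"{f['bytes']} bytes"))
    return alerts


def bytes_per_device(flows):
    """Total outbound bytes per device, useful for spotting chatty devices."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["device"]] += f["bytes"]
    return dict(totals)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    for device, reason, detail in find_anomalies(flows):
        print(f"{device}: {reason} ({detail})")
    print(bytes_per_device(flows))
```

On the sample log the smart bulb only reaches its vendor's hosts and stays quiet, while the baby monitor is flagged twice for the same flow: a destination that is not in its allowlist and a 9 MB upload. On a real router the flow data would come from its connection log or from a tool such as a firewall's export, and the allowlist would be built from a few days of observed normal traffic before alerting is switched on.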
The Regulatory Landscape: IoT Security is Everyone’s Problem
Governments have started waking up to the IoT security crisis. In the UK, the Product Security and Telecommunications Infrastructure Act mandates minimum security standards for connected devices. Manufacturers must ship devices with unique passwords, provide clear update policies, and publish a point of contact for security issues.
For businesses, compliance with regulations like GDPR means securing personal data collected by IoT devices isn’t optional — it’s legally required. Failing to protect data doesn’t just damage trust; it brings fines that can cripple small businesses.
The Future of IoT Security
The number of connected devices will keep growing, and so will the threats. AI-driven attacks, supply chain compromises, and device hijacking will become more sophisticated. The businesses and consumers who treat IoT security as an ongoing process — rather than a one-time setup task — will fare best.
As with all things cyber security, vigilance, common sense, and a healthy dose of paranoia go a long way. Whether you’re running a smart factory or just trying to stop your doorbell spying on you, securing your IoT devices is no longer optional.
Sources
NCSC - Smart Devices Guidance https://www.ncsc.gov.uk/guidance/smart-devices-guidance
UK Government - Product Security and Telecommunications Infrastructure Act (factsheet) https://www.gov.uk/government/publications/product-security-and-telecommunications-infrastructure-bill-factsheet
Forbes - IoT Security Best Practices https://www.forbes.com/sites/forbestechcouncil/2023/10/04/securing-the-internet-of-things-best-practices-for-businesses/
TechRadar - IoT and Data Privacy https://www.techradar.com/news/internet-of-things-devices-are-leaking-data-everywhere-and-its-a-serious-issue
Cyber Essentials - IoT Security Recommendations https://www.cyberessentials.org/iot-security-best-practices/