AI vs AI: why the ‘it won’t happen to us’ assumption no longer makes sense

As weird as it sounds, an unsecured smart thermostat could let hackers into your corporate network. A connected medical device could be exploited to put lives at risk. Not to mention botnets, which can turn everyday IoT gadgets into weapons for cybercriminals. According to IBM, one in three data breaches now involves an IoT device. AI has improved cybersecurity, but it’s also used to compromise entire networks. In this scenario, how can companies protect their assets before it’s too late?

When talking about cybersecurity, you often have the impression that you’re preaching to the choir. At this point, the message is clear. And data is available everywhere: more than 50% of IoT devices have critical vulnerabilities, as most aren’t built with security in mind. They’re easy targets for hackers. Healthcare IoT devices in particular are a prime target, with attacks increasing by 123% year over year. In addition, unpatched firmware is responsible for 60% of IoT security breaches. Therefore, one might deduce that an unsecured IoT device is a full-fledged business risk. In fact, security failures cost businesses an average of $330,000 per incident.

And yet, despite all the warnings and catchy headlines, most businesses, especially small and medium enterprises, aren’t prepared for cyberattacks or overlook cybersecurity altogether, be it because they wrongly assume that hackers only target large corporations, because they consider that having firewalls and antivirus software is enough, or because fast-paced innovation prioritizes convenience and speed over security.

“Believe it or not, access to many devices is still unencrypted,” says Selva Orejón, CEO of OnBranding, a Barcelona-based company specializing in the protection of digital ID and online reputation.

Fortunately, AI has come to the rescue. AI-driven tools help monitor IoT networks, detect suspicious activities that human analysts might miss, and prevent unauthorized access, thus enhancing cybersecurity. As a result, machine learning-based anomaly detection is becoming essential for identifying unusual patterns in IoT devices, which might indicate malware infections or cyber intrusions. And this is really helpful when billions of connected devices create a massive attack surface.

But every coin has two sides. AI is a double-edged sword as it can be weaponized by criminals to exploit IoT vulnerabilities. Criminals use AI to develop adaptive malware, execute large-scale botnet attacks, and launch AI-powered phishing campaigns that can compromise entire IoT networks. Additionally, adversarial AI techniques can manipulate IoT machine learning models, causing smart security systems to overlook threats or even disable defenses.

AI vs AI

This arms race between AI-driven defense and AI-powered attacks is puzzling for many companies and institutions and raises serious concerns.

Some might think “it won’t happen to us” as their use of AI is limited to tools like ChatGPT, Gemini, Copilot, DeepSeek, etc. But still, they also need to “preserve their privacy in the face of the growing number of cyberattacks that seek to steal this type of information”, says Juan Caubet, Director of IT&OT Security at the Eurecat Technology Center.

“There are also a number of risks associated with the malicious use of these AI systems, whether to generate malware, fake news, or more credible phishing emails”, he adds.

“In this sense, companies that develop AI agents should implement strict control measures, both to access the services and to avoid malicious or unethical uses”, Caubet highlights.

“It would be good if security failures were perceived not only as a technical issue but also as a negligence, so that actions to fix leaks were mandatory”, advises the CEO of OnBranding.

Cultural shift

Overall, the solution seems to be to embed security into the design phase of IoT products (security by design), invest in ongoing training for employees, adopt Zero Trust security models (or, simply put, “never trust, always verify” models), add AI-driven threat detection, and collaborate with regulatory bodies to push for stronger, unified standards.

Of course, this is easier said than done, as all these actions are often seen as an expense rather than a business enabler, and many organizations, especially startups, lack dedicated cybersecurity teams or budgets.

But, at the end of the day, companies need to shift their mindset and treat cybersecurity as a core business function, not an afterthought, because “it’s the basis of our digital identity and the shielding of a brand,” says Selva Orejón. IOT Solutions World Congress will certainly promote this new mindset on 13-15 May in Barcelona because, in the current scenario, “it won’t happen to us” no longer makes sense, so we’d better shift to “how prepared are we when it happens”.

Article by: Anna Solana