IoT security best practices: 7 ways to protect your connected devices

Connected devices are everywhere. They track shipments across continents and monitor critical infrastructure in real time, while healthcare systems use them to handle sensitive patient data. With billions of IoT devices now operating worldwide, security is foundational.

The good news: IoT security has matured significantly. The tools, protocols, and platform capabilities available today make it possible to build layered defenses that scale with your fleet, no matter how many devices you manage or where they operate. This guide walks through seven best practices that engineering leaders and executives should treat as non-negotiable.

1. Secure devices at the hardware level

Security starts before a single byte of data is transmitted. Hardware-level protections form the root of trust for every device in your fleet.

Use Trusted Platform Modules (TPMs) or Hardware Security Modules (HSMs) to embed cryptographic keys directly in the device hardware. This makes it possible to verify device identity during boot and block unauthorized firmware from executing. Tamper-resistant enclosures add a physical layer of defense for devices deployed in exposed or remote environments.

What this looks like in practice:

• Cryptographic keys stored in hardware, not software, so they cannot be extracted or duplicated
• Secure boot processes that verify firmware integrity before the device powers on
• Tamper detection that triggers alerts or wipes sensitive data if a device enclosure is breached

For fleets operating across 190+ countries, as many Hologram customers do, hardware-level security is especially critical. Devices deployed in remote locations may go months without physical inspection. Hardware root of trust means those devices remain verifiable even when no one is on-site.

2. Encrypt data across all layers

Encryption protects data at rest on the device, in transit over the network, and at rest again in storage. Each layer needs its own protection because a gap at any point creates an opening.

Use AES-256 for data at rest and TLS 1.3 or DTLS for data in transit. Under a shared security model, your organization encrypts the data your devices generate, and your connectivity provider protects the routing infrastructure.

Where teams often miss a step:

• Encrypting data in transit but leaving local device storage unprotected
• Using outdated TLS versions that are vulnerable to known exploits
• Failing to rotate encryption keys on a regular schedule

Cross-border encryption and data sovereignty

For global IoT fleets, encryption is not just a technical decision. It is a compliance one. Regulations like the European Union's General Data Protection Regulation (GDPR) and the Network and Information Systems Directive 2 (NIS2) impose specific obligations on how data is encrypted, where it is stored, and how it moves across borders.

Multi-jurisdiction deployments introduce real complexity. A fleet operating in the EU, North America, and Asia Pacific may need to comply with three or more distinct regulatory frameworks simultaneously. That means encryption standards, key management practices, and data residency choices must account for the strictest applicable regulation.

Hologram's global connectivity management platform operates across 190+ countries and 550+ carriers. This carrier diversity gives teams flexibility to route data through compliant paths without building separate infrastructure for each region. Combined with private access point names (APNs) that isolate your fleet's traffic from the public internet, you can maintain encrypted, segmented data flows across jurisdictions.

3. Strengthen authentication and access control

Weak or default credentials remain one of the most common entry points for unauthorized access. Multi-factor authentication (MFA) and role-based access control (RBAC) are the baseline, not the ceiling.

Start with these fundamentals:

• Replace default credentials on every device before deployment, without exception
• Enforce MFA for all platform and dashboard access
• Use RBAC to limit what each user, team, and API key can see and do

For fleets with hundreds or thousands of devices, manual credential management breaks down fast. Automated provisioning that assigns unique credentials per device at manufacturing or activation is far more reliable.

Hologram's platform supports MFA for dashboard accounts and granular API key permissions. For teams managing large fleets, this means you can give field technicians visibility into device status without exposing billing, SIM management, or network configuration controls.

4. Keep firmware and software current

Outdated firmware is one of the most exploited weaknesses in IoT deployments. Every unpatched device is a potential entry point.

Build a firmware update strategy that scales:

• Enable over-the-air (OTA) updates so you can push patches without physical device access
• Automate patch compliance monitoring to flag devices running outdated versions
• Test firmware updates in a staging environment before fleet-wide rollout
• Maintain a rollback plan in case an update introduces unexpected behavior

For IoT cellular fleets with devices across dozens of countries, coordinating firmware updates gets complex. Stagger rollouts by region or device group to limit the blast radius of any issues. Track compliance rates in your device management dashboard so you can identify stragglers before they become liabilities.

Hologram's platform tracks device connectivity status, making it straightforward to identify which devices have reconnected after a firmware push and which may need attention.

5. Secure the network layer

Network segmentation is one of the highest-impact security measures you can implement. Isolating IoT traffic from your standard IT network limits what an attacker can reach if a single device is compromised.

Core network security controls:

• Private APNs to create a dedicated, isolated network path for your IoT traffic, separate from the public internet
• Firewalls and intrusion detection/prevention systems (IDS/IPS) to monitor and filter traffic at network boundaries
• VPN tunnels for encrypted communication between devices and your backend systems
• Port management to close unnecessary ports and reduce attack surface

Why private APNs matter for fleet security

A private APN creates a direct, isolated connection between your devices and your cloud infrastructure. Traffic never touches the public internet, which eliminates an entire category of attack vectors.

Hologram offers private APNs as part of its connectivity platform. For fleets transmitting sensitive operational data, financial transactions, or health information, this isolation is often a compliance requirement, not just a best practice. Combined with Hologram's multi-carrier architecture spanning 550+ carriers, you get network redundancy without sacrificing isolation.

6. Automated SIM behavior monitoring and alerts

The faster you detect unusual SIM behavior, the faster you can contain it. Manual monitoring does not scale past a few dozen devices. At fleet scale, you need automated systems that flag anomalies and trigger responses without waiting for someone to check a dashboard.

What to monitor

• Data usage spikes: A device that normally sends 50 MB per month suddenly consuming 2 GB could indicate a compromised device being used for data exfiltration, a firmware bug causing runaway transmissions, or unauthorized use of the SIM
• Unauthorized location changes: If a SIM registered to a stationary asset in Chicago starts connecting from a tower in another country, that is a strong signal of SIM theft or cloning
• SIM swap events: Unauthorized SIM swaps, where someone moves your SIM to a different device, can indicate physical tampering or social engineering attacks against your carrier account
• Abnormal connection patterns: Devices connecting and disconnecting rapidly, connecting to unexpected networks, or failing authentication repeatedly all warrant investigation

Setting up automated alerts

Hologram's Dashboard lets you configure usage thresholds and alerts at the individual SIM or fleet level. When a device exceeds a data threshold, changes location unexpectedly, or exhibits other anomalous behavior, the system sends alerts through your configured channels.

For more granular control, Hologram's API lets you pull real-time usage and status data into your own monitoring stack. You can build custom alerting rules that match your specific threat model. Set up webhooks to push events to your SIEM or incident response system so SIM anomalies feed into your existing security workflows.

Geofencing and usage controls

Geofencing restricts where your SIMs can operate. If a device should only function within the continental US, you can set geographic boundaries so any connection attempt from outside that zone gets flagged or blocked. Combined with usage caps that automatically pause a SIM when it exceeds expected data consumption, these controls limit the blast radius if a device is compromised.

7. Secure the entire solution lifecycle

Security is not a one-time setup. It is a practice that spans the full device lifecycle, from initial design through active operation to end-of-life decommissioning.

Design phase: Build security into device architecture from day one. Define encryption requirements, authentication mechanisms, and update pathways before hardware selection, not after.

Deployment phase: Validate that every device meets your security baseline before it goes live. Automated provisioning and activation workflows help make sure no device enters production with default credentials or outdated firmware.

Operational phase: Continuously monitor, patch, and audit. The practices in sections one through six apply here. Treat security as an ongoing operational discipline, not a project with a finish line.

Decommissioning phase: When a device reaches end of life, wipe all stored data, revoke its credentials and certificates, and deactivate its SIM. Proper decommissioning prevents retired devices from becoming an unmonitored entry point into your network.

Data protection and compliance for global IoT fleets

Deploying IoT devices across multiple countries means navigating overlapping data protection regulations. The connectivity layer, meaning how your devices transmit data and where that data flows, is a critical part of your compliance posture.

GDPR considerations for IoT connectivity

The General Data Protection Regulation (GDPR) applies whenever your devices collect or transmit data involving EU residents, even if your company is based elsewhere. For IoT connectivity, the key requirements are:

• Data minimization: Transmit only the data your application needs. Configure your devices to filter or aggregate data at the edge before sending it over cellular
• Lawful basis for processing: If your devices collect data that could identify individuals (location data, biometric readings, usage patterns), you need a documented legal basis for processing that data
• Data processing agreements: Your connectivity provider is a data processor under GDPR. Make sure your agreement with them covers data handling, breach notification timelines, and subprocessor management

NIS2 and critical infrastructure

The EU's NIS2 directive expands cybersecurity requirements to critical sectors including energy, transport, healthcare, and digital infrastructure. If your IoT deployment falls within these sectors, your connectivity infrastructure may be in scope. Consult your legal team for specific obligations, but in general, expect supply chain security assessments, incident reporting requirements, and documented risk management practices to cover your connectivity layer.

HIPAA and healthcare IoT

Connected medical devices and remote patient monitoring systems must protect health information in transit. This means encrypted connections (which cellular networks give by default), access controls on your connectivity management platform, and audit trails showing who accessed device data and when.

Private APNs for traffic isolation

A private APN creates a dedicated pathway between your IoT devices and your backend systems, isolating your traffic from the public internet. This is one of the most effective steps for compliance-sensitive deployments because it:

• Keeps device data off the public internet entirely
• Gives you control over DNS, IP addressing, and routing
• Creates a clear network boundary for audit and compliance purposes
• Simplifies firewall rules since all device traffic enters through a known endpoint

Hologram supports private APNs across its multi-carrier network, so your devices get traffic isolation regardless of which carrier they are connected to in a given location.

Audit trails and access controls

Compliance frameworks universally need you to answer: who accessed what, when, and what did they change? Your connectivity management platform should log every SIM activation, deactivation, plan change, and configuration update with timestamps and user attribution. Hologram's dashboard and API give you this visibility across your fleet.

Build security into every layer of your IoT stack

IoT security is a team effort across hardware, software, network, and operational disciplines. No single practice covers everything, but together these seven layers create a defense-in-depth approach that scales with your fleet.

The most effective security strategies share a common thread: they are built into the architecture from the start, automated wherever possible, and monitored continuously. With the right connectivity platform supporting your fleet, security becomes an enabler of growth rather than a constraint on it.

Hologram's global IoT connectivity management platform (CMP) s built to support security at every layer, with private APNs, real-time device monitoring, and multi-carrier redundancy across 550+ carriers in 190+ countries. Whether you are deploying your first hundred devices or managing a fleet of millions, security and connectivity work together.

Talk with an IoT expert.