Most organizations think about device security in terms of protection. Is this device secure? Is it patched? Can it safely connect to the network? But recent events highlight how this thinking needs to change. In March 2026, law enforcement agencies across the U.S., Canada, and Europe disrupted multiple massive IoT botnets responsible for some of the largest distributed denial-of-service (DDoS) attacks ever recorded. Millions of devices—routers, cameras, DVRs—had been quietly compromised and woven into global attack infrastructure. These weren’t just vulnerable devices. They were recruited.
From Devices to Weapons
A botnet is a network of compromised devices controlled by an attacker. Once infected, those devices can be used to launch attacks, spread malware, or provide access to other systems. What makes IoT devices especially dangerous in this context is how perfectly they fit the attacker’s needs:
- Always on
- Rarely monitored
- Infrequently patched
- Often configured with weak or default credentials
Unlike traditional endpoints, IoT devices tend to operate in the background—out of sight and, too often, out of mind. That makes them ideal candidates for recruitment.
The IoT Problem No One Owns
Most organizations don’t have a clear answer to a simple question: How many IoT devices are actually on the network? Beyond laptops and phones, networks are filled with:
- Security cameras
- Printers
- Smart TVs
- Badge readers
- Conference room audio systems
Many of these devices are installed by facilities or operations teams, and managed outside of IT. They also get connected without formal onboarding or security validation, which creates a massive blind spot. If you don’t know a device exists, you can’t secure it. If you can’t secure it, you can’t trust it.
When “At Risk” Becomes “Part of the Attack”
The traditional way of thinking about device risk is defensive: A compromised device puts your organization at risk. Botnets flip that idea on its head – a compromised device doesn’t just create risk, it becomes an active participant in someone else’s attack. That means your organization could be launching DDoS attacks against external targets, hosting malicious traffic, or otherwise supporting cybercrime operations without even realizing it. In other words, the problem isn’t just exposure, it’s participation.
Legacy approaches to device security were built for a different era—one where devices were managed and known and networks were clearly defined. That’s not the world we operate in today. IoT devices don’t behave like traditional endpoints. They:
- Don’t support agents
- Don’t support traditional monitoring protocols like SNMP & WMI
- Don’t follow standard patch cycles
- Often lack strong authentication mechanisms
As a result, many organizations fall back on assumptions: if it’s on the network, it’s trusted; if it’s internal, it’s safe. Attackers are counting on those assumptions.
What Needs to Change
To address the reality of IoT risk, organizations need to shift from implicit trust to continuous verification, which has to start with visibility. You can’t secure what you can’t see. Every device—managed or unmanaged—must be:
- Discovered automatically
- Identified and profiled
- Evaluated for trust
But visibility alone isn’t enough. Organizations also need to enforce access policies that reflect the actual risk of each device:
- Limiting what devices can access
- Segmenting traffic appropriately
- Continuously validating behavior and posture
And critically, this needs to happen without manual intervention. Because in environments with thousands—or millions—of devices, manual control simply doesn’t scale.
For years, security strategies have focused heavily on users: identity, authentication, access control. But devices now play an equally important role. If users represent one half of the access equation, devices represent the other, and both must be trusted. Modern, cloud-based access control platforms make this possible by:
- Accurately profiling all devices on the network
- Providing unified visibility across all environments
- Applying consistent policies to users and devices alike
- Enforcing trust dynamically, not just at the point of connection
This approach ensures that even unmanaged or IoT devices are not given implicit access—and cannot operate unchecked. The biggest risk isn’t just that your IoT devices get compromised. It’s that once they are, they don’t work for you anymore, they work for someone else. And in today’s threat landscape, that means your organization may not just be defending against attacks—it may be helping power them.
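The discover, identify, and evaluate-for-trust loop described under What Needs to Change, as an added example that is not from the original article or any vendor product. The inventory, per-profile policy, MAC addresses, and flow records are all constructed assumptions; the check quarantines devices nobody onboarded and restricts known devices whose traffic leaves their expected segment.

```python
import ipaddress
from collections import defaultdict

# Constructed inventory: MAC -> device profile (hypothetical values).
INVENTORY = {
    "00:11:22:aa:00:01": "camera",
    "00:11:22:aa:00:02": "printer",
}
# Assumed policy: allowed destination networks, external peers tolerated per window.
POLICY = {
    "camera": {"allow": ["10.20.0.0/24"], "max_external_peers": 0},
    "printer": {"allow": ["10.30.0.0/24"], "max_external_peers": 1},
}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
# Constructed flow records for one window: (src_mac, dst_ip, dst_port).
FLOWS = [
    ("00:11:22:aa:00:01", "10.20.0.5", 554),     # camera -> recorder
    ("00:11:22:aa:00:02", "10.30.0.9", 9100),    # printer -> print server
    ("00:11:22:aa:00:02", "203.0.113.10", 80),   # printer -> many external hosts
    ("00:11:22:aa:00:02", "203.0.113.11", 80),
    ("00:11:22:aa:00:02", "198.51.100.7", 80),
    ("00:11:22:aa:00:99", "10.20.0.5", 554),     # device nobody onboarded
]

def evaluate(flows, inventory=INVENTORY, policy=POLICY):
    """Return {mac: (decision, reasons)} for every MAC seen in the window."""
    seen = defaultdict(set)
    for mac, dst, _port in flows:
        seen[mac].add(ipaddress.ip_address(dst))
    verdicts = {}
    for mac, dests in seen.items():
        if mac not in inventory:  # discovered on the wire but never identified
            verdicts[mac] = ("quarantine", ["not in inventory"])
            continue
        rules = policy[inventory[mac]]
        allowed = [ipaddress.ip_network(n) for n in rules["allow"]]
        off_policy = {d for d in dests if not any(d in n for n in allowed)}
        external = {d for d in off_policy if d not in INTERNAL}
        reasons = []
        if off_policy - external:
            reasons.append(f"{len(off_policy - external)} internal host(s) outside allowed segment")
        if len(external) > rules["max_external_peers"]:
            reasons.append(f"{len(external)} external peer(s), limit {rules['max_external_peers']}")
        verdicts[mac] = ("restrict", reasons) if reasons else ("allow", [])
    return verdicts

if __name__ == "__main__":
    for mac, (decision, reasons) in evaluate(FLOWS).items():
        print(mac, decision, "; ".join(reasons))
```

Run on a schedule against real flow or DHCP data, the same verdicts can drive segmentation automatically instead of waiting for a manual review.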