Why regulators and standards bodies are taking a close look at IoT security
- June 24, 2024
- Michael Nadeau

The internet of things has a bad reputation when it comes to security, and much of it is earned. For years, some device manufacturers ignored basic security practices around access control. Attackers know this and target IoT devices frequently and at scale.
It is relatively easy to scan the internet for devices known to be vulnerable. If a threat actor finds a network with devices that, say, have a password hardcoded into the firmware that cannot be changed, they can simply log in, because that password is probably already circulating on the dark web.
Organizations that use IoT devices share the blame, as they often practice poor security hygiene when protecting them. Common missteps include over-permissioning (giving too many people administrative access), failing to apply security updates, and poor password management.
What’s the big deal if one device is compromised? Depending on how an organization has set up its network, that single entry point can escalate to full network access, particularly on a flat network where IoT devices are not segmented from everything else. This is exactly what has happened in some of the most damaging recent cyberattacks.
One of the most famous is the Mirai botnet attack of October 2016. A threat actor compromised and took control of hundreds of thousands of IoT devices, mostly IP cameras and digital video recorders (DVRs), by logging in with factory-default usernames and passwords. They then used those devices to launch a massive distributed denial-of-service (DDoS) attack on Dyn, a DNS provider. A DDoS attack uses compromised devices, or large networks controlled by an attacker, to flood servers with requests at a scale intended to overwhelm them. Because Dyn resolved domain names for many major sites, the attack made Twitter, Netflix, CNN, and many other websites unreachable for users in the U.S. and Europe.
The scale and severity of attacks on IoT devices has gotten the attention of governments, regulators, and industry groups. The problem has become a national security issue in the U.S., UK, and other heavily targeted countries. As a result, we are seeing the creation and adoption of security guidelines and regulations around the world.
This has the potential to create headaches for chief information security officers (CISOs), compliance professionals, legal teams, and IT staff at global organizations. How do they comply with different standards from multiple countries without impacting the business?
Fortunately, most of the standards are based on one or both of the two most well-established sources: the European Telecommunications Standards Institute’s (ETSI’s) CYBER: Cyber Security for Consumer Internet of Things: Baseline Requirements (EN 303 645) and the U.S. National Institute of Standards and Technology’s (NIST’s) guidance, principally the NISTIR 8259 series of IoT device cybersecurity baselines (with a consumer profile in NISTIR 8425) alongside the broader Cybersecurity Framework. ETSI’s EN 303 645 focuses on consumer devices, while the NIST guidance is broader in scope.
CISOs I’ve spoken with say they look at all the regulations and guidelines for the regions in which their organizations operate. They identify the portions that apply to them, look for commonalities, and then do a gap analysis to find the areas where they most need to focus their compliance efforts. What they typically learn is that by following the most established and well-developed standards, they meet nearly all of the newer standards produced by governments or industry associations.
The bottom line is that complying with any standard or regulation is much easier for a device manufacturer or operator that already follows security best practices. Targets move as governments and industry groups change definitions (not all agree on what an IoT device is, for example) and requirements. Strong security practices and policies make it much easier to adapt as the standards landscape changes.