As more devices, platforms and everyday services become connected, the potential attack surface for cybercriminals continues to grow. Smart home products, workplace tools, cloud platforms and AI-powered services can all create new entry points when they’re misconfigured, poorly secured or connected to other systems without enough oversight.

For organizations and consumers alike, staying secure isn’t just about defending against sophisticated attacks; it’s also about recognizing the everyday risks that can build up across connected environments. Below, members of Forbes Technology Council discuss cyber risk areas that may be easy to overlook and share practical steps for reducing exposure.

Verify Whether Security Controls Still Work

One underestimated risk is assuming security controls stay operational. Agents fail silently, patches don’t deploy and configurations drift, even without an attack. As AI speeds up attacks, organizations need more than backups. They need continuous verification that critical controls are healthy and self-healing automation to restore them when they break. - Christy Wyatt, Absolute

Find And Secure Shadow APIs

The most underestimated risk is shadow APIs connecting legacy systems to new AI agents. While we focus on device hardware, these interfaces often lack the same rigor as public endpoints. Implement automated API discovery and schema validation at the edge, treating internal connectivity with zero trust. Ensure that even a compromised device cannot pivot laterally through an unmonitored API. - Anil Pantangi, Capgemini America Inc.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.

Speed Patch Management For AI-Enabled Threats

With Mythos-like frontier models, it’s going to be extremely easy for bad actors to exploit devices connected to the internet. Both businesses and consumers are extremely unprepared and, in most cases, ignorant of these emerging risks.
The industry will need both user education and the ability to speed up patches that can be automatically deployed once such an exposure is confirmed. - Seemant Sehgal, BreachLock Inc.

Limit Data Collection From Smart Devices

One hidden risk is that smart devices can collect too much personal data. A TV, car or fitness app may track more than people realize. To reduce the risk, turn off data sharing you do not need and delete accounts for devices you no longer use. - Margarita Simonova, ILoveMyQA

Authenticate Machine-To-Machine Connections

Everyone secures the device. Almost no one secures what happens between devices. Machine-to-machine API calls now shadow human traffic operating on inherited trust with zero oversight. One compromised handshake cascades everywhere. The fix: Extend zero trust to the device layer. If it connects, it authenticates. Every single time. - Kiran Bhujle, SVAM International Inc.

Extend Governance To Messaging Platforms

As more devices connect, work is moving into apps like WhatsApp, Signal and WeChat, often replacing email but without the same enterprise protections. This creates an overlooked attack surface. A practical fix is to extend governance, monitoring and capture to these channels. - Dima Gutzeit, LeapXpert

Replace Default Credentials Before Devices Connect

Default credentials on connected devices are still the most underestimated Internet of Things risk. Most devices ship with insecure defaults, can’t be patched, and become botnet infrastructure or lateral movement vectors. The fix is simple but rarely done: Mandate credential rotation and firmware validation before any device joins the network. Treat every connected device as untrusted until proven otherwise. - Diptamay Sanyal, CrowdStrike

Update And Isolate Device Firmware

A commonly underestimated risk is unsecured firmware in IoT devices, which can be exploited silently at scale. Unlike apps, firmware often goes unpatched.
Enforcing automatic firmware updates and network-level isolation can significantly reduce exposure and prevent compromised devices from becoming entry points into larger systems. - Govinda Rao Banothu, Cognizant Technology Solutions

Manage Identity Sprawl Across Connected Environments

I see identity sprawl as an underestimated risk as more devices and services connect. Each integration expands access paths that are rarely governed consistently. Enforcing centralized identity management and continuous access review reduces exposure and helps maintain control as environments scale. - Natasha Bryan, AlphaRidge

Strengthen Access Controls Against AI-Driven Social Engineering

Social engineering has become more sophisticated, especially with the introduction of AI. Without proper access controls and permission structures within the environment, threat actors have more exposure to sensitive and business-critical data each time their social engineering efforts are successful. - Kathleen Erickson, Holland America Line

Limit AI Agent Permissions

Enterprises using agentic AI in digital workflows must consider how they delegate agency from humans to systems. Autonomy enhances execution, but as threat actors use AI tools to exploit vulnerabilities at machine speed, agents become high-value targets. If compromised, broad permissions can amplify breaches. Assign distinct identities and limit access to required systems to reduce the attack surface. - Fletcher Keister, GTT Communications, Inc.

Separate IoT Devices From Core Networks

IoT devices like office printers, cameras, smart speakers and TVs are cyber risks. Most are built without security in mind and rarely receive updates, making them easy targets. The fix is keeping them isolated. At work, put them on a dedicated VLAN, and use a designated guest Wi-Fi at home. - Matthew Polega, Mark43

Treat Cybersecurity As An Ongoing Process

One underestimated risk is the “set it and forget it” mindset around security.
As systems evolve and new integrations are added, controls that were once effective can quietly become outdated. A practical way to reduce this risk is to treat security as an ongoing process, with regular reviews of configurations, access controls and connected systems to ensure nothing slips through the cracks. - Judit Sharon, OnPage Corporation

Close The Remediation Gap

The most underestimated risk is the speed gap. AI attackers exploit vulnerabilities in hours, while organizations take weeks to respond. The real danger isn’t detection—it’s the delay in remediation. Teams must shift from reporting to action: Prioritize high-risk exposures and automate fixes. It’s no longer human versus machine—it’s machine versus machine. - Steve Carter, Nucleus Security

Map Hidden Third-Party Dependencies

Most organizations lack a full understanding of where third-party services are embedded in their processes and systems. A practical step is to move beyond single-point-in-time vendor assessments and continuously map how third parties support critical business operations. This will uncover hidden dependencies and ensure response efforts are aligned to business priorities before disruptions spread. - Michael Campbell, Fusion Risk Management

Remove Forgotten Connected Devices

The cyber risk too many people underestimate is the forgotten connected device: an old router, smart camera, printer, thermostat or IoT sensor that quietly sits on the network with weak security. The practical fix is blunt but effective: Change default passwords, update firmware, isolate IoT devices on a separate network, and remove anything you no longer use. - Mark Vena, SmartTech Research

Recognize That Everyone Is A Cyber Target

One underestimated risk is the general public’s belief that only large organizations or high-profile people are targets. In reality, connected devices, email, social accounts and home networks are often attacked opportunistically.
A practical way to reduce risk is to enable multifactor authentication, keep devices updated and remove unused apps or accounts. - Craig Hamill, Chicago Metropolitan Agency for Planning

Audit Stale Access And Unsafe Network Practices

A volunteer logged into a nonprofit’s fundraising CRM from public Wi-Fi on a personal laptop with admin access she stopped needing two years ago. Nobody noticed. That is the risk. Not sophisticated hacking: forgotten access, open networks and zero boundaries. The fix? Audit who has access to what, revoke what is stale, and make public Wi-Fi a policy conversation, not an IT footnote. - Tal Frankfurt, Cloud for Good

Minimize Autonomous Permissions Across Connected Systems

The most underestimated risk is over-connected autonomy—devices and services acting on behalf of users with broad, persistent permissions. One compromised node can trigger cascading actions. A practical fix: Enforce “permission minimization by default” and regularly audit what systems can do autonomously, not just what they can access. - Mateusz Przepiorkowski, Appsfactory International