New Rules for IoT Devices:
Your IoT device has to be able to receive regular security updates without user intervention.
If your IoT device is capable of functioning by connecting to the internet only as needed to transmit data, it should absolutely behave that way. i.e. Don’t make your IoT device run a listening service unless it absolutely has to (and it doesn’t. Poll your service, don’t have your service poll devices)
Your IoT device should always use TLS, and never ignore certificate errors.
Stop making IoT devices if your first priority isn’t security. i.e. stop making IoT devices.