The internet of things (IoT) has evolved beyond a hyped buzzword into commercially available technologies that can significantly improve customer outcomes and deliver business benefits. However, the interlinked set of hardware, software, and ubiquitous connectivity of the IoT ecosystem creates new security challenges and exacerbates legacy security problems. This report summarizes the current IoT attack surface and provides guidance for security and risk (S&R) professionals on how to protect and defend against IoT-based threats.