One practical thing that could help (beyond the usual patching and setting passwords) would be to separate your networks -- client devices on one subnet, IoT on another, servers/NAS etc on another. Ensure that private IPs are disjoint (say 10.65.34.128/28, 172.29.34.0/27, 192.168.14.208/29 etc). That adds layers of obscurity.

Enable multicast between them, pretty tricky for an XSS to know which networks your IoT devices are on.

Other things you can do (like only allowing control of IoT devices from a separate admin network for instance) is a matter of security vs convenience.
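As an added example (not part of the comment above), here is a small check for the kind of subnet plan the commenter describes: it confirms that each segment sits in RFC 1918 private space, that no two segments overlap, and that each CIDR is written on a proper network boundary. The segment names and the plan dictionary are constructed for illustration using the three prefixes quoted in the comment.

```python
import ipaddress
from itertools import combinations

# RFC 1918 private address blocks (real values, not page-specific).
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed plan: segment name -> CIDR, using the prefixes from the comment.
PLAN = {
    "clients": "10.65.34.128/28",
    "iot": "172.29.34.0/27",
    "servers": "192.168.14.208/29",
}


def check_segmentation(plan):
    """Return a list of human-readable problems; an empty list means the plan is clean."""
    problems = []
    nets = {}
    for name, cidr in plan.items():
        try:
            # strict=True rejects CIDRs with host bits set, e.g. 192.168.1.5/24
            nets[name] = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{name}: {cidr} is not a valid network boundary ({exc})")
    # Every segment must live inside private address space.
    for name, net in nets.items():
        if not any(net.subnet_of(block) for block in RFC1918):
            problems.append(f"{name}: {net} is not RFC 1918 private space")
    # Segments must be pairwise disjoint, otherwise routing/ACLs get ambiguous.
    for (a, na), (b, nb) in combinations(nets.items(), 2):
        if na.overlaps(nb):
            problems.append(f"{a} ({na}) overlaps {b} ({nb})")
    return problems


def segment_sizes(plan):
    """Usable host count per segment, handy for sanity-checking a /28 or /29 is enough."""
    return {name: ipaddress.ip_network(cidr).num_addresses - 2 for name, cidr in plan.items()}


if __name__ == "__main__":
    for issue in check_segmentation(PLAN) or ["plan looks clean"]:
        print(issue)
    print(segment_sizes(PLAN))
```

Run it against your own plan dictionary; any non-empty result is something to fix before wiring up the inter-segment firewall rules.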