Security checklist

The following is a list of security recommendations and ideas that have traditionally worked. Again, it is important to have a blanket of security:

  • Use the most current operating system and libraries with all relevant patches
  • Use hardware that incorporates security features like Trusted Execution Environments, Trusted Platform Modules, and non-execute spaces.
  • Obfuscating code in the hopes a hacker will not reverse engineer it is relatively useless. Sign, encrypt and protect your firmware and software images, especially those freely available on a company website.
  • Randomize default passwords.
  • Use a Root of Trust and secure boot to ensure you have a "golden" image of software running on a customer device.
  • Eliminate hardcoded passwords in ROM images.
  • All IP ports must remain closed by default.
  • Use Address Space Layout Randomization, Stack Canaries, and Guard bands in memory through modern operating systems.
  • Use automatic updates. Provide manufacturers with a mechanism to fix and patch bugs and vulnerabilities in the field. This requires a modular software architecture. 
  • Plan for end-of-life. An IoT device may have a long usable life, but it will need to be disposed of eventually. This should include methods to securely wipe and destroy all persistent memory (flash) from the device. 
  • Use bug bounty programs. Reward your customers and users for finding and reporting bugs, especially defects likely to expose a zero-day exploit.
  • Subscribe and participate in US-CERT active threat management to become immediately aware of active exploits and cyber threats.
  • As tempting as it is to simply build a project with MQTT, HTTP, or other insecure protocols, only ship with security and authentication enabled through TLS or DTLS. Encrypt data from the sensor to the cloud.
  • Employ anti-debug fuses on the package. Blow fuses in manufacturing to secure debug channels prior to releasing a product.
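The signed-image, root-of-trust and field-update items above, as an added example that is not from the book: a minimal bootloader-side check of a constructed firmware image format, including the rollback check a "golden image" update path needs. It assumes a key held in the root of trust and uses HMAC-SHA256 as a stand-in for the asymmetric signature a real secure boot verifies, so it runs with only the standard library; the header layout and `FWIM` magic are invented for the example.

```python
import hashlib
import hmac
import struct

# Constructed image header (example format, not the book's):
#   magic (4s) | version (I) | payload_len (I) | sha256 (32s) | tag (32s)
HEADER = struct.Struct("<4sII32s32s")
MAGIC = b"FWIM"
TAG_LEN = 32

# Stand-in for a key that lives in the Root of Trust (fuses / TPM-sealed).
# A production secure boot verifies an asymmetric signature instead.
ROT_KEY = b"constructed-example-key-not-for-production"


def build_image(version, payload, key=ROT_KEY):
    """Produce a signed image the way a release pipeline would (demo only)."""
    digest = hashlib.sha256(payload).digest()
    body = struct.pack("<4sII32s", MAGIC, version, len(payload), digest)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag + payload


def verify_image(image, min_version, key=ROT_KEY):
    """Bootloader check. Returns (ok, reason); boot only when ok is True."""
    if len(image) < HEADER.size:
        return False, "truncated header"
    magic, version, length, digest, tag = HEADER.unpack_from(image)
    if magic != MAGIC:
        return False, "bad magic"
    # Authenticate the header first: every later decision trusts its fields.
    body = image[:HEADER.size - TAG_LEN]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time compare
        return False, "authentication failed"
    payload = image[HEADER.size:]
    if len(payload) != length:
        return False, "length mismatch"
    if hashlib.sha256(payload).digest() != digest:
        return False, "payload digest mismatch"
    # Anti-rollback: never boot an image older than the stored floor.
    if version < min_version:
        return False, "rollback rejected"
    return True, "ok"
```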