The Riskiest Devices of 2026
This year, 11 brand-new asset types have made the list across IT, OT, IoT, and IoMT. It is the second-largest year-over-year increase on record. Two new device types enter the top five riskiest IT assets: serial-to-IP converters and workstations.
- 11 new riskiest asset types
- Routers top IT risk
- 32 vulnerabilities per router/switch on average
- Imaging devices top IoMT risk
Riskiest Device Categories
Categories in blue are new to the list. Red indicates they moved up in the rankings compared with 2025 while green indicates they moved down but still make the list.
| IT | IoT | OT | IoMT |
|---|---|---|---|
| Router | VoIP System | Power Distribution Unit (PDU) | Medication Dispensing System |
| Serial-to-IP Converter | Printer | Physical Address Control System | Medical Image Printer |
| Workstation | Time Clock | Uninterruptible Power Supply (UPS) | DICOM Gateway |
| Firewall | Network Video Recorder (NVR) | I/O Module | MRI Scanner |
| Domain Controller | RFID Reader | BACnet Router | Healthcare Workstation |
Industries with the Highest Average Device Risk
In 2026, financial services has the highest average device risk, followed by government and healthcare. The gap between the top two industries and the rest is significant: average device risk in financial services is more than 3x retail. Average device risk in government is more than double manufacturing.
Special Operating Systems Have Outdated or Unsupported Firmware
This category includes embedded firmware and networking OSes – which are prevalent in government (72%), retail (61%), and healthcare (56%). Across all industries, special-purpose operating systems outnumber mobile operating systems. Special-purpose OSes create operational security challenges: version tracking is a visibility issue, patches are rarely applied automatically, and outdated or unsupported firmware is common.
Widespread Legacy Windows Operating Systems
Retail has the highest percentage of legacy Windows at 39%, followed by healthcare at 35%, and financial services at 29%. These percentages increased across industries following the end of support for Windows 10. In all five industries, more than half of non-legacy Windows devices previously operated on Windows 10. Organizations can enroll in the Extended Security Updates (ESU) program.
Open Ports by Industry
This year, SSH is the second most common protocol. Every industry except retail increased its SSH exposure. Telnet is the most concerning finding in this analysis: its usage increased in financial services, healthcare, and manufacturing, and decreased slightly in government and retail. This follows last year’s increase across all five industries. The biggest increase was in financial services where Telnet exposure rose from 3% to 12%. Manufacturing exposure increased from 5% to 12%, and healthcare from 6% to 8%.
Risk Scoring Methodology
We assess device cybersecurity risk using a multifactor risk scoring methodology based on three factors:
- Configuration: Evaluates the number and severity of vulnerabilities, the number and criticality of open ports, and other configuration findings such as default credentials or insecure protocol versions.
- Function: Measures the potential organizational impact if a device is compromised.
- Behavior: Assesses a device’s exposure to the internet.
Each device receives a risk score from 1 to 10. After scoring individual devices, we calculate the average risk score per device type to determine which categories pose the greatest risk.
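The three-factor scoring and per-type averaging described above, as an added example that is not Forescout's own formula or code. The weights, port criticality values, saturation point, field names and sample inventory are all assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import mean

# Assumed values: the page names the three factors but not weights or scales.
WEIGHTS = {"configuration": 0.5, "function": 0.3, "behavior": 0.2}
PORT_CRITICALITY = {23: 1.0, 22: 0.5, 443: 0.2}  # Telnet > SSH > HTTPS

def configuration_score(dev):
    """0..1 from vulnerability severity, open-port criticality and findings."""
    vulns = min(1.0, sum(c / 10 for c in dev["cvss"]) / 5)  # saturates at five CVSS-10s
    ports = min(1.0, sum(PORT_CRITICALITY.get(p, 0.1) for p in dev["open_ports"]))
    findings = 1.0 if dev["default_credentials"] else 0.0
    return (vulns + ports + findings) / 3

def device_risk(dev):
    """Weighted combination of the three factors, mapped onto the 1-10 scale."""
    factors = {
        "configuration": configuration_score(dev),
        "function": dev["impact"],  # 0..1: organizational impact if compromised
        "behavior": 1.0 if dev["internet_exposed"] else 0.0,
    }
    raw = sum(WEIGHTS[name] * value for name, value in factors.items())
    return round(1 + 9 * raw, 1)

def rank_device_types(devices):
    """Average the per-device scores by type, riskiest type first."""
    by_type = defaultdict(list)
    for dev in devices:
        by_type[dev["type"]].append(device_risk(dev))
    averages = [(t, round(mean(scores), 2)) for t, scores in by_type.items()]
    return sorted(averages, key=lambda item: item[1], reverse=True)

# Constructed sample inventory (not data from the report).
DEVICES = [
    {"type": "router", "cvss": [9.8, 7.5], "open_ports": [22, 23],
     "default_credentials": True, "impact": 0.8, "internet_exposed": True},
    {"type": "router", "cvss": [5.3], "open_ports": [22],
     "default_credentials": False, "impact": 0.8, "internet_exposed": False},
    {"type": "printer", "cvss": [], "open_ports": [443],
     "default_credentials": True, "impact": 0.3, "internet_exposed": False},
    {"type": "workstation", "cvss": [7.8, 6.5, 4.3], "open_ports": [],
     "default_credentials": False, "impact": 0.5, "internet_exposed": False},
]

if __name__ == "__main__":
    for device_type, avg in rank_device_types(DEVICES):
        print(f"{device_type:12} {avg}")
```

In this constructed inventory the router with Telnet open, default credentials and internet exposure pulls its device type to the top, even though the second router scores moderately.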
How Forescout Helps
Discover. Assess. Control. Govern.
Your journey to Universal Zero Trust Network Access starts with the Forescout 4D platform™: the only platform for UZTNA powered by agentic AI. Continuously identify, protect, and ensure the compliance of all assets – IT, IoT, IoMT and OT – regardless of location, automatically. Deliver cloud-native network security intelligence boosted by agentic workflows from the pioneer of traditional NAC.
Shift from reactive firefighting to proactive risk management. Get continuous visibility into what’s actually exposed across every connected asset — managed or not, physical or virtual. The result? Priorities managed. Peace of mind.