Black box assessments can be conducted for a relatively low cost. These assessments are aimed at attempting to break into a device, with no a priori knowledge of the technology that the device implements.
As funding permits, have third parties perform black box tests against devices, as well as the infrastructure that supports the devices. Perform these assessments at least yearly for each IoT system and more often if systems change more frequently (for example, through updates).
If your systems wholly or partially reside in the cloud, at least perform application penetration testing against representative VMs that you have deployed in cloud containers. Even better, if you have a test infrastructure mockup of the deployed ...