Evidence clearly shows that a huge number of IDP systems have been breached.

The multitude of attacks continue and virtually all are automated, so it's not a question of why someone would bother with your system.

It's financially sensible to set up effective safety mechanisms. Because that's always far less expensive than cleaning up the mess caused by a system breach.

Data travelling over insufficiently protected radio links (LoRa, cellular, and many WiFi) gets AES-encrypted and HMAC-signed by IWAS software. Each such client system has unique AES and HMAC keys.

For data travelling over wired networks or the Internet we use authenticated end-to-end-encrypted tunnels.

For remote access to IWAS client systems we have 4FA, via two independent layers of encryption and authentication :

For the VPN, a client has a either a unique private+public key pair or a unique certificate that's signed by the IWAS system.

Our hardened IWAS VPN server allows connections only from clients that present either a valid public key or a valid certificate.

By default IWAS client systems are not directly exposed to the Internet.

By default no direct inbound network connections from upstream are allowed.

The remote support VPN tunnel is established by the client.

To thwart MITM attacks, the client verifies that it's talking to our VPN server.

The server has multiple defensive layers. Including Mandatory Access Control (MAC), which restricts what the various applications and services can access and do, and which defeats unknown threats.

The prominent 'Malware Magnet' IT family is nowhere to be found in our systems. Meaning that Indo / IWAS is naturally immune to virtually all malware.