Use encrypted/authenticated transport by default
Make sure that all exchanges with the device use an encrypted and authenticated transport by default. This includes application data, logs, monitoring, and updates.
Review all protocols and services in use and document the security protocols they rely on. Enable security where it is not configured by default.
Document any cases where encryption/authentication is not possible or highly impractical.
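
One way to carry out the review described above, as an added example that is not part of the original guideline: a Python check that classifies each endpoint in a device's transport inventory, accepts an insecure transport only with a written exception, and lists the exchange types the inventory does not cover. The inventory, hosts, URL-style scheme labels and exception text are constructed for illustration.

```python
from urllib.parse import urlsplit

# Schemes that run over TLS, DTLS or SSH (encrypted and authenticated transport).
SECURE = {"https", "mqtts", "wss", "coaps", "ssh", "sftp"}
# Cleartext counterparts often left enabled on devices.
PLAINTEXT = {"http", "mqtt", "ws", "coap", "telnet", "ftp", "tftp", "syslog"}
# Exchange types the guideline names explicitly.
CATEGORIES = ("application data", "logs", "monitoring", "updates")

# Constructed sample inventory: (category, endpoint). Hosts are placeholders.
INVENTORY = [
    ("application data", "mqtts://broker.example.net:8883"),
    ("logs", "syslog://logs.example.net:514"),
    ("updates", "https://updates.example.net/firmware"),
    ("updates", "tftp://192.0.2.10/recovery.img"),
    ("application data", "modbus://192.0.2.20:502"),
]
# Constructed exception register: endpoint -> written justification.
EXCEPTIONS = {
    "tftp://192.0.2.10/recovery.img":
        "bootloader recovery path; image signature is verified before flashing",
}

def audit(inventory, exceptions):
    """Classify each endpoint; anything not known to be secure fails closed."""
    report = []
    for category, endpoint in inventory:
        scheme = urlsplit(endpoint).scheme.lower()
        if scheme in SECURE:
            status = "ok"
        elif exceptions.get(endpoint, "").strip():
            status = "exception"      # insecure but documented
        elif scheme in PLAINTEXT:
            status = "violation"      # cleartext and undocumented
        else:
            status = "unreviewed"     # protocol still needs a review
        report.append((status, category, endpoint))
    return report

def unreviewed_categories(inventory):
    """Exchange types from the guideline that the inventory does not cover."""
    seen = {category for category, _ in inventory}
    return [c for c in CATEGORIES if c not in seen]

def failures(report):
    """Endpoints that still need a fix, a review or a documented exception."""
    return [e for status, _, e in report if status in ("violation", "unreviewed")]

if __name__ == "__main__":
    for status, category, endpoint in audit(INVENTORY, EXCEPTIONS):
        print(f"{status:<10} {category:<17} {endpoint}")
    print("categories without an entry:", unreviewed_categories(INVENTORY))
```

A secure scheme only shows that TLS, DTLS or SSH is in use; peer authentication (certificate or host key validation) still has to be confirmed in each service's configuration.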