There is no such thing as “100% secure” on the Internet. Complete security would mean disconnecting all of our devices. But, as with all electronic devices, such as computers or smartphones, the same rule applies here: install updates!
If manufacturer updates are available, install them as quickly as possible. While it is laborious to schedule and perform updates for all devices at different intervals and at different times, this is the only way to close vulnerabilities. Otherwise, those open vulnerabilities can be exploited by attackers.
A prerequisite for this step, however, is that the manufacturer provides updates. Unfortunately, for many manufacturers, this is not always the case. I therefore recommend that potential buyers closely consider aspects such as software and hardware support and its quality before buying the first product they see.
In addition to the installation of updates, the same principles apply to IoT devices as to any other devices: secure passwords! One of the main ways the previously mentioned Mirai botnet was able to spread so dramatically was by abusing default accounts and default passwords that users never changed. Default accounts include "admin" or "administrator". Consequently, the “usual” recommendation applies here as well: “Use strong passwords!” What are strong passwords? Ideally, they should consist of a combination of at least 12-14 letters, numbers and special characters, and they have to be unique for each device and account.
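The password criteria above can be checked across a whole household or office inventory. The following Python sketch is an added example, not part of the original article: it flags default account names, passwords that miss the length or character-class criteria, and passwords reused across devices. The device names, credentials and function names are constructed for illustration.

```python
import hashlib
import string
from collections import defaultdict

DEFAULT_ACCOUNTS = {"admin", "administrator"}  # the default names the article cites
MIN_LENGTH = 12  # lower bound of the article's 12-14 character recommendation

# Constructed inventory for illustration: (device, account, password)
SAMPLE_INVENTORY = [
    ("camera-hall", "admin", "admin"),
    ("thermostat", "heating-owner", "T7#kd9!vQx2m&Lp"),
    ("doorbell", "frontdoor", "T7#kd9!vQx2m&Lp"),
    ("smart-plug", "plug-owner", "w4$Zr8!nHq3@Ty"),
]

def password_findings(password):
    """Return the ways a password falls short of the article's criteria."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isalpha() for c in password):
        findings.append("no letters")
    if not any(c.isdigit() for c in password):
        findings.append("no numbers")
    if not any(c in string.punctuation for c in password):
        findings.append("no special characters")
    return findings

def audit(inventory):
    """Map each device to a list of findings; an empty list means it passed."""
    report = {}
    seen = defaultdict(list)  # password digest -> devices using it
    for device, account, password in inventory:
        findings = password_findings(password)
        if account.lower() in DEFAULT_ACCOUNTS:
            findings.append("default account name '%s'" % account)
        report[device] = findings
        # Compare digests so plaintext passwords are not kept as dictionary keys.
        seen[hashlib.sha256(password.encode()).hexdigest()].append(device)
    for devices in seen.values():
        if len(devices) > 1:  # the same password on more than one device
            for device in devices:
                others = [d for d in devices if d != device]
                report[device].append("password reused on " + ", ".join(others))
    return report

if __name__ == "__main__":
    for device, findings in audit(SAMPLE_INVENTORY).items():
        print(device, "->", "; ".join(findings) or "ok")
```

In the sample, the thermostat and doorbell passwords each pass the length and character checks on their own and are flagged only because they are identical, which is the uniqueness requirement a per-password check cannot catch.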