Hub Security Risks ⚠️

Any time you have open inbound ports on an internet-facing router, it presents a significant risk. Strong passwords take only time to crack, and if that is your only defense to get into your network, it's like walking through a screen door. With that said, however, these days it's almost as important to control what goes out of your network to keep the bad guys locked in if they get inside. Otherwise they can easily set up command and control inside the network and "phone home" through normal established traffic firewall rules outbound. Once they set up shop inside and have a clear shot out, they can do literally anything: activate cameras, microphones, scrape data, use your network for hacking others, etc. Most of the time you will not even know that they are there. IoT devices that are IP-based are especially low-hanging fruit as a springboard to inside hacking. I do not allow ANY IP-based IoT devices except hubs to help minimize that. That's what makes Z-Wave, Zigbee and Lutron ClearConnect so appealing. They are segmented and the hackers rarely use them for their work.

I have a Ubiquiti EdgeRouter and have my camera network on one physical network, IoT on another network, my computers, etc. on another network (I don't allow Windows on my networks at all) and also a separate guest network. No VLANs, I use physically separated networks. VLAN hopping is fairly easy. I have specific rules that allow traffic between the networks where specifically required and only for required ports and destinations. I have intrusion detection and prevention on each network. I use a VPN with strong encryption to get in from the outside to manage everything. I block all inbound GEOs except my area to prevent unwanted guests, although they are likely going to use a hacked US-based host. I still block a lot of overseas attempts.

With that being said, I am not saying it's 100% bulletproof because there is no such thing. But I try to be vigilant... So far I have had good luck.

The key to good cybersecurity is like physical security. Make yours more difficult to get in than the other guy. If a burglar is driving through the neighborhood, the house with burglar bars looks less appealing than the one without.

Just my two cents.
