Walk around your office and count the devices connected to your network. Your laptop and phone are obvious. But what about the printer in the corner? The security camera above the door? The smart TV in the conference room? The VoIP phone on every desk? That thermostat on the wall?
These are all IoT devices, and in most small offices, nobody is managing them. They sit on the same network as your financial data, customer records, and email. They run outdated firmware. They still have their factory-default passwords. And attackers know it.
Why IoT Devices Are Such Easy Targets
IoT devices are built to be functional, not secure. Manufacturers prioritize ease of setup and low cost. Security is an afterthought, if it's a thought at all. Here's what makes them so vulnerable:
- Default credentials: Most office printers, cameras, and routers ship with usernames like admin and passwords like admin or 1234. Botnets like Mirai exploited exactly this to compromise hundreds of thousands of devices.
- Rare firmware updates: When was the last time you updated your printer's firmware? For most offices, the answer is never. Known vulnerabilities pile up over years.
- Flat network access: IoT devices usually sit on the same network as workstations and servers. A compromised camera becomes a pivot point into your entire environment.
- No endpoint protection: You can't install antivirus on a thermostat. These devices have minimal operating systems with no room for security agents.
- Long lifespans: Office printers and cameras often run for 5 to 10 years. The manufacturer may stop releasing patches long before you stop using the device.
"The most dangerous devices on your network are the ones nobody thinks about. They don't show up in your security tools, they don't get patched, and they have full network access."
Real-World IoT Attacks on Small Offices
This is not theoretical. Attackers actively target IoT devices in small business environments:
- In 2019, Microsoft discovered that Russian state hackers were using compromised VoIP phones, office printers, and video decoders as entry points into corporate networks.
- Unsecured security cameras have been used to spy on businesses, with live feeds indexed on sites like Shodan for anyone to watch.
- Network printers have been exploited to intercept print jobs containing sensitive documents, financial records, and employee information.
If it's on your network and it has an IP address, it's a potential entry point.
Step 1: Find Every Device on Your Network
You can't secure what you don't know about. The first step is building an inventory of every IoT device on your network. Nmap is a free, open-source tool that makes this straightforward.
Scan your local network for active devices
Run a ping scan to discover what's alive on your subnet:
nmap -sn 192.168.1.0/24
This sends a simple ping to every address on the subnet and lists everything that responds. You'll see IP addresses, MAC addresses, and sometimes device manufacturers.
Identify what those devices are running
Once you have a list of IPs, dig deeper with a service scan:
nmap -sV -O 192.168.1.0/24
The -sV flag detects service versions, and -O tries to identify the operating system. You'll start seeing things like "HP LaserJet" or "Hikvision camera" or "Cisco SPA phone" in the results.
Check for common vulnerable ports
Many IoT devices expose web interfaces, telnet, or other services that should not be accessible:
nmap -p 23,80,443,8080,554 192.168.1.0/24
Port 23 is Telnet (almost always insecure). Port 554 is RTSP, commonly used by cameras. Ports 80, 443, and 8080 are web interfaces. If your thermostat is running a web server, that's something you need to know about.
Step 2: Build a Device Inventory
Once you've identified everything, document it. A simple spreadsheet works. For each device, track:
- Device name and type (e.g., "Break room printer," "Front door camera")
- Manufacturer and model
- IP address and MAC address
- Current firmware version
- Date of last firmware update
- Default credentials changed? (Yes/No)
- Network segment (main network, IoT VLAN, guest network)
- End-of-life date (when the vendor stops providing updates)
This inventory becomes your baseline. Review it quarterly. Any device that can't be updated or has reached end-of-life needs a plan: isolate it, replace it, or accept the risk and document that decision.
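As an added example (not from the original article), the following Python script turns an Nmap XML report from the Step 1 scans into the Step 2 inventory. The XML sample, its addresses, MAC addresses, vendor strings and service names are constructed for this example; columns that Nmap cannot fill (device name, firmware version, update dates, network segment, end-of-life) are left blank for you to complete by hand. The flags column marks the ports the article calls out: Telnet, web interfaces and RTSP.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Ports the article singles out: Telnet, web interfaces and RTSP.
RISKY_PORTS = {23: "telnet", 80: "http", 443: "https", 8080: "http-alt", 554: "rtsp"}

# Constructed sample of Nmap XML output (the format written by `nmap ... -oX scan.xml`).
# Hosts, MACs, vendors and services below are made up for this example.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX scan.xml 192.168.1.0/24">
  <host>
    <status state="up"/>
    <address addr="192.168.1.20" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac" vendor="Hewlett Packard"/>
    <ports>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="HP LaserJet http"/></port>
      <port protocol="tcp" portid="9100"><state state="open"/><service name="jetdirect"/></port>
    </ports>
    <os><osmatch name="HP LaserJet printer" accuracy="95"/></os>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.168.1.31" addrtype="ipv4"/>
    <address addr="aa:bb:cc:dd:ee:ff" addrtype="mac" vendor="Hikvision"/>
    <ports>
      <port protocol="tcp" portid="554"><state state="open"/><service name="rtsp"/></port>
      <port protocol="tcp" portid="8080"><state state="filtered"/><service name="http-proxy"/></port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="192.168.1.32" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Columns of the Step 2 inventory spreadsheet.
INVENTORY_COLUMNS = ["device_name", "ip", "mac", "vendor", "os_guess", "open_ports", "flags",
                     "firmware_version", "last_firmware_update", "default_creds_changed",
                     "network_segment", "end_of_life"]


def parse_nmap_xml(xml_text):
    """Return one row per live host: addresses, vendor, OS guess, open ports and risk flags."""
    rows = []
    root = ET.fromstring(xml_text)
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # hosts that did not respond are not inventoried
        row = {"ip": "", "mac": "", "vendor": "", "os_guess": "", "open_ports": [], "flags": []}
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                row["ip"] = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                row["mac"] = addr.get("addr")
                row["vendor"] = addr.get("vendor", "")
        osmatch = host.find("os/osmatch")
        if osmatch is not None:
            row["os_guess"] = osmatch.get("name", "")
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # only open ports are exposed services
            portid = int(port.get("portid"))
            service = port.find("service")
            name = service.get("name", "") if service is not None else ""
            row["open_ports"].append(f"{portid}/{name}")
            if portid in RISKY_PORTS:
                row["flags"].append(RISKY_PORTS[portid])
        rows.append(row)
    return rows


def to_inventory_csv(rows):
    """Render rows as CSV with the inventory columns; fields Nmap cannot supply stay blank."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=INVENTORY_COLUMNS)
    writer.writeheader()
    for row in rows:
        record = {column: "" for column in INVENTORY_COLUMNS}
        record.update({"ip": row["ip"], "mac": row["mac"], "vendor": row["vendor"],
                       "os_guess": row["os_guess"],
                       "open_ports": " ".join(row["open_ports"]),
                       "flags": " ".join(row["flags"])})
        writer.writerow(record)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_inventory_csv(parse_nmap_xml(SAMPLE_NMAP_XML)))
```

To use it on a real scan, run `sudo nmap -sV -O -oX scan.xml 192.168.1.0/24` (OS detection needs raw sockets, hence sudo), then pass the contents of scan.xml to `parse_nmap_xml` and write the CSV to a file. The sample above yields two rows: the printer is flagged for Telnet and a web interface, the camera for RTSP, and the filtered port 8080 is correctly not counted as open.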
Step 3: Segment Your Network with VLANs
This is the single most impactful thing you can do. Network segmentation means putting your IoT devices on a separate VLAN so they can't directly communicate with your workstations, servers, or sensitive data.
Why this matters
If a camera gets compromised on a flat network, the attacker can scan and reach every other device, including your file server and domain controller. On a segmented network, the compromised camera can only see other devices on the IoT VLAN. The blast radius shrinks dramatically.
How to set it up
Most managed switches and business-grade routers support VLANs. A typical setup looks like this:
- VLAN 10: Workstations and servers (your trusted devices)
- VLAN 20: IoT devices (printers, cameras, smart TVs, thermostats)
- VLAN 30: Guest Wi-Fi (completely isolated)
Configure firewall rules between VLANs so that workstations can send print jobs to the printer VLAN, but IoT devices cannot initiate connections back to the workstation VLAN. This gives you functionality without giving IoT devices free rein on your network.
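An added example, not the article's own configuration: the Python model below expresses the three-VLAN plan and the inter-VLAN policy as a first-match rule list with default deny, so you can check the flows you intend (print jobs in, nothing initiated back) before translating them into your router's firewall syntax. The subnets, port sets and helper names (VLANS, RULES, is_allowed, check_policy) are assumptions for the example; reply packets of an allowed connection are taken to pass through the firewall's connection tracking.

```python
import ipaddress

# VLAN plan from the article; the subnets are assumptions for this example.
VLANS = {
    "workstations": ipaddress.ip_network("10.0.10.0/24"),  # VLAN 10: trusted devices
    "iot": ipaddress.ip_network("10.0.20.0/24"),           # VLAN 20: printers, cameras, TVs, thermostats
    "guest": ipaddress.ip_network("10.0.30.0/24"),         # VLAN 30: guest Wi-Fi
}

# Inter-VLAN policy for NEW connections; first match wins, anything unmatched is denied.
# Tuple layout: (source segment, destination segment, protocol or None, allowed ports or None, action)
RULES = [
    ("workstations", "iot", "tcp", {9100, 631, 515}, "allow"),   # print jobs (raw, IPP, LPD)
    ("workstations", "iot", "tcp", {80, 443, 554}, "allow"),     # admin web UIs and camera streams
    ("iot", "iot", None, None, "allow"),                          # camera -> NVR stays inside VLAN 20
    ("iot", "external", "tcp", {443}, "allow"),                   # vendor cloud check-ins over HTTPS only
    ("iot", "workstations", None, None, "deny"),                  # IoT never initiates toward trusted hosts
    ("guest", "external", None, None, "allow"),                   # guests get internet and nothing else
    ("workstations", "external", None, None, "allow"),
]


def segment_of(ip):
    """Map an address to its VLAN name, or 'external' if it lies outside every VLAN."""
    addr = ipaddress.ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return "external"


def is_allowed(src_ip, dst_ip, proto, dport):
    """Decide whether a new connection src -> dst:dport may be opened; unmatched traffic is denied."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    for rule_src, rule_dst, rule_proto, rule_ports, action in RULES:
        if (rule_src, rule_dst) != (src, dst):
            continue
        if rule_proto is not None and rule_proto != proto:
            continue
        if rule_ports is not None and dport not in rule_ports:
            continue
        return action == "allow"
    return False  # default deny: anything not explicitly permitted is blocked


def check_policy(flows):
    """Evaluate (label, src, dst, proto, port, expected) tuples; return labels whose verdict disagrees."""
    return [label for label, src, dst, proto, port, expected in flows
            if is_allowed(src, dst, proto, port) != expected]


if __name__ == "__main__":
    expectations = [
        ("workstation prints", "10.0.10.5", "10.0.20.20", "tcp", 9100, True),
        ("camera pivots to workstation", "10.0.20.31", "10.0.10.5", "tcp", 445, False),
        ("camera streams to NVR", "10.0.20.31", "10.0.20.40", "tcp", 554, True),
        ("guest reaches printer UI", "10.0.30.7", "10.0.20.20", "tcp", 80, False),
    ]
    print("policy mismatches:", check_policy(expectations))
```

The value of the model is the negative cases: a compromised camera on 10.0.20.31 cannot open SMB to a workstation, guests cannot reach the printer's web UI, and even trusted workstations cannot Telnet to the printer because port 23 is not in any allow rule. Keep the list of expected flows next to your real firewall configuration and re-run it whenever you add a device class.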
Step 4: Change Every Default Password
This sounds basic because it is. But it's still one of the most common findings in penetration tests. Log into every IoT device's management interface and change the default credentials. Use strong, unique passwords for each device. Store them in a password manager.
While you're in there, disable any services you don't need. If your printer has Telnet enabled, turn it off. If your camera has UPnP enabled, turn it off. If there's a cloud management feature you're not using, disable it. Every open port and running service is additional attack surface.
Step 5: Create a Firmware Update Schedule
Firmware updates for IoT devices don't happen automatically in most cases. You need to check for them manually. Set a recurring calendar reminder, monthly or quarterly, to:
- Check each manufacturer's website for firmware updates
- Read the release notes for security fixes
- Download and apply updates during a maintenance window
- Update your device inventory spreadsheet with the new firmware version and date
Yes, this is tedious. But a single unpatched vulnerability in a network-connected camera can be the foothold an attacker needs. If you're upgrading office equipment this summer, make firmware updates part of the setup process from day one.
Step 6: Monitor IoT Traffic
Once your devices are segmented, monitor what they're doing. IoT devices should have predictable network behavior. A printer talks to workstations on the print port. A camera streams to your NVR. A thermostat checks in with its cloud service periodically.
If a device suddenly starts making DNS queries to unusual domains, or sending traffic to IP addresses in countries you don't do business with, that's a red flag. Even basic DNS monitoring through a protective DNS service can catch this kind of activity early.
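Added example (not from the article): a small Python baseline check over resolver query logs, which is the cheapest form of the DNS monitoring described above. The dnsmasq-style log lines, device addresses, domain names and the BASELINE table are constructed for this example. Each IoT device gets an allowlist of the vendor domains it is expected to contact; any query outside that list, or from a device that has no baseline at all, is reported with a count so repeated beaconing stands out.

```python
import re
from collections import Counter

# Constructed sample of resolver logs in dnsmasq's "query[TYPE] name from client" format.
# Addresses and domain names are made up for this example.
SAMPLE_DNS_LOG = """\
Jun  3 09:12:01 dnsmasq[812]: query[A] api.thermostat-vendor.example from 10.0.20.50
Jun  3 09:12:07 dnsmasq[812]: query[A] time.nist.gov from 10.0.20.31
Jun  3 09:13:44 dnsmasq[812]: query[A] k3j9x2.update-check.invalid from 10.0.20.31
Jun  3 09:13:45 dnsmasq[812]: query[A] k3j9x2.update-check.invalid from 10.0.20.31
Jun  3 09:14:10 dnsmasq[812]: query[AAAA] firmware.camera-vendor.example from 10.0.20.31
Jun  3 09:14:30 dnsmasq[812]: query[A] pool.ntp.org from 10.0.20.77
Jun  3 09:15:02 dnsmasq[812]: query[A] api.thermostat-vendor.example from 10.0.20.50
"""

# Per-device baseline: domain suffixes each IoT device is expected to resolve (assumed values).
BASELINE = {
    "10.0.20.50": {"thermostat-vendor.example"},          # thermostat talks only to its vendor cloud
    "10.0.20.31": {"camera-vendor.example", "nist.gov"},  # camera: firmware checks and NTP
}

QUERY_RE = re.compile(r"query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<client>\S+)")


def parse_queries(log_text):
    """Yield (client_ip, queried_name) for every query line; unrelated log lines are ignored."""
    for line in log_text.splitlines():
        match = QUERY_RE.search(line)
        if match:
            yield match.group("client"), match.group("name").lower().rstrip(".")


def in_baseline(name, suffixes):
    """True if name equals an allowed suffix or is a subdomain of one (label boundary respected)."""
    return any(name == s or name.endswith("." + s) for s in suffixes)


def find_anomalies(log_text, baseline):
    """Return queries outside each device's baseline, aggregated per (device, domain) with a reason."""
    counts = Counter()
    reasons = {}
    for client, name in parse_queries(log_text):
        if client not in baseline:
            reason = "device not in baseline"
        elif not in_baseline(name, baseline[client]):
            reason = "domain not in baseline"
        else:
            continue  # expected traffic for this device
        counts[(client, name)] += 1
        reasons[(client, name)] = reason
    return [
        {"device": client, "domain": name, "count": counts[(client, name)], "reason": reasons[(client, name)]}
        for client, name in sorted(counts)
    ]


if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_DNS_LOG, BASELINE):
        print(f"{finding['device']} -> {finding['domain']} x{finding['count']} ({finding['reason']})")
```

On the sample, the camera's two lookups of an unknown host are reported as a domain outside its baseline, and 10.0.20.77 is reported because it has no baseline entry at all, which is exactly the "device nobody knew about" case the inventory in Step 2 is meant to eliminate. Build the baseline from a week of logs after segmentation, review it when firmware changes, and run the check daily.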
A Practical Starting Point
You don't need to do everything at once. If you're looking for a starting point, here's a priority order:
- Run an Nmap scan and find out what's on your network. You'll probably be surprised.
- Change default passwords on every device you find. This takes an afternoon and eliminates the lowest-hanging fruit.
- Set up VLAN segmentation to isolate IoT devices from your critical systems.
- Build your inventory spreadsheet and commit to quarterly reviews.
- Establish a firmware update schedule and stick to it.
IoT devices are not going away. Every year, offices add more of them. The key is treating them as what they are: network-connected computers that need the same security attention as your laptops and servers. The difference is that nobody is managing them by default. That has to change, and it starts with knowing what's on your network.