Walk through any small office today and count the things plugged in that are not a laptop. The smart TV in the conference room. The video doorbell on the front entrance. The network printer that scans straight to email. The IP phones, the wireless cameras, the smart thermostat, the badge reader, the WiFi-connected coffee machine that orders its own pods. None of these were on the network ten years ago, and almost none of them are part of the security plan today either.
That gap is the problem. Every one of those devices runs software, talks to the internet, holds a tiny piece of business data, and lives on the same network as the computers and servers that hold the rest. When attackers look for an easy way into a small business, the laptops are usually patched and the firewall is usually configured. The forgotten smart devices are not. This is the part of the security conversation that most owners skip, and it is where a quiet, expensive incident usually begins.
What Counts As A Smart Device At Work?
The category is broader than most owners realize. Anything that connects to the office network and is not a computer, server, or phone with a person actively typing on it counts. That sweeps in a lot more than smart speakers. It includes the network-attached printer/copier, the conference room display, the security camera DVR, the video doorbell, the smart thermostat or HVAC controller, the badge reader, the alarm panel, the building access controller, the smart lock on the back door, the WiFi-connected scale at the shipping station, the smart power strip, the connected refrigerator in the break room, and the dozen wireless sensors that the alarm vendor installed without leaving an inventory.
Why these devices look harmless
A camera or a thermostat does not look like a computer, so it does not get treated like one. There is no login screen waiting for a person, no antivirus dashboard reporting up to IT, and no clear owner inside the company. The vendor who installed it usually owns the support relationship and the password, and that information is rarely written down where IT can find it. From a security standpoint, every one of these devices is a small computer with a network port, running a stripped-down version of Linux or some embedded operating system that nobody is patching on any regular schedule.
How they got on the office network
Almost none of them were added by IT in a formal project. The thermostat was installed during a heating system replacement. The cameras came in with a separate security vendor. The conference room display was bought off a retailer site and plugged in by an office manager. The doorbell was a quick fix after a missed delivery. Each device joined the office WiFi or grabbed an Ethernet port without ever showing up on an inventory, and most of them are now sitting on the same flat network as the file server. The shared backbone they all live on is the office WiFi network, and that is also where the laptops and the accounting system live. For context on the network layer that connects everything in the office, see how the office network usually gets wired together at a small business.
How Do Attackers Actually Reach These Devices?
The attack patterns against smart office devices are not theoretical. They are mature, well documented, and constantly automated. Three of them show up over and over in small business breaches that started with a forgotten device rather than a phishing email.
Default credentials that never got changed
Most cameras, DVRs, network printers, and small business firewalls ship with a default username and password printed on a sticker. Many of them never get changed during installation because the technician who set them up was being paid to make the camera record, not to harden it. Automated scanners crawl the public internet looking for these devices around the clock. The moment a camera DVR ends up reachable from the outside, often because someone forwarded a port to make remote viewing work, a credential-stuffing script can log in within minutes. Once the attacker is inside the camera system, they can pivot to the same internal network the cameras are connected to.
Unpatched firmware that the vendor abandoned
Smart device firmware ages badly. The phone system that was installed four years ago is running firmware the vendor stopped updating three years ago. The wireless camera that has worked perfectly since the office moved in is running a kernel with publicly known vulnerabilities. The thermostat is calling a cloud service that has been deprecated for two years and still has hardcoded credentials in its update path. None of this is the kind of risk that makes a device stop working, so nobody flags it. It is the kind of risk that lets a remote attacker take over the device next Tuesday afternoon and use it as a quiet beachhead inside the office network. A firewall that watches outbound traffic from every device on the LAN can catch some of this behavior, which is why a properly configured perimeter device is part of every IoT story, not just a server-room concern.
The network printer as a pivot point
Office printers are the most commonly compromised IoT device in small business environments because they are the most overlooked. A modern multi-function printer holds scanned documents, address books, saved email credentials for the scan-to-email feature, and a full Linux operating system that runs services on the network. Once a printer is owned, the attacker can read scans of contracts and W-2s, harvest the saved SMTP credentials to send phishing emails from inside the company domain, and use the printer as a quiet hop point to reach the accounting workstation that prints checks. The remediation is rarely complicated. The problem is that nobody was watching the printer to begin with.
What Should A Small Business Do To Lock Them Down?
The honest version of this answer is that there is no clever trick. There is a short list of unglamorous steps that work, and a longer list of things that do not. The list below is the work that consistently moves the risk down without turning the office into a fortress that nobody can use.
Build a real inventory first
Before any hardening, the team needs a written list of every smart device on the network, with the make, model, firmware version, install date, vendor contact, default credentials, and current credentials. This is the deliverable that owners always think exists and almost never does. A quick scan of the office WiFi DHCP table usually surfaces five to fifteen devices that nobody on staff can identify by sight, and those are exactly the ones to look at first.
Change every default password, then store them properly
Every device on the inventory should have a unique, strong, randomly generated password, stored in a password manager that the business actually controls. Not the vendor. Not the office manager’s notebook. Not a shared spreadsheet. The credential for the camera DVR is a business credential, and the moment the vendor relationship ends, the password should be rotated as part of the same offboarding process the business already runs for employees.
Segment smart devices off the main network
Most small business firewalls and modern WiFi access points support virtual networks, often labeled VLANs or simply guest networks. Cameras, thermostats, smart TVs, doorbells, and any device that does not need to talk to the file server should sit on a separate IoT network that is firewalled off from the laptops, servers, and accounting systems. This single step is the highest-impact thing on the list. If the compromised camera cannot reach the accounting workstation, the worst case is a hijacked camera, not a ransomware event.
Extend the same monitoring that protects laptops
The same managed approach that watches laptops for unusual behavior can be extended to the rest of the office. That means watching outbound DNS, flagging devices that suddenly talk to overseas IPs, alerting on a printer that decides to start sending email at 2 AM, and logging every device that joins the network. The tooling already exists for the workstations because of the endpoint protection that small businesses already use to catch ransomware on laptops, and most of the same telemetry can be pulled from the network side for the devices that cannot run an agent themselves.
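As an added example, not part of the original article or of O&O Systems' tooling, the Python below does two of the jobs described in this section and in the inventory step above: it reconciles a DHCP lease table against the written inventory to surface the devices nobody can identify, and it applies two monitoring rules to firewall connection records (a printer sending mail at 2 AM, and an IoT device reaching the corporate subnet). The inventory, subnet, lease lines and connection records are all constructed sample data.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed inventory (not a real site): MAC -> (label, role). Roles drive the rules.
INVENTORY = {
    "aa:bb:cc:00:00:01": ("lobby-camera", "iot"),
    "aa:bb:cc:00:00:02": ("mfp-printer", "printer"),
    "aa:bb:cc:00:00:03": ("acct-workstation", "corp"),
}
CORP_NET = ip_network("10.0.10.0/24")     # constructed: where laptops and servers live
IOT_ROLES = {"iot", "printer"}            # roles that belong on the segmented IoT network
SMTP_PORTS = {25, 465, 587}
OFF_HOURS = (range(22, 24), range(0, 6))  # 22:00-06:00 local time

# Constructed dnsmasq-style lease lines: "expiry mac ip hostname client-id"
LEASES = """\
1700000000 aa:bb:cc:00:00:01 10.0.20.11 lobby-camera *
1700000000 aa:bb:cc:00:00:02 10.0.20.12 * *
1700000000 aa:bb:cc:00:00:03 10.0.10.50 acct-ws *
1700000000 de:ad:be:ef:00:99 10.0.10.77 * *
"""
# Constructed connection records exported from the firewall: "ISO-time src-mac dst-ip dst-port"
FLOWS = """\
2024-05-01T14:05:00 aa:bb:cc:00:00:02 203.0.113.25 587
2024-05-01T02:13:00 aa:bb:cc:00:00:02 198.51.100.9 25
2024-05-01T02:14:00 aa:bb:cc:00:00:01 10.0.10.50 445
2024-05-01T09:00:00 aa:bb:cc:00:00:03 203.0.113.10 443
"""

def unknown_devices(leases: str) -> list[str]:
    """MACs holding a lease that are not on the written inventory: look at these first."""
    macs = [line.split()[1] for line in leases.strip().splitlines()]
    return sorted(m for m in macs if m not in INVENTORY)

def flag_flows(flows: str) -> list[str]:
    """Off-hours SMTP from a printer, and any IoT-role device reaching the corporate subnet."""
    alerts = []
    for line in flows.strip().splitlines():
        ts, mac, dst_s, port_s = line.split()
        label, role = INVENTORY.get(mac, (mac, "unknown"))
        hour, port, dst = datetime.fromisoformat(ts).hour, int(port_s), ip_address(dst_s)
        if role == "printer" and port in SMTP_PORTS and any(hour in r for r in OFF_HOURS):
            alerts.append(f"{label}: SMTP to {dst}:{port} at {hour:02d}h (off-hours)")
        if role in IOT_ROLES and dst in CORP_NET:  # segmentation failed or was bypassed
            alerts.append(f"{label}: reached corporate host {dst}:{port} (segmentation)")
    return alerts

if __name__ == "__main__":
    print("Not on inventory:", unknown_devices(LEASES))
    print("\n".join(flag_flows(FLOWS)))
```

Against the sample data this reports one lease with no inventory entry, one printer mailing out at 02h, and the lobby camera reaching the accounting workstation on port 445.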
Set a quarterly firmware review
Four times a year, walk the inventory and check the firmware version on every smart device against what the vendor currently ships. Update what is behind. Replace what is no longer supported. A camera that the vendor stopped issuing patches for two years ago is not a working security camera. It is an open door with a recording light on it. This is also the cadence where decommissioned devices get found and removed from the network, which closes a surprising number of forgotten holes.
How Should You Handle The Devices Already In The Office?
The hardening list above is what to do going forward. The harder question, the one that costs most small businesses real money when they finally take it seriously, is what to do about the smart devices that have already been sitting on the office network for months or years with nobody watching them. Three triage tiers usually cover the situation.
Tier one: keep, harden, monitor
Devices that are still on a supported firmware track, are still actively used, and come from a vendor that responds to support requests are worth keeping. They get added to the inventory, get a new password, get a current firmware update, and get moved to the segmented IoT network. The badge reader from a major access control vendor, a current-generation network printer with vendor support, and the conference room display from a known manufacturer all usually fall in this tier.
Tier two: replace on a planned schedule
Devices that are still working but are running unsupported firmware, or that came from a vendor who has gone quiet, fall into a slow replacement plan. The old wireless camera that has not received a firmware update in three years still records, but it is one disclosed vulnerability away from becoming an entry point. Most small businesses can absorb a replacement on a six-to-twelve-month timeline rather than ripping it out the same week. The planning step is to budget the replacement now, schedule the install, and accept the residual risk in the meantime.
Tier three: pull it off the network today
Some devices need to come off the network the same week they get discovered. A consumer-grade smart speaker someone brought from home and plugged into the office WiFi. A WiFi-connected toy or novelty item. A device from a vendor that has stopped existing, with firmware from before the pandemic, sitting on a directly accessible port from outside the office. These are unrecoverable on any reasonable timeline. Disconnecting them is the cheapest and fastest way to lower the risk.
When something does get compromised
Even with the hardening above, the assumption has to be that one of these devices will eventually misbehave. A camera will start talking to a strange IP. A printer will start sending mail it should not be sending. The response in that moment is not to debug the device in isolation. It is to treat it as a potential breach and walk the written incident response steps the same way the business would for any other compromised endpoint. A documented response plan that covers IoT devices, not just laptops, is what turns a five-minute reaction into a contained event instead of a forty-eight-hour scramble.
Frequently Asked Questions
Do small businesses really get targeted through IoT devices?
Yes, and most of the time the small business is not the original target. Automated scanners crawl the entire internet looking for exposed cameras, DVRs, routers, and printers with known weaknesses, and small businesses are easier to find because their devices are more likely to be misconfigured. Once the device is owned, the attacker decides what to do with it. Sometimes it gets used to mine cryptocurrency, sometimes it gets rented out as part of a botnet, and sometimes the attacker realizes the camera is sitting on the same network as a payroll workstation and pivots.
Is putting cameras on a guest WiFi network enough?
It is a real step in the right direction and it is much better than leaving the cameras on the same network as the file server. A guest WiFi that is firewalled off from the main office network blocks the camera-to-laptop pivot that turns a small device compromise into a ransomware event. Cameras still need their own firmware updates, password rotation, and outbound traffic monitoring even after they are segmented, because a compromised camera can still be used against the camera vendor or against other cameras on the same segment.
What about devices the alarm or HVAC vendor installed?
Treat them like any other smart device on the office network, with the added step that the vendor relationship has to be part of the inventory. Write down which vendor owns the device, what the support contract looks like, who has admin access on the device today, and what happens to those credentials if the vendor relationship ends. Vendors who refuse to share admin credentials for a device that lives on the business network are a separate conversation worth having with the owner. Whoever has the admin password has effective control of the device and a path into the rest of the office.
How often should smart device firmware be updated?
Quarterly is a reasonable cadence for a small business with a manageable inventory. The IT partner or internal owner walks the device list, checks each vendor for new firmware releases, applies updates in a maintenance window, and flags any device whose vendor has not shipped an update in over a year. Anything that has been abandoned by its vendor moves into the replacement queue. A monthly check is better if the business has more than thirty smart devices or runs in a regulated industry.
Are smart speakers and consumer doorbells safe in a business?
Consumer-grade smart speakers, doorbells, and home assistants are designed for a single household and rarely belong on a business network without specific consideration. They tend to phone home constantly, record audio or video that the vendor can access, and lack the segmentation and management features a business needs. If a smart speaker provides a real benefit in a conference room, it should go on the segmented IoT network with the same hardening as every other device. If the business handles confidential client conversations, always-on microphones in shared spaces are worth a deliberate decision, not an accidental one.
Does cyber insurance cover damage that comes through an IoT device?
It depends on the policy and on how the device was configured. Most modern cyber insurance applications now ask whether smart devices are inventoried, segmented, and patched, and a misrepresentation on the application can void a claim. The practical answer is that having a written inventory, a documented segmentation, a password rotation log, and a quarterly firmware review is what makes the application honest and the claim defensible. Without those, a claim adjuster has every reason to dig into how the camera was set up before the breach.
How long does a real IoT cleanup take for a small office?
For a typical small office with under fifty smart devices, the first inventory and triage usually take one to two working days. The segmentation work depends on the existing firewall and WiFi gear and can run from a single evening to a small project of two to three weeks if the network needs to be re-architected. The ongoing review cadence after that takes a couple of hours each quarter. The largest cost is usually not the labor but the replacement budget for the tier-three devices that come off the network in the first pass.
Where Should You Start?
The first move is a walk-through of the office with a clipboard and a list of every device that is not a laptop, a server, or a phone someone actively types on. Twenty minutes usually produces a list of fifteen to thirty devices, and a fast read of that list tells leadership which tier each one belongs in. From there the work is straightforward, but it does not happen on its own. Most small businesses get to this stage and then stall because no one on staff owns the IoT cleanup as a project.
If running that walk-through with a partner who has done it across dozens of small offices sounds useful, a complete review of your business cybersecurity posture is what O&O Systems builds for clients on the Treasure Coast and across Florida. We inventory every connected device, document the segmentation and credential state, prioritize the tier-three risks for immediate removal, and stand up the quarterly review cadence so the smart devices in the office stop being the part of the security plan that nobody is watching.