Cybersecurity
2026-06-01

IoT Security: The Smart Devices Quietly Putting Your Business at Risk

Goktug Onyer

Cybersecurity Lead


That smart lock on your back door. The Wi-Fi camera watching the stockroom. The thermostat the facilities company installed. The TV in the lobby. Each one is a small computer connected to your network — and each one is a door an attacker can try.

IoT (Internet of Things) devices are now everywhere in hotels, gyms, shops, and offices. They're convenient, cheap, and — almost universally — insecure. Here's why they're a real risk, and what to actually do about it.

Why IoT devices are such easy targets

Unlike laptops and phones, IoT devices are built to be cheap and forgotten. The security problems are structural:

  • Default passwords. A huge proportion ship with admin / admin or a password printed on a sticker, and nobody ever changes it. Whole botnets (Mirai being the famous one) were built by simply trying default credentials at scale.
  • No updates. Many devices never receive a firmware update. A vulnerability found in 2023 is still exploitable in 2026 because no patch exists or nobody installs it.
  • They're invisible. Whoever manages your IT often doesn't even know these devices exist. You can't protect what you don't know is there.
  • They're always on, always connected. A 24/7 device on your network is a 24/7 opportunity.

How a €30 sensor becomes a full breach

The danger isn't usually the device itself — it's what the device is connected to. The typical attack path:

  1. Attacker scans the internet for exposed devices (Shodan makes this trivial) or gets onto your guest Wi-Fi.
  2. They find a camera or sensor with default credentials or a known vulnerability and take it over.
  3. Because that device sits on the same flat network as your point-of-sale system, your booking database, and the back-office PCs, the attacker now has a foothold inside your network — past the firewall.
  4. From there they move laterally: sniff traffic, harvest credentials, reach the systems that actually hold money and customer data.

The camera was worthless to them. The flat network it was plugged into was the prize.

The fix: segment, default-deny, and inventory

1. Put IoT on its own network (the single biggest win)

Your smart devices should live on a separate VLAN or a dedicated guest network that cannot reach your business-critical systems. The rule between that network and the rest of yours should be default-deny: allow only the specific flows each device needs (the camera to the video recorder, the thermostat to its cloud service) and drop everything else, in particular anything initiated from the IoT side towards the office LAN. If the lobby TV is compromised, the blast radius is the lobby TV, not your booking database. Most business-grade routers and access points support this; it's a configuration job, not new hardware.
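What "default-deny between the IoT VLAN and everything else" looks like in practice, as an added example that is not part of the original article: a small Python script that renders an nftables forward-chain ruleset from an allowlist. It assumes a Linux router running nftables with three interfaces, lan0 (business LAN), iot0 (IoT VLAN) and wan0 (internet); those interface names, the addresses and the allowlist entries are constructed for illustration.

```python
"""Default-deny nftables ruleset for a separate IoT VLAN.

Added example, not code from the original article. It assumes a Linux
router running nftables with three interfaces, lan0 (business LAN),
iot0 (IoT VLAN) and wan0 (internet); those names, the addresses and
the allowlist below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Allow:
    """One explicit exception to the default-deny policy.

    dst=None means "any host on the internet", e.g. a vendor cloud service.
    """
    src: str
    dst: Optional[str]
    proto: str
    dport: int
    comment: str


# Constructed allowlist: every flow an IoT device legitimately needs.
# A flow not listed here is dropped by the chain's policy.
IOT_ALLOW = [
    Allow("10.20.0.0/24", "10.10.0.5", "tcp", 554, "cameras stream RTSP to the NVR"),
    Allow("10.20.0.30", None, "tcp", 443, "thermostat talks to its cloud service"),
]


def rule_for(a: Allow, lan_if: str, iot_if: str, wan_if: str) -> str:
    """Render one allow entry as an nftables forward rule."""
    if a.dst is None:
        target = f'oifname "{wan_if}"'
    else:
        target = f'oifname "{lan_if}" ip daddr {a.dst}'
    return (f'    iifname "{iot_if}" {target} ip saddr {a.src} '
            f'{a.proto} dport {a.dport} accept comment "{a.comment}"')


def build_ruleset(lan_if="lan0", iot_if="iot0", wan_if="wan0", allow=IOT_ALLOW) -> str:
    """Return a complete nftables ruleset; load it with `nft -f <file>`."""
    lines = [
        "table inet iot_segmentation {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    # replies to connections that were allowed in the other direction",
        "    ct state established,related accept",
        "    # staff on the business LAN may reach IoT devices for management",
        f'    iifname "{lan_if}" oifname "{iot_if}" accept',
        "    # explicit exceptions from the allowlist",
    ]
    lines += [rule_for(a, lan_if, iot_if, wan_if) for a in allow]
    lines += [
        "    # everything else leaving the IoT VLAN is logged, then dropped",
        f'    iifname "{iot_if}" log prefix "iot-denied " drop',
        "  }",
        "}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_ruleset())
```

The shape is the point: the chain's policy is drop, the only broad accept is staff reaching into the IoT VLAN, and every flow out of the IoT VLAN is an explicit line with a comment saying why it exists. The final log-then-drop rule is what tells you, in the kernel log, when a compromised camera starts probing the office network.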

2. Change every default password

Sounds obvious. Almost nobody does it for the camera or the thermostat. Use a password manager, set a unique strong password on every device, and disable any default admin accounts you can't rename.

3. Turn off what you don't use

Disable UPnP, remote management, and cloud features you don't actually need, especially any that expose the device to the public internet. UPnP on the router deserves particular attention: it lets any device on the network open an inbound port for itself without anyone approving it. If a camera doesn't need to be reachable from outside, make sure it isn't, and verify it rather than assume it: check the router's port-forwarding table and scan your own public address from outside.

4. Keep an inventory and patch what you can

You can't secure what you haven't listed. Keep a simple inventory of every connected device: its address, who installed it, whether the manufacturer still ships updates, and whether the default password has been changed. Compare it against what is actually on the network now and then, because the gap between the two is where the forgotten devices live. Apply firmware updates when they exist. Retire devices that are abandoned by their manufacturer.
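One way to keep that inventory honest, as an added example that is not part of the original article: read the router's DHCP lease table, match each device against the inventory by MAC address, and report what is unknown, unsupported, still on factory credentials, or inventoried but no longer seen. It assumes the DHCP server is dnsmasq, whose lease file has one line per client (expiry, MAC, IP, hostname, client-id); the lease lines, the OUI-to-vendor table and the inventory entries are constructed for illustration.

```python
"""Device inventory from DHCP leases, with the risky entries flagged.

Added example, not code from the original article. It assumes the
network's DHCP server is dnsmasq, whose lease file has one line per
client: expiry, MAC, IP, hostname, client-id. The lease lines, the
OUI table and the inventory below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of /var/lib/misc/dnsmasq.leases.
LEASES = """\
1780000000 aa:bb:cc:10:20:01 10.20.0.11 stockroom-cam 01:aa:bb:cc:10:20:01
1780000000 aa:bb:cc:10:20:02 10.20.0.12 * 01:aa:bb:cc:10:20:02
1780000000 dd:ee:ff:00:00:30 10.20.0.30 thermostat 01:dd:ee:ff:00:00:30
1780000000 11:22:33:44:55:66 10.20.0.77 ESP_5566 *
"""

# Constructed OUI (first three octets) -> vendor table. In practice load
# the IEEE OUI registry; the vendor is only a hint for naming strangers.
OUI = {"aa:bb:cc": "ExampleCam", "dd:ee:ff": "ExampleHVAC"}


@dataclass
class Device:
    """What the inventory records per device, beyond its address."""
    owner: str                   # who installed it / who to call
    vendor_updates: bool         # manufacturer still ships firmware fixes
    default_creds_changed: bool  # factory password has been replaced


# Constructed inventory keyed by MAC address.
INVENTORY: Dict[str, Device] = {
    "aa:bb:cc:10:20:01": Device("security contractor", True, True),
    "aa:bb:cc:10:20:02": Device("security contractor", True, False),
    "dd:ee:ff:00:00:30": Device("facilities", False, True),
}


def parse_leases(text: str) -> List[dict]:
    """Turn dnsmasq lease lines into dicts with a vendor guess from the OUI."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        _expiry, mac, ip, host = parts[:4]
        mac = mac.lower()
        rows.append({"mac": mac, "ip": ip, "host": host,
                     "vendor": OUI.get(mac[:8], "unknown")})
    return rows


def describe(row: dict) -> str:
    return f'{row["ip"]} {row["mac"]} vendor={row["vendor"]} host={row["host"]}'


def audit(leases_text: str, inventory: Dict[str, Device]) -> Dict[str, List[str]]:
    """Compare what is actually on the wire with what the inventory says."""
    findings: Dict[str, List[str]] = {
        "unknown": [],        # on the network, in nobody's inventory
        "unsupported": [],    # known, but the vendor no longer patches it
        "default_creds": [],  # known, but still on the factory password
        "missing": [],        # inventoried but not seen: removed, or moved?
    }
    seen = set()
    for row in parse_leases(leases_text):
        seen.add(row["mac"])
        entry = inventory.get(row["mac"])
        if entry is None:
            findings["unknown"].append(describe(row))
            continue
        if not entry.vendor_updates:
            findings["unsupported"].append(describe(row))
        if not entry.default_creds_changed:
            findings["default_creds"].append(describe(row))
    findings["missing"] = sorted(set(inventory) - seen)
    return findings


if __name__ == "__main__":
    for kind, items in audit(LEASES, INVENTORY).items():
        for item in items:
            print(f"{kind:14} {item}")
```

Run against the constructed data it reports one unknown device (an ESP-style board nobody inventoried), one device whose vendor no longer ships updates, and one camera still on its factory password. A device with a static address never shows up in DHCP leases, so on a real network pair this with the switch's MAC table or an ARP scan of the IoT VLAN.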

5. Vet vendors before you plug anything in

When the security company installs cameras or the facilities team adds smart HVAC, ask: does it get security updates? Can we change the default password? Does it need internet access? "We don't know" is an answer that should make you nervous.

A note on smart buildings

The upside of IoT is real — occupancy-based heating and lighting, predictive maintenance, energy savings, keyless access. We build these systems and they're genuinely valuable. But the right way to deploy them is secure-by-design from day one: segmented networks, authenticated device identity, encrypted communication, and a plan for updates. Bolting security on afterward is far more expensive than building it in.

The bottom line

Every connected device you add is a small expansion of your attack surface. That's not a reason to avoid IoT — it's a reason to deploy it deliberately. Segment the network, kill default passwords, keep an inventory, and treat every cheap sensor as what it is: a computer on your network.

If you're running connected hardware and aren't sure how exposed you are, an IoT-focused security review maps every device, flags the dangerous ones, and gives you a prioritised fix list. It's usually a day or two of work and frequently finds at least one device nobody knew was reachable from the internet.

Related Articles

The Vulnerability Classes Defining 2026
Identity bypasses, supply chain, prompt injection, SSRF — what attackers actually exploit.

Secure Coding in the AI Era
New attack surface, same old discipline — writing secure software with an LLM pair programmer.

What Does Custom Software Actually Cost?
Honest ranges for MVPs, apps, AI automations, and IoT rollouts.