A dental office in Draper installs smart thermostats and an IP security camera system. Both connect to the same Wi-Fi network as the computers running their patient management software. Neither device has been updated since installation, and both still use factory-default passwords.

An attacker scans the internet, finds the camera’s web interface (exposed because the installer enabled remote access), logs in with the default credentials, and uses that foothold to access the office network. From there, they reach the server containing patient records.

This isn’t a theoretical scenario. IoT devices are one of the fastest-growing attack vectors for small businesses, and Utah’s rapid adoption of smart office technology is creating risk that most owners don’t see.

Why IoT Devices Are Uniquely Vulnerable

Weak default security. Most IoT devices ship with default usernames and passwords (admin/admin, admin/password). Many owners never change them. Automated scanners constantly sweep the internet looking for these defaults.

Infrequent updates. Your laptop gets security patches every month. Your smart thermostat? Maybe once a year — if the manufacturer is still supporting it. Many IoT devices stop receiving updates within 2-3 years of release, creating permanent, unpatched vulnerabilities.

Limited security features. IoT devices often lack basic security capabilities like encryption, secure boot, or logging. You can’t install endpoint protection on a smart light switch.

Always-on connectivity. IoT devices are designed to be always connected, always accessible. That convenience also means they’re always exposed.

Common IoT Devices in Utah Businesses

You probably have more connected devices than you realize:

• Security cameras and access control systems
• Smart thermostats and HVAC controllers
• Network printers and copiers
• Smart TVs and digital signage (like BrightSign players)
• VoIP phones
• Point-of-sale terminals
• Smart locks and badge readers
• Environmental sensors (temperature, humidity, leak detection)

Each one of these is a computer connected to your network. Each one needs to be secured, monitored, and maintained.

How to Secure Your IoT Devices

1. Inventory everything. You can’t secure what you don’t know exists. Scan your network for every connected device and maintain a living inventory. Include the device type, manufacturer, firmware version, and who’s responsible for it.

2. Segment your network. This is the single most impactful step. Put all IoT devices on their own VLAN, isolated from your business network. If a camera gets compromised, the attacker can’t reach your file server, email, or financial systems.

3. Change default credentials immediately. Every IoT device should have its default password changed during installation — before it touches your network. Use unique, strong passwords for each device.

4. Update firmware regularly. Check for and apply firmware updates at least quarterly. Set calendar reminders since IoT devices don’t auto-update like your laptop does.

5. Disable unnecessary features. If you don’t need remote access to a device, turn it off. If it has UPnP (Universal Plug and Play) enabled, disable it — UPnP is a common attack vector. Disable any services, ports, or protocols you’re not actively using.

6. Monitor for anomalies. Network monitoring tools can flag unusual behavior from IoT devices — like a thermostat suddenly sending large amounts of data to an external IP address. This is a strong indicator of compromise.

Secure Your Smart Office

At Brivy IT, we help Utah businesses secure their IoT infrastructure — from network segmentation and device hardening to ongoing monitoring and firmware management. If you’re not sure what’s connected to your network or whether it’s properly secured, reach out for a free network assessment.