The modern office is filled with connected devices — smart TVs, IP cameras, wireless printers, badge readers, HVAC controllers, coffee machines with companion apps, and conference room systems. Each of these devices is a computer connected to the corporate network. And most of them have the security profile of a 2005 consumer gadget.

IoT (Internet of Things) security is one of the most neglected areas of enterprise cybersecurity. Devices are deployed for operational convenience and then forgotten. Firmware never gets updated. Default credentials remain unchanged. And these devices sit silently on corporate networks, often with broad access, waiting to be discovered and exploited.

Key figures:
  • 15.9B IoT devices connected globally in 2025, many with no security patches ever applied
  • 57% of IoT devices are vulnerable to medium or high severity attacks
  • 98% of IoT device traffic is unencrypted, exposing data on the network

Why IoT Devices Are Such a Rich Target

IoT devices present a unique combination of characteristics that make them exceptionally attractive to attackers.

Weak Default Credentials

Many IoT devices ship with default usernames and passwords — "admin/admin", "admin/password", or the device's serial number — that are never changed after deployment. Attackers maintain databases of default credentials for thousands of device models and use automated tools to scan for and exploit them. The Mirai botnet, which launched some of the largest DDoS attacks in history, was built almost entirely by compromising devices with unchanged default credentials.

Infrequent or No Patching

Unlike laptops and servers, IoT devices rarely have automated update mechanisms. Manufacturers often discontinue security support after a few years — or sometimes never provide it at all. Devices deployed in 2019 may still be running firmware from that year, carrying vulnerabilities that have been publicly known and exploited for half a decade.

Network Placement

Many IoT devices are deployed on the same network segments as sensitive servers and user workstations. A compromised printer or camera provides an attacker with a foothold inside the corporate network — bypassing perimeter defences entirely.

"The printer in the corner of the conference room may be the most vulnerable device in your organisation — and the last one anyone thinks to include in a security review."

[Image: network devices and security infrastructure. Caption: IoT devices must be inventoried, segmented, and monitored with the same rigour as any other network asset.]

IoT Security Checklist for Australian Organisations

✓ IoT Security Controls
  • Complete device inventory: You cannot protect what you cannot see. Use network scanning tools to discover every connected device, including those added without IT approval
  • Change all default credentials: Before any IoT device is connected to the network, change the default username and password to a strong, unique credential stored in a password manager
  • Network segmentation: Place IoT devices on a dedicated VLAN with firewall rules that prevent them from communicating with servers, workstations, or sensitive data stores
  • Firmware update policy: Assign ownership of firmware updates for each device category and schedule quarterly checks for available patches
  • Disable unused features: Most IoT devices enable every feature by default. Disable UPnP, remote management interfaces, unused ports, and cloud connectivity that is not operationally required
  • Monitor IoT traffic: Deploy network traffic analysis tools to detect anomalous IoT behaviour — unexpected connections, data exfiltration, or communication with known malicious IP addresses
  • End-of-life device retirement: Establish and enforce a policy for replacing devices that no longer receive manufacturer security support
⚠ High-Risk IoT Devices in Australian Workplaces
  • Network-connected printers and multifunction devices — often storing document images in internal memory
  • IP cameras and NVR systems — frequently running outdated firmware with known remote code execution vulnerabilities
  • Smart building systems: HVAC, access control, elevator management, and lighting controllers
  • Conference room AV systems with wireless connectivity and remote management enabled
  • Medical devices in healthcare settings — increasingly targeted for ransomware deployment
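The controls in the checklist above are easiest to keep honest when they are checked mechanically against an inventory and real traffic records. The script below is an added example, not code from the original article or from SISTMR: it audits a constructed device inventory and a handful of constructed flow records for the conditions the checklist calls out (device off the IoT VLAN, factory credentials still in use, vendor support expired, traffic from an address that is not in the inventory, IoT traffic reaching server or workstation segments, and contact with a known-malicious address). Every device name, address, VLAN number, date and the threat-intelligence list are assumptions made up for the example.

```python
"""Audit a constructed IoT inventory and flow log against the checklist.

Added example; the inventory, VLAN layout, addresses, dates and the
known-bad list are all constructed for illustration.
"""
from datetime import date
from ipaddress import ip_address, ip_network

# Assumed segmentation: IoT devices belong on VLAN 40. Servers and
# workstations live on the networks below, which IoT devices must not reach.
IOT_VLAN = 40
PROTECTED_NETS = [
    ip_network("10.0.10.0/24"),  # servers (assumed)
    ip_network("10.0.20.0/24"),  # workstations (assumed)
]
# Constructed threat-intelligence list of known-malicious addresses.
KNOWN_BAD = {ip_address("203.0.113.77")}
# Date the audit is run against (constructed).
AUDIT_DATE = date(2025, 6, 1)

# Constructed inventory. 'default_creds' is True when the factory password
# was never changed; 'support_end' is the vendor's last security-support date.
INVENTORY = [
    {"name": "printer-l3", "ip": "10.0.40.11", "vlan": 40,
     "default_creds": False, "support_end": date(2027, 1, 1)},
    {"name": "cam-lobby", "ip": "10.0.20.55", "vlan": 20,   # on the wrong VLAN
     "default_creds": True, "support_end": date(2022, 6, 30)},
    {"name": "hvac-ctl", "ip": "10.0.40.12", "vlan": 40,
     "default_creds": False, "support_end": date(2029, 12, 31)},
]

# Constructed flow records: (source IP, destination IP, destination port).
FLOWS = [
    ("10.0.40.11", "10.0.40.1", 53),        # printer -> local DNS, expected
    ("10.0.40.11", "10.0.10.5", 445),       # printer -> server file share
    ("10.0.20.55", "203.0.113.77", 443),    # camera -> known-bad address
    ("10.0.40.12", "10.0.40.1", 123),       # HVAC -> local NTP, expected
    ("10.0.40.99", "10.0.40.1", 53),        # address not in the inventory
]


def audit_inventory(inventory, today):
    """Return (device, code, detail) findings from the inventory alone."""
    findings = []
    for dev in inventory:
        if dev["vlan"] != IOT_VLAN:
            findings.append((dev["name"], "WRONG_VLAN",
                             f"on VLAN {dev['vlan']}, expected {IOT_VLAN}"))
        if dev["default_creds"]:
            findings.append((dev["name"], "DEFAULT_CREDS",
                             "factory credentials still in use"))
        if dev["support_end"] < today:
            findings.append((dev["name"], "END_OF_SUPPORT",
                             f"vendor support ended {dev['support_end']}"))
    return findings


def audit_flows(inventory, flows):
    """Return (device, code, detail) findings from observed flows."""
    by_ip = {ip_address(d["ip"]): d["name"] for d in inventory}
    findings = []
    for src, dst, port in flows:
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        name = by_ip.get(src_ip)
        if name is None:
            # An unmanaged device: the inventory is incomplete.
            findings.append((src, "UNKNOWN_DEVICE",
                             "traffic from an address not in the inventory"))
            continue
        if any(dst_ip in net for net in PROTECTED_NETS):
            findings.append((name, "PROTECTED_SEGMENT", f"reached {dst}:{port}"))
        if dst_ip in KNOWN_BAD:
            findings.append((name, "KNOWN_BAD_DST", f"contacted {dst}:{port}"))
    return findings


def run_audit(inventory, flows, today):
    """Combine inventory and flow findings into one list."""
    return audit_inventory(inventory, today) + audit_flows(inventory, flows)


if __name__ == "__main__":
    for device, code, detail in run_audit(INVENTORY, FLOWS, AUDIT_DATE):
        print(f"{code:<18} {device:<12} {detail}")
```

In practice the inventory would come from the asset register or a discovery scan export and the flows from NetFlow, firewall or switch logs; the checks stay the same. The UNKNOWN_DEVICE finding is the one that most often surprises teams, because it is the shadow device added without IT approval that the checklist's first item warns about.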

The Regulatory Direction for IoT Security

Australia is moving toward regulatory requirements for IoT security. The Department of Home Affairs has published a voluntary IoT Code of Practice based on international standards, and mandatory requirements are expected to follow. Organisations purchasing IoT equipment for critical infrastructure sectors should already be applying the code's 13 principles as minimum baseline requirements.

Procurement teams play a critical role: requiring manufacturers to demonstrate security capabilities before purchase — including patch support timelines, default credential policies, and vulnerability disclosure programmes — creates market incentives for better IoT security across the industry.

SISTMR Editorial Team
Cybersecurity Researchers · SISTMR Australia

Our certified professionals produce practical, expert-reviewed content for students and practitioners across Australia.