When business owners think about cybersecurity, they typically think about their computers. They install antivirus software on laptops, configure a firewall on the server, maybe set up multi-factor authentication on the email system — and consider the job reasonably done. What they overlook, consistently and at significant cost, is the much broader universe of networked devices in their business environment that are just as connected to the internet as their computers, just as scannable by automated attacker tools, and in most cases far less protected. This article maps that overlooked attack surface in detail — because you cannot defend what you haven’t identified.

The Expanding Attack Surface Most Businesses Don’t See
Every device connected to a network with a public IP address, or connected to an internal network that has any path to the internet, is potentially reachable by an attacker. The number of such devices in a typical business environment has grown dramatically over the past decade — not primarily because businesses have bought more computers, but because an ever-expanding range of non-computer devices now require network connectivity to function.
Security researchers who study corporate network environments consistently find that the number of networked devices in a typical small or medium business significantly exceeds what the IT team or business owner believes to be present. Devices added by individual departments, devices installed by service contractors, devices that came with the building, devices whose original purpose has been forgotten — all of them sitting on the network, running software that may not have been updated in years, accessible from the internet through firewall rules that no one remembers creating.
The attackers know this. Automated scanning tools that probe every internet-connected IP address can identify the device type, manufacturer, and often the firmware version of any networked device that responds to probes — without the device owner having any awareness that the scan occurred. When those scans identify a device running software with a known vulnerability, that vulnerability is catalogued, and exploitation attempts follow — automatically, immediately, and regardless of how small, obscure, or seemingly unimportant the business is.
What follows is a category-by-category examination of the device types most consistently overlooked in business security programs — and the specific vulnerabilities that make each category attractive to attackers.
Network Routers and Switches
The router sitting at the edge of your network is the most direct path between the internet and every device on your internal network. It processes every inbound and outbound packet, and in most small business environments it also functions as the primary firewall, the wireless access point, and the DHCP server. Its compromise gives an attacker effectively unrestricted visibility into and control over network traffic — the ability to intercept credentials, redirect web traffic, install persistent backdoors, and pivot to every other device on the network.
Yet routers are among the most neglected devices in business environments. Firmware updates are often applied only by businesses with managed service providers or dedicated IT staff — and even then, the update cycles are often measured in months rather than the days or weeks that represent best practice for internet-facing devices with known vulnerabilities. Default administrative credentials — the username and password combination documented in the manufacturer’s manual and available on any internet search — are left unchanged at a concerning proportion of small business deployments, providing attackers who reach the management interface with immediate administrative access.
The management interface itself is frequently the problem. Many business routers ship with remote management enabled by default — accessible from any IP address on the internet on a standard port. Automated scanners identify these management interfaces routinely, and credential-guessing attacks that try the documented default username and password combinations can compromise devices in seconds when the management interface is publicly exposed and default credentials haven’t been changed.
Managed switches — the Layer 2 devices that connect devices within your network — carry similar risks. Web-based management interfaces on managed switches, accessible with default credentials, allow an attacker who reaches them to reconfigure VLANs, enable port mirroring to intercept traffic, and alter network architecture in ways that are difficult to detect and can persist indefinitely. The majority of small business switch deployments have never had their default administrative credentials changed.
What to do: Change default credentials on all routers and switches immediately. Disable remote management interfaces unless specifically required, and if required, restrict access to specific IP addresses rather than permitting access from any source. Enable automatic firmware update notifications and apply security patches promptly. Conduct a regular audit of your firewall rules to identify any ports that provide internet access to management interfaces that should be internal-only.
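One way to run the firewall-rule audit described above, as an added example that is not part of the original article. The CSV rule layout, the device addresses, and the port lists are assumptions; adapt them to whatever your router actually exports.

```python
import csv
import ipaddress

# Constructed sample of inbound/port-forward rules. The column layout
# (name,source,dest_ip,dest_port,proto,action) is an assumption for this example.
SAMPLE_RULES = """\
web-shop,0.0.0.0/0,192.168.1.20,443,tcp,allow
router-admin,0.0.0.0/0,192.168.1.1,8443,tcp,allow
switch-ssh,203.0.113.10/32,192.168.1.2,22,tcp,allow
old-telnet,any,192.168.1.50,23,tcp,allow
snmp-mon,198.51.100.0/24,192.168.1.2,161,udp,allow
blocked-ssh,0.0.0.0/0,192.168.1.1,22,tcp,deny
"""

# Assumed addresses of infrastructure devices whose web UI is a management interface.
INFRA_DEVICES = {"192.168.1.1": "edge router", "192.168.1.2": "managed switch"}
# Protocols that are administrative wherever they appear.
ADMIN_PORTS = {22: "SSH", 23: "Telnet", 161: "SNMP"}
# Web ports count as management only when the destination is an infrastructure device,
# so a public web shop on 443 is not reported.
WEB_ADMIN_PORTS = {80, 443, 8080, 8443}


def is_unrestricted(source):
    """True when the rule's source matches every address (any, 0.0.0.0/0, ::/0)."""
    if source.strip().lower() == "any":
        return True
    return ipaddress.ip_network(source.strip(), strict=False).prefixlen == 0


def audit(rules_text):
    """Return (rule name, reason) for each allow rule that exposes management access to any source."""
    findings = []
    for row in csv.reader(rules_text.splitlines()):
        if not row or row[0].startswith("#"):
            continue
        name, source, dest_ip, dest_port, _proto, action = (f.strip() for f in row)
        if action.lower() != "allow" or not is_unrestricted(source):
            continue  # denied or source-restricted rules are out of scope
        port = int(dest_port)
        if port in ADMIN_PORTS:
            findings.append((name, f"{ADMIN_PORTS[port]} on {dest_ip} open to any source"))
        elif port in WEB_ADMIN_PORTS and dest_ip in INFRA_DEVICES:
            findings.append(
                (name, f"{INFRA_DEVICES[dest_ip]} web admin on port {port} open to any source")
            )
    return findings


if __name__ == "__main__":
    for name, reason in audit(SAMPLE_RULES):
        print(f"{name}: {reason}")
```

Each finding is a rule to either delete or narrow to a specific source address, as the restricted `switch-ssh` rule in the sample already is.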
IP Cameras and Physical Security Systems
IP cameras — network-connected surveillance cameras — are one of the most widely exploited device categories in business cybersecurity, for reasons that are both understandable and entirely preventable. They are deployed by the tens of millions across businesses of every size, they typically run embedded Linux with a web interface and default credentials, they are almost never updated after installation, and they are frequently configured to be accessible from the internet to allow remote monitoring. The combination of these characteristics makes them among the most reliable targets in the attacker’s automated scanning toolkit.
The consequences of IP camera compromise extend far beyond the cameras themselves. A compromised camera provides the attacker with a device that is on the internal network, running 24 hours a day, with persistent outbound internet connectivity that is unlikely to trigger security alerts — an ideal persistent foothold from which to conduct reconnaissance of other internal systems, launch attacks against other devices on the same network segment, or establish a command-and-control channel that will survive even if other points of compromise are detected and remediated.

The larger network video recorders (NVRs) and digital video recorders (DVRs) that store camera footage represent an even more significant vulnerability. These devices often run older versions of embedded Linux with web interfaces that have well-documented vulnerabilities — many of which were never patched because the manufacturer had no update process or the device reached end-of-life without patches being developed. They typically sit on business networks with the same level of network access as any other device, connected to the internet for remote management, and configured with default credentials that the installing technician never changed.
What to do: Segment all IP cameras and NVRs onto a dedicated network VLAN with firewall rules that allow the camera VLAN to record to the NVR and allow authorized users to access the management interface, but do not allow camera devices to initiate connections to the corporate network or to arbitrary internet addresses. Change all default credentials on cameras, NVRs, and DVRs. Apply firmware updates when available. If a device has reached end-of-life with no available security patches, prioritize replacement — a camera on your network that cannot be patched is a permanent, unfixable vulnerability.
Printers and Multifunction Devices
Modern printers and multifunction devices (print/scan/fax/copy devices) are not peripheral output devices — they are full networked computers running embedded operating systems, web servers, email clients, and file storage. Enterprise printers store copies of every document printed, scanned, and faxed on internal hard drives that are rarely encrypted and almost never properly wiped when the device is retired or returned at the end of a lease. The print server running on the device has a web interface with administrative functions — and in the majority of business deployments, default credentials.
From a network access perspective, a compromised printer is a compromised server. It has full access to the corporate network segment it is connected to, it can initiate outbound connections to the internet, it can receive and transmit documents containing sensitive information, and it runs continuously without the same user behavior monitoring that makes anomalous activity on employee workstations detectable. Attackers who compromise printers have used them to harvest credentials from print jobs, exfiltrate copies of scanned documents, establish persistent network access, and pivot to other internal systems.
The Printer Exploitation Toolkit (PRET) and similar purpose-built printer attack tools demonstrate that printer exploitation is not an obscure, theoretical risk — it is a documented, automated attack category with tools specifically designed to exploit common vulnerabilities in major printer manufacturers’ devices. The devices most frequently targeted are those that are internet-accessible, running outdated firmware, and configured with default credentials — a description that matches the majority of business printer deployments.
What to do: Change default administrative credentials on all printers and multifunction devices immediately. Disable all printer services and protocols not in active use — many printers ship with FTP, Telnet, and other legacy protocols enabled by default. Apply firmware updates regularly. Restrict internet connectivity for printers to specific permitted destinations required for cloud printing functionality, if used. When retiring or returning leased printers, perform a full hard drive wipe or confirm with the vendor that a cryptographic disk sanitization has been completed — the documents stored on printer hard drives can contain years of sensitive business and customer information.
Smart Devices and IoT Equipment
The Internet of Things has introduced an enormous range of networked devices into business environments — smart thermostats, connected HVAC systems, smart lighting controllers, building management systems, networked access control systems, smart TVs and displays, coffee machines with network connectivity, and dozens of other devices that have acquired network interfaces in the past decade. Each of these devices represents an entry point into your network, a potential lateral movement platform, and a persistent presence that is rarely included in security assessments.
IoT devices share a set of characteristics that make them disproportionately risky relative to their perceived importance: they typically run stripped-down embedded operating systems with limited or no update mechanisms; they are frequently manufactured by companies with minimal security investment in their firmware development; they are often deployed on corporate networks without any involvement from IT, by departments that don’t consider the security implications; and they are almost never monitored for unusual network behavior in the way that workstations and servers are.
The Target data breach — the 2013 incident in which attackers stole payment card data from 40 million Target customers — was initiated through the HVAC vendor’s network credentials, providing access to a network segment that was insufficiently isolated from the payment systems. This is not an ancient case study — it is the documented template for how IoT and operational technology devices become the entry point for attacks targeting much more valuable data and systems on the same or adjacent network segments.
Smart building systems — HVAC, lighting, access control, elevators — deserve particular attention because they are typically installed and maintained by facilities or building management contractors who have remote access credentials to the systems they support. These contractor credentials represent an additional attack surface: a compromise of the facilities contractor’s own systems can provide access to the building management systems of every client whose infrastructure they manage. This supply chain risk extends the effective attack surface well beyond the devices themselves.
What to do: Segment all IoT devices onto dedicated network zones with firewall rules that permit only the specific connectivity required for the device to function — and nothing else. IoT devices should not be able to initiate connections to corporate systems, access internal file shares, or communicate freely with other devices on the network. Maintain an inventory of all IoT devices, including devices installed by contractors and vendors. Review remote access credentials provided to third-party contractors regularly and revoke access when it is no longer required. Research the firmware update status and end-of-life schedule for all IoT devices before deployment and at regular intervals thereafter.
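To check that the segmentation described here, and for the camera VLAN in the previous section, is actually holding, the sketch below compares observed connections against a per-zone allow-list. It is an added example, not part of the original article; the subnets, the NVR and vendor-cloud addresses, the ports, and the flow-record format are all assumptions.

```python
import ipaddress

# Assumed zone layout; replace with your own VLAN subnets.
ZONES = {
    "corp": ipaddress.ip_network("10.0.10.0/24"),
    "cameras": ipaddress.ip_network("10.0.20.0/24"),
    "iot": ipaddress.ip_network("10.0.30.0/24"),
}

# Allow-list per restricted zone: (destination network, destination port).
# Anything a device in these zones initiates outside its list is a violation.
ALLOWED = {
    "cameras": {(ipaddress.ip_network("10.0.20.5/32"), 554)},  # camera -> NVR (assumed port)
    "iot": {(ipaddress.ip_network("192.0.2.40/32"), 443)},     # thermostat -> vendor cloud (constructed)
}

# Constructed flow records: "timestamp src dst dport", one initiated connection per line.
SAMPLE_FLOWS = """\
2024-05-02T09:00:01 10.0.20.11 10.0.20.5 554
2024-05-02T09:00:07 10.0.20.11 10.0.10.15 445
2024-05-02T09:01:30 10.0.30.7 192.0.2.40 443
2024-05-02T09:02:12 10.0.30.7 198.51.100.77 8081
2024-05-02T09:03:00 10.0.10.15 10.0.20.5 443
2024-05-02T09:04:45 10.0.30.9 10.0.30.7 23
"""


def zone_of(ip):
    """Map an address to its zone name, or 'internet' when it is in none of them."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def find_violations(flow_text):
    """Return flows initiated from a restricted zone to a destination not on its allow-list."""
    violations = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        src_zone = zone_of(src)
        if src_zone not in ALLOWED:
            continue  # only device zones are restricted in this sketch
        dst_addr = ipaddress.ip_address(dst)
        permitted = any(
            dst_addr in net and int(dport) == port for net, port in ALLOWED[src_zone]
        )
        if not permitted:
            violations.append((ts, src, src_zone, dst, zone_of(dst), int(dport)))
    return violations


if __name__ == "__main__":
    for v in find_violations(SAMPLE_FLOWS):
        print("VIOLATION", *v)
```

On the sample data it reports a camera reaching a corporate file-share port, an IoT device contacting an unlisted internet address, and one IoT device connecting to another; the corp-initiated connection to the NVR is not evaluated because only device zones are restricted.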
VoIP Phone Systems
Voice over IP (VoIP) telephone systems convert voice calls into data transmitted over IP networks — the same networks that carry all other business data traffic. The servers and devices that compose a VoIP system are full network participants: they have IP addresses, they run software with documented vulnerabilities, and they communicate over the internet with carriers and remote offices. They are also among the most consistently under-secured networked systems in business environments.
VoIP systems face two primary attack categories. The first is toll fraud — unauthorized use of the business’s telephone account to make calls to premium-rate numbers or international destinations, generating fraudulent charges that can accumulate to thousands or tens of thousands of dollars before detection. Toll fraud attacks exploit weak or default credentials on the VoIP management interface or the SIP (Session Initiation Protocol) credentials used for carrier authentication — the same default credential problem that affects every other device category on this list.

The second attack category is network-based: using the VoIP system as a pivot point to access other devices on the network. VoIP servers typically run on the same network segment as other business systems, with the level of access required to reach the phones throughout the office. A compromised VoIP server is a compromised server with network-level access to a potentially broad range of internal systems — and with the added capability of enabling real-time audio interception of business phone calls.
What to do: Place VoIP systems on a dedicated VLAN with firewall rules restricting access to the VoIP server to authorized devices and the carrier’s SIP trunking infrastructure. Change all default credentials — both on the administration interface and on individual phone accounts. Disable SIP authentication from geographic regions with no legitimate business purpose. Apply firmware updates to all phones and server software. Implement call anomaly detection to alert on unusual call volumes or international calls to unexpected destinations that may indicate toll fraud in progress.
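A minimal form of the call anomaly detection recommended above, run over call detail records. This is an added example, not part of the original article; the record format, the expected prefixes, the business hours, the thresholds, and all phone numbers (including the placeholder `+999` prefix) are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed call detail records: timestamp,extension,dialed number (E.164),duration in seconds.
SAMPLE_CDRS = """\
2024-03-09T02:14:05,ext204,+9990000001,310
2024-03-09T02:16:40,ext204,+9990000002,295
2024-03-09T02:19:12,ext204,+9990000003,301
2024-03-09T02:21:00,ext204,+9990000004,288
2024-03-11T10:05:00,ext101,+442079460000,600
2024-03-11T10:30:00,ext102,+12025550143,120
2024-03-11T11:00:00,ext103,+9990000009,60
"""

# Destinations this (hypothetical) business normally calls. A plain prefix match is a
# deliberate simplification; a production rule would parse country codes properly.
EXPECTED_PREFIXES = ("+1", "+44")
BUSINESS_HOURS = range(8, 18)  # 08:00 to 17:59 local time


def detect(cdr_text, window=timedelta(minutes=10), burst=3):
    """Return (extension, rule, timestamp) alerts, one per extension and rule."""
    records = []
    for line in cdr_text.splitlines():
        if line.strip():
            ts, ext, dialed, _duration = line.split(",")
            records.append((datetime.fromisoformat(ts), ext, dialed))
    records.sort()  # the sliding window below needs chronological order

    recent = defaultdict(deque)  # extension -> timestamps of recent unexpected calls
    alerts, seen = [], set()

    def raise_alert(ext, rule, ts):
        if (ext, rule) not in seen:  # suppress repeats of the same alert
            seen.add((ext, rule))
            alerts.append((ext, rule, ts.isoformat()))

    for ts, ext, dialed in records:
        if dialed.startswith(EXPECTED_PREFIXES):
            continue
        if ts.hour not in BUSINESS_HOURS:
            raise_alert(ext, "off-hours-unexpected-destination", ts)
        q = recent[ext]
        q.append(ts)
        while ts - q[0] > window:  # drop calls that fell out of the window
            q.popleft()
        if len(q) >= burst:
            raise_alert(ext, "burst-unexpected-destination", ts)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_CDRS):
        print(alert)
```

A single daytime call to an unexpected destination (`ext103` in the sample) stays below both rules, which keeps the alert volume low enough to act on.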
Point-of-Sale Systems
Point-of-sale (POS) systems are among the highest-value targets in retail and hospitality business environments — not because the devices themselves are valuable, but because they process payment card data that can be immediately monetized. POS malware specifically designed to scrape card data from the memory of POS terminals during transaction processing has been responsible for some of the largest data breaches in retail history, consistently targeting the same vulnerability: POS systems that are internet-accessible, running outdated software, and insufficiently isolated from the broader corporate network.
Many small business POS deployments connect the POS terminal to the same network as the guest WiFi, the office computers, and every other device in the building — with no segmentation limiting what the POS terminal can communicate with or what can communicate with it. This flat network architecture means that a compromise of any other device on the network potentially provides access to the POS system, and a compromise of the POS system provides access to the corporate network. PCI DSS — the Payment Card Industry Data Security Standard — exists specifically to mandate the security controls required to protect cardholder data, including network segmentation requirements that most small businesses are not meeting.
What to do: Isolate POS systems on a dedicated network segment with strict firewall rules permitting only the specific connections required for payment processing — to the payment gateway and necessary management systems only. Apply all POS software and operating system updates promptly. Use point-to-point encryption (P2PE) for payment card processing to ensure that card data is never present in cleartext on the POS terminal where it could be scraped. Regularly review PCI DSS compliance requirements and assess your POS environment against them — the standard exists specifically to prevent the attacks that target payment card data.
Employee Personal Devices (BYOD)
Bring Your Own Device (BYOD) policies — allowing employees to use personal smartphones, tablets, and laptops for business purposes — introduce a category of device that is among the most difficult to secure because the business has minimal control over how it is configured, what other software is installed on it, and how it is used outside working hours. A personal device that is also used for personal email, personal social media, personal app installations, and connection to consumer networks presents a fundamentally different risk profile from a managed corporate device under IT’s control.
Personal devices may be running outdated operating system versions, may have security settings disabled for personal convenience, may have third-party apps installed that contain malware or request excessive permissions, and may connect to unsecured networks that expose their traffic to interception. When those same devices connect to corporate email, corporate cloud services, or the corporate WiFi network, they bring their entire risk profile into the business environment.
The specific risks from BYOD are: data loss if a personal device containing business data is lost or stolen without device encryption; network-level exposure if a compromised personal device connects to the corporate WiFi and enables an attacker already on the device to reach internal network resources; credential theft if malware on the personal device captures credentials used to access corporate systems; and shadow IT, where employees use personal devices to access unofficial cloud services for business data storage, creating data that the business doesn’t know exists and cannot protect.
What to do: Implement Mobile Device Management (MDM) for all devices accessing corporate email and data — personal or corporate. MDM allows the business to enforce minimum security requirements (encryption, PIN, up-to-date OS version) on devices before granting access, and to remotely wipe business data if a device is lost or stolen. Separate corporate data from personal data using containerization features available in modern MDM platforms. Provide a separate guest WiFi network for personal devices rather than allowing them to connect to the corporate network segment. Define and communicate a clear BYOD policy that employees understand before enrolling their devices.
Legacy and Forgotten Systems
Almost every business with more than a few years of operational history has devices on its network that someone else set up, that serve a purpose that may or may not still be relevant, and that no one currently on the staff takes ownership of or monitors. A server installed five years ago to host a web application that was later replaced. A network-attached storage device installed by a previous IT contractor. A development environment that was “temporary” and never decommissioned. An old workstation left on because “we might need it someday.”
These forgotten systems are among the most attractive targets in any business environment. They run outdated software because no one is maintaining them. They have minimal monitoring because no one knows they should be monitored. They may have been configured with broad network access appropriate for their original purpose that is now entirely unnecessary. And because they are forgotten, they may be compromised and actively used by attackers for months or years before anyone notices.

End-of-life operating systems — Windows versions no longer receiving security updates — are disproportionately found on these forgotten systems. An end-of-life system will never receive patches for newly discovered vulnerabilities, meaning that every new vulnerability disclosed for that OS version becomes a permanent, unfixable vulnerability on that device. Running end-of-life systems connected to a corporate network is the equivalent of permanently propping open a door that can never be locked again.
What to do: Conduct a comprehensive network discovery scan to identify every device currently connected to your network — including devices you didn’t know were there. For every discovered device, determine its purpose, owner, and current patch status. Decommission any device that serves no current business purpose. Immediately isolate from the network any device running an end-of-life operating system and prioritize its replacement. Establish an asset inventory process that tracks every device from deployment to decommissioning, preventing future accumulation of forgotten systems.
A Practical Action Plan for the Full Device Inventory
The range of vulnerable devices covered in this article may feel overwhelming when viewed in its entirety. The practical response is not to attempt to address every device simultaneously — it is to prioritize based on the combination of exploitability and potential impact, and to work systematically through the inventory with a clear sequence.
The highest priority actions, regardless of where your business starts from, are:
- Conduct a full network discovery scan to identify every device currently connected to your network. You cannot secure what you don’t know exists. This is the mandatory first step — before any other security action — because it defines the actual scope of the problem rather than the assumed scope.
- Change all default credentials immediately on every discovered device. Default credentials are the single most exploited vulnerability across every device category on this list. This single action, applied systematically, eliminates an entire class of attack against your environment.
- Segment high-risk device categories — cameras, IoT devices, POS systems, VoIP — onto dedicated network zones that restrict their ability to communicate with other devices and systems. Network segmentation limits the blast radius of any individual device compromise.
- Identify and address end-of-life devices running operating systems or firmware versions that will never receive security patches. These represent permanent, unfixable vulnerabilities — isolation and replacement are the only effective responses.
- Establish a patch management process that covers not just workstations and servers but all networked devices including routers, cameras, printers, and IP phones. Unpatched firmware is the most exploited vulnerability category across all device types.
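The five actions above can be turned into a ranked work list by reconciling discovery-scan results against the asset inventory. The following is an added example, not part of the original article; the device records, the `default_creds` and `eol` fields (assumed to be filled in during review of each discovered device), and the scoring weights are assumptions.

```python
HIGH_RISK_TYPES = {"camera", "iot", "pos", "voip"}

# Weights are an assumption made for this example, not a standard scoring scheme.
WEIGHTS = {"eol": 5, "default_creds": 4, "unknown": 3, "unsegmented": 2}

ACTIONS = {
    "eol": "isolate from the network and schedule replacement",
    "default_creds": "change default credentials",
    "unknown": "identify owner and purpose, or decommission",
    "unsegmented": "move to a dedicated network segment",
}

# Constructed discovery results; MAC addresses use the documentation range.
DISCOVERED = [
    {"mac": "00:00:5e:00:53:01", "ip": "10.0.10.1", "type": "router",
     "zone": "corp", "default_creds": False, "eol": False},
    {"mac": "00:00:5e:00:53:02", "ip": "10.0.10.40", "type": "camera",
     "zone": "corp", "default_creds": True, "eol": False},
    {"mac": "00:00:5e:00:53:03", "ip": "10.0.10.77", "type": "nas",
     "zone": "corp", "default_creds": False, "eol": True},
    {"mac": "00:00:5e:00:53:04", "ip": "10.0.40.5", "type": "voip",
     "zone": "voip", "default_creds": False, "eol": False},
    {"mac": "00:00:5e:00:53:05", "ip": "10.0.10.60", "type": "printer",
     "zone": "corp", "default_creds": True, "eol": False},
]

# Constructed asset inventory keyed by MAC address; the NAS is missing on purpose.
INVENTORY = {
    "00:00:5e:00:53:01": {"owner": "IT", "purpose": "edge router"},
    "00:00:5e:00:53:02": {"owner": "Facilities", "purpose": "lobby camera"},
    "00:00:5e:00:53:04": {"owner": "IT", "purpose": "phone system"},
    "00:00:5e:00:53:05": {"owner": "Office", "purpose": "printer"},
}


def triage(discovered, inventory):
    """Return devices needing action, highest score first, with the actions for each."""
    results = []
    for dev in discovered:
        issues = []
        if dev["eol"]:
            issues.append("eol")
        if dev["default_creds"]:
            issues.append("default_creds")
        if dev["mac"].lower() not in inventory:
            issues.append("unknown")
        if dev["type"] in HIGH_RISK_TYPES and dev["zone"] == "corp":
            issues.append("unsegmented")
        if issues:
            results.append({
                "ip": dev["ip"],
                "type": dev["type"],
                "score": sum(WEIGHTS[i] for i in issues),
                "actions": [ACTIONS[i] for i in issues],
            })
    return sorted(results, key=lambda r: (-r["score"], r["ip"]))


if __name__ == "__main__":
    for item in triage(DISCOVERED, INVENTORY):
        print(item["score"], item["ip"], item["type"], "; ".join(item["actions"]))
```

In the sample, the unowned end-of-life NAS ranks first, ahead of the camera with default credentials on the corporate segment and the printer with default credentials.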
The Bottom Line
The vulnerable devices in your business are not a mystery — they are a predictable, documentable, manageable set of networked assets sitting on your network right now. What makes them dangerous is not their inherent complexity but the consistent organizational failure to include them in the security planning that covers computers and servers. Attackers include them in their scanning and exploitation — your security program must include them in its protection.
Start with the inventory. Every subsequent security decision about your device landscape depends on knowing what you actually have. From there, the path forward is systematic: default credentials changed, segments created, patches applied, forgotten systems decommissioned, and personal devices managed. None of these steps requires advanced technical expertise or significant capital investment — they require the organizational discipline to treat every device on your network as a potential entry point, because automated attackers already do.
Disclaimer: This article is for educational and informational purposes only. Security requirements vary by organization size, industry, and regulatory environment. Always consult a qualified cybersecurity professional for guidance tailored to your specific environment and risk profile.
