Skip to content
4
4UIT / OPS · OTTAWA Take a brief
Home/Blog/IoT security for Ottawa SMBs
// CYBERSECURITY By Amanjot Singh September 10, 2025 7 min read

IoT security: small devices, real risk.

Every smart camera, smart printer, smart thermostat is a small computer on your network — usually with a default password, an outdated OS, and a manufacturer who stopped patching it three years ago.

The "Internet of Things" sounds like a marketing category. The actual security problem is concrete: every IoT device is a small Linux computer on your network, often with weaker hardening than the laptop sitting next to it.

The typical SMB IoT inventory

An average 25-person Ottawa office has more IoT than its leadership thinks:

  • 4–8 IP cameras (front door, parking, server room).
  • 2–4 networked printers, often with hard drives.
  • Smart thermostat, sometimes a building-management system.
  • VOIP phones (yes, those are IoT too).
  • Smart TV in the boardroom.
  • POS terminals if there is a retail front.
  • Industry-specific: dental imaging, retail signage, lab equipment, manufacturing controllers.

Each of those runs an embedded operating system. Each has a network stack with potential bugs. Each is a foothold if compromised.

The realistic threats

  • Botnet conscription. Mirai-style malware infects vulnerable cameras and DVRs and uses them for DDoS or crypto-mining. Your bandwidth bill spikes; your liability is messy.
  • Lateral pivot. An attacker compromises a printer (printers have notoriously weak hardening) and uses it as a beachhead to attack the corporate network.
  • Privacy exposure. An IP camera with default credentials is publicly viewable on the internet via Shodan or similar tools.
  • Supply-chain compromise. The vendor's cloud platform gets breached; every device that called home is now under unknown control.

What actually works

1. Network segmentation

The single highest-leverage control. IoT devices on a dedicated VLAN with internet access for cloud sync, but no access to corporate file shares, printers, or workstations. If a camera is owned, the blast radius is one VLAN.

2. Inventory

You cannot secure what you do not know about. A periodic network scan to identify every connected device, mapped to an owner. Most SMBs find 20–40% more devices than they expected.

3. Default credentials, gone

Change every default password. Document the new ones in your password manager. This single step would have prevented Mirai entirely.

4. Firmware updates

Where the vendor still publishes them, applied on a documented cadence. Where they do not, the device is on a replacement timeline.

5. Vendor end-of-life policy

When you buy IoT, ask: how long will you publish firmware updates? Devices with no published EOL commitment are riskier than they look.

6. Egress filtering

Your firewall should be watching IoT VLAN outbound traffic. A camera that suddenly starts contacting an IP in Eastern Europe at 3 AM is a signal — provided someone is looking.

What 4UIT does

For managed customers we deploy network segmentation as part of onboarding (IoT VLAN, guest VLAN, corporate VLAN minimum), inventory devices monthly, default-credential audit annually, and watch egress traffic continuously through the firewall. The goal is not "no IoT" — it is "IoT that cannot hurt you when it goes wrong."

More on our firewall service or talk to us.

// Frequently asked questions

What is IoT?

Internet of Things — the broad category of network-connected devices that are not traditional computers. Includes IP cameras, smart printers, networked thermostats, building-management systems, dental imaging equipment, point-of-sale terminals, smart TVs, and many more. Each is a small computer on your network.

What is the biggest IoT security risk?

Default credentials and unpatched firmware. Most IoT devices ship with weak defaults that customers never change, and many manufacturers stop publishing firmware updates within a few years of launch. Attackers scan for these systematically.

What is network segmentation?

Splitting your network into isolated zones so a compromise in one area does not give attackers access to the whole environment. For SMBs the typical split is: corporate workstations, IoT/cameras, guest WiFi, and (where applicable) a clinical or operational network.

Should IoT devices be on a separate VLAN?

Yes. The standard practice is a dedicated IoT VLAN that has internet access for the device's cloud service but no access to corporate file shares, printers, or workstations. Even if a camera is compromised, it cannot pivot into the rest of the network.

What is the Mirai botnet?

A 2016 botnet that infected hundreds of thousands of poorly-secured IoT devices (mostly cameras and DVRs with default passwords) and used them to launch some of the largest DDoS attacks ever recorded. Mirai-derived malware remains active today, scanning the internet for vulnerable IoT devices.

// Related at 4UIT

Want IT that is quietly excellent?

20-minute call. No deck, no pressure. We listen, then propose.

Take a brief →
// FIELD NOTES NEWSLETTER

One email a month.

Field notes from the operator floor — Ottawa IT, cybersecurity, what's actually working. No filler, no listicles, no AI nonsense. Reply with anything you want us to write about.