
How to Secure IoT Devices on Your Business Network

The Internet of Things has moved from a futuristic concept to an everyday reality for UK businesses. Smart thermostats manage office heating. IP cameras monitor premises. Connected printers serve entire floors. Smart displays power meeting rooms. Sensors track inventory in warehouses. Even the coffee machine in the kitchen might be connected to the network. These IoT devices bring convenience and efficiency, but they also introduce significant security risks that many businesses overlook entirely.

Unlike laptops and servers, which run modern operating systems with built-in security features and regular patch cycles, many IoT devices run stripped-down firmware with minimal security capabilities. They often ship with default passwords, lack encryption, cannot be easily updated, and provide limited visibility into their network activity. Each one represents a potential entry point for attackers — and once compromised, an IoT device can be used as a launching pad to attack the rest of your network.

This guide explains the IoT security challenge facing UK businesses, the specific risks involved, and the practical steps you can take to secure IoT devices on your business network without sacrificing the convenience they provide.

Key figures cited on this page:

  • 57% of IoT devices are vulnerable to medium or high-severity attacks
  • 300% increase in IoT-targeted attacks in the UK since 2022
  • 15-20 IoT devices on average in a typical 50-person UK office
  • 83% of UK businesses have no IoT security policy in place

Why IoT Devices Are a Security Risk

To understand why IoT devices pose such a significant threat, it helps to understand how they differ from traditional IT equipment in terms of security.

Default Credentials

Many IoT devices ship with factory-set usernames and passwords — often as simple as admin/admin or admin/password. These defaults are widely known and published online. If a device is connected to the network without changing its default credentials, anyone who can reach it can log in and take control. The Mirai botnet, which caused massive internet outages globally, was built almost entirely by exploiting IoT devices with default credentials.

Limited Patching Capability

Traditional IT equipment receives regular security updates from manufacturers. Many IoT devices, however, either cannot be updated at all, require manual firmware updates that are complex and risky, or are simply abandoned by manufacturers who have moved on to newer products. This means known vulnerabilities remain unpatched indefinitely, creating permanent security holes in your network.

Weak or No Encryption

Some IoT devices transmit data in plain text without any encryption. This means that anyone monitoring network traffic can see what the device is sending and receiving. For IP cameras, this could mean video footage. For access control systems, it could mean entry codes. For environmental sensors, it could mean information about your building operations that could be exploited by attackers.

Excessive Network Access

By default, most IoT devices are placed on the same network as everything else — laptops, servers, printers, and business-critical applications. If an IoT device is compromised, the attacker potentially has access to your entire network. This lateral movement capability is what makes IoT compromises so dangerous — the initial breach might be through a smart thermostat, but the ultimate target is your financial data or customer records.

UK Product Security and Telecommunications Infrastructure Act 2022

The UK government has taken legislative action on IoT security. The Product Security and Telecommunications Infrastructure (PSTI) Act 2022 requires manufacturers of consumer connectable products sold in the UK to meet minimum security standards, including banning universal default passwords, requiring a vulnerability disclosure policy, and being transparent about how long security updates will be provided. While this legislation primarily targets consumer products, its principles are equally relevant for business IoT procurement decisions.

Step 1: Discover and Inventory All IoT Devices

You cannot secure what you do not know about. The first step is to identify every IoT device connected to your business network. This is often more challenging than it sounds because IoT devices are frequently added without the knowledge of the IT department — a facilities manager installs a smart thermostat, a receptionist connects a smart display, or a team lead brings in a voice assistant for their meeting room.

Use network scanning tools to discover all connected devices. Your managed IT provider can run comprehensive network discovery scans that identify every device by its MAC address, IP address, manufacturer, and device type. The results often surprise business owners — most discover significantly more connected devices than they expected.

Create a formal IoT asset register that records every device, its purpose, its location, its manufacturer, its firmware version, who is responsible for it, and when it was last updated. This register becomes the foundation of your IoT security programme and should be reviewed and updated quarterly.

IoT Device Category | Common Examples                              | Typical Security Risks                           | Priority Level
Surveillance        | IP cameras, CCTV systems, video doorbells    | Default passwords, unencrypted video streams     | Critical
Access Control      | Smart locks, card readers, intercom systems  | Credential theft, remote bypass                  | Critical
Building Management | Smart thermostats, lighting controls, HVAC   | Network pivot point, operational disruption      | High
Office Equipment    | Network printers, smart displays, AV systems | Data exfiltration, firmware vulnerabilities      | High
Sensors             | Environmental monitors, occupancy sensors    | Data interception, botnet recruitment            | Medium
Personal Devices    | Voice assistants, smart speakers, wearables  | Eavesdropping, data leakage, rogue access        | Medium

Step 2: Segment Your Network

Network segmentation is the single most effective measure you can take to contain the risk from IoT devices. By placing IoT devices on a separate network segment — typically a dedicated VLAN — you create a barrier between them and your business-critical systems. Even if an IoT device is compromised, the attacker cannot easily move laterally to reach your servers, workstations, or sensitive data.

A well-designed segmentation strategy creates several distinct network zones: a corporate network for laptops and desktops, a server network for business-critical systems, an IoT network for smart devices, a guest network for visitors, and a management network for network infrastructure. Firewall rules between these zones control what traffic is permitted, following the principle of least privilege — IoT devices should only be able to communicate with the specific services they need and nothing more.

For example, an IP camera system needs to communicate with its network video recorder (NVR) and potentially a cloud management service, but it has no legitimate need to communicate with your file server, email system, or accounting software. The firewall rules on the IoT VLAN should allow only that specific traffic and block everything else.
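The zone policy described above, worked through as an added example (not the page's own code): the zones, addresses, NVR and vendor cloud host are all constructed, the IoT VLAN can reach only the services it needs, and the same allow list is rendered as an nftables forward chain with a default drop policy.

```python
"""Least-privilege zone policy for an IoT VLAN (added example, not the page's own code).
Zones, addresses and permitted services are constructed for illustration."""
from ipaddress import ip_address, ip_network
from typing import Tuple

# Constructed zone map: one VLAN per zone, as the guide recommends.
ZONES = {
    "corporate": ip_network("10.10.0.0/24"),
    "servers": ip_network("10.20.0.0/24"),
    "iot": ip_network("10.30.0.0/24"),
    "guest": ip_network("10.40.0.0/24"),
    "management": ip_network("10.50.0.0/24"),
}
NVR = "10.20.0.5"            # constructed: network video recorder in the server zone
CLOUD_MGMT = "203.0.113.10"  # constructed: vendor cloud service (documentation range)

# Allow list: (src_zone, dst_zone, dst_host or None for any host in that zone, proto, port).
# Anything not listed is dropped, including IoT-to-corporate and general IoT-to-internet.
ALLOW = [
    ("iot", "servers", NVR, "tcp", 554),          # RTSP video stream to the NVR only
    ("iot", "internet", CLOUD_MGMT, "tcp", 443),  # HTTPS to the vendor cloud service only
    ("iot", "management", None, "udp", 123),      # NTP from the management segment
    ("management", "iot", None, "tcp", 443),      # admins reach device web UIs over HTTPS
]

def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"  # anything outside the internal zones

def evaluate(src: str, dst: str, proto: str, dport: int) -> Tuple[str, str]:
    """Decide a new connection the way the inter-VLAN firewall would: default deny."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone and src_zone != "internet":
        return "accept", f"intra-zone {src_zone} (never crosses the firewall)"
    for s, d, host, p, port in ALLOW:
        if (s, d, p, port) == (src_zone, dst_zone, proto, dport) and host in (None, dst):
            return "accept", f"rule {s}->{d} {p}/{port}"
    return "drop", f"no rule for {src_zone}->{dst_zone} {proto}/{dport}"

def render_nftables() -> str:
    """Render the same allow list as an nftables forward chain with a drop policy."""
    lines = ["table inet iot_segmentation {", "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
    for s, d, host, p, port in ALLOW:
        dst = host if host else str(ZONES[d])
        lines.append(f"    ip saddr {ZONES[s]} ip daddr {dst} {p} dport {port} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)
```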

Effective IoT Security Measures

  • Dedicated VLAN for all IoT devices
  • Change all default passwords immediately
  • Disable unnecessary features and services
  • Keep firmware updated on all devices
  • Monitor IoT network traffic for anomalies
  • Use network access control (802.1X where possible)
  • Maintain a formal IoT asset register
  • Include IoT in your security policy and Cyber Essentials scope

IoT Security Mistakes to Avoid

  • Placing IoT devices on the corporate network
  • Leaving default credentials unchanged
  • Buying devices from manufacturers with no update policy
  • Allowing IoT devices unrestricted internet access
  • Not monitoring IoT device behaviour
  • Ignoring IoT devices in security audits
  • Assuming consumer-grade devices are enterprise-ready
  • Not decommissioning old IoT devices properly

Step 3: Harden Device Configurations

Every IoT device should be hardened before it is connected to your network. Hardening means changing default settings to reduce the attack surface and improve security. The specific steps vary by device, but the following apply universally.

Change all default usernames and passwords to strong, unique credentials. Use a password manager to generate and store complex passwords for each device. Where devices support it, enable two-factor authentication. Disable any features, services, or protocols that are not needed — if a device supports both HTTP and HTTPS management, disable HTTP. If it has UPnP (Universal Plug and Play) enabled by default, disable it. If it supports Telnet, disable it in favour of SSH.

Update the firmware to the latest available version before deploying the device. Check the manufacturer's website for security advisories and subscribe to notifications for future updates. Establish a schedule for checking and applying firmware updates — quarterly at minimum, or immediately when critical vulnerabilities are disclosed.

Step 4: Monitor and Respond

Ongoing monitoring is essential because IoT threats evolve continuously. Your network monitoring system should track IoT device behaviour and alert on anomalies — unusual traffic volumes, connections to unexpected destinations, communication at unusual times, or changes in device behaviour that might indicate compromise.

Many managed IT providers offer IoT-specific monitoring as part of their service. They use network detection and response (NDR) tools that learn the normal behaviour patterns of each device and flag deviations automatically. For UK businesses pursuing Cyber Essentials Plus certification, demonstrating that IoT devices are monitored and managed strengthens your overall security posture.
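A minimal version of the behaviour-based detection described above, as an added example rather than any NDR product's logic or the page's own code: per-device baselines (known peers, active hours, typical volume) and the flow records are constructed, and the detector flags unexpected destinations, off-hours traffic, volume bursts and devices with no baseline at all.

```python
"""Baseline-driven anomaly detection over IoT flow records (added example, not the page's
code or any NDR product's logic). Baselines, addresses and flow lines are constructed."""
from collections import defaultdict
from datetime import datetime
from typing import List, Tuple
# Constructed per-device baselines, in the shape an NDR tool learns from normal traffic.
BASELINES = {
    "10.30.0.10": {                          # IP camera
        "peers": {("10.20.0.5", 554), ("203.0.113.10", 443), ("10.50.0.2", 123)},
        "hours": range(0, 24),               # streams to the NVR around the clock
        "bytes_per_min": 6_000_000,
    },
    "10.30.0.21": {                          # smart thermostat
        "peers": {("203.0.113.20", 443)},
        "hours": range(6, 20),               # polls its cloud service in office hours only
        "bytes_per_min": 5_000,
    },
}
VOLUME_FACTOR = 5  # alert when one minute carries more than 5x the baseline volume

# Constructed flow records: "timestamp,src,dst,proto,dport,bytes", one per flow.
FLOW_LOG = """\
2024-03-04T02:15:00,10.30.0.21,198.51.100.7,tcp,6667,900
2024-03-04T09:00:00,10.30.0.10,10.20.0.5,tcp,554,5800000
2024-03-04T09:01:00,10.30.0.10,10.20.0.5,tcp,554,5900000
2024-03-04T09:02:00,10.30.0.10,10.10.0.44,tcp,445,12000
2024-03-04T09:03:00,10.30.0.21,203.0.113.20,tcp,443,4100
2024-03-04T09:04:00,10.30.0.99,198.51.100.9,tcp,80,700
2024-03-04T09:05:00,10.30.0.10,203.0.113.10,tcp,443,40000000
"""

def parse(line: str) -> Tuple[datetime, str, str, str, int, int]:
    ts, src, dst, proto, dport, nbytes = line.split(",")
    return datetime.fromisoformat(ts), src, dst, proto, int(dport), int(nbytes)

def detect(log: str) -> List[Tuple[str, str, str]]:
    """Return (device, alert_type, detail) for every flow that deviates from its baseline."""
    alerts: List[Tuple[str, str, str]] = []
    per_minute = defaultdict(int)  # (device, minute) -> bytes, to catch bursts
    for line in log.strip().splitlines():
        ts, src, dst, proto, dport, nbytes = parse(line)
        base = BASELINES.get(src)
        if base is None:  # no baseline usually means the device is missing from the register
            alerts.append((src, "unknown-device", f"{src} has no baseline"))
            continue
        if (dst, dport) not in base["peers"]:
            alerts.append((src, "unexpected-destination", f"{dst}:{dport}/{proto}"))
        if ts.hour not in base["hours"]:
            alerts.append((src, "unusual-time", ts.isoformat()))
        key = (src, ts.strftime("%Y-%m-%dT%H:%M"))
        per_minute[key] += nbytes
        if per_minute[key] > VOLUME_FACTOR * base["bytes_per_min"]:
            alerts.append((src, "volume-spike", f"{per_minute[key]} bytes in one minute"))
    return alerts
```

Each alert maps to an isolation decision in the incident procedure below: a camera opening SMB to a corporate laptop, or a thermostat talking to an unknown host at 02:15, is blocked at the switch or firewall first and investigated second.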

Incident response procedures should specifically address IoT compromise scenarios. If an IoT device is suspected of being compromised, the immediate action should be to isolate it from the network — disconnecting it entirely or blocking its traffic at the switch or firewall. Then investigate the scope of the compromise: did the attacker move laterally to other devices? Was any data exfiltrated? How was the device compromised in the first place? Document the incident thoroughly, both for internal learning and for any regulatory reporting obligations under UK GDPR if personal data may have been affected.

Regular vulnerability assessments should include IoT devices. Schedule quarterly scans of your IoT network segment to identify devices with known vulnerabilities, outdated firmware, or insecure configurations. Your IT provider can use network vulnerability scanners that specifically test for common IoT weaknesses, providing a prioritised list of issues to address before they are exploited by attackers.

[Chart: Network Segmentation 95%, Credential Management 90%, Firmware Updates 85%, Traffic Monitoring 80%, Device Hardening 88%]

IoT Procurement: Buying Secure Devices

Prevention is always better than cure. When purchasing new IoT devices, make security a key selection criterion alongside functionality and price. Choose devices from reputable manufacturers that provide regular firmware updates, have a published vulnerability disclosure policy, support strong authentication, use encrypted communications, and provide clear documentation about the device's security features.

Ask vendors specific security questions before purchasing: How long will you provide security updates for this product? Does the device support encrypted communications? Can default credentials be changed? Does it support network segmentation and VLAN tagging? What data does the device collect and where is it stored? For UK businesses, choosing products that comply with the PSTI Act's security requirements is a sensible baseline.

  • UK businesses with an IoT asset register: 17%
  • UK businesses with IoT network segmentation: 23%
  • UK businesses that change IoT default passwords: 52%
  • UK businesses that update IoT firmware regularly: 31%

Creating an IoT Security Policy

Every UK business that uses IoT devices should have a formal IoT security policy. This document sets the standards for how IoT devices are selected, deployed, configured, monitored, and eventually decommissioned within your organisation. Without a policy, IoT security is left to individual decisions, and the result is an inconsistent, ungoverned environment.

Your IoT security policy should cover several key areas. First, procurement standards: define the minimum security requirements that any IoT device must meet before it can be connected to your network. This should include support for changing default credentials, encrypted communications, regular firmware updates from the manufacturer, and compliance with the PSTI Act. Devices that cannot meet these baseline requirements should not be purchased, regardless of their functionality or price.

Second, the policy should define deployment procedures: who is authorised to connect IoT devices to the network, what approval process must be followed, what configuration hardening steps must be completed before connection, and which network segment the device must be placed on. A simple approval form that requires IT sign-off before any IoT device is connected prevents shadow IoT from accumulating.

Third, define ongoing management responsibilities: who is responsible for monitoring each device, how often firmware updates are checked and applied, what constitutes an IoT security incident, and how incidents should be reported and handled. Assign clear ownership — whether to your internal IT team, your managed IT provider, or the facilities management team — so that no device falls through the governance cracks.

IoT and Cyber Essentials Certification

For UK businesses pursuing Cyber Essentials or Cyber Essentials Plus certification, IoT devices present specific challenges. The Cyber Essentials scheme requires that all devices connected to the network are included in scope, have their default passwords changed, run up-to-date software, and are protected by firewalls. Many IoT devices struggle to meet these requirements without careful management.

Network segmentation is the key enabler. By placing IoT devices on a separate, firewalled VLAN, you can demonstrate to Cyber Essentials assessors that these devices are isolated from your corporate network and that traffic between the IoT segment and the corporate network is controlled. This segmentation, combined with evidence of credential management and firmware patching, provides the documentation needed for certification.

For businesses that supply goods or services to the UK government, Cyber Essentials certification is mandatory for contracts involving the handling of certain sensitive information. Ensuring your IoT devices do not become the weak link that prevents certification is therefore a commercial necessity, not just a security best practice.

The Future of Business IoT Security

The IoT landscape is evolving rapidly. The number of connected devices in UK businesses is projected to double within the next three years, driven by smart building technologies, environmental monitoring, asset tracking, and operational automation. As the number of devices grows, so does the attack surface, making the security measures described in this guide increasingly critical.

Emerging technologies such as network-based IoT security platforms — which use artificial intelligence to profile device behaviour and automatically quarantine compromised devices — will become mainstream for businesses of all sizes. Zero-trust network architectures, which treat every device as potentially compromised and require continuous verification, are the direction of travel for enterprise security and will increasingly apply to IoT environments.

The businesses that invest in IoT security now — implementing segmentation, hardening, monitoring, and governance — will be well positioned for this evolution. Those that continue to ignore IoT security will find themselves increasingly exposed as attackers become more sophisticated and as regulatory expectations tighten.

Decommissioning IoT Devices Securely

When IoT devices reach the end of their useful life, they must be decommissioned securely. Many IoT devices store configuration data, network credentials, Wi-Fi passwords, and potentially sensitive operational data in their firmware or local storage. Simply unplugging a device and discarding it could expose this information to anyone who finds it.

Before disposing of any IoT device, perform a factory reset to clear stored data, remove the device from your network management systems and asset register, revoke any certificates or API keys associated with the device, and update your firewall rules to remove any access permissions that were specific to that device. For devices that cannot be adequately wiped — some older IoT equipment has no factory reset function — physical destruction of the device is the only secure option.

Need Help Securing Your IoT Devices?

Cloudswitched helps UK businesses identify, segment, and secure IoT devices across their networks. From comprehensive device discovery and network segmentation to ongoing monitoring and firmware management, we ensure your smart devices enhance your business without compromising your security. Get in touch to discuss your IoT security needs.

CloudSwitched