There’s a device in your meeting room that hasn’t been updated since it was installed. It’s connected to the same network as your accounting software, your file server, and your Microsoft 365 environment. Nobody thinks about it because it just works — and that’s precisely the problem.
It’s the smart TV.
Not a dramatic entry point. Not the kind of vulnerability that makes headlines. But in the world of IoT security, the unglamorous, forgotten device is almost always the one that causes trouble — because it sits permanently connected, permanently ignored, and permanently unpatched.
IoT Is Already in Your Business — You Just Haven’t Mapped It
When most people hear “Internet of Things” they picture futuristic smart factories or industrial sensors. For the average Auckland business, the reality is far more ordinary — and far more widespread than most owners realise.
Walk through a typical ten- to thirty-person office and you’ll find a smart TV or two in meeting rooms, an IP-based security camera system, a network-connected printer that also scans to email, a modern HVAC or building management system, contactless payment terminals, smart door access controls, and perhaps a NAS device someone set up years ago for shared storage.
None of these feels like IT infrastructure. All of them are. Every single one runs software, holds credentials, communicates over your network, and, in most cases, receives security updates on a schedule ranging from infrequent to never.
The IoT problem isn’t complexity — it’s invisibility. These devices exist in a blind spot between “office equipment” and “IT systems.” Facilities manages the building controls. Reception manages the front door access. Nobody manages the security posture of any of it.
Why These Devices Are Disproportionately Risky
A standard computer in your business gets attention. It runs endpoint protection. It gets Windows updates. Someone notices when something looks wrong.
An IP camera or a smart TV gets none of that. It runs a stripped-down embedded operating system that the manufacturer updates occasionally — if at all. Many IoT devices ship with default credentials that are publicly documented and never changed during installation. Some communicate with manufacturer servers overseas using protocols your firewall wasn’t configured to inspect.
Here’s the insight that doesn’t get discussed enough: attackers don’t need your IoT device to be the destination. They need it to be the doorway.
A compromised smart TV doesn’t give an attacker direct access to your Xero data. It gives them a foothold on your internal network — a trusted position from which they can move laterally toward the systems that actually matter. In security, this is called a pivot point, and IoT devices are among the most reliable pivot points available because they’re so consistently overlooked.
This isn’t theoretical. Security researchers have demonstrated network intrusions using everything from smart printers to building management systems. The sophistication required is surprisingly low when the device hasn’t been patched in two years and is sitting on a flat network with no segmentation.
The Network Segmentation Conversation Most Businesses Haven’t Had
Here’s the most practical insight in this entire article: your IoT devices should not be on the same network as your business data.
Most small business networks are flat — one network, everything connected to everything else. It’s simpler to set up and perfectly adequate when every device on it is managed and monitored. The moment you add unmanaged IoT devices to a flat network, you’ve created a situation where the weakest device has a direct path to your most sensitive systems.
Network segmentation solves this. It means creating separate network zones — one for your business computers and servers, one for IoT and building devices, perhaps one for guest Wi-Fi — with controlled, audited traffic between them. A compromised smart TV on an isolated IoT network can’t reach your file server because there’s no direct path to it.
This is standard practice in enterprise environments and genuinely achievable for SMBs. It requires a managed switch, a properly configured router or firewall, and someone who knows what they’re doing. It is not a weekend project for a non-technical person, but it is absolutely within scope for a managed IT engagement.
Four Practical Steps Worth Taking Now
Inventory every device connected to your network. Not just computers — everything. Most managed routers and network switches can display all devices currently connected. If you’ve never done this, the list will surprise you. You cannot manage what you haven’t mapped.
Change default credentials on every IoT device immediately. This takes 20 minutes and closes one of the most commonly exploited vulnerabilities in small-business networks. Default usernames and passwords for popular devices are freely searchable online. If your IP cameras or smart TV still use factory credentials, they are effectively unlocked.
Ask your IT provider about network segmentation. If the answer is “that’s too complex for a business your size” — that’s the wrong answer. Segmentation is a fundamental security control, not an enterprise luxury. It should be part of any serious conversation about managed IT.
Check whether your IoT devices have available firmware updates. Log in to the admin panel of your smart TV, cameras, and printer. Check the firmware version. Check whether a newer version exists. Apply it. Then set a calendar reminder to do this again in six months — because unlike computers, these devices rarely update themselves automatically.
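An added example, not part of the original article: a short Python audit that ties the inventory, segmentation and firmware steps together by flagging unmanaged devices that share a subnet with managed business systems and devices whose firmware has not been checked in six months. The device list, the field names and the 183-day interval are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import date
from ipaddress import ip_interface

# Constructed sample inventory (not from the article), as transcribed from a
# router or switch client list. "managed" = monitored and regularly patched.
SAMPLE_INVENTORY = """\
name,ip,kind,managed,firmware_checked
accounts-pc,192.168.1.20/24,workstation,yes,2025-01-10
file-server,192.168.1.5/24,server,yes,2025-01-10
boardroom-tv,192.168.1.77/24,smart-tv,no,
front-door-cam,192.168.50.11/24,ip-camera,no,2024-02-01
office-printer,192.168.50.12/24,printer,no,2025-01-15
"""
REVIEW_INTERVAL_DAYS = 183  # assumed value for the six-month firmware check

def load_inventory(text):
    """Parse the CSV inventory into dicts with typed fields."""
    devices = []
    for row in csv.DictReader(io.StringIO(text)):
        row["network"] = ip_interface(row["ip"]).network
        row["managed"] = row["managed"].strip().lower() == "yes"
        checked = row["firmware_checked"].strip()
        row["firmware_checked"] = date.fromisoformat(checked) if checked else None
        devices.append(row)
    return devices

def shared_zones(devices):
    """Map each subnet that mixes managed and unmanaged devices to the
    names of the unmanaged devices on it (the flat-network case)."""
    by_net = defaultdict(list)
    for d in devices:
        by_net[d["network"]].append(d)
    findings = {}
    for net, members in by_net.items():
        unmanaged = [d["name"] for d in members if not d["managed"]]
        if unmanaged and any(d["managed"] for d in members):
            findings[str(net)] = unmanaged
    return findings

def firmware_overdue(devices, today):
    """Unmanaged devices never checked, or last checked too long ago."""
    return [d["name"] for d in devices if not d["managed"] and (
        d["firmware_checked"] is None
        or (today - d["firmware_checked"]).days > REVIEW_INTERVAL_DAYS)]

if __name__ == "__main__":
    devs = load_inventory(SAMPLE_INVENTORY)
    print(shared_zones(devs), firmware_overdue(devs, date(2025, 3, 1)))
```

Separate subnets only count as segmentation if the router or firewall actually restricts traffic between them, so a clean result here is a starting point for reviewing those rules.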
The Bigger Picture
The reason IoT security matters specifically for MSP clients is that it represents the kind of invisible, persistent risk that internal staff don’t have the time or training to manage — but a managed IT provider should actively monitor.
A properly managed network doesn’t just cover your computers. It covers your entire connected environment — what’s on it, what version it’s running, what it’s communicating with, and whether anything unusual is happening. That’s the difference between IT support and IT management.
One is reactive. The other is what actually keeps your business protected.