Your £15,000 Security Investment Just Got Defeated by a £300 Printer
All right, quick question. What if I told you the biggest cyber threat to your business is not some hacker in a hoodie? It is your office printer. That friendly box in the corner that you barely think about.
Here's the reality that's going to make you uncomfortable: whilst you've been securing laptops, rolling out multi-factor authentication, and congratulating yourself on passing security audits, your office printer has been sitting there with full network access, storing copies of every contract and payslip you've printed this year, protected by a password an attacker can guess in about three tries.
Admin. Admin. Done.
Let me tell you about a real case study that landed in our emails last week. A 30-person marketing agency, mature business, listening to our podcast episodes on ransomware and authentication. They actually took action. £15,000 investment in proper security: new firewalls, proper endpoint protection, hardware keys for every single member of staff. They even had a security audit done. Came back clean. They were feeling quite pleased with themselves.
Two months later? Someone had been accessing their client files for weeks through their HP printer that still used factory default credentials. The printer had full network access and stored copies of everything printed. Nobody had changed the password. Nobody had checked it during the audit. Nobody even thought about it.
This is not theoretical paranoia. This is happening right now to businesses that think they've got security sorted.
The Devices You Forgot Were Computers
Modern offices are full of computers disguised as other things. Every printer. Every CCTV camera. Every smart thermostat. Every networked door lock. These are all computers connected to your network.
Most businesses secure their obvious computers whilst completely forgetting about these devices, creating perfect entry points for attackers who aren't bothering with sophisticated social engineering when they can just log in with admin/admin.
I've spent 40 years in IT across Intel, Disney, BBC, and countless enterprise environments. I've seen FTSE 100 companies with pristine compliance certificates get absolutely destroyed because someone forgot about the printer.
Here's what's currently connected to your network that you're probably not securing:
Printers and Multifunction Devices:
Store complete copies of every document printed, scanned, or faxed
Usually ship with administrative interfaces accessible from the network
Default credentials available in public databases maintained by attackers
Full network access to file servers and workstations
Rarely included in security audits or patch management
CCTV Systems and Network Video Recorders:
Often accessible directly from the internet with port forwarding enabled
Default passwords never changed during installation
Firmware updates forgotten entirely
Potential to livestream your premises to anyone who looks
Perfect reconnaissance tool for physical security bypass
Smart Thermostats and Building Management:
Network connected for convenience and cost savings
Administrative access rarely restricted
Can provide persistent network access for attackers
Nobody thinks about firmware updates for heating controls
Networked Door Locks and Access Control:
Physical security systems with digital vulnerabilities
Integration with main business network for management
Default credentials providing building access and network access simultaneously
VoIP Phones and Conference Systems:
Full computers running Linux or embedded operating systems
Network connected with access to internal resources
Rarely patched or managed
Can be used to eavesdrop on conversations
Every single one of these devices is a potential entry point. Every one stores sensitive data or provides network access. And every single one is probably still using the password it shipped with.
The Default Credentials Epidemic
Attackers maintain databases of default passwords for thousands of devices. They don't need to crack complex passwords when they can try admin/admin or admin/password and gain access to printers, cameras, or thermostats within seconds.
These devices often ship with administrative interfaces accessible from the network, and most businesses never change the defaults because they don't think of these devices as security concerns.
Here's the brutal reality: changing default passwords is the absolute minimum standard for device security, yet it's skipped more often than not.
During installations, technicians focus on getting devices working rather than securing them. Printers get configured for printing. CCTV systems get configured for recording. Thermostats get configured for heating. Security is someone else's problem.
Except security becomes everyone's problem when the breach happens.
I've seen this pattern repeatedly across decades: businesses invest heavily in firewalls and endpoint protection whilst leaving IoT devices completely exposed. The marketing agency case study? Classic example. They did everything right on the obvious security measures, then got breached through a device nobody considered a computer.
What Network Segmentation Actually Means
Network segmentation sounds enterprise-level complicated, but the basic concept is simple: not everything on your network should be able to access everything else.
Your printer doesn't need access to your accounting server. Your CCTV system doesn't need to reach your customer database. Your smart thermostat has no business communicating with your file servers.
Creating separate network zones for different device types means a compromised printer can't become a stepping stone to your sensitive data.
For small businesses, basic network segmentation can start with simple VLAN separation:
Core Business Network:
Workstations and laptops
File servers and business applications
Controlled access to internet and internal resources
IoT Device Network:
Printers, CCTV, thermostats, door locks
Isolated from core business resources
Restricted internet access where possible
No access to sensitive data storage
Guest Network:
Visitor WiFi access
Completely isolated from all business resources
No internal network access whatsoever
This isn't theoretical complexity. Modern business-grade routers and switches support VLAN configuration without enterprise pricing. The investment in basic network segmentation is minimal compared to breach recovery costs.
But segmentation only works if you know what's connected to your network in the first place.
The Device Inventory Challenge
Most small businesses have no accurate list of what's actually connected to their network. They know about the laptops and servers but often forget about:
The smart coffee machine someone plugged in last year
Wireless access points in meeting rooms
The networked thermostat facilities installed
That old network printer in the back office nobody uses
CCTV systems installed years ago by external contractors
VoIP phones connected to the network
Without knowing what's connected, you can't secure it.
Here's the practical approach for discovering and documenting every device:
Network Scanning: Use free tools like Fing or Advanced IP Scanner to discover every device with an IP address on your network. Document everything discovered, not just the obvious computers.
Physical Audit: Walk through your premises. Look for anything with a network cable or WiFi connection. Include devices in server rooms, storage areas, and forgotten corners.
Installation Records: Review purchase orders and installation documentation. What devices did contractors install? What equipment came with your office fit-out?
Regular Reviews: Device inventories become outdated quickly. Schedule quarterly reviews to catch new devices and remove decommissioned equipment.
Ownership Assignment: Every device needs someone responsible for its security, updates, and maintenance. Don't let devices become "nobody's problem" because that's when they become everyone's problem.
The marketing agency in our case study? They had a detailed inventory of computers, servers, and mobile devices. The printer wasn't on it. Neither were the CCTV cameras. Or the smart thermostat. Or the VoIP phones.
Your security is only as strong as your weakest link, and IoT devices are often the weakest links because they're forgotten.
Practical IoT Security Steps
Right, enough doom and gloom. Here's what you actually do about this, starting this week:
This Week:
Find your printer's admin interface. Log in. If you can't remember the password, that's probably because it's still set to admin. Change it. Now. Use a unique, strong password stored in your password manager.
List five connected devices that aren't computers or phones. These are your starting inventory. Include printers, CCTV cameras, thermostats, access points, anything with network connectivity.
Check one device's firmware. Is it up to date? When was it last updated? Who's responsible for keeping it current? If the answer is "nobody," you've just identified a problem.
This Month:
Complete device inventory. Use network scanning tools to discover everything connected to your network. Document every device with make, model, IP address, location, and responsible owner.
Change all default passwords. Every printer, camera, thermostat, and access point needs unique, strong credentials. Yes, every single one. No exceptions. Store credentials securely in password management.
Assess your network segmentation. Can your printer access your file server? It shouldn't. Start planning basic network separation even if full implementation takes time.
Assign device ownership. Every device needs someone responsible for its security, updates, and maintenance. Write it down. Make it explicit.
This Quarter:
Implement basic network segmentation. Even simple VLAN separation is better than everything on one network. Work with your IT provider or MSP to design appropriate zones.
Create update schedules. IoT devices need regular firmware updates just like computers. Quarterly review minimum, monthly for high-risk devices.
Review and test. Verify your device inventory is accurate. Check that passwords actually changed. Confirm segmentation works as designed. Test, don't trust.
When Security Audits Miss Everything Important
That marketing agency had a security audit that came back clean. The auditors checked firewalls, reviewed endpoint protection, validated multi-factor authentication implementation. They ticked every compliance box.
They never looked at the printer.
Standard security assessments often focus on servers and workstations whilst completely overlooking printers, cameras, and other IoT equipment.
When commissioning security audits or assessments, explicitly require IoT device review:
Inventory of all network-connected devices
Credential security verification for non-standard equipment
Firmware version checks and update status
Network segmentation assessment
Access control review for administrative interfaces
Don't assume auditors will check IoT devices. Make it explicit in the scope. If they push back or claim it's not standard, find different auditors who understand modern threat landscapes.
The Uncomfortable Reality
We've covered passwords, multi-factor authentication, ransomware, supply chain attacks, shadow IT, and social engineering across 30 episodes of this podcast. We've discussed major breaches at household names and examined what it takes to protect heads of state.
But we've deliberately avoided IoT security until now because we knew it would make people uncomfortable, possibly angry, and definitely worried.
The uncomfortable truth is that whilst you've been securing laptops and servers, your office printer has had full network access, stores every document you print, and still uses the password it shipped with.
The CCTV system protecting your premises might be livestreaming to the internet because nobody changed the default settings. The smart thermostat saving you money on heating is potentially giving attackers a way into your network.
This isn't theoretical paranoia. We're seeing breaches through IoT devices happen to businesses that have otherwise invested properly in cybersecurity.
That £15,000 the marketing agency spent on security? Completely valid investment that addressed real risks. Firewalls matter. Endpoint protection matters. Hardware authentication absolutely matters.
But security is only as strong as your weakest link, and IoT devices are often the weakest links because they're forgotten.
Stop Ignoring the Obvious
Right, here's the bottom line: every connected device is a computer. If it has an IP address, it's a potential security risk that needs management and protection.
Default passwords are attackers' best friends. The first thing to do with any new device is change the administrative password. Never assume factory defaults are acceptable.
Network segmentation isn't optional anymore. IoT devices should be isolated from your main business network, even if that means starting with basic VLAN separation.
Device inventory is fundamental. You can't secure what you don't know exists. Conduct regular network scans to discover forgotten devices.
Ownership matters. Every device needs someone responsible for its security. Don't let devices become "nobody's problem."
And for God's sake, check your bloody printer.
The marketing agency learned this lesson the expensive way. Don't follow their example. Start securing your IoT devices this week, not after the breach.
Your £15,000 security investment can be defeated by a £300 printer. Don't let it be.
| Source | Article |
| NCSC | IoT Device Security Guidance |
| HP Security Bulletin | Printer Security Best Practices |
| UK Government | Secure by Design: IoT Code of Practice |
| Shodan Database | Default Password Statistics |
| SANS Institute | IoT Security: Protecting the Internet of Things |
| Verizon DBIR | 2025 Data Breach Investigations Report |
| Episode 30 Podcast | The Devices You Forgot Were Computers |
