I have been warning businesses about this for over a decade. Every conference talk, every client meeting, every risk assessment — I have said the same thing: your biggest cyber security risk is not your servers or your laptops. It is the devices you have forgotten about. And now, once again, reality has proved me right.

A story recently published by The Register describes a corporate breach investigation where a digital forensics team spent days combing through servers, firewalls and endpoint protection looking for the source of a significant data breach. They found nothing wrong with the traditional IT infrastructure. The breach vector? An internet-connected coffee machine sitting in the breakroom, happily brewing lattes and exfiltrating sensitive company data to attackers overseas.
What Actually Happened
The company in question believed their server room had been physically compromised by a competitor. They called in a forensics team who, after several days of investigation, discovered the truth was far stranger. The coffee machine — a smart, internet-connected appliance on the corporate network — had been compromised. It shipped with a default password, ran an outdated operating system, and had no firewall protection whatsoever.
Every time an employee brewed a cup, the machine was silently sending packets of data to malicious actors outside the country. The forensic investigator described having to explain to a room full of executives that their highly sensitive data had been compromised by a cappuccino.
This Is Not New — I Have Been Saying This for Years
This is not the first time a business has been breached through a forgotten connected device, and it will not be the last. In 2017, attackers famously compromised a North American casino through an internet-connected fish tank thermometer in the lobby. Despite the casino having set up a separate VPN for the fish tank, attackers still managed to move laterally through the network and exfiltrate the high-roller database — roughly 10GB of data — sending it to a server in Finland.
I have investigated cases like these myself. In one engagement for a UK healthcare provider, attackers compromised smart televisions in meeting rooms using an over-the-air broadcast attack. They exploited the TVs' built-in web browsers, gained root access, installed network bridging tools, connected the TVs to consumer Wi-Fi hotspots, and used them to exfiltrate 94GB of data — including nearly 10,000 payment records and over 4,000 personal records containing sensitive patient information. The entire attack bypassed every firewall, IPS and SIEM in the building because the data left through the TV's own wireless card, not the corporate network.
The pattern is always the same: a device that nobody considers a computer turns out to be exactly that, and it becomes the weakest link in the chain.
Why Small Businesses Are Especially Vulnerable
If you are running a small business in the UK, you might be thinking this only happens to big corporations. That is dangerously wrong. Small businesses are often more vulnerable to IoT attacks for several reasons.
First, smaller businesses tend to have flat networks. Everything sits on one network segment — the till, the office PCs, the printer, the smart thermostat, and yes, the coffee machine. There is no separation between critical business systems and convenience appliances. If an attacker compromises the coffee machine, they are already on the same network as your accounting software and customer database.
Second, small businesses rarely have dedicated IT security staff. Nobody is monitoring what the smart TV in reception is doing at three o'clock in the morning. Nobody is checking whether the connected alarm system has had a firmware update in the last three years.
Third, small business owners often buy consumer-grade smart devices and plug them straight into the business network without changing default passwords, updating firmware, or considering the security implications at all.
The Devices You Need to Worry About
Take a walk around your business premises and count the connected devices. You will almost certainly find more than you expected. Common culprits include smart thermostats and HVAC controllers, internet-connected CCTV cameras, smart TVs and digital signage screens, connected printers and multifunction devices, smart lighting systems, connected alarm and access control systems, point-of-sale terminals, and of course, smart kitchen appliances like coffee machines, fridges and microwaves.
Every single one of these devices is a computer. Every single one runs software that can contain vulnerabilities. And every single one is a potential doorway into your business network.
What the Law Says
The UK Government recognised this problem and introduced the Product Security and Telecommunications Infrastructure (PSTI) Act, which came into force on 29 April 2024. This legislation requires manufacturers, importers and distributors of consumer IoT devices sold in the UK to meet three baseline security requirements: no default universal passwords, a published point of contact for reporting security vulnerabilities, and transparency about how long the device will receive security updates.
Non-compliance can result in fines of up to £10 million or 4% of global annual revenue. However, the PSTI Act only covers new devices coming to market. It does nothing about the millions of existing devices already deployed in businesses across the country — devices that may have been sitting on your network with default passwords for years.
What You Should Do Right Now
Protecting your business from IoT-based attacks does not require a massive budget or specialist expertise. It requires discipline and a change in mindset. Here is what I recommend for every small business owner.
Audit your connected devices. Walk your premises and make a list of every device connected to your network. If you do not know it is there, you cannot protect it.
Change every default password. This is the single most important step. If a device still has the password it came with from the factory, change it immediately. Use a strong, unique password for each device.
Segment your network. Put IoT devices on a separate network segment from your business-critical systems. Most modern business routers support VLANs or guest networks. Your coffee machine does not need to be on the same network as your accounts system.
Update firmware regularly. Check each connected device for available firmware updates at least monthly. If a device no longer receives security updates from its manufacturer, replace it.
Disable features you do not use. If your smart TV does not need Wi-Fi to do its job, disable the wireless card. If your printer does not need to be accessible from the internet, block its external connectivity. Reduce the attack surface wherever possible.
Monitor your network. Even basic network monitoring can help you spot unusual traffic patterns. If your coffee machine is sending data to an IP address in Eastern Europe at two in the morning, you want to know about it.
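The audit and monitoring steps above can be joined up in a few dozen lines. The following is an added example, not code from the original post: it takes an inventory produced by the walk-round (device name, LAN address, the vendor destinations it is allowed to reach) and runs constructed flow records through it, flagging devices that are not on the inventory, outbound connections to addresses outside a device's allowlist, off-hours traffic, and unusually large uploads. The device names, addresses (documentation ranges only), flow format, business-hours window and byte threshold are all assumptions chosen for the example.

```python
"""Flag IoT devices talking to unexpected places, over constructed flow records."""
from dataclasses import dataclass
from datetime import datetime
import ipaddress

# Inventory from the walk-round audit: device -> (its LAN IP, destinations it is
# allowed to reach). All names and addresses are constructed for this example;
# the allowlists use RFC 5737 documentation ranges as stand-ins for vendor clouds.
INVENTORY = {
    "coffee-machine":     {"ip": "192.168.1.50", "allowed": ["203.0.113.0/24"]},
    "smart-tv-reception": {"ip": "192.168.1.60", "allowed": ["198.51.100.0/24"]},
    "printer-mfd":        {"ip": "192.168.1.70", "allowed": []},  # should never leave the LAN
}

INTERNAL = [ipaddress.ip_network("192.168.0.0/16"), ipaddress.ip_network("10.0.0.0/8")]
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 local; anything else counts as off-hours
UPLOAD_THRESHOLD = 1_000_000    # bytes in a single outbound flow that deserves a look

# Constructed flow records: timestamp,src_ip,dst_ip,dst_port,bytes_sent
SAMPLE_FLOWS = """\
2024-05-01T09:15:00,192.168.1.50,203.0.113.7,443,2048
2024-05-01T02:13:00,192.168.1.50,192.0.2.10,443,4800000
2024-05-01T10:00:00,192.168.1.60,198.51.100.5,443,10240
2024-05-01T10:05:00,192.168.1.70,192.168.1.20,9100,512000
2024-05-01T11:00:00,192.168.1.70,192.0.2.10,80,7000000
2024-05-01T03:40:00,192.168.1.99,192.0.2.33,4444,128
"""


@dataclass
class Finding:
    device: str   # inventory name, or the raw IP when the device is unknown
    reason: str
    line: str     # the flow record that triggered it, for the analyst


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def parse_flow(line: str):
    ts, src, dst, port, nbytes = line.strip().split(",")
    return datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)


def analyse(lines):
    """Return a list of Findings for every outbound flow that breaks a rule."""
    by_ip = {v["ip"]: name for name, v in INVENTORY.items()}
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = parse_flow(line)
        # Only LAN devices sending to the outside world are of interest here.
        if not is_internal(src) or is_internal(dst):
            continue
        device = by_ip.get(src)
        if device is None:
            # Audit step: anything talking outbound that is not on the list is a gap.
            findings.append(Finding(src, "unknown device on the network (not in inventory)", line))
            continue
        allowed = [ipaddress.ip_network(n) for n in INVENTORY[device]["allowed"]]
        if not any(ipaddress.ip_address(dst) in net for net in allowed):
            findings.append(Finding(device, f"outbound to non-allowlisted address {dst}:{port}", line))
        if ts.hour not in BUSINESS_HOURS:
            findings.append(Finding(device, f"outbound traffic at {ts:%H:%M} (off-hours)", line))
        if nbytes >= UPLOAD_THRESHOLD:
            findings.append(Finding(device, f"large upload of {nbytes} bytes", line))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_FLOWS.splitlines()):
        print(f"[{f.device}] {f.reason}\n    {f.line}")
```

On the sample data the coffee machine is flagged three times for a single flow (wrong destination, 02:13, and a multi-megabyte upload), the printer twice for reaching the internet at all, and an address that is not in the inventory once; the smart TV, which only talks to its vendor range during the day, produces nothing. Real flow records come from a router's NetFlow or sFlow export, a firewall log, or a span port, and the allowlists should be built from what each device's manufacturer documents, then tightened as the monitoring shows what the device actually needs.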
The Bottom Line
Your cyber security is only as strong as the weakest device on your network. It does not matter how much you spend on firewalls and antivirus if you have left the back door open by plugging an unpatched, default-password smart appliance into your business network.
The coffee machine breach is not a freak occurrence. It is the natural consequence of businesses treating IoT devices as harmless appliances rather than the networked computers they actually are. I have been saying this for more than ten years. Now perhaps more people will listen.
If you are unsure about the security of your connected devices, get in touch. A simple IoT security assessment could be the difference between running your business and explaining to your customers why their data ended up overseas.