Welcome to Amtivo in Ireland, formerly Certification Europe and EQA


6 Internet of Things Devices That Could Threaten Your Business and How to Stay Secure With Confidence


World Wide Web Day, on 1st August, celebrates how the internet has transformed the way we work and communicate. But the same technologies that increase speed and efficiency can also create unseen risks – especially when it comes to the growing number of internet-connected devices in our workplaces. 

Irish businesses are embracing the Internet of Things (IoT) – everyday connected devices that collect and share data – to streamline operations and improve productivity. Yet many are unknowingly expanding their digital footprint through devices that operate beyond traditional IT oversight. These useful devices can introduce cyber security risks for businesses, particularly in compliance-focused sectors such as healthcare, manufacturing, and technology. Once compromised, these devices can open the door to internal systems, letting attackers move across the network to access sensitive data and disrupt operations. In some cases, devices with weak security have been used as entry points for ransomware or to exfiltrate personal and financial information.

Here are six IoT devices commonly found in workplaces that could be putting your organisation at risk. 

1. Smart TVs in conference rooms

Often connected to corporate Wi-Fi and used for presentations, these displays can store access tokens or auto-login details for cloud services, leaving them vulnerable if not wiped regularly. 

2. Office printers and scanners

These multifunction devices may store cached scans or emails and often operate with open ports or unsecured admin panels on the network. 

3. Smart building controls

HVAC, lighting, and access systems often rely on third-party cloud platforms – which may not follow your organisation’s password policies or patching schedules. 

4. IP cameras and security systems

These devices often operate externally and may still use factory-set usernames and passwords. If exposed to the internet without proper controls, they can act as a direct entry point for attackers – bypassing internal protections altogether. 

5. Smart assistants and voice-controlled devices

Common in meeting rooms or communal spaces, these devices may link to calendars, messaging tools, or cloud storage. If not properly isolated or monitored, they can be exploited to overhear sensitive information or issue unauthorised voice commands. 

6. Connected coffee machines and vending systems

Though seemingly harmless, these devices sometimes connect via guest Wi-Fi or back-end vendor portals – often with little to no authentication. They can provide a foothold for attackers to move across the network, especially if segmentation is weak. 

Fortunately, organisations don’t need to tackle these risks alone. 

 

Managing IoT Risks with ISO 27001 and Cyber Essentials 

Managing IoT risks requires more than just technical fixes – it calls for a structured, security-conscious approach across the business. As connected devices become more embedded in business operations, from smart printers to building sensors, they can introduce vulnerabilities that affect both data security and operational continuity. This is where ISO/IEC 27001 and Cyber Essentials come in. 

ISO/IEC 27001 is the international standard for Information Security Management Systems (ISMS). It sets out the requirements for establishing, implementing, maintaining and continually improving an ISMS, helping organisations manage information security risks across systems, devices, and processes, such as those introduced by many everyday IoT technologies.  

The standard supports organisations in managing IoT-related risks through areas such as: 

  • Asset identification: Maintaining an up-to-date register of connected assets to support risk assessment and control implementation. 
  • Access control: Establishing and reviewing access permissions to ensure appropriate access to systems and data. 
  • Supplier oversight: Addressing information security within supplier relationships, particularly when third parties are involved in setting up, supporting, or operating connected devices or systems. 
  • Continual monitoring and improvement: Supporting the application of secure configurations, update management, and decommissioning of unmanaged or obsolete devices as part of ongoing ISMS maintenance. 

To find out more, visit our ISO 27001 beginners guide.  

Cyber Essentials (CE), together with Cyber Essentials Plus (CE+), is a UK government-backed scheme that helps organisations implement key technical controls to protect against common cyber threats. The scheme is important for Irish businesses operating in the UK because certification demonstrates a baseline level of cyber security assurance that’s often required in public sector contracts and increasingly expected across private supply chains. Achieving CE or CE+ certification can support market access, build trust, and strengthen compliance with UK procurement and data protection standards. The controls within CE and CE+ can play an important role in managing IoT-related risks by:

  • Securing device connectivity: Ensuring that internet-connected devices are protected by appropriate firewall configurations and boundary controls. 
  • Managing access: Requiring secure user access controls, including strong authentication for devices and services. 
  • Keeping software up to date: Supporting patch management practices that reduce vulnerabilities in IoT firmware and associated systems. 
  • Reducing exposure: Promoting secure configuration of all devices, including those not traditionally covered by enterprise IT policies. 

Cyber Essentials provides a self-assessment approach, helping organisations implement core technical controls such as secure configuration, access control, and malware protection to help defend against common cyber threats.  

Cyber Essentials Plus involves the same self-assessment as well as a hands-on technical audit, helping organisations validate that these controls are working effectively in practice – including across IoT-enabled environments where applicable. 

Strengthen your cyber security with confidence. Get in touch with our team today to learn how ISO 27001 and Cyber Essentials can help. 

Written by

Julian Russell
