IoT Security Action Plan & Network Guide

7-step action plan and network segmentation guide — sourced from CISA, NIST SP 800-213, and FCC Cyber Planner 2.0.

Priority-ordered steps — start at Step 1 and work down
1
Change Every Default Password Immediately
Critical · Today
Most IoT devices ship with a default password such as "admin," "12345," "password," or the device's serial number. Those defaults are published online and attackers scan for them constantly. Change every device password to a unique, strong one and store the passwords in a password manager; Bitwarden has a free tier. If the device or its app offers two-factor authentication, turn it on as well.
CISA's published list of "Bad Practices" calls out the use of known or default passwords as one of a handful of practices it considers exceptionally risky for any organization, small businesses included.
2
Update Firmware on All Devices
Critical · This Week
Firmware is the software built into the device itself. Log into each device's admin page, find the firmware update section, and apply any available update, downloading it only from the manufacturer's own site. Hikvision, Dahua, and D-Link devices appear repeatedly in the CISA Known Exploited Vulnerabilities catalog, and many of those attacks succeed only because the firmware was never updated. If the manufacturer no longer publishes updates for a model, it is end-of-life: plan to replace it, because no password or setting fixes a known flaw in firmware that will never be patched. Patch this week, then set a monthly calendar reminder.
3
Put IoT Devices on a Separate Network (VLAN)
Critical · This Month
This is the highest-impact change on this list. If your cameras, printers, and smart TV share a network with your computers and POS, a hacked camera can attack your financial data. A separate IoT VLAN, with firewall rules that stop IoT devices from opening connections into the other zones, keeps a compromised device isolated. See the Network Segmentation tab for a visual guide.
4
Disable Remote Access You Don't Use
High · This Month
Many IoT devices enable remote access by default, so anyone on the internet can reach their login page. Unless you need remote access to a device, disable UPnP in your router (UPnP lets devices open ports on the router without asking you), disable the router's own remote management, and remove any port-forwarding rules you do not recognize. If you do need remote access, use a VPN or the manufacturer's cloud app rather than forwarding ports. Shodan, a search engine for internet-connected devices, indexes exposed devices worldwide, including small business cameras and DVRs; yours may already be on it.
5
Build a Complete IoT Device Inventory
High · This Month
You cannot protect what you don't know exists. Walk through your business and document every networked device: manufacturer, model, IP address, and who manages it. Your router's list of connected devices (often labelled DHCP clients) is a quick way to catch anything you missed on the walk-through. It is common to discover forgotten devices this way: an old printer, a previous alarm system, a smart TV in the break room. Use the Device Inventory tab as your starting point.
6
Enable Automatic Updates Where Available
Medium · Ongoing
For devices that support auto-updates (many newer routers, Ring, Nest), enable them. For devices requiring manual updates, set a calendar reminder for the 1st of every month. Many IoT attacks exploit vulnerabilities for which a patch has been available for months; they succeed only because nobody applied it.
7
Register Devices and Subscribe to Security Alerts
Medium · Ongoing
Register every device on the manufacturer's website; many manufacturers email alerts when a critical vulnerability is found in a registered model. Also subscribe to CISA's free email alerts: CISA publishes advisories, with specific remediation steps, when devices are being actively exploited.
Want Andrew to walk through these steps with you in person? Book a free IoT security assessment at Swamp Fox Cyber Defense — he comes to your business, no cost, no obligation. Chambersburg & Franklin County, PA.
Why CISA and NIST both recommend network segmentation for IoT
The problem: all devices on one network means a hacked camera can reach your accounting software and POS. The fix: split your network into zones, called VLANs (Virtual Local Area Networks), so a compromised IoT device stays isolated from your business data. One caveat: a VLAN only separates the traffic. The router or firewall that sits between the VLANs must also have rules that block the IoT zone from reaching the business and payment zones; without those rules, devices in different VLANs can still talk to each other through the router.
⚠️ BEFORE — One Flat Network (Dangerous)
Router / Modem
↓ everything shares one network ↓
Single Network — Everything Mixed
💻 Computers & laptops
💳 POS terminal & card reader
📷 Security cameras & DVR
🖨️ Network printer & smart TV
📱 Employee & guest phones
🌡️ Smart thermostat
❌ Hacked camera can reach POS
❌ Guest WiFi sees your computers
❌ One breach spreads everywhere
✅ AFTER — Segmented Network (Safe)
Router / Firewall
↓ each zone is isolated ↓
Business Network (VLAN 1)
💻 Computers · servers · laptops
Payment Network (VLAN 2)
💳 POS terminals · card readers
IoT Network (VLAN 3)
📷 Cameras · 🖨️ Printer · 📺 TV · 🌡️ Thermostat
Guest WiFi (VLAN 4)
📱 Customer phones · visitor devices
✅ Hacked camera cannot reach POS
✅ Guest WiFi cannot see computers
✅ Breach stays contained to one zone
Q: Can my current router do this?
Business-grade routers and access points support VLANs: Ubiquiti UniFi, Cisco Meraki, Netgear Business, TP-Link Omada. Basic consumer routers often offer a "Guest Network," which keeps guests away from your main network but usually cannot separate IoT devices from your computers. A full VLAN setup requires a managed switch and, for Wi-Fi devices, an access point that can assign each wireless network to its own VLAN. Andrew can assess your current equipment during a free visit.
Q: How much does this cost?
If you already have business-grade equipment, it's free: just settings changes. If you need new equipment, a Ubiquiti UniFi setup starts around $200–$400 and supports full segmentation, a small fraction of what a breach costs even a small business. Andrew can recommend the most cost-effective setup for your specific business size.
Source: CISA Cyber Guidance for SMBs · NIST SP 800-213 · FCC Small Biz Cyber Planner 2.0