Most small and mid-sized businesses focus on keeping people out with locked doors, cameras, and maybe an alarm system, but what happens when the threat walks in the front door, wearing a lanyard? Delivery drivers, freelancers, cleaning crews, contractors. These may be some of your most trusted service providers, but they’re also the perfect cover for someone looking to carry out a physical infiltration. These individuals are hardly ever screened, and no one’s watching them once they’re inside. That’s all the opportunity an adversary needs.
We explained in this recent post that asymmetric threats don’t rely on traditional force. They’re low-cost, irregular tactics meant to exploit your routine operations. Today, these threats can come in as gig workers who target the IoT devices already inside your place of business, or who plant devices of their own.
IoT stands for the Internet of Things, a term for physical devices that connect to the internet or a local network to collect or share data. This can include smart thermostats, security cameras, badge readers, lighting systems, door locks, even breakroom appliances. These tools are everywhere in modern workplaces because they make operations smoother, more automated, and, in theory, much more efficient.
Here’s the problem with this: most IoT devices are not built with security in mind. They typically come with default passwords and offer little to no monitoring. If they’re connected to the same network as your sensitive systems, or if access isn’t locked down properly, they also become easy targets.
An attacker doesn’t need to break your firewall if they can easily tap a vulnerable smart camera. Or, remotely trigger a compromised smart lock. Or, use a Wi-Fi-enabled thermostat as a foothold to move deeper into your network. These are all physical devices that can be used for digital leverage, and most businesses aren’t tracking what’s connected to them or who’s interacting with them. That’s when a gig worker can make their move.
SMBs rely heavily on third-party workers to keep things moving. Food delivery. Equipment service. Office cleaning. Most of these workers are legitimate, but when an adversary steps into one of these roles, they might not be trying to steal something immediately. They could be trying to blend in so that they can leave something behind. That “something” is usually a small IoT device. Easy to carry in, easy to hide.
A rogue wireless access point, for example, can be stashed behind furniture or under a desk. It impersonates your Wi-Fi network, hoping an employee connects so it can grab credentials or redirect traffic out to an attacker-controlled server.
Bluetooth sniffers are another option. They’re tiny (no larger than a USB drive), discreet, and built to pick up signals from nearby devices like keyboards, phones, and anything wireless. Once in place, they can capture data or track employee movement by logging Bluetooth identifiers tied to specific people.
Then there are covert cameras, hidden inside things like smoke detectors or phone chargers, that can silently monitor activity. These devices can record keycard use, capture whiteboard notes during meetings, or show how a space is laid out. In some cases, attackers use them to track daily routines and watch which doors are opened when, or spot patterns in room occupancy that point to weak times in security.
None of these devices require advanced skill to use. They’re easy to buy, easy to plant, and hard to detect, unless you’re actively looking for them.
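The rogue access point described above is the planted device a defender can most readily look for, because it has to broadcast to work. The script below is an added example, not code from the original post or from Safe Haven Risk Management: it walks a wireless survey and flags any radio that advertises one of the business's own SSIDs from hardware not in the access-point inventory, adding a note when the security type is wrong for that SSID (an open network posing as a secured one) or the signal is so strong the radio must be inside the building. The SSIDs, BSSIDs, inventory and survey lines are all constructed for the example; a real survey tool prints a different layout, and only `parse_scan()` would need adapting.

```python
"""Rogue / evil-twin access point check (added example; not code from the original post).

Assumptions, all constructed for this example:
  * EXPECTED_SSIDS lists the SSIDs the business broadcasts and the security each
    one is supposed to use.
  * MANAGED_APS is the inventory of the business's own access points (BSSID -> label).
  * SCAN_RESULTS is a simplified wireless survey, one beacon per line:
    "BSSID SSID CHANNEL SECURITY RSSI_dBm". A real survey tool prints more
    fields; only parse_scan() needs changing to consume its output.
"""
from dataclasses import dataclass

EXPECTED_SSIDS = {"AcmeCorp": "WPA2", "AcmeCorp-Guest": "OPEN"}

MANAGED_APS = {
    "aa:bb:cc:00:01:01": "AP-1 lobby ceiling",
    "aa:bb:cc:00:01:02": "AP-2 second floor",
}

# Beacons a survey might see: two managed APs, a neighbouring cafe, and two
# unknown radios on channel 1 advertising the corporate SSID at very strong signal.
SCAN_RESULTS = """\
aa:bb:cc:00:01:01 AcmeCorp 6 WPA2 -48
aa:bb:cc:00:01:02 AcmeCorp 11 WPA2 -61
aa:bb:cc:00:01:02 AcmeCorp-Guest 11 OPEN -62
de:ad:be:ef:12:34 AcmeCorp 1 OPEN -35
de:ad:be:ef:12:35 AcmeCorp 1 WPA2 -36
11:22:33:44:55:66 CoffeeShopWiFi 6 OPEN -80
"""

# Above this signal level the radio is almost certainly inside the building,
# not a neighbour's network bleeding through the wall (assumed threshold).
INSIDE_RSSI_THRESHOLD = -40

UNKNOWN_BSSID = "unknown BSSID advertising a corporate SSID"
SECURITY_MISMATCH = "security type differs from the expected setting"
STRONG_SIGNAL = "signal strong enough to be inside the facility"


@dataclass(frozen=True)
class Beacon:
    bssid: str
    ssid: str
    channel: int
    security: str
    rssi: int


def parse_scan(text: str) -> list:
    """Turn the survey text into Beacon records; malformed lines are skipped."""
    beacons = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        bssid, ssid, channel, security, rssi = parts
        beacons.append(Beacon(bssid.lower(), ssid, int(channel), security.upper(), int(rssi)))
    return beacons


def find_rogue_aps(beacons, managed=MANAGED_APS, expected=EXPECTED_SSIDS):
    """Report beacons that use one of our SSIDs but come from hardware we don't own."""
    findings = []
    for b in beacons:
        if b.ssid not in expected:
            continue  # other people's networks are noise for this check
        if b.bssid in managed:
            continue  # our own AP, as inventoried
        reasons = [UNKNOWN_BSSID]
        if b.security != expected[b.ssid]:
            reasons.append(SECURITY_MISMATCH)
        if b.rssi >= INSIDE_RSSI_THRESHOLD:
            reasons.append(STRONG_SIGNAL)
        findings.append({"bssid": b.bssid, "ssid": b.ssid,
                         "channel": b.channel, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_rogue_aps(parse_scan(SCAN_RESULTS)):
        print(f"{f['bssid']} ({f['ssid']}, ch {f['channel']}): " + "; ".join(f["reasons"]))
```

The check deliberately ignores every SSID that is not the business's own: a survey in an office building is full of neighbouring networks, and chasing those buries the one result that matters. Run on a schedule from a fixed sensor, a new BSSID for your SSID that was absent yesterday is exactly the "how long until someone notices" measurement the post asks for.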
In early 2025, Opexus, a major software contractor for U.S. federal agencies, suffered a breach, not from outside hackers, but from two employees who had previously been convicted of cybercrimes.
The Akhter brothers were hired as engineers at Opexus, a software contractor handling sensitive records for agencies like the IRS, GSA, and Department of Defense. They were placed in roles with broad system access, despite both having federal convictions for hacking, wire fraud, and unauthorized access to government systems.
Once inside, they were given administrative-level privileges across multiple platforms, including tools used to manage audits, FOIA requests, and law enforcement investigations. There was no indication that proper background checks were performed, and their access wasn’t limited based on past offenses or current clearance status.
When the company moved to terminate them, Opexus failed to revoke access before the meeting. Their user accounts remained active during and after termination, giving them a window to:
Large organizations (like Opexus) usually have layers of screening and monitoring. They isolate networks, restrict access to high-value areas, and so on. SMBs might not. Access to networks and inventory may be more casual, less restricted. Cameras may not exist inside or outside. Someone may simply be able to walk in, plant a device, and leave without ever being noticed if the door is left open.
This leaves a big gap in security. A food delivery worker might be left alone in a breakroom. A janitor might have unsupervised access to executive offices after hours. The same keycards or PIN codes are used across departments for simplicity. Whatever the case, attackers know to use what’s already there. Your routines, your technology, and your trust.
The problem for us today isn’t just that attackers are getting in. It’s that we’re making it easy. Most SMBs are still operating 100% on trust: trust that contractors are vetted, that smart devices are safe out of the box, and that “nobody would target us.” That mindset creates security gaps.
Start by challenging the assumption that routine access is low-risk. Ask yourself:
Next, look at your technology. Your IoT devices, such as cameras, locks, and thermostats, should not be on the same network as your business-critical systems. They should be updated regularly, their default passwords changed, and all of their network traffic logged.
Most importantly, test your assumptions. Have someone attempt to enter your building with a fake badge. Drop a rogue device in your facility and see how long it takes for someone to notice. You can’t defend yourself if you aren’t sure how you’re exposed.
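Both of the previous two points, keeping IoT gear on its own network and finding out how quickly a planted device gets noticed, come down to one routine: compare what is actually on the network with what you believe you own. The script below is an added example, not code from the original post or from Safe Haven Risk Management. It reads a DHCP lease snapshot, reports any device whose MAC is not in the asset inventory, and reports any inventoried IoT device that has turned up on the business subnet instead of the IoT segment. The inventory, subnets and lease lines are constructed; the lease layout follows dnsmasq's lease file, and any other DHCP server's export only needs its MAC and IP columns mapped.

```python
"""Network asset reconciliation against a DHCP lease snapshot
(added example; not code from the original post).

Assumptions, all constructed for this example:
  * INVENTORY maps MAC -> (name, role) for every device the business knows it
    owns; role is "corp" (business systems) or "iot" (cameras, locks, thermostats).
  * SEGMENTS is the subnet each role is allowed to live on; IoT gear on its own
    VLAN is the segmentation the post recommends.
  * LEASES is a lease-file snapshot in dnsmasq's layout
    ("expiry MAC IP hostname client-id").
"""
import ipaddress

SEGMENTS = {
    "corp": ipaddress.ip_network("10.0.10.0/24"),
    "iot": ipaddress.ip_network("10.0.20.0/24"),
}

INVENTORY = {
    "f4:5c:89:aa:00:01": ("finance-pc-01", "corp"),
    "f4:5c:89:aa:00:02": ("reception-pc", "corp"),
    "b8:27:eb:11:22:33": ("lobby-camera", "iot"),
    "d8:f1:5b:44:55:66": ("hvac-thermostat", "iot"),
}

# Four known devices plus one nobody has inventoried, which appeared on the
# business subnet; the thermostat is also on the wrong segment.
LEASES = """\
1718000000 f4:5c:89:aa:00:01 10.0.10.21 finance-pc-01 01:f4:5c:89:aa:00:01
1718000000 f4:5c:89:aa:00:02 10.0.10.22 reception-pc *
1718000000 b8:27:eb:11:22:33 10.0.20.5 lobby-camera *
1718000000 d8:f1:5b:44:55:66 10.0.10.40 hvac-thermostat *
1718000000 02:11:22:33:44:55 10.0.10.77 * *
"""

UNKNOWN_DEVICE = "device not in asset inventory"
WRONG_SEGMENT = "device outside the segment assigned to its role"


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit of the first octet is set: the address was
    software-assigned (randomised or cloned) rather than burned in at the
    factory. Phones do this for privacy too, so treat it as a hint, not proof."""
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)


def parse_leases(text: str):
    """Yield (mac, ip, hostname) from dnsmasq-style lease lines; short lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        yield parts[1].lower(), ipaddress.ip_address(parts[2]), parts[3]


def reconcile(leases_text: str = LEASES, inventory=INVENTORY, segments=SEGMENTS):
    """Compare live leases with the inventory and return one finding per problem."""
    findings = []
    for mac, ip, hostname in parse_leases(leases_text):
        if mac not in inventory:
            findings.append({"mac": mac, "ip": str(ip), "hostname": hostname,
                             "issue": UNKNOWN_DEVICE,
                             "locally_administered": is_locally_administered(mac)})
            continue
        name, role = inventory[mac]
        if ip not in segments[role]:
            findings.append({"mac": mac, "ip": str(ip), "hostname": name,
                             "issue": WRONG_SEGMENT,
                             "locally_administered": is_locally_administered(mac)})
    return findings


if __name__ == "__main__":
    for f in reconcile():
        flag = " [locally administered MAC]" if f["locally_administered"] else ""
        print(f"{f['ip']:<12} {f['mac']} {f['hostname']:<16} {f['issue']}{flag}")
```

Two design choices are worth spelling out. The unknown-device finding is the one that answers "how long until we notice": if a dropped device pulls a lease, it shows up on the next run, so the interval between runs bounds your detection time. The wrong-segment finding catches the quieter failure, an inventoried camera or thermostat that someone plugged into the office switch "just for now", which silently undoes the segmentation the post asks for.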
At Safe Haven Risk Management, we run Security Vulnerability Assessments designed to find the gaps your policies might not cover. We don’t just look at your systems; we test them. That includes tactics like the ones above: using real-world intrusion techniques, observing how access is managed, and identifying overlooked risk created by gig workers, smart devices, or both. These aren’t theoretical threats. They’re happening now, and not just to big companies.
Want to see what an adversary sees when they walk into your facility?
Copyright 2023 SAFE HAVEN RISK MANAGEMENT LLC. All Rights Reserved.