What Happened
The Register's new 'Pwned' column documents a critical vulnerability pattern: companies spend millions on firewalls and VPNs while leaving internet-connected devices in break rooms completely unpatched and unmonitored. These devices, including smart coffee makers, vending machines, and badge readers, operate on default credentials and rarely receive security updates. Once compromised, they become pivot points into supposedly secured internal networks because IT teams typically isolate them from corporate device management systems.
This isn't theoretical. Researchers have repeatedly demonstrated that compromised IoT devices can map internal networks, capture traffic, and provide lateral movement pathways to systems with actual data. The problem compounds because procurement teams buy these devices without security review, facilities staff plug them in without IT oversight, and nobody claims responsibility for patching. A single connected device running exploitable firmware becomes the perimeter's weakest link.
Why It Matters
The breakroom vulnerability exposes a fundamental organizational failure: security is treated as a network problem rather than a supply chain problem. Companies segment networks by sensitivity but fail at the harder task of inventory management and lifecycle tracking for thousands of minor devices. This creates the security equivalent of leaving a corporate credit card in an unlocked drawer because 'it has a low limit.' The attacker doesn't need to crack the vault. They just need one careless employee's badge reader or one unpatched smart lock.
Second order: this drives the entire IoT security market. Device makers face zero pressure to patch because customers never update. IT teams can't scale patching across thousands of heterogeneous devices. The only real solution is architectural: either buy IoT devices with a five-year patch commitment (expensive), isolate them on separate networks (operationally painful), or treat them as consumable disposables replaced every 18 months (wasteful). None are happening at scale.
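An added example, not code from the column or from The Register: an inventory audit that checks each break-room device against the controls named above (isolated segment, no default credentials, a patch SLA, a five-year vendor commitment, and the 18-month replacement horizon). The inventory records, the VLAN name and the 180-day patch SLA are assumptions.

```python
from datetime import date, timedelta

# Constructed sample inventory (not from the article): one record per
# break-room device, as a facilities/IT asset register might hold it.
INVENTORY = [
    {"id": "coffee-01", "kind": "coffee maker", "vlan": "corp-users",
     "default_creds": True, "last_patch": date(2023, 1, 10),
     "installed": date(2022, 6, 1), "vendor_support_until": date(2024, 6, 1)},
    {"id": "vend-07", "kind": "vending machine", "vlan": "iot-isolated",
     "default_creds": False, "last_patch": date(2025, 5, 2),
     "installed": date(2025, 1, 15), "vendor_support_until": date(2030, 1, 15)},
    {"id": "badge-3f", "kind": "badge reader", "vlan": "corp-users",
     "default_creds": False, "last_patch": None,
     "installed": date(2021, 3, 3), "vendor_support_until": date(2023, 3, 3)},
]

ISOLATED_VLANS = {"iot-isolated"}          # assumed name of the IoT segment
MAX_PATCH_AGE = timedelta(days=180)       # assumed patch SLA
MAX_DEVICE_AGE = timedelta(days=18 * 30)  # the 18-month horizon from the text
MIN_SUPPORT = timedelta(days=365 * 5)     # the five-year commitment from the text


def audit(inventory, today_iso):
    """Return {device_id: [finding, ...]} for devices failing any control."""
    today = date.fromisoformat(today_iso)
    findings = {}
    for dev in inventory:
        issues = []
        if dev["vlan"] not in ISOLATED_VLANS:
            issues.append("not on isolated IoT segment")
        if dev["default_creds"]:
            issues.append("default credentials still set")
        if dev["last_patch"] is None or today - dev["last_patch"] > MAX_PATCH_AGE:
            issues.append("firmware patch older than SLA or never applied")
        if dev["vendor_support_until"] - dev["installed"] < MIN_SUPPORT:
            issues.append("vendor patch commitment shorter than five years")
        if today - dev["installed"] > MAX_DEVICE_AGE and dev["vendor_support_until"] < today:
            issues.append("past 18-month horizon and out of vendor support; replace")
        if issues:
            findings[dev["id"]] = issues
    return findings


if __name__ == "__main__":
    for dev_id, issues in audit(INVENTORY, "2025-09-01").items():
        print(dev_id, "->", "; ".join(issues))
```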
Who Wins & Loses
Winners: Device makers maintaining the status quo (no expensive support costs), penetration testers (recurring revenue), IoT security startups (emerging market). Losers: Enterprise IT teams blamed for breaches they didn't control, companies facing regulatory fines when a coffee maker becomes a breach vector, ordinary employees whose badge data leaks through vending machine firmware.
What to Watch
Watch whether enterprises adopt 'untrusted network' architecture by default, isolating all IoT on air-gapped networks. Monitor whether regulators (CISA, EU) start mandating minimum SBOMs and patch timelines for commercial IoT. Track whether underwriters begin denying coverage for breaches involving unpatched devices. The real pressure point is insurance, not technology.
Social Pulse
Security Twitter roasts this daily but executives still don't understand why the IT director is angry about a $2,000 espresso machine.
Sources
- The company's biggest security hole lived in the breakroom