More than 10 million smart devices in Western European capitals are vulnerable to attack, according to a new report from Trend Micro.

Exposed Internet of Things (IoT) devices–or those that are discoverable and accessible via network scanners or search engines–are a prime target for cybercriminals seeking vulnerabilities, the report stated.

“Since an exposed cyber asset is accessible and visible to the public, attackers can take advantage of the available information about the machine,” the report stated. “Whether by searching on internet scanners or directly profiling the machine using a variety of network tools such as Nmap, attackers can collect information on the device (including its potential vulnerabilities) and use that to mount an attack.”

For example, a criminal might check if the associated software of a device is vulnerable, or if the administration console password is easy to crack.

SEE: Enterprise IoT Research 2017: Benefits, Trends, and Security Concerns (Tech Pro Research)

Trend Micro used internet scanner Shodan to find smart devices and systems such as webcams, baby monitors, medical equipment, industrial control systems, home appliances, and databases in Western European capital cities.

Here are the five Western European cities with the highest number of exposed systems:

1. Berlin

2.8 million exposed systems

2. London

2.5 million exposed systems

3. Madrid

1.4 million exposed systems

4. Amsterdam

949,000 exposed systems

5. Athens

543,000 exposed systems

The most common exposed device types were wireless access points, firewalls, webcams, routers, and security devices, the report found.

SEE: Cybersecurity in an IoT and mobile world (free PDF) (ZDNet/TechRepublic special report)

Tips to keep your business safe

Enterprises in any nation should have a security checklist that includes securing the network infrastructure by segmenting a network according to function, department, geographic location, and level of security. They should also implement log analysis for threat detection and remediation, and properly configure user access profiles, workstations, and servers, including internet-connected devices, using the least-privilege model, the report stated.

Businesses can also protect sensitive data by establishing different access guidelines, implementing identity-based and cloud encryption, and building a data protection infrastructure with multi-tiered access, according to the report.

“Ultimately, no defense is impregnable against determined adversaries,” the report stated. “Having effective alert, containment, and mitigation processes is critical.”