Changing the default credentials is the best initial step for securing new devices. Attackers often use known default usernames and passwords to gain unauthorized access to new system installations. Resetting these credentials to unique and strong username/password combinations significantly reduces the risk of simple but effective attacks. Updating firmware, while important, is generally focused on addressing functional and security issues rather than preventing unauthorized access due to default credentials. Enforcing account lockout policies is more about responding to attack attempts rather than preemptively mitigating the risk. Scanning for vulnerabilities is an ongoing security practice but does not directly address the specific risk of default password use.