New IoT Laws: Boosting Your Business's Cybersecurity
Earlier this year, the BBC sent shockwaves around the tech landscape by reporting on the impending rules for manufacturing technologically enabled devices in the UK. It drew attention to the fact that the UK government was clamping down on manufacturers with a stringent set of rules through the introduction of the UK's consumer connectable product security scheme, which came into effect on April 29, 2024.
This means that tech manufacturers must follow these rules if they wish to continue selling in the future. Failure to comply could result in fines and other potential penalties.
From a Netitude point of view, the scheme will make it easier to achieve Cyber Essentials Plus in the long term. When we detect vulnerabilities as part of our Managed Cyber Security service, devices are more likely to be updated rather than needing replacement. It also raises default security across the board for businesses and home users.
What Does IoT Mean, and What Sort of Devices Count as IoT?
IoT, or the Internet of Things, has seen significant development in the digitally driven era we live in today. The term itself refers to the idea of connecting everyday objects to the Internet so they can send and receive data.
Think of the IoT as an interconnected network of technologically enabled devices (such as thermostats and refrigerators) that you'd typically find in most modern homes and businesses. These tech appliances can communicate with each other and with you via the internet, hence the name!
Understanding the New IoT Device Laws
These rules have been introduced to enhance security for the increasing number of "smart" technologies populating UK households and workplaces. In the home, these "smart" pieces of tech include things as innocuous as baby monitors, flatscreen TVs, or Bluetooth speakers that connect to the household's Wi-Fi. The most common IoTs in the workplace include smart sensors, climate control configurations, and security control systems (IoT cameras and smart locks).
These rules target three primary areas of security enhancement:
- Secure Passwords: According to Kommando Tech, 'an estimated 81% of data breaches are due to poor password security'; therefore, it's no surprise that the UK government has highlighted this as an area of cybersecurity improvement.
  - Manufacturers' Solution: Manufacturers must resolve this by ensuring password procedures are more secure on their "smart" devices. They can do this by disabling easily guessable passwords such as "12345" or "abcde" and recommending that consumers adopt stronger passwords.
- Reporting Bugs: The government will require internet-enabled devices to be able to "report bugs." With this latest piece of legislation, regulators will leave manufacturers with no choice but to devise methods and processes to facilitate the reporting of bugs (software vulnerabilities) and other technological issues throughout their smart product or IoT lifecycle.
  - Manufacturers' Solution: To abide by these new rules, manufacturers must acknowledge and promptly respond to device bug reports. They should also prioritise any critical security loopholes or vulnerabilities they encounter in the product testing phase and endeavour to provide regular updates to users once the devices are rolled out.
- Support Duration: Last of all, the UK government will require manufacturers to provide technical assistance, maintenance, and software updates for a specific product once it has been released to market.
  - Manufacturers' Solution: Various businesses operating in the manufacturing industry will now be required to implement strategies to establish a support and maintenance infrastructure to comply with this new law. They'll also be required to define clear support policies and facilitate automated update systems throughout their product's lifecycle.
Exemptions to the New UK Consumer Connectable Product Security Scheme
These new measures, introduced earlier in the year, only apply to relevant products that can connect to the internet or a network. The following technological devices are not covered, as the stringent regulations apply only to internet-enabled 'smart' devices:
- Charging points for electric vehicles
- Medical devices (connected wearables / implantable devices)
- Smart meter products
- PCs, laptops and tablets that are unable to connect to the internet
The Growing Importance of IoT Security
Securing our technological devices has never been more important as we enter the fourth industrial revolution (4IR). Below are some of the reasons why IoT security is growing in importance and why governments have started to take the necessary steps to regulate these smart technologies.
Addressing the Rising Adoption of IoT
The number of Internet of Things (IoT) devices has grown exponentially in recent years, and Statista reports that this trend is set to continue for the foreseeable future. According to the leading global data and business intelligence platform, 'the number of Internet of Things (IoT) devices worldwide is forecast to almost double from 15.9 billion in 2023 to more than 32.1 billion IoT devices in 2030'.
This highlights just how big a part IoT devices have to play during the 4IR as businesses across various sectors (gas, steam & A/C, water supply & waste management, retail & wholesale, transportation & storage, and government) all opt and advocate for these game-changing pieces of tech.
Outlining the Security Challenges Posed by IoT
The number one reason the UK government will have taken matters into its own hands by enforcing the new laws on IoT devices mentioned earlier is the critical security challenges that these devices pose.
Weak Password Protection
Many IoT devices will be released into the market with default or easily guessable passwords as standard. This encourages cyber attackers to pinpoint IoT devices as vulnerabilities and weak spots within an organisation's cyber defences.
Lack of Regular Patches and Updates
It's clear that IoT devices currently being manufactured lack regular patching and updates, which is why this security challenge was set to be tackled by the robust measures set out in the UK's consumer connectable product security regime.
Regulations will have been proposed to tackle the negligence shown by IoT manufacturers regarding facilitating regular security updates. This negligence can prove costly, as unpatched devices can hold business-critical data and personal information while remaining vulnerable to being exploited by potential attackers.
Exploitation of the IoT Skills Gap
As technology advances, so does the need to upskill the people handling the devices. When technological advancement outpaces the number of skilled professionals, you are left with a skills gap.
IoT devices require skilled technical professionals to maximise their unique and diverse capabilities. However, finding these qualified professionals is another challenge altogether, with Forbes Advisor releasing a report in 2023 indicating that '93% of UK businesses say there is an IT skills gap'.
Without the workforce to tackle this issue, businesses leave themselves open to exploitation as they face an increased risk of cybersecurity incidents.
The Answer: Invest in Managed Cyber Security Solutions with Netitude
Knowing what course is best for your manufacturing business can be tough, especially in the modern working world, where so many technological influences bind us. By partnering with a leading Managed IT Service Provider (ranked 291st globally), you can put your worries to bed by letting us sweat the small stuff—ensuring your business remains compliant and secure—while you get to focus on making your business tick.
What Is a Managed Cyber Security Service, and Why Should You Have It?
Our Managed Cyber Security (MCS) services provide clients with a tailored, multi-layered security solution. This comprehensive offering helps our clients manage and enhance their cybersecurity defences, focusing on providing organisations with holistic protection while concentrating on risk management.
If you would like any more information on Cyber Essentials, we recommend that you peruse our latest blog post, Breaking Down the Cyber Essentials Accreditations. For more information on our Managed Cyber Security (MCS) packages, check out our website.
If you're a business looking to improve its cybersecurity, you may be tempted to complete the Cyber Essentials and Cyber Essentials PLUS accreditations. For the latter, businesses are required to prove to an external assessor that they can pass various security-related checks, including security controls, user access control, secure configuration, and the like. All of these are covered as part of our MCS package at Netitude.