Daily Newsletter

30 April 2024

Daily Newsletter

30 April 2024

Analysis: Does the UK’s new smart device security law go far enough to prevent cyberattacks?

The Product Security and Telecommunications Infrastructure act places tougher security standards on UK smart device manufacturers.

Kurt Robson April 30 2024

A Which? consumer group found that a UK home filled with smart devices could be the victim of over 12,000 hacking attempts a week Credit: Getty Images / Maskot

Manufacturers will now have to follow tougher rules to sell smart devices in the UK after, what some consider, a long overdue law came into effect at the end of April.

In 2021, an investigation conducted by Which? consumer group discovered that a UK home filled with smart devices could be vulnerable to over 12,000 hacking attempts every week.  

The law, known as the Product Security and Telecommunications Infrastructure act (PSTI act), has been described as “long overdue” by experts. 

It is designed to ensure better security around devices such as smart doorbells, speakers, televisions, and other devices connected to the Internet, often called the Internet of Things (IoT).

The UK government said the “world first” law would provide “piece of mind” to consumers.

According to the Department for Science, Innovation and Technology, over half of UK households now own a smart TV, and more than half own a voice assistant, along with an average of nine other smart devices. 

These devices can include anything from toys and game consoles to fridges and ovens. 

Until recently, manufacturers had to follow security guidelines, but the new law adds three tougher requirements to meet:

  • The manufacturer must not supply devices that use default passwords, which can be easily discovered online and shared
  • The manufacturer must provide a point of contact for the reporting of security issues
  • The manufacturer must state the minimum length of time for which the device will receive important security updates

Is the new law enough to fully secure smart devices?

Cybersecurity groups and experts have welcomed the new law, but some have raised concerns about its effectiveness in combatting the mass amount of rising threats. 

Emma Christy, analyst in thematic intelligence at GlobalData, told Verdict that the law was a step in the right direction to strengthen the UK public’s resilience to cyberattacks. 

“The new requirements help firms to protect consumers by mandating minimum standards, increasing transparency about the timing of security updates, and helping consumers to make more informed decisions when buying or using smart devices,” Christy said. 

However, the question remains whether any fines are punitive enough to deter manufacturer non-compliance, Christy added. 

Tim Callan, chief experience officer at cloud security company Sectigo, told VerdIct that despite the government’s steps to improve IoT cybersecurity, it has a long way to go. 

“The UK government has taken steps to improve the security of unsafe IoT devices with the recent PISTI Act. However, while a good starting point, it’s nowhere near enough,” Callan said. 

Callan noted that the UK security law only requires devices to meet three out of thirteen standards from the European Telecommunications Standards Institute.

“That still leaves a major gap in our defences for hackers to infiltrate our smart devices,” Callan said. “If the UK wants to get truly serious about securing our devices, they must push businesses to do more.” 

The PSTI act only applies to new devices and does not address the millions of smart devices already in service.

Alan Calder, CEO of GRC International Group, a global provider of IT governance, risk management and compliance solutions, told Verdict that this means the improvement to the UK’s cybersecurity infrastructure will be gradual.

“It will certainly improve the long-term robustness of the UK’s cyber security infrastructure,” Calder said. However, that will only be gradual because it only applies to new devices.”

“It does not apply retrospectively to the millions of inadequately protected smart devices already in service – and which are replaced over decades rather than months,” he said.

What will the law mean for manufacturers?

The new security standards imposed through the PSTI Act will likely impact manufacturers and IoT companies immediately.

Rick Jones, CEO of cybersecurity company DigitalXRAID, believes the new security expectations could extend the development cycle of new smart products.

Manufacturers will be forced to make time for application security and more quality assessment in production, Jones said.

However, by putting these standards into law, the Government are ensuring that manufacturers prioritising security are not penalised by losing time-to-market, he added.

“Security and speed of production are no longer at odds: this law is raising industry standards across the board and forcing all manufacturers to take note,” Jones told Verdict.

Uncover your next opportunity with expert reports

Steer your business strategy with key data and insights from our latest market research reports and company profiles. Not ready to buy? Start small by downloading a sample report first.

Browse reports

Newsletters by sectors

Pharmaceutical Technology open-new-tab

Just Auto open-new-tab

Leasing Life open-new-tab

View more newsletters

Signup to the newsletter

Your corporate email address *
First name *
Last name *
Company name *
Job title *

I consent to Verdict Media Limited collecting my details provided via this form in accordance with Privacy Policy

close

Sign up to the newsletter: In Brief

Your corporate email address *
First name *
Last name *
Company name *
Job title *
Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

Thank you for subscribing

View all newsletters from across the GlobalData Media network.

close