IoT devices have long been the cyber security elephant in the room, and the recently announced Product Security and Telecommunications Infrastructure Act (PSTI Act), which will require manufacturers of connected devices to meet new minimum security standards, has arguably been needed for some time.
Some of the draft regulations submitted to the UK Government include:
- An end to manufacturers shipping connected products with simple, universal default passwords (we have all received a home router or phone with a predictable one)
- Clear transparency about the minimum period for which security updates will be provided
- A published statement of compliance, referencing standards such as ETSI EN 303 645 and ISO/IEC 29147 (vulnerability disclosure), without which devices cannot be sold in the UK
Fines for non-compliance can reach £10m or 4% of global turnover, whichever is greater, so manufacturers will take it seriously, as they should the reputational harm of a highly publicised breach caused by an exploited vulnerability.
But while these new measures are designed to protect us, there is a danger of an adverse side effect: complacency, born of the mistaken assumption that devices will now be secure by default.
The reality is that ultimate responsibility for the security of connected devices has not shifted. If we choose to use them, as consumers or as employers, we accept the risks they bring, the responsibility to address those risks, and the consequences of a breach.
This means that when we receive a new device we should still change its password, still keep our users constantly ‘cyber aware’ of the latest attack methods, and still protect the devices themselves.
Granted, the applications and the operator networks we use to reach them have their own security measures in place, but the onus is still on us to be vigilant and well prepared.
On a practical level, for employers, protecting connected devices and the applications and data our people access through them should include:
- Changing the password on every new device, even one shipped with a unique, complex password
- Applying firmware and software updates as soon as they are released
- Running endpoint detection and response (EDR) software on devices wherever possible, to spot malware and intrusions
- Considering replacing dated remote-access technology such as VPN with Zero Trust Network Access (ZTNA)
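As an added illustration of how an employer might operationalise the first two points above, here is a small Python audit over a device inventory. It is example code written for this page, not code from the original post or from any vendor, and everything in it is an assumption: the inventory, the default-credential list, the minimum password length, and the audit date. It flags passwords that are known defaults, derivable from the MAC address or serial number, or too short; firmware that is behind the vendor's latest release; and devices whose declared security-update period has already ended.

```python
"""Audit a connected-device inventory for basic hygiene: default or
predictable passwords, firmware behind the vendor's latest release, and
devices past their declared security-update period.

Added example for illustration; the inventory, default-credential list,
policy constants and audit date are all constructed assumptions."""

from datetime import date
from typing import Optional

# Constructed sample of vendor default credentials (assumption; a real
# audit would load a maintained list built from vendor documentation).
KNOWN_DEFAULTS = {"", "admin", "password", "1234", "12345", "123456", "admin123"}

MIN_LENGTH = 8                  # assumed local policy minimum
AUDIT_DATE = date(2024, 5, 1)   # assumed date the audit is run


def password_weakness(password: str, serial: str, mac: str) -> Optional[str]:
    """Return why a device password is unacceptable, or None if it passes.

    Checks the PSTI-style rule that a password must not be a universal
    default and must not be derivable from public identifiers."""
    pw = password.lower()
    if pw in KNOWN_DEFAULTS:
        return "known default or empty password"
    mac_hex = mac.lower().replace(":", "").replace("-", "")
    if len(mac_hex) >= 6 and mac_hex[-6:] in pw:
        return "password derived from MAC address"
    serial_tail = serial.lower()[-4:]
    if len(serial_tail) == 4 and serial_tail in pw:
        return "password derived from serial number"
    if len(pw) < MIN_LENGTH:
        return f"password shorter than {MIN_LENGTH} characters"
    return None


def version_tuple(v: str) -> tuple:
    """Turn a dotted version string into a comparable tuple of ints."""
    return tuple(int(part) for part in v.split("."))


def audit_device(dev: dict, today: date) -> list:
    """Return the list of findings for one inventory entry."""
    findings = []
    weak = password_weakness(dev["password"], dev["serial"], dev["mac"])
    if weak:
        findings.append(weak)
    if version_tuple(dev["firmware_installed"]) < version_tuple(dev["firmware_latest"]):
        findings.append(
            f"firmware {dev['firmware_installed']} behind vendor release {dev['firmware_latest']}"
        )
    if dev["support_end"] < today:
        findings.append(f"security-update support ended {dev['support_end'].isoformat()}")
    return findings


def audit(inventory: list, today: date) -> dict:
    """Audit every device; returns {device name: [findings]}."""
    return {dev["name"]: audit_device(dev, today) for dev in inventory}


# Constructed inventory (assumption): three devices with plausible fields.
INVENTORY = [
    {"name": "lobby-camera", "password": "admin", "serial": "CAM-00012345",
     "mac": "AA:BB:CC:DD:EE:FF", "firmware_installed": "1.2.0",
     "firmware_latest": "1.3.1", "support_end": date(2025, 12, 31)},
    {"name": "meeting-room-hub", "password": "Hub-ddeeff!", "serial": "HUB-99Z88",
     "mac": "10:20:30:DD:EE:FF", "firmware_installed": "4.0.2",
     "firmware_latest": "4.0.2", "support_end": date(2023, 6, 30)},
    {"name": "printer-3f", "password": "K9#v2Lp!qRz7Tm", "serial": "PRN-77A21",
     "mac": "00:11:22:33:44:55", "firmware_installed": "2.8.0",
     "firmware_latest": "2.8.0", "support_end": date(2027, 1, 31)},
]

if __name__ == "__main__":
    for name, findings in audit(INVENTORY, AUDIT_DATE).items():
        print(f"{name}: {'; '.join(findings) if findings else 'OK'}")
```

Run as a script it prints one line per device. In practice the inventory would come from an asset register and the default-credential list from vendor documentation; the point is that the vendor's declared update period (the transparency the draft regulations call for) becomes something you can check against, rather than something you trust.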
It goes without saying that you also need to train your workforce to recognise the latest attack techniques, especially phishing and spoofed emails, which many security tools were never designed to detect or block. That in turn reinforces the need for strong email protection, including domain authentication (SPF, DKIM and DMARC) and anti-phishing filtering.
The PSTI Act is much needed and should be celebrated. But it should never be viewed as a transfer of security responsibility to device manufacturers: that responsibility will always remain with us, as consumers and as employers.