24th November 2021

New cyber laws are welcome, but long overdue

New laws to protect people’s personal tech from cyber threats, announced by the UK government today, are a step in the right direction, but action should have been taken much sooner.

The Product Security and Telecommunications Infrastructure (PSTI) Bill, introduced to parliament today by Julia Lopez MP and the Department for Digital, Culture, Media & Sport (DCMS), will provide consumers with better protection from attacks by hackers on their phones, tablets, smart TVs, fitness trackers and other internet-connectable devices.

As Julia Lopez, Minister for Media, Data and Digital Infrastructure, notes: “every day hackers attempt to break into people’s smart devices.” Cyber criminals are targeting these products more and more often. Which? recently found that a home filled with smart devices could be exposed to more than 12,000 hacking or unknown scanning attacks from across the world in a single week (yes, 12,000 a week!). With that in mind, a move to mitigate the risk posed to consumers through legislation has been a long time coming.

In the DCMS announcement, the Minister goes on to say: “Most of us assume that if a product is for sale, it’s safe and secure. Yet, many are not [80% of connectable product manufacturers “do not implement appropriate security measures”], putting too many of us at risk of fraud and theft. [The PSTI] Bill will put a firewall around everyday tech from phones and thermostats to dishwashers, baby monitors and doorbells, and see huge fines for those who fall foul of tough new security standards.”

Described by the government as “a new world-leading law”, the Bill will “prevent the sale of consumer connectable products in the UK that do not meet baseline security requirements”. Included in these new cyber laws are the following:

  • A ban on universal default passwords, with new devices required to come with unique passwords that can’t be reset to a universal factory setting.
  • A demand for greater transparency from manufacturers on their efforts to fix security flaws, with companies required to publish the minimum support time for products (i.e. for how long they’ll receive updates and patches).
  • A better vulnerabilities reporting system, including a public point of contact at each manufacturer.

The new cyber laws will apply to imported goods, as well as those manufactured in the UK. Retailers (both on the high street and online) will be subject to the same laws as the manufacturers, ensuring consumers are protected no matter where a product is produced or purchased.

And the laws will apply to all ‘connectable’ devices. From January to June this year, Internet of Things (IoT) devices were targeted by 1.5 billion attempted compromises – double the number in the whole of last year.

Dr Ian Levy, Technical Director of the National Cyber Security Centre (NCSC), which is part of GCHQ, is “delighted by the introduction of this bill which will ensure the security of connected consumer devices and hold device manufacturers to account for upholding basic cyber security.” The Bill was developed jointly by the NCSC and DCMS.

Dr Levy admits that this change “mark[s] the start of the journey to ensure that connected devices on the market meet a security standard that’s recognised as good practice.” With so many connectable devices that don’t meet these standards already for sale and in our homes, we’re facing an uphill battle against cyber criminals. And, as the DCMS announcement points out, “just 1 vulnerable device can put a user’s network at risk.”

For advice on securing your network against cyber threats, contact Graeme McGowan, Cyber Risk & Security Consultant at graeme.mcgowan@esarisk.com, on +44 (0)843 515 8686 or via our contact form.
