New cybersecurity standards come into effect for smart technology

Manufacturers of smart devices now must comply with new standards to minimise the cybersecurity risk to businesses’ and individuals’ data from internet-enabled technology.

The UK is the first country in the world to set minimum security standards in law aimed at making it harder for cyber criminals to access networks through basic vulnerabilities in other devices connected to the internet, such as smartphones, TVs, games consoles, household appliances and office technology. Rules include a ban on easily guessable default passwords, a requirement to publish contact details to report bugs and issues, and transparency on the minimum length of time a product will be supported with security updates.

Action on cybersecurity vulnerabilities on smart products aims to prevent threats like the damaging Mirai attack in 2016, which saw 300,000 smart products compromised due to weak security features and used to attack major internet platforms and services on US East Coast. Since then, similar attacks have occurred on UK banks including Lloyds and RBS leading to disruption to customers. 

Recent figures show 99% of UK adults own at least one smart device and UK households own an average of nine connected devices, with an investigation by Which? finding a total of 2,684 attempts were needed to guess weak default passwords on just five devices.

Minister for Cyber, Viscount Camrose said:

“As every-day life becomes increasingly dependent on connected devices, the threats generated by the internet multiply and become even greater.

“From today, consumers will have greater peace of mind that their smart devices are protected from cyber criminals, as we introduce world first laws that will make sure their personal privacy, data and finances are safe.

“We are committed to making the UK the safest place in the world to be online and these new regulations mark a significant leap towards a more secure digital world.”

Data and Digital Infrastructure Minister, Julia Lopez, said:

“Today marks a new era where consumers can have greater confidence that their smart devices, such as phones and broadband routers, are shielded from cyber threats, and the integrity of personal privacy, data and finances better protected.

“Our pledge to establish the UK as the global standard for online safety takes a big step forward with these regulations, moving us closer to our goal of a digitally secure future.“

OPSS Chief Executive, Graham Russell said:

“The use and ownership of consumer products that can connect to the internet or a network is growing rapidly. UK consumers should be able to trust that these products are designed and built with security in mind, protecting them from the increasing cyber threats to connectable devices.

“As the UK’s product regulator, OPSS will be ensuring consumers can have that confidence by working with the industry to encourage innovation and compliance with these new laws.“

NCSC Deputy Director for Economy and Society, Sarah Lyons said:

“Smart devices have become an important part of our daily lives, improving our connectivity at home and at work; however, we know this dependency also presents an opportunity for cyber criminals.

“Businesses have a major role to play in protecting the public by ensuring the smart products they manufacture, import or distribute provide ongoing protection against cyber-attacks and this landmark Act will help consumers to make informed decisions about the security of products they buy.

“I encourage all businesses and consumers to read the NCSC’s point of sale leaflet, which explains how the new Product Security and Telecommunications Infrastructure (PSTI) regulation affects them and how smart devices can be used securely.“