Friday 22 Jan 2021
The UK to embrace Security Labelling of smart devices
The number of IoT devices in UK homes is increasing at a rapid rate. According to a new study from Aviva, the average home in the UK now has 10.3 connected devices, which amounts to more than 286 million nationally.
The average UK household will contain 50 connected devices by 2023 as the Smart Home sub-sector booms, according to British Telecom (BT) Consumer Division. Scary stats when you consider this is now also the same environment where remote workers are carrying out their business duties as we continue to operate within the ‘new norm’.
By 2025, reports estimate that there will be 75 billion Internet-connected devices worldwide – a five-fold increase in ten years.
But the explosion of IoT devices appears to raise major concerns about privacy and security exposure: as far as cybersecurity design is concerned, it leaves a lot to be desired. Many, if not most, IoT devices are designed to optimise general functionality and cost above inbuilt security features. This could leave the customer’s privacy and sensitive data vulnerable or compromised.
With this rapid growth in connected devices, the UK Government has created plans to ensure that millions of household items that are connected to the internet are better protected from cyberattacks.
Many of the internet-connected devices currently on the market still lack even the most basic cybersecurity provisions. Over 90% of 331 manufacturers supplying the UK market in 2018 did not possess a comprehensive vulnerability disclosure programme up to the level the UK Government would expect.
To address this, the UK Government has looked at a much-needed initiative: a new labelling scheme. The scheme may be similar to energy labels, with tiered cybersecurity rating levels that can guide customers into making informed decisions. The security label is intended to instil confidence in customers that their device is safe and secure according to standards.
Manufacturers and Retailers:
Although the current preference is a voluntary initiative to help educate customers and raise their awareness, Governments will need to take a harder stance with regulatory measures if this is really going to take off. If the scheme were voluntary, companies may be unwilling to display a label indicating that a product has poor security.
A mandatory scheme will force manufacturers and retailers to follow the ‘Secure by Design’ principle and ensure that basic cybersecurity features are built into products. These include:
- IoT device passwords must be unique and not resettable to any universal factory setting.
- Manufacturers of IoT products provide a public point of contact as part of a vulnerability disclosure policy.
- Manufacturers explicitly state the minimum length of time for which the device will receive security updates through an end of life policy.
Once enforced, retailers will only be able to sell smart devices that carry an IoT security label and adhere to the three key points above.
The labelling scheme will be welcome news for customers and industry watchdog bodies, as it will empower them to make more informed choices when it comes to purchasing and relying on the technology they are using at home or for accessing services.
However, the onus now shifts onto the customer to ensure that they stay secure online.
Food labelling regulations have helped customers make the right decisions for them, with the Red, Amber and Green colour-coded labelling system and nutritional detail upfront on products. In a similar way, the new labelling system will need to optimise the customer experience, aiding customers’ understanding of the colours and symbols at each of the different tiers, to help expedite the take-up of this initiative.
Without customers being alert, they could find their personal data easily accessible by popular search engines, casual browsing or more determined attackers who could then use their connected devices to mount attacks on others or even steal personal data to commit identity fraud.
To mitigate these loopholes, customers should:
- Research the security of a product before buying – rely on the labelling system to make an informed decision once launched.
- Ensure that their router is secure – protect the ‘gateway’ to all connected devices.
- Change any passwords and usernames from the default factory settings.
- Access their online account securely.
- Always use two-factor authentication where possible.
- Ensure their software and apps are kept updated.
- Visit the manufacturer’s website to look for the latest updates or follow Government advisories if security breaches for their manufacturer are confirmed.
It is great to see the UK and Singapore leading the scheme, hoping that the industry itself will join forces with regard to best practice for the labelling.
And it is off to a great start as Amazon, Philips, Panasonic, Samsung, Miele, Yale and Legrand affirmed their commitment to taking steps to ensure that effective security solutions are being implemented across IoT devices on the market.
Being in the security industry, I welcome this initiative and believe this cannot come soon enough.
However, I am also wary of the impact this will have on customers’ purchasing behaviour. How keen will a customer be to pay for extra levels of security if manufacturers pass this cost onto customers? I’ve been reliably informed that one great thing about this scheme is that unlike other cybersecurity certifications, the price of the certifications is indeed more competitive. One to watch as this unfolds.
There is a real disparity between what the customer actually thinks they are buying and what they are actually buying. A disconnect between how secure the customer thinks their IoT device is and how secure it actually is.
The pace of innovation, competition and the IoT race often means manufacturers and developers are rushing to get devices to customers as fast as possible.
Security may not be on top of their minds. We need all the stakeholders – Government, IoT industry and customers – to come together to make our digital world a secure place.
It comes at a price – the question is will the manufacturers, retailers and customers play ball together before they are forced to? Time will tell – let the game begin.