IT Brief UK - Technology news for CIOs & IT decision-makers
United Kingdom
Guides
#
artificial intelligence
#
digital transformation
#
disaster recovery
#
hybrid & remote work
#
internet of things
Search
Story image
#
DDoS
#
IoT
#
Advanced Persistent Threat Protection

UK's new Act boosts security of digital devices & telecom infrastructure

Fri, 3rd May 2024
Author image
By Catherine Knowles, Journalist

The United Kingdom's new legislation, the Product Security and Telecommunications Infrastructure Act (PTSI), has been enacted today to enhance the security of connected devices in response to the escalating threat posed by insecure digital devices. This Act necessitates that manufacturers, importers, and distributors ensure that minimum cybersecurity necessities are satisfied for any digitally connected product or telecommunication infrastructure within the UK.

David Emm, Principal Security Researcher at Kaspersky, acknowledges the PSTI Act as a significant development that strengthens the 2018 Code of Conduct for consumer IoT. The code presented 13 recommendations for IoT device manufacturers, including those manufacturing routers, cameras, and smart home devices. Interestingly, these items are anticipated to surpass 29 billion by 2030, as per Statista's predictions. "The recommendations clearly haven't provided enough incentive for manufacturers to secure these devices, and for that reason, the Act is welcome. However, it is a shame that not all 13 have found their way into the legislation, with only 3 being given legal force," explained Emm.

With escalating numbers of connected devices, the need for defence against threats has also amplified. These threats often pursue two main infection routes: brute-forcing weak passwords and exploiting vulnerabilities in network services. The Act calls for retailers to enhance password complexity and provide relevant information on reporting security issues. However, Emm considers that these measures need to be expanded.

Kaspersky's recent study revealed that Distributed Denial of Service Attacks (DDoS) performed via IoT botnets were highly sought-after by hackers. In the first half of 2023, Kaspersky analysts saw more than 700 ads for DDoS attack services on numerous dark web forums, with these services' cost ranging from £15 per day to £8,000 per month. Concurrently, Kaspersky honeypots showed that approximately 97.91% of password brute-force attempts targeted Telnet, the widely used unencrypted IoT text protocol.

"It is positive that the Act is requiring manufacturers to say how long they will support the product for," Emm argued. "However, as it stands, this could be hidden away on their websites, which could easily be missed by consumers. This is something that should be available at the point-of-sale. We urge legislators to think through the implications of this in the context of a complex threat landscape."

Emphasising the need for personal responsibility in protecting against cyber threats, Emm highlighted, "Do not presume the new legislation is enough to guard your connected activities. We advise all customers to utilise two-factor authentication where feasible on their connected devices, in addition to enabling encryption on their home routers. These are merely two instances of how individuals can shield against cyber risk."

Enacted on 6 December 2022, the PSTI Act was fully effective from 29 April 2024, signifying a new phase of digital accountability and protection.

Follow us on:
Follow us on LinkedIn Follow us on X
Share on:
Share on LinkedIn Share on X
Related stories
UK consumers concerned as mobile fraud & attacks rise
AI's role in cybersecurity: balancing power & risks
Okta's redrawing its cybersecurity boundaries, says CSO
Pax8 adds Commvault to cloud commerce marketplace for SMBs
Sectigo launches SiteLock 2.0 to enhance SMB security
Top stories
Auctane appoints Ciubotariu as CTO & Lombardi as CFO
SentinelOne & AWS expand collaboration for AI security
Cyber Awareness Month: Tips on leveraging DSPM to improve your security posture
Zscaler report reveals rise in global ransomware attacks
Businesses hindered by inadequate data strategies for AI