The UK Government's law outline will provide a necessary first step in enhancing IoT device security

The UK Government has unveiled new regulatory proposals for the consumer Internet of Things (IoT), forcing the IoT ecosystem to take a more rigorous and conscious approach to cybersecurity. With an estimated 75 billion internet-connected devices forecast worldwide for 2025, there is no denying that IoT is becoming a more integral part of our lives; yet with this come increased security risks.

Whilst the new law outlines requirements for unique passwords, no ‘factory reset’ options, vulnerability reporting functions and minimum timeframes for security updates, Paul Farrington, CTO of EMEA at Veracode, believes that, because manufacturers are some of the worst offenders when it comes to fixing flaws, the proposal should be extended to ensure they are building in software security at the early stages.

Below is a comment from Paul on the topic. Please let me know if you’re interested in running it in a story. Alternatively, we can offer you a briefing or opinion piece from Paul to discuss this issue further.

Paul Farrington, CTO of EMEA at Veracode:

“The outcome of the consultation will provide a necessary first step in enhancing IoT device security. The Government has attempted to balance the needs of industry with those of users. Removing default passwords, coordinating vulnerability reporting and bringing clarity to technical support coverage is progress. These measures do fall well short of what is necessary to protect users. Research shows that manufacturing is one of the worst sectors at dealing with security bugs. 83% of software apps have at least one security issue. On average, firms take 171 days to fix a security defect. Improving ways for people to report problems is really a bare minimum. What we really need is a way for IoT device manufacturers to evidence how they are building security into the process, at the earliest stages. The toy industry has had to do something similar around safety-testing for decades. The Government will need to revisit IoT security legislation again before too long.”