Roddy MacCallum, Country Manager, Scotland at Check Point explains what businesses need to know about UK IoT cybersecurity rules.
If you are reading this article, the odds are now higher than ever that you’ll have a piece of wearable technology on you. From smartwatches and ear-worn virtual assistants to fitness trackers that count our steps and double up as mobile heart rate monitors, technology is becoming increasingly entangled in our day-to-day lives.
The surge in wearable tech, no doubt driven by heightened interest in personal well-being and the need for convenience in a hybrid working environment, means that the UK’s IoT ecosystem is now expanding at an unprecedented rate.
Devices once confined to the realm of science fiction, like smart elevators and IP cameras, are now becoming commonplace as business infrastructures in the UK evolve. If that wasn’t enough of a security challenge, throwing wearable technology into the mix – particularly during a time when the majority of employees are splitting their time between home and the office – is creating a very specific headache for CTOs and CISOs.
More devices mean more endpoints and more endpoints mean more opportunities for cybercriminals to breach your network. In other words, the near-exponential growth of the IoT ecosystem – spurred on by the rapid adoption of wearable devices – is broadening the attack surface for bad actors, making businesses of all shapes and sizes increasingly vulnerable as their staff jump from network to network.
Of course, jumping from network to network is an inevitable symptom of hybrid working. The security challenges associated with remote working are well documented, but recent events have brought them to the fore. In a recent survey of more than 450 global IT and security professionals, 45% agreed that organisations were now at higher risk of cyberattacks due to remote working patterns. Supporting remote access for employees’ unmanaged devices was also noted as one of the top administration challenges.
Such is the scale of this rapidly emerging challenge that the UK Government has revealed new cyber laws designed to help protect smart devices from hackers. The Product Security and Telecommunications Infrastructure (PSTI) bill has been created with the overall objective of protecting end users from IoT threats by introducing new security standards that manufacturers are required to follow. The EU has also announced a similar bill in the form of updates to the Radio Equipment Directive, further highlighting the emerging security challenges around IoT expansion.
But while these new measures appear to have been drafted to help prevent the theft of personal data, they say nothing about how IoT devices are increasingly being used as a gateway into corporate networks, both in the office and at home via virtual private networks and remote desktop environments. So what do these new rules mean for the average business, and do they go far enough? First, let’s take a look at how IoT expansion is changing the threat landscape for businesses.
Are threats going unnoticed as our IoT ecosystem grows?
Throughout 2020, browser-based attacks and the social engineering of end users, such as phishing attacks, were the most common endpoint attack vectors. The more endpoints users are exposed to, the greater the risk of one of their devices becoming compromised. Network devices such as routers and desktop PCs have been around for a long time, so even basic security solutions tend to protect them reasonably well. Newer devices, however, such as smartwatches, environmental sensors and even smart cars, tend to be less protected. Current research tells us that only half of all cloud-based endpoints are adequately protected, putting security teams on the back foot.
For instance, 63% of mobile devices such as employee-owned tablets and smartphones are deemed “of concern” and covered, but only 18% of IoT devices such as cameras and sensors are afforded the same level of attention. Alarmingly, given the information outlined above, only 9% of wearables are covered by security measures, with 50% of businesses saying they’re “not a threat of concern”.
This emerging IoT security gap is clearly a concern so any new cybersecurity legislation around the security of wireless devices is to be welcomed. However, can businesses rely on these new directives from the UK and EU alone to patch the inevitable security gaps that are likely to form within their organisations?
What are the new cybersecurity rules being introduced by the UK?
The UK’s PSTI bill, as referenced above, will allow the UK Government to ban things like universal default passwords for manufactured devices and force manufacturers to provide more transparent information to consumers when rolling out security updates and patches. According to the UK’s own figures, the first half of 2021 saw 1.5 billion attempted compromises of IoT devices, double the 2020 figure. Again, while this legislation is certainly welcome, passwords aren’t the only risk vector that bad actors will be looking to exploit.
In the same quarter, the EU announced similar measures in an update to the existing Radio Equipment Directive, which exists to guarantee the safety of wireless devices before they’re sold on the EU market. The update contained new legal requirements for cybersecurity safeguards, forcing manufacturers to think more carefully about cybersecurity in the design and development of their products. Network resilience, consumer privacy and the risk of monetary fraud are all mentioned in the directive. However, in both the UK and EU’s new legislation, there’s very little about endpoints being used as a breach vector for lateral attacks on corporations. That’s a blind spot businesses are going to need to tackle on their own.
What more can businesses do to improve their IoT risk posture?
Legislation that aims to increase the security of wireless devices at the manufacturing stage will always be welcome, but the directives passed by the UK and EU only tell one side of the story. They’re consumer-focused, designed to prevent things like monetary fraud and preserve people’s privacy in their own homes.
Preventing an attacker from gaining access to a home security camera is one thing, but what if that’s not the hacker’s intent? What if their intent is to gain backdoor access to a home network and move laterally until they find their way onto a corporate network by way of a VPN, for instance?
With that in mind, businesses need to keep their guard up. IoT discovery and real-time risk analysis will need to be ramped up in light of this new legislation, not toned down. Zero trust segmentation controls should be put in place to prevent unauthorised access and lateral movement, as outlined above. Known zero-day vulnerabilities should be blocked automatically with virtual patching using real-time IoT threat intelligence. Only then will businesses be able to move forward with confidence as we continue to augment our personal and working lives with wearables and other devices.
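To make the segmentation recommendation concrete, here is an added example (not code from the article, Check Point or any product) of a deny-by-default policy check for an IoT and wearables estate. It takes a device inventory of the kind an IoT discovery tool would produce, evaluates observed network flows against each device's allow-list, and flags anything that crosses from an untrusted segment into the corporate segment, which is the lateral-movement path the article describes. Every subnet, device name, address and flow is constructed sample data, and the function names (`evaluate_flow`, `audit`) are this example's own.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Trust zones and their subnets (constructed sample data)
SEGMENTS = {
    "corporate": ip_network("10.10.0.0/16"),
    "iot": ip_network("10.20.0.0/16"),
    "wearables": ip_network("10.30.0.0/16"),
}
# Segments whose devices are treated as untrusted and must be allow-listed
UNTRUSTED = {"iot", "wearables"}


@dataclass(frozen=True)
class Device:
    name: str
    ip: str
    category: str
    # (destination host, port) pairs this device legitimately needs (constructed)
    allowed_dst: frozenset


# Inventory as an IoT discovery tool might report it (constructed)
INVENTORY = {
    d.ip: d
    for d in (
        Device("lobby-camera-1", "10.20.1.10", "camera",
               frozenset({("203.0.113.10", 443)})),   # vendor cloud (TEST-NET-3 range)
        Device("hvac-sensor-7", "10.20.2.7", "sensor",
               frozenset({("10.20.0.5", 8883)})),     # on-site MQTT broker
        Device("watch-user-42", "10.30.4.21", "smartwatch",
               frozenset({("203.0.113.20", 443)})),   # vendor sync service
    )
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def segment_of(ip: str) -> Optional[str]:
    """Map an address to its trust zone, or None if it is outside all managed segments."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def evaluate_flow(flow: Flow, inventory=INVENTORY):
    """Return (verdict, reason) for one observed flow under a deny-by-default policy."""
    src_seg = segment_of(flow.src)
    dst_seg = segment_of(flow.dst)
    if src_seg not in UNTRUSTED:
        return "allow", "source is not in an untrusted segment; out of scope here"
    device = inventory.get(flow.src)
    if device is None:
        return "deny", "undiscovered device in untrusted segment"
    if dst_seg == "corporate":
        return "deny", f"{device.name} ({device.category}) attempted lateral movement into corporate"
    if (flow.dst, flow.dport) in device.allowed_dst:
        return "allow", f"{device.name}: destination on its allow-list"
    if dst_seg == src_seg:
        return "deny", f"{device.name}: east-west traffic between IoT peers is not permitted"
    return "deny", f"{device.name}: destination not on allow-list"


def audit(flows, inventory=INVENTORY):
    """Evaluate all flows and return the denied ones with their reasons."""
    denied = []
    for f in flows:
        verdict, reason = evaluate_flow(f, inventory)
        if verdict == "deny":
            denied.append((f, reason))
    return denied


# Constructed sample flows: three legitimate, three that segmentation should stop
SAMPLE_FLOWS = [
    Flow("10.20.1.10", "203.0.113.10", 443),   # camera -> vendor cloud (ok)
    Flow("10.20.2.7", "10.20.0.5", 8883),      # sensor -> MQTT broker (ok)
    Flow("10.30.4.21", "203.0.113.20", 443),   # watch -> sync service (ok)
    Flow("10.30.4.21", "10.10.5.20", 445),     # watch -> corporate file server
    Flow("10.20.1.10", "10.20.2.7", 22),       # camera -> sensor, east-west
    Flow("10.20.9.99", "203.0.113.10", 443),   # device never discovered
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"DENY {flow.src} -> {flow.dst}:{flow.dport}  {reason}")
```

The design point is that the allow-list is per device, not per segment: a camera that legitimately reaches its vendor cloud still has no route to a corporate file server or to a neighbouring sensor, and a device that discovery has never seen gets nothing at all. In practice the same decision logic would be fed by the discovery tool's inventory and the firewall or NAC's flow logs rather than the constructed lists above.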
Find out more: https://www.checkpoint.com/
This article was originally published in the March edition of Security Journal UK.