• Peter Groucutt, Managing Director at Databarracks


• 16.01.2019 06:00 am
undisclosed

The content, guidelines and recommendations in the government’s recently introduced Code of Practice are excellent. It addresses the most fundamental cyber security practices in order of criticality and importance. But the scheme doesn’t prohibit non-compliance. We should take inspiration from countries such as the US and Thailand in seeking to make these requirements legally enforceable.

Expert estimates vary in total quantity, but agree we’re now seeing sharp, hockey-stick growth in the number of connected devices. A lack of diligence and care now will lead to trouble later.

Our lack of regulation means we see instances as serious as insecure children’s smartwatches. The Code of Practice will be adhered to by the diligent parties in the IoT supply chain, but it won’t prevent less committed companies favouring profit over security and pushing insecure products to market. The same company that produced these smartwatches was also found to be making insecure video baby monitors earlier last year.

The Code of Practice is currently only for consumer devices such as health trackers, smart home assistants and children’s toys and monitors. We recommend extending this reach.

IoT devices aren’t just found in the consumer world. They are used on corporate networks which are only as strong as their weakest links. For example, last year it was revealed that a casino was hacked via a thermometer in a fish tank. We advocate making the Code legally enforceable which is thankfully something the government is already considering and is an approach supported by several cyber experts.

There is the argument that government interference might limit the UK’s ability to compete with other less regulated markets. But device security is now so fundamental that better regulation could be a competitive advantage and differentiation point for our manufacturers, service providers, developers and retailers.” concludes Groucutt.