What the New Cybersecurity Rules Mean for Businesses and IoT

In the wake of new EU and UK legislation, Roddy Maccallum, Country Manager, Scotland at Check Point Software, offers advice on what businesses can do to improve their security posture.

If you’re reading this article, the odds are now higher than ever that you’ll have a piece of wearable technology on you. From smartwatches and ear-worn virtual assistants, to fitness trackers that count our steps and double up as mobile heart rate monitors, technology is becoming increasingly entangled in our day-to-day lives.

According to Gartner, worldwide end-user spending on wearable technology will total £61.6 billion in 2021, a staggering 18% year-on-year increase. This surge in wearable tech, no doubt driven by heightened interest in personal well-being and the need for convenience in a hybrid working environment, means that our IoT ecosystem is now expanding at an unprecedented rate.

From smart elevators and IP cameras to tablets, laptops and mobile phones, businesses have gotten used to the convenience and capability offered by IoT devices. Throwing wearable technology into the mix, particularly during a time when the majority of employees are splitting their time between home and the office, is creating a very specific headache for CTOs, CISOs and anybody concerned with security. More devices mean more endpoints, and more endpoints mean more opportunities for cybercriminals to breach your network. In other words, the near-exponential growth of the IoT ecosystem – spurred on by the rapid adoption of wearable devices – is broadening the attack surface for bad actors, making businesses of all shapes and sizes increasingly vulnerable as their staff jump from network to network.

Of course, jumping from network to network is an inevitable symptom of hybrid working. The security challenges associated with remote working are well documented, but recent events have brought them to the fore. In a recent survey by Check Point Software of more than 450 global IT and security professionals, 45% agreed that organisations were now at higher risk of cyberattacks due to remote working patterns. Supporting remote access for employees’ unmanaged devices was also noted as one of the top administration challenges.

Such is the scale of this rapidly emerging challenge that the European Commission has announced new legislation for the security of wireless devices. In a similar move, the UK Government has also revealed new cyber laws to help protect so-called ‘smart devices’ from hackers. While these new measures appear to have been drafted to help prevent the theft of personal data, they say nothing about how IoT devices are increasingly being used as a gateway into corporate networks, both in the office and at home via virtual private networks and remote desktop environments. So what do these new rules mean for the average business, and do they go far enough? First, let’s take a look at how IoT expansion is changing the threat landscape for businesses.

Are Threats Going Unnoticed as Our IoT Ecosystem Grows?

According to Statista, browser-based attacks and social engineering of end users, such as phishing, were the most common endpoint attack vectors throughout 2020. The more endpoints a user operates, the greater the chance that one of them becomes compromised. Network devices such as routers and desktop PCs have been around for a long time, so even a basic security solution tends to protect them reasonably well. Newer devices, however, such as smartwatches, environmental sensors and even smart cars, tend to be far less protected. Research from Statista also tells us that only half of all cloud-based endpoints are adequately protected, putting security teams on the back foot.

For instance, 63% of mobile devices such as employee-owned tablets and smartphones are deemed “of concern” and covered by security measures, but only 18% of IoT devices such as cameras and sensors are afforded the same level of attention. Alarmingly, given the figures outlined above, only 9% of wearables are covered, with 50% of businesses saying they are “not a threat of concern”.

This emerging IoT security gap is clearly a concern, so any new cybersecurity legislation around the security of wireless devices is to be welcomed. But can businesses rely on these new directives from the UK and EU alone to patch the inevitable security gaps that are likely to form within their organisations?

What Are the New Cybersecurity Rules Being Introduced by the EU and UK?

In October, the European Commission announced changes to the Radio Equipment Directive designed to guarantee the safety of wireless devices before they’re sold on the EU market. The act introduces legal requirements for cybersecurity safeguards, forcing manufacturers to think more carefully about cybersecurity in the design and development of their products. Network resilience, consumer privacy and the risk of monetary fraud are all addressed. However, there’s very little about endpoints being used as a breach vector for lateral attacks on corporations.

The UK, now separate from the EU, has also introduced the Product Security and Telecommunications Infrastructure Bill (PSTI). This bill will allow the UK Government to ban universal default passwords on manufactured devices, and force manufacturers to give consumers clearer information about security updates and patches. According to the UK’s own figures, the first half of 2021 saw 1.5 billion attempted compromises of IoT devices, double the 2020 figure. Again, while this legislation is certainly welcome, default passwords aren’t the only weakness bad actors will be looking to exploit.

What More Can Businesses Do to Improve Their IoT Security Posture?

Legislation that aims to increase the security of wireless devices at the manufacturing stage will always be welcome, but the directives passed by the UK and EU only tell one side of the story. They’re consumer-focused, designed to prevent things like monetary fraud and preserve people’s privacy in their own homes. Preventing an attacker from gaining access to a home security camera is one thing, but what if that’s not the hacker’s intent? What if their intent is to gain backdoor access to a home network and move laterally until they find their way onto a corporate network by way of a VPN, for instance?

With that in mind, businesses need to keep their guard up. IoT discovery and real-time risk analysis will need to be ramped up in light of this new legislation, not toned down: you cannot segment or patch a device you do not know is on the network. Zero-trust segmentation controls, a default-deny policy between IoT and wearable segments and the corporate assets they have no business reaching, should be put in place to prevent unauthorised access and lateral movement of the kind described above. Exploitation of known vulnerabilities should be blocked automatically at the network layer with virtual patching, driven by real-time IoT threat intelligence, so that devices whose vendors never ship a firmware fix are still protected. Only then will businesses be able to move forward with confidence as we continue to augment our personal and working lives with wearables and other devices.
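As an added illustration of the segmentation control recommended above (this is example code written for this page, not Check Point’s product or any code from the article), the script below models a default-deny zero-trust policy between trust zones and applies it to flow records to flag lateral movement from IoT, wearable and VPN-client segments towards corporate servers. The segment ranges, the allow list, the log format and every flow in the sample log are constructed for the example and are assumptions, not figures from the article.

```python
"""Zero-trust segmentation check over constructed flow records.

Added example, not from the article or from Check Point. It models a
default-deny segmentation policy between IoT/wearable segments and
corporate assets and runs it over sample flow-log lines to flag lateral
movement. All subnets, hosts, ports and flows are hypothetical.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed segment map: which address ranges belong to which trust zone.
SEGMENTS = {
    "iot": ip_network("10.10.0.0/24"),          # cameras, sensors, smart TVs
    "wearable": ip_network("10.11.0.0/24"),     # watches / trackers on Wi-Fi
    "vpn_clients": ip_network("10.20.0.0/24"),  # remote-worker VPN pool
    "corp_servers": ip_network("10.30.0.0/24"),
    "mgmt": ip_network("10.40.0.0/24"),         # NVR / device-management hosts
}

# Explicit allow list of (src_segment, dst_segment, dst_port). Anything not
# listed is denied: that is the zero-trust default. IoT devices may only
# talk to the management segment on 443, wearables reach nothing internal,
# and VPN clients reach corporate servers on 443 only.
ALLOW = {
    ("iot", "mgmt", 443),
    ("mgmt", "iot", 443),
    ("mgmt", "corp_servers", 22),
    ("vpn_clients", "corp_servers", 443),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def segment_of(addr):
    """Return the segment name an address belongs to, or 'unknown'."""
    ip = ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "unknown"


def is_allowed(flow):
    """Default-deny: a flow passes only if an explicit allow entry matches.
    Intra-segment traffic is denied too, modelling micro-segmentation so a
    compromised camera cannot pivot to its neighbours."""
    return (segment_of(flow.src), segment_of(flow.dst), flow.dport) in ALLOW


def parse_flow_line(line):
    """Parse one constructed flow-log line of the form
    'src=10.10.0.5 dst=10.30.0.10 dport=445 proto=tcp'."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(fields["src"], fields["dst"], int(fields["dport"]),
                fields.get("proto", "tcp"))


def find_violations(lines):
    """Return (flow, src_segment, dst_segment) for every denied flow."""
    violations = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow_line(line)
        if not is_allowed(flow):
            violations.append((flow, segment_of(flow.src), segment_of(flow.dst)))
    return violations


# Constructed sample log: a camera trying SMB against a file server, a
# wearable probing a domain controller over LDAP, a VPN client attempting
# RDP, a camera scanning a neighbouring camera, plus two legitimate flows.
SAMPLE_LOG = """
# constructed sample flows
src=10.10.0.5 dst=10.40.0.2 dport=443 proto=tcp
src=10.10.0.5 dst=10.30.0.10 dport=445 proto=tcp
src=10.11.0.7 dst=10.30.0.20 dport=389 proto=tcp
src=10.20.0.15 dst=10.30.0.10 dport=443 proto=tcp
src=10.20.0.15 dst=10.30.0.10 dport=3389 proto=tcp
src=10.10.0.5 dst=10.10.0.6 dport=80 proto=tcp
"""

if __name__ == "__main__":
    for flow, src_seg, dst_seg in find_violations(SAMPLE_LOG.splitlines()):
        print(f"DENY {src_seg}->{dst_seg} "
              f"{flow.src}->{flow.dst}:{flow.dport}/{flow.proto}")
```

Run as-is it reports the four flows that cross a segment boundary without an allow entry (the SMB, LDAP and RDP attempts, and the camera-to-camera probe) and passes the two legitimate ones. The same allow list is what you would express as firewall or micro-segmentation rules; keeping it as data makes it easy to diff against what discovery actually finds on the network.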

By Roddy Maccallum, Country Manager, Scotland at Check Point Software.
