bto solicitors - Corporate & Commercial Business Lawyers Glasgow Edinburgh Scotland


Three Steps to Cyber Security: And why you should address it now

23 May 2022

In May 2022, the UK Government published the first part of its Product Security and Telecommunications Infrastructure Bill (“the Bill”). The Bill was published in light of the government’s National Cyber Strategy, which aims to strengthen the UK’s cyber ecosystem and minimise security risks, allowing it to take the lead in global cyber power. These aims might sound abstract; however, in an increasingly digital world it is essential that every business properly considers its cyber security.

Cyber security is increasingly threatened by internet-connected devices, or the Internet of Things (IoT), being technologies that connect a device to a single network (such as smart devices or connected security systems). It is a growing norm for IoT to be used by organisations, and Covid-19 acted as a catalyst through homeworking practices, which as a matter of necessity were rushed in places. Now only 10% of businesses in the UK have not adopted IoT technology and do not have immediate plans to do so.[1]

What are the risks?

The Department for Culture, Media and Sport recently published research[2] identifying a number of risks which we consider can be used as a learning point for businesses.

The key findings were that IT professionals have serious concerns about device safety; however, the use of IoT by businesses continues to grow. Vulnerabilities were regularly found on business devices, putting organisations at risk. In addition, businesses appear unsure how to monitor and protect themselves.

Using the research, we suggest three points for businesses to take away:

Three top tips

Devices have different grades of security depending on the use they were built for. Many businesses have deployed devices with consumer-grade technologies, which are generally more vulnerable. The studies suggest using search engines created specifically for IoT networks to check for vulnerabilities.

  1. Make sure password policies are up to scratch, checks are placed on the third-party apps that can be installed on devices, and software updates are provided when required.

Connected devices are used by both businesses and consumers, which leads to overlap. Businesses may permit their employees to connect to the network with their personal device, or an employee may do so regardless.

  2. Encourage employees only to use business devices on the business network and promote a conversation around the importance of cyber-security.

Devices could connect to the network without an organisation’s knowledge. This may include employee devices connected without permission, or devices that the IT department is not aware of, known as “shadow devices”. Some studies have found as many as 50 unknown devices connecting to an organisation’s network each day.[3]

  3. Organisations should continually check the number of devices connected to their networks to ensure they know every device.

A comment on data protection

The UK GDPR places a legal requirement on businesses to implement data protection by design and by default. Businesses should have data protection in mind before they begin processing personal data, and integrate it throughout their practices; it cannot be slapped on as an afterthought. There must also be appropriate technical and organisational procedures in place to implement the data protection principles, such as accuracy and security.

With a growing focus on cyber security, businesses should consider the risks that this presents to their personal data processes, and build the cures into their devices. This will in turn assist with data protection compliance.

The developing digital landscape

While cyber-security might sound light years away, we are already living in a digital world whether we realise it or not. For example, while Facebook’s announcement of its developing 3D augmented reality Metaverse may seem futuristic, augmented reality has been a part of our lives for a number of years, such as with the use of immersive sat-nav and map services.

The research points out that cyber-threats threaten the world’s digital environment overall, thus the government sees good cyber-security practices as a “public need and a public good.”

The illusion of not understanding these technologies can lead to hesitancy to engage with them, while ignorance can lead to poor security. We consider it important to encourage collaborative conversations so that businesses are cyber-literate and participate in the developing digital world while following the obligations placed upon them.

If you require legal advice on cyber-security please don’t hesitate to get in touch.

[1] Ipsos MORI, Literature review on connected devices within enterprise networks (25 March 2021), Ipsos MORI report (publishing.service.gov.uk).

[2] Ipsos MORI, Literature review on connected devices within enterprise networks (25 March 2021), Ipsos MORI report (publishing.service.gov.uk); and IFF Research, Enterprise connected devices: procurement, usage and management among UK businesses (19 October 2021), DCMS Connected Devices (publishing.service.gov.uk).

[3] Infoblox. 2020. What’s Lurking in the Shadows 2020? Exposing how IoT devices open a portal for chaos across the network.

Paul Motion, Partner & Solicitor Advocate and Accredited Specialist in Data Protection and FOI Law: prm@bto.co.uk / 0131 222 2932

Lily Morrison, Trainee Solicitor: lmo@bto.co.uk / 0131 222 2939
