New laws in the UK to protect users of smart devices are encouraging, but companies also need to ensure remote workers are fully protected, says AJ Thompson, CCO of IT firm Northdoor plc.
The Government is introducing new laws to help protect users of smart devices. The pandemic saw a huge surge in sales of smart devices as the British public looked for ways to ensure that they could continue communicating and working effectively.
Government research found that nearly half (49 percent) of British households purchased a smart device of some kind during the lockdown period. The influx of new devices, and old ones brought back into service by those looking for an immediate resolution to their remote working issues, has offered an opportunity to cyber-criminals. There has been an increase in the number and level of sophistication of cyber-attacks, many taking advantage of users unfamiliar with their new device, or unprotected out-dated equipment.
This in turn has had an effect on the risk of organisations becoming victims of cyber-crime with criminals gaining access to infrastructure and data via users working from home.
New devices, same issues
The research also showed that six in ten people (57 percent) in the UK reported an increase in their household use of smart devices. This increased use is likely to be a result of many things, but drilling down into the figures, the age groups that have increased the most are those that are likely to be working (25-34: 65 percent; 35-44: 60 percent; 45-54: 53 percent; 55-64: 53 percent). One can therefore predict that many of these devices are being used for work purposes.
Office for National Statistics data has shown that 32 percent of the UK workforce is working remotely, and in order to do so devices were needed to allow them to work effectively. Indeed, IDC found that during 2020 PC vendors shipped 302 million units across the globe, an annual increase of 13.1 percent.
Such a huge shift in working environments has inevitably meant there have been resulting issues. Bring Your Own Device (BYOD) has been a business issue impacting companies for several years. The security implications of employees bringing their own devices into the corporate environment are well documented: insecure passwords, older devices that are no longer supported, and devices that have not been recently patched.
This BYOD problem has been exacerbated by the pandemic. In many cases employees are not only using their own devices but are now doing so outside the corporate network. Any protection that working in the office provided has now gone, but employees are still logging into sensitive networks.
One of the major issues is that older devices are no longer supported by manufacturers. This means that they are no longer automatically updated with the latest updates or security patches, leaving them vulnerable to attack. Many individuals have no idea when that support ended and are oblivious to the fact that, as a result, they are leaving the door open for cyber-criminals to enter. Another factor is that many of these new devices come from factories with universal default passwords such as ‘password’ or ‘admin’. Again, unless an individual changes these passwords, they provide an open invitation for cyber-criminals to easily guess them and gain access to whatever the individual had logged onto.
With more smart devices being used in the UK and cyber-attacks increasing in volume and sophistication all of the time, the Government has stepped in to help protect individuals. The new planned law means that customers must be informed at the point of sale of the duration of time for which a smart device will receive security software updates. It will also ban manufacturers from using universal default passwords on devices, helping to ensure criminals cannot simply guess the password to gain access to a device. There are also plans to make manufacturers provide a public point of contact to make it easier for members of the public to report vulnerabilities on devices. The legislation is intended to be introduced as soon as parliamentary time allows.
The Government’s intention here is promising. By forcing technology companies to be very clear about when devices will no longer be supported, individuals and organisations are better equipped to protect themselves and their networks, as well as to understand how vulnerable they are without support. The rate at which cyber-criminals are adding layers of sophistication to their attacks means that tech firms are constantly playing catch-up with security updates and patches anyway. Those that are no longer supported are therefore at a massively increased risk of being hacked. By adding these layers of transparency that outline when devices are no longer supported and ensuring better security when the equipment leaves the factory, the Government has gone some way to lower the level of risk to home workers.
Companies need to support employees
Whilst the Government’s actions are an important step to placing some of the emphasis on manufacturers and tech companies, organisations also need to continue to support employees working outside of the corporate network. The upheaval caused by the pandemic has piled pressure on IT and security teams within organisations to ensure connections and devices are as secure as possible, whilst allowing business continuity.
Some are turning to consultancies to support IT security. Managed services give departments and the C-suite peace of mind, as they ensure a constant vigilance against cyber-attack. They also mean that any patches or updates are recognised and implemented, and that an extended team is on hand to help employees work securely from home.
Such support alongside the Government’s actions will go a long way to help close vulnerabilities and reduce the apparent ease with which cyber-criminals can gain access to devices and corporate networks. However, complacency cannot be allowed to drift in. Cyber-security is not a tick-box exercise; it is a constant and ever-changing environment in which companies have to support their employees to protect data.