The UK’s IoT Security Move

Do you know the most popular compromise point for cyberattackers? It is the router, an IoT device that’s in every home or office today. That’s why IoT security is a must in this interconnected world.

You don’t believe us? Hear us out!

According to a survey by the UK-based company Broadband Genie, which is also cited by IBM, 86% of respondents say that they have never changed their router admin password. Plus, 52% say that they have never adjusted any factory settings in the router.

This makes it easier for bad actors to access these devices and attack the server or the network.

That’s why seeking secure IoT solutions from an IoT development company in London is a must.

While customers may be unaware of the consequences, the UK government and businesses should make them aware of the dangers that come with not changing the default passwords or keeping the same password for everything (password fatigue).

In 2024, the UK became the first country to ban IoT devices with default passwords under the PSTI Act. The law enforces stricter security rules like unique passwords, regular updates, and vulnerability reporting, applying even to imported devices. Non-compliance can lead to heavy fines, reputational damage, and bans on selling products in the UK.

Do you want to learn more about the IoT security law and its implications on businesses?

You’ve landed on the right blog!

Before diving deep into the Act, let’s explore why IoT security came into the picture in the first place.

What was the UK’s IoT Security Move?

Do you remember the 2016 Mirai Botnet Attacks?

The botnet attacks took down the majority of the American internet. It was a DDoS (Distributed Denial-of-Service) attack, as the Guardian reported, citing the Department of Homeland Security.

[Figure: locations of Mirai-infected devices discovered so far. Source: Thales]

What is a DDoS attack?

It is a cyber-attack that floods the targeted server, network, or service with traffic from many compromised sources. Together, these compromised sources can form a botnet. The aim is to prevent real users from accessing the server, service, or network.

Didn’t get it?

Imagine this. You have a store that has one entry and exit. Customers come through that door to buy whatever you sell.

Now, suddenly, a lot of fake customers (in thousands) try to come through that door. So, the door gets jammed due to the crowd. In the process, your real customers can’t buy your products because they can’t come through that door.

The DDoS attack is similar to fake customers. Hackers send in so many requests and messages that your website gets too busy to let the real messages and requests (from real customers) in.

The 2016 Mirai Botnet attack was one such DDoS attack. However, this was not the first time the Mirai Botnet was used to infect servers.

This attack was so powerful that it affected some of the big sites like Spotify, Twitter (now X), Netflix, CNN, The Guardian, The NY Times, the Wall Street Journal, and so on. However, the primary target was Dyn’s servers that control the DNS infrastructure of websites.

What does the 2016 Mirai Botnet attack have to do with IoT security?

Previously, botnets were made of computers. But, in the case of Mirai, instead of computers, IoT devices were used. These devices included DVR players and digital cameras.

As there are a lot of devices (bots) to choose from, Mirai attacks are larger and more dangerous than other DDoS attacks. In the 2016 attack, Dyn (the target) identified more than 100,000 malicious endpoints.

This made the attack twice as powerful and dangerous as any recorded DDoS attack.

“I couldn’t recall a DDoS attack even half as big as the one that hit Dyn”— David Fidler, Adjunct Senior Fellow for Cybersecurity, Council on Foreign Relations.

This shows how IoT devices can be used by bad actors to attack systems, networks, or servers. Hence, IoT security is a must for businesses and products.

This Mirai Botnet attack was just an example of it. The IoT devices can be used for malware infections, MitM (Man in the Middle) attacks, firmware attacks, and so on.

What was the 2024 UK Government’s Move on IoT Security?

In 2024, the UK became the first country to ban the sale of IoT devices that have default passwords.

This is a major step in hardening IoT security in the UK.

This provision comes under the UK’s Product Security and Telecommunications Infrastructure (PSTI) Act. It will force manufacturers and vendors to adopt a security standard.

This law covers the majority of IoT devices that are being sold in the UK.

According to the NCSC (National Cyber Security Centre), IoT devices with default passwords can be easily discovered and shared online.

So, suppose a default password is being used. In that case, a malicious actor might log into the device and use it to gain access to networks and conduct attacks.

There are other important aspects as well.

  • Manufacturers and vendors must provide a PoC (Point of Contact) to whom IoT security issues can be reported.
  • These makers should also specify the period for which the device will receive security updates.

What’s more? These rules apply to imported IoT devices, too.

Failure to adhere to these rules can result in businesses being fined up to 10 million GBP or 4% of their qualifying worldwide revenue.

Why is IoT Security Essential for Businesses?

Before understanding why IoT security is important for businesses, let’s take a brief look at what IoT is and what the latest IoT trends related to security are.

What is IoT?

IoT, or Internet of Things, is a network of devices, appliances, vehicles, and other objects. They are embedded with software, network connectivity, and sensors, which allow them to share and collect data.

The concept of IoT is not restricted to smart home devices. IoT goes beyond that as whole cities can be transformed through this technology, known as smart cities.

The technology allows smart devices to communicate with each other and with devices connected to the internet. The interconnected nature of these devices allows them to exchange data and do autonomous tasks like:

  • Analysing the environmental conditions in a farm
  • Managing and controlling traffic with smart automobiles
  • Controlling processes and machines in factories
  • Tracking shipments and inventory in warehouses

The Impact of IoT Security

It is quite evident from the above that the IoT technology has massive potential and is extensively used in industries.

Statistics suggest that the number of interconnected IoT devices stands at around 20 billion in the world, with 4 billion in Europe alone in 2025. The total number of IoT devices exceeds the total population of the world, which is around 8.2 billion.

This number is expected to grow to 31 billion by 2030. IoT devices in Europe are expected to reach 6 billion during the same period.

That’s how interconnected this world is right now!

A single vulnerability in a smart device can expose the whole network. The device can act as a gateway through which attackers reach the network or server and gain complete control over it.

So, in a business where every device is interconnected, a small vulnerability in an IoT device can compromise all the company and customer data. This can be catastrophic.

What Happens When IoT Security is Ignored

  • Lack of security updates: In this competitive world, every business wants its IoT devices to reach the market faster than its competitors’. This means that more often than not, the IoT security risks are ignored or overlooked. In some cases, even the security updates are not released regularly. This device security lapse can make confidential data vulnerable and can even open doors to bad actors.
  • Hacking: A majority of smart devices come with default passwords. These passwords are weak. Hence, not changing the passwords can make these devices vulnerable to brute-force attacks and other hacking attempts.
  • Ransomware and malware: As the number of IoT devices rises, the chances of ransomware and malware attacks rise with it. Cyber exploitation is bound to increase. And as expected, botnet attacks will play a major role in challenging IoT security.
  • Data compromise: The smart devices driven by IoT collect, transfer, store, and process user data. Often, hackers can break into these devices without sufficient IoT security, and they can sell this data to third parties.
  • Cyberattacks: A compromised IoT device can be used for DDoS attacks, as seen in the Mirai botnet cases. These devices are used as launch pads to initiate attacks to infect servers, networks, and machines.

By now, you probably know how important it is to focus on IoT security. So, the UK government’s IoT security move is justified.

The Effects of the 2024 IoT Security Law on Businesses in the UK

It’s important that we discuss the PSTI Act 2024 in general and try to understand its implications for businesses in the UK.

This law marks a major shift in the government’s attitude toward IoT security.

The Act isn’t a suggestion but a legal mandate with a huge impact on businesses in the IoT sector. And, ignoring it is not an option.

First and foremost, the financial penalties for non-compliance are severe. The businesses that fail to comply not only face fines but are also charged with daily penalties for any ongoing breach.

These financial penalties can impact the revenue share of the business.

Secondly, the Office for Product Safety and Standards (OPSS), which is the apex body for enforcing the PSTI Act, has the power to make the failures public.

So, these are not minor deterrents; they damage the reputation of the business along with its revenue.

Today, most users are very conscious about their data privacy and security.

If the OPSS publicises your business as non-compliant, the users will find it difficult to trust your business. This will impact your business’s reputation, leading to loss of leads and existing customers.

And what about market access?

The Act directly bans the products of the businesses that fail to comply with its regulations. This means the businesses can’t sell their products in the UK legally.

Hence, businesses need to adhere to these rules for their existing inventory of IoT devices and their future products.

The Act is aimed at enhancing product security. The PSTI Act mandates:

  • Unique passwords
  • VDP (Vulnerability Disclosure Policies)
  • Commitments to regular security updates
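An added example (not from the original article or from the Act’s text): a pre-shipment audit of a constructed device manifest against the three requirements listed above. The field names, the manifest and the short default-password list are assumptions made for illustration.

```python
from collections import Counter
from datetime import date

# Constructed sample of common factory defaults; a real audit would use a maintained list.
COMMON_DEFAULTS = {"admin", "password", "12345", "root", "default"}

# Constructed fleet manifest. All field names are hypothetical; passwords are shown
# in plaintext only for readability (a real pipeline would compare hashes).
FLEET = [
    {"serial": "CAM-0001", "password": "admin", "vuln_contact": "security@example.com", "support_until": "2029-06-30"},
    {"serial": "CAM-0002", "password": "T7#qv9Lm2x", "vuln_contact": "security@example.com", "support_until": "2029-06-30"},
    {"serial": "DVR-0003", "password": "T7#qv9Lm2x", "vuln_contact": "", "support_until": "2029-06-30"},
    {"serial": "DVR-0004", "password": "p4Gz!81wRk", "vuln_contact": "security@example.com", "support_until": None},
    {"serial": "HUB-0005", "password": "Zk3$hN60bq", "vuln_contact": "security@example.com", "support_until": "2023-01-31"},
    {"serial": "HUB-0006", "password": "uE9&yc25Vd", "vuln_contact": "security@example.com", "support_until": "2030-12-31"},
]

def audit_fleet(fleet, today):
    """Return {serial: [findings]} for every device that fails at least one check."""
    reuse = Counter(d.get("password") or "" for d in fleet)
    report = {}
    for d in fleet:
        findings = []
        pw = d.get("password") or ""
        if not pw:
            findings.append("no-password")
        elif pw.lower() in COMMON_DEFAULTS:
            findings.append("default-password")
        elif reuse[pw] > 1:
            # The same credential on several units is a default in all but name.
            findings.append("shared-password")
        if not d.get("vuln_contact"):
            findings.append("no-vulnerability-contact")
        end = d.get("support_until")
        if not end:
            findings.append("no-support-period")
        elif date.fromisoformat(end) < today:
            findings.append("support-period-expired")
        if findings:
            report[d["serial"]] = findings
    return report

if __name__ == "__main__":
    for serial, findings in audit_fleet(FLEET, date(2025, 1, 1)).items():
        print(serial, ", ".join(findings))
```
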

This Act pushes businesses towards something called the “Security-by-Design” approach.

How does the 2024 PSTI Act help businesses in the UK?

  • Reduce the chances of expensive data breaches
  • Protection against cyber attacks
  • Reduce the burden on customer support

The PSTI Act is in line with a popular trend: IoT security.

Even the EU enacted something similar called the EU Cyber Resilience Act in 2024.

Benefits of Implementing IoT Security in Products

If you want to boost your business growth in the UK, you must comply with the provisions of the Act. It is not optional, and for pretty good reasons.

This Act isn’t only for the users of these smart devices, but it has a great deal of benefits for the businesses that comply. So, IoT security is highly beneficial for businesses in the UK and worldwide.

Let’s discuss how IoT security can help businesses.

1. Builds Trust and Loyalty

Secure devices give customers the assurance that their data is in safe hands and that the devices are protected. On one hand, this increases IoT adoption, and on the other, it fosters loyalty among users towards your business. These loyal customers will also be your brand advocates who’ll say things about you that build your reputation.

2. Makes Sure User Data is Secure

Strong encryption protects the customer data from malicious actors. As these devices gather sensitive data, making sure it remains private is one of the top priorities of IoT security. This way, the users will know that their data is safe.

3. Helps your Business Stand Out

IoT security makes sure that the product will not fail, even in the hands of expert cybercriminals. This assures your customers that your business follows the best practices and prioritises their safety, leading to an exceptional user experience. This can be a deciding factor for someone who wants to buy a product that you sell.

The IoT Security Law was the Need of the Hour: Are you Keeping Up?

The smart device adoption rate is increasing day by day, and it’s not going to stop anytime soon. As the adoption rate skyrockets, malicious actors will prey on ignorance and vulnerabilities. Hence, IoT security is the need of the hour.

The Mirai botnet attacks were instances that showed the extent of damage bad actors can inflict by simply using insecure IoT devices.

Acts like the 2020 IoT Cybersecurity Improvement Act in the US and the EU Cyber Resilience Act tell us how critical IoT security is.

So, the UK’s PSTI Act (2024) and the consequent ban on IoT devices with default passwords show that the UK government is following in the footsteps of the aforementioned acts to strengthen the IoT security landscape in the country.

Do you want to learn more about how to implement IoT security for business or your products? Book a call with Webskitters Ltd. and boost your security strategy with us.

FAQs

What is the 2024 UK IoT security law (PSTI Act)?

It’s a law that bans IoT devices with default passwords and enforces stricter security standards.

Why did the UK ban IoT devices with default passwords?

It is because default passwords make devices easy targets for hackers and cyberattacks.

What happens if businesses don’t comply with the PSTI Act?

They can face fines up to £10 million, reputational damage, and sales bans in the UK.

How does IoT security benefit businesses?

It protects customer data, builds trust, and reduces risks of costly cyber breaches.

Do imported IoT devices also need to follow this IoT security law?

Yes, the PSTI Act applies to both UK-made and imported IoT devices.
