Executive summary

The UK Government has released new legislation to protect consumers from cyber criminals. 

The regime comprises of two pieces of legislation: 

• Part 1 of the Product Security and Telecommunications Infrastructure (PSTI) Act 2022; and 

• The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023.

Now that this new legislation is in force, the UK’s consumer connectable product security regime will be enforced, aiming to protect consumers against hacking and cyber attacks. This regulation sets out the minimum-security standards that all IoT (Internet of Things) devices are now legally obliged to meet.

What are the security requirements?

The regulations set out specific requirements that the relevant people, manufacturer, importer and distributor of the products have to follow:

1.      Passwords must be unique per the product. This includes banning common and easily guessable passwords for example admin or 12345 to prevent vulnerabilities and hacking.

2.      The manufacturer must provide clear and transparent information on how to report security issues about their product.  Manufacturers are also obligated to provide information on timescales of acknowledging, reporting and updating the status of security issues to the consumer until they have been resolved.

3.      The manufacturers and retailers must publish to consumers in a clear and accessible way, the minimum time they can expect to receive important security updates. This information should be available without prior request in English and free of charge.

While these security requirements demonstrate the seriousness in which the Government regards cyber security, they should not be relied upon alone and organisations ensure they are employing their own controls such as changing default passwords, performing vulnerability scanning and conducting timely patch management. Effective cyber security requires multiple layers of defence

The official UK Government legislation can be found below:

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

We receive consistently positive feedback on our cyber security senior leadership risk and governance workshops. Our events are designed for business leaders with no knowledge of cyber risk management: we demystify and explain the key concepts, with an open conversation for you to ask any questions of our cyber security experts. We share insights from our cyber security threat intelligence research, and we go under the skin of recent incidents across the world to help you understand how to avoid being a victim. This is our flagship senior executive education, turning a challenging topic into an enjoyable learning experience.

Until the end of April 2024, we are offering a 15% discount on our workshops for new customers. Events must be delivered by end July 2024; contact us for details on training@blackarrowcyber.com

Executive Summary

The latest UK Government cyber security breaches survey has found that over half of businesses (50%) and a third of charities (32%) have suffered a cyber breach within the last 12 months. This rises to 70% for medium businesses and 66% for charities with over £500,000 in annual income. Phishing held the crown for the most predominant, impacting a significant 84% of businesses, followed by impersonation of organisations in emails or online (35% of businesses and 37% of charities). Despite the likelihood of an attack occurring, 78% of organisations remained without a formal incident response plan.

What’s the risk?

The largest impacts from being breached included: added staff time, staff prevented from carrying out daily work, repair or recovery costs, complaints from customers and loss of revenue or share value. When it came to reporting such breaches, a concerningly low 5% of businesses had informed clients and customers. Organisations must consider this, as this could mean that their supply chain has been breached without them even knowing.

The survey found that of those who had been impacted by a breach, 59% of businesses and 70% of charities reported taking action to prevent further breaches. The most common action taken to prevent further breaches for both was additional staff training. The findings highlight the importance and crucial role of staff in your organisation’s cyber security efforts.

Worryingly, despite finding that overall findings showing 80% of business run training consistently, 52% of medium businesses and only 18% of charities overall had run training sessions in the last 12 months. This figure rose to 74% for large businesses. Clearly, with the two highest causes of breaches targeting the human factor, effective and regular training to keep up to date with emerging tactics must be a top concern for organisations.

What can I do?

It is one thing to regularly run training, but it is another to make sure that training is engaging and beneficial for staff, including those at a senior level. Our training sessions are run by our cyber experts, who work with firms day in and day out to help businesses protect themselves against the latest threats. We demystify cyber security and help your employees and your leadership team to understand the risks they face in their working lives and how to protect your company.

Cyber is a matter of when, not if, and you need to have a plan. No-one wants to be improvising their security response in the event of a real cyber incident. Black Arrow works with organisations of all sizes and sectors to design and prepare for managing a cyber security incident; this can include an Incident Response Plan and an educational tabletop exercise for the leadership team that highlights the proportionate controls to help the organisation prevent and mitigate an incident.

The UK Government Cyber Breaches Survey 2024 can be found below:

https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2024/cyber-security-breaches-survey-2024

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

Although the new EU Digital Operational Resilience Act (DORA) applies to regulated financial services organisations in the EU from January, the effects will be felt in the Channel Islands.

For example, if you are a fund or asset manager for a regulated EU financial services client, then you will feature on your client’s new DORA risk register that must address the risk exposure to and from other financial entities.

We expect your client will contact you to evaluate your cyber security controls. The outcome may determine whether your EU client can continue a business relationship depending on the quality of your cyber risk management, the EU client’s own risk appetite, and their interpretation of their local regulatory compliance.

Remember you will be dealing with an EU client that has been deep-diving into DORA for some time, so their knowledge and experience on this may be greater than yours at present and their questions may be challenging. Remember too that DORA includes managing the risks of third-party IT providers, so your risk analysis and management must be independent of your IT provider.

We know how long the journey can be for some organisations to implement proportionate cyber risk controls across people, operations, and technology. Your approach to managing cyber security risks is now a key competitive advantage, when your client compares your approach to that of your competitors locally and in other locations. 

We recommend starting now, to avoid being on the back foot when contacted by your EU clients. The UK Government has expressed its intention to implement similar legislation in the UK.

Contact us now to discuss our refined cyber risk analysis and leadership training designed for Channel Islands customers.

Although the new EU Digital Operational Resilience Act (DORA) applies to regulated financial services organisations in the EU from January, the effects will be felt in the London fund and asset management sector.

If you have regulated EU financial services clients for example in Ireland or Luxembourg, then you will feature on their new DORA risk register that must address the risk exposure to and from other financial entities.

We expect your client will contact you to evaluate your cyber security controls. The outcome may determine whether your EU client can continue a business relationship depending on the quality of your cyber risk management, the EU client’s own risk appetite, and their interpretation of their local regulatory compliance.

Remember you will be dealing with an EU client that has been deep-diving into DORA for some time, so their knowledge and experience on this may be greater than yours at present and their questions may be challenging. Remember too that DORA includes managing the risks of third-party IT providers, so your risk analysis and management must be independent of your IT provider.

We know how long the journey can be for some organisations to implement proportionate cyber risk controls across people, operations, and technology. Your approach to managing cyber security risks is now a key competitive advantage, when your client compares your approach to that of your competitors locally and in other locations. 

We recommend starting now, to avoid being on the back foot when contacted by your EU clients. The UK Government has expressed its intention to implement similar legislation in the UK.

Join our free webinar at 12:00 noon on Tuesday 21 May 2024, to learn more including how to conduct a proportionate cyber risk analysis and prepare for conversations with your clients. Places are limited. Contact us for details on training@blackarrowcyber.com.