New laws to protect consumers from cyber criminals come into force

From today, regulations enforcing consumer protections against hacking and cyber-attacks will take effect, mandating that internet-connected smart devices meet minimum-security standards by law.

  • World-first laws protecting UK consumers and businesses from hacking and cyber-attacks take effect today
  • Manufacturers of products such as phones, TVs and smart doorbells are now required to implement minimum security standards against cyber threats
  • Consumers will benefit from the banning of easily guessable default passwords, marking a significant leap in protecting individuals, society and the economy from cyber criminals

Consumer protections against hacking and cyber-attacks will come into force today, as all internet connected smart devices will be required by law to meet minimum-security standards. 

Manufacturers will be legally required to protect consumers by preventing hackers and cyber criminals from accessing devices with internet or network connectivity – from smartphones to games consoles and connected fridges – as the UK becomes the first country in the world to introduce these laws.

Under the new regime, manufacturers will be banned from shipping weak, easily guessable default passwords like ‘admin’ or ‘12345’, and if a device does carry a common password the user will be prompted to change it on start-up.

This will help prevent threats like the damaging Mirai attack in 2016 which saw 300,000 smart products compromised due to weak security features and used to attack major internet platforms and services, leaving much of the US East Coast without internet. Since then, similar attacks have occurred on UK banks including Lloyds and RBS leading to disruption to customers. 

The move marks a significant step towards boosting the UK’s resilience towards cyber-crime, as recent figures show 99% of UK adults own at least one smart device and UK households own an average of nine connected devices. The new regime will also help give customers confidence in buying and using products, which will in turn help grow businesses and the economy.  

An investigation conducted by Which? showed that a home filled with smart devices could be exposed to more than 12,000 hacking attacks from across the world in a single week, with a total of 2,684 attempts to guess weak default passwords on just five devices.   

Minister for Cyber, Viscount Camrose, said: “As everyday life becomes increasingly dependent on connected devices, the threats generated by the internet multiply and become even greater.

“From today, consumers will have greater peace of mind that their smart devices are protected from cyber criminals, as we introduce world-first laws that will make sure their personal privacy, data and finances are safe.

“We are committed to making the UK the safest place in the world to be online and these new regulations mark a significant leap towards a more secure digital world.”

Data and Digital Infrastructure Minister, Julia Lopez, said: “Today marks a new era where consumers can have greater confidence that their smart devices, such as phones and broadband routers, are shielded from cyber threats, and the integrity of personal privacy, data and finances better protected.

“Our pledge to establish the UK as the global standard for online safety takes a big step forward with these regulations, moving us closer to our goal of a digitally secure future.”

OPSS Chief Executive, Graham Russell said: “The use and ownership of consumer products that can connect to the internet or a network is growing rapidly. UK consumers should be able to trust that these products are designed and built with security in mind, protecting them from the increasing cyber threats to connectable devices.    

“As the UK’s product regulator, OPSS will be ensuring consumers can have that confidence by working with the industry to encourage innovation and compliance with these new laws.”

NCSC Deputy Director for Economy and Society, Sarah Lyons, said: “Smart devices have become an important part of our daily lives, improving our connectivity at home and at work; however, we know this dependency also presents an opportunity for cyber criminals.

“Businesses have a major role to play in protecting the public by ensuring the smart products they manufacture, import or distribute provide ongoing protection against cyber-attacks and this landmark Act will help consumers to make informed decisions about the security of products they buy. 

“I encourage all businesses and consumers to read the NCSC’s point of sale leaflet, which explains how the new Product Security and Telecommunications Infrastructure (PSTI) regulation affects them and how smart devices can be used securely.”

With 57% of households owning a smart TV, 53% owning a voice assistant and 49% owning a smart watch or fitness wristband, this new regime reinforces the government’s commitments to addressing these threats to society and the economy head on.  

The laws are coming into force as part of the Product Security and Telecommunications Infrastructure (PSTI) regime, which has been designed to improve the UK’s resilience from cyber-attacks and ensure malign interference does not impact the wider UK and global economy.    

The new measures will also introduce a series of improved security protections to tackle the threat of cyber-crime:  

  • Common or easily guessable passwords like ‘admin’ or ‘12345’ will be banned to prevent vulnerabilities and hacking  
  • Manufacturers will have to publish contact details so bugs and issues can be reported and dealt with  
  • Manufacturers and retailers will have to be open with consumers on the minimum time they can expect to receive important security updates  
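The default-password requirement above is the one most easily checked in code. The following is an added illustrative model of a first-boot check, not the regulator's or any manufacturer's code: it flags units still running a weak factory password (so the owner must be prompted to change it) and, across a batch of devices, any factory password shared by more than one unit, since a universal default is guessable once a single unit is known. The blocklist, minimum length and device records are constructed for the example.

```python
"""Illustrative first-boot default-password check (added example, not the
regulator's or a manufacturer's code). Blocklist, thresholds and sample
device records below are constructed for demonstration."""
from dataclasses import dataclass
from collections import Counter
from typing import Dict, List

# Constructed blocklist of common factory defaults; illustrative, not exhaustive.
COMMON_DEFAULTS = {"admin", "password", "12345", "123456", "1234",
                   "root", "guest", "default", ""}

MIN_LENGTH = 8  # constructed policy value for this example


@dataclass
class DeviceRecord:
    serial: str
    factory_password: str   # password the unit shipped with
    password_changed: bool  # True once the owner has set their own password


def password_is_weak(pw: str) -> bool:
    """True if pw is a common default, too short, or a single repeated character."""
    if pw.lower() in COMMON_DEFAULTS:
        return True
    if len(pw) < MIN_LENGTH:
        return True
    if len(set(pw)) == 1:  # e.g. "aaaaaaaa"
        return True
    return False


def must_prompt_change(device: DeviceRecord) -> bool:
    """Start-up rule: prompt for a new password while a weak factory
    default is still in use."""
    return (not device.password_changed) and password_is_weak(device.factory_password)


def shared_defaults(devices: List[DeviceRecord]) -> Dict[str, int]:
    """Factory passwords used by more than one unit in the batch."""
    counts = Counter(d.factory_password for d in devices)
    return {pw: n for pw, n in counts.items() if n > 1}


def compliance_report(devices: List[DeviceRecord]) -> dict:
    """Summarise which units need a start-up prompt and which defaults are
    shared; the batch is compliant only if neither list is populated."""
    prompt = [d.serial for d in devices if must_prompt_change(d)]
    shared = shared_defaults(devices)
    return {
        "prompt_required": prompt,
        "shared_defaults": shared,
        "compliant": not prompt and not shared,
    }


# Constructed sample batch: two units share 'admin', one has a strong unique default.
SAMPLE_DEVICES = [
    DeviceRecord("SN-0001", "admin", password_changed=False),
    DeviceRecord("SN-0002", "admin", password_changed=True),
    DeviceRecord("SN-0003", "kq7-Vx2p-9mLz", password_changed=False),
    DeviceRecord("SN-0004", "12345", password_changed=False),
    DeviceRecord("SN-0005", "aaaaaaaa", password_changed=False),
]

if __name__ == "__main__":
    print(compliance_report(SAMPLE_DEVICES))
```

Note that SN-0002 is not flagged for a prompt because its owner has already changed the password, yet the batch still fails on the shared ‘admin’ default: the two checks are independent, and a manufacturer has to satisfy both.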

Rocio Concha, Which? Director of Policy and Advocacy, said: “Which? has been instrumental in pushing for these new laws which will give consumers using smart products vital protections against cyber criminals looking to launch hacking attacks and steal their personal information. 

“The OPSS must provide industry with clear guidance and be prepared to take strong enforcement action against manufacturers if they flout the law, but we also expect smart device brands to do right by their customers from day one and ensure shoppers can easily find information on how long their devices will be supported and make informed purchases.”

David Rogers, CEO of Copper Horse, said: “We started this work many years ago so that people would not have to understand lots about the security of connected products in order to be secure. Getting rid of things like default passwords that are set to ‘admin’ or ‘12345’ is a fundamental basic.

“Manufacturers should not be providing anyone with products like webcams that are so weak and insecure that they are trivial to hack into and take over. This stops now and people can have greater confidence that the internet-connected products that they buy have better security measures built in to protect them.”

The UK government has collaborated with industry leaders to introduce this raft of transformative protections, which also include manufacturers having to publish information on how to report security issues to increase the speed at which they can address these problems.

In addition, consumers and cyber security experts can play an active role in protecting themselves and society from cyber criminals by reporting any products which don’t comply with the new rules to the Office for Product Safety and Standards (OPSS).

The government is beginning the legislative process for certain automotive vehicles to be exempt from the product security regulatory regime, as they will be covered by alternative legislation.   

This new regime intends to increase consumer confidence in the security of the products they buy and use, delivering on one of the government’s five priorities to grow the economy.

The new laws are part of the government’s £2.6 billion National Cyber Strategy to protect and promote the UK online.

Keeping people safe and secure online

£500,000 funding for communities

Projects providing practical help to support people tackle the growing risks posed by online crime will share a £500,000 fund aimed at ensuring a digitally secure and resilient Scotland.

Organisations including Scottish Union Learning and Community Enterprise, will use the money to provide workshops aimed at tackling scams and internet safety, deliver training to upskill under-represented groups into careers within cyber security and provide digital advice in different languages.

The projects will be targeted at specific groups, including disabled people and those with specific learning needs, minority ethnic groups, people living in areas of social deprivation or in rural or remote communities and those for whom English is not their first language.

Since 2019-20, cyber crimes (crimes committed using the internet) have risen, with an estimated 14,890 cyber-crimes recorded by Police Scotland in 2022-23, almost twice the level in 2019-20 (7,710). This £500,000 fund is part of £1.16 million invested by the Scottish Government in 2023-24 to improve preparedness to withstand, defend against, manage, and recover quickly from cyber incidents.

Justice and Home Affairs Secretary Angela Constance said: “Cybercrime such as fraud and data theft can have a devastating impact on people, communities and businesses. 

“The Scottish Government is committed to building cyber resilience within all our communities and this funding will enable many more people across the country to keep themselves safe and secure when going online by supporting them to gain practical knowledge and skills to recognise and avoid cyber-attacks.

“We will also continue to work closely with Police Scotland and the National Cyber Security Centre to ensure Scotland’s public sector is resilient to cyber threats.”

Expert reveals how you can protect your mobile device from malware 

During the first few months of 2022, mobile malware attacks increased by 500%, with one of the main reasons being because many people aren’t protecting their smartphones. 

Experts at IT support specialists CloudTech24 have revealed the best ways you can go about protecting your mobile device from malware effectively. 

  1. Use mobile anti-malware

Your mobile phone needs anti-virus and anti-malware software too! Malware can infect smartphones and tablets easily, so it’s important to have a reliable anti-malware app installed on your device.

  2. Don’t download apps from unknown sources

Only download mobile apps from trusted sources. Do not download outside a main app store. Trusted app stores include places like: 

  • Apple App Store 
  • Google Play 
  • The Microsoft Store 
  • Amazon Appstore 

You also should research the app developer online. Make sure they have a good reputation. Once you download a dangerous app to your phone, it can infect it with malware. That malware can remain behind even if you delete the app later. 

  3. Be wary of SMS phishing, AKA “smishing”

Spam texts are extremely common nowadays, with the text equivalent of phishing being known as “smishing”. 

Through malicious links in text messages, hackers may ask you to message back to capture personal information, and/or try to gain access to your device. 

Beware of text messages from unknown sources and be on the lookout for texts that don’t make sense. A common text spam is getting a shipping notification when you haven’t ordered anything. 

  4. Remove old apps you don’t use

Apps these days are often abandoned by the developer, and there are around 2.6 million apps that haven’t received an update in a year or more. Having these old apps on your phone can leave security vulnerabilities which can be exploited by hackers, so it’s important to address them. 

Look through your device for any older apps you aren’t using; if there’s no reason to keep them around, remove them, as they can leave your device at risk.

Also, look at the time of the last update, and if it’s over a year, consider replacing it with an app that’s more current and updated more frequently.

  5. Keep your device updated

In addition to keeping your apps updated, it’s important to keep your device updated too. Not updating to the latest version of your device’s operating system can also leave your phone with security vulnerabilities, allowing hackers to breach your data. Turn on automatic updates if possible!

Cyber security boost: Training to help safeguard Scottish organisations 

A £500,000 contract to extend cyber resilience training to more than 250 organisations across the country has been awarded by the Scottish Government.

The grant will enable the Scottish Business Resilience Centre (SBRC) to run online and in-person workshops for public services and third sector health, housing, and social care bodies to ensure they are better prepared and protected.

Scotland has been subject to a number of disruptive large scale cyber-attacks in recent years with developments in Ukraine and the recent COVID lockdown exacerbating the situation. 

The training, which has already benefited 450 organisations, includes mock scenarios such as a third-party software compromise, a ransomware attack and a threatened sensitive data leak.

It is hoped more than 250 organisations will benefit from the training programme, which comes ahead of a major summit in Edinburgh as part of European Cyber Security Month in October.

Justice Secretary Keith Brown, who will address the event, said: “We have all seen the devastating impact of an organisation falling victim to a cyber-related incident, so extending training to make more people aware of the risks is absolutely crucial.

“The Scottish Government is committed to ensuring Scotland leads the way in cyber resilience and security.

“This extended training will help many more organisations to stave off the threat of an attack, and protect against disruptive and costly data breaches.

“The workshops provide practical guidance to mitigate or respond to hostile cyber-attacks. I would urge eligible organisations to take up this opportunity to ensure they are protected.”

Jude McCorry, Chief Executive Officer of the SBRC, said: “There is no denying that the ongoing pressure facing everyone from a cyber-perspective has increased massively in recent years. Just as we see one organisation recover from the grips of a cyber-incident, another is targeted.

“It is also now believed that cyber criminals have targeted more than three-quarters of public sector organisations and, closer to home, we have seen this play out with a number of disruptive large-scale attacks already in Scotland.

“We don’t want to see more Scottish organisations fall victim to these attacks and that is why upskilling and awareness programmes continue to be so vital.”

SBRC will deliver the National Cyber Security Centre’s (NCSC) ‘Exercise in a Box’ programme on behalf of the Scottish Government. It has already upskilled 450 organisations across Scotland since being launched in 2020.

Organisations interested in learning more about ‘Exercise in a Box’ are invited to attend a taster session on 25 August. Find out more or register here.

Top five cyber-resilience tips

1 Improve password security:

Creating strong, separate passwords and storing them safely is a good way to protect yourself online.

Use a strong and separate password for your email.

Weak passwords can be hacked in seconds. Make yours strong, longer and more memorable by combining three random words that you can remember.

2 Save your password into your browser:

This is safer than re-using the same password for all your accounts. Save them to secure them.

3 Turn on 2-Step Verification:

Two-step verification protects you with a second layer of security that checks it’s really you logging in. Think of it as a double lock for your data. Be doubly sure.

4 Update your devices:

Cybercriminals exploit weaknesses in software and apps to get your information. Updating fixes those weaknesses. Think of update reminders as an alarm telling you to act. Stay secure. Update regularly.

5 Back up your data:

If your phone, tablet or laptop is hacked, you could lose all your personal files including photos and videos. Keep everything secure by backing up. Back it up, keep it secure.

CyberScotland Week:

Scotland’s ability to prevent and respond to the growing cyber threat will be increased with the creation of a new Scottish Cyber Co-ordination Centre (SC3).

The £1.5 million central coordination function will strengthen Scotland’s resilience to withstand the highest level of cyber threat. 

The Scottish Government’s Covid Recovery Strategy commits to establishing a recognised, authoritative and collaborative function to combat the accelerating threat of cyber attack.

This has led to the creation of the SC3, which will pool expertise to: share intelligence; provide early warning of cyber threat and attacks; manage incidents and lead recovery. Recruitment for a head of the centre is already underway, with SC3 set to be formally launched later this year.

SC3 was announced ahead of the start of CyberScotland Week (Monday 28 February – 6 March), which will feature over a hundred events and activities across Scotland, focusing on building the cyber resilience of individuals, businesses and organisations.

Deputy First Minister John Swinney said: “At times of heightened international tension, it is more important than ever to ensure that Scotland is ready to defend itself against cyber attacks. 

“Sustaining and increasing Scotland’s cyber resilience requires us to continue harnessing the power of working in partnership, and stepping it up at all levels.

“Establishing a new dedicated cyber co-ordination centre is a bold and ambitious development for Scotland.

“By providing a central coordination function that pools expertise from across a number of existing or developing Centres of Excellence, we can maximise our ability to work together to address cyber threats and attacks – whether that is sharing intelligence, providing early warnings, managing incidents or leading recovery.

“During CyberScotland week, I would urge individuals, businesses and organisations across Scotland to reflect on what they can do to keep themselves and others safe from emerging threats. The National Cyber Security Centre has trustworthy and up-to-the minute guidance on keeping safe and secure online.”

The top cybersecurity threats for 2022: and what businesses can do to protect themselves

As we enter a new year, cyber crime continues to threaten businesses. Cyber attacks cost the global economy an estimated $6 trillion in 2021, and the costs are predicted to increase for 2022.

Since the beginning of the pandemic, hackers have been quick to exploit the growth in home working practices. Small businesses also reported an increase in attacks, and with 60% closing within six months of falling victim to a data breach, establishing a comprehensive cybersecurity strategy has never been more important.

Anthony Green, CTO and cyber crime expert at FoxTech, discusses what businesses should watch out for in the coming year: “In 2022, with many organisations implementing flexible working policies, and bringing personal devices into the office, it’s important to understand how cyber attackers might continue to exploit our changing working practices.

“It is often easier for attackers to breach home network devices, so when personal devices are being used to access company data at home, or brought into the office and connected to company networks, it can expose their system to hackers searching for vulnerabilities to exploit. With hybrid working policies expanding companies’ cyber risk, it’s vital to be aware of what the threats are, and how to prevent attackers gaining access.” 

To help businesses plan their cybersecurity strategies, FoxTech has put together a guide to the top predicted cybersecurity threats for 2022, and what organisations can do to protect themselves:

Ransomware

Ransomware was the defining force of cyber attacks in 2021. Hackers infiltrate a system, steal sensitive data and demand a ransom for its return. Ransomware attacks surged by 144% in 2021 from the previous year, and the problem is only expected to develop in 2022.

Anthony comments: “A spate of high-profile ransomware attacks in 2021 has led many organisations to review their cyber risk controls and implement more effective strategies against data loss.

“While this might make it more difficult for cyber criminals to mount traditional ransomware attacks in the short term, attackers are incredibly agile, so we are expecting their strategies to shift in the coming year.

“To prevent your business from falling foul to a ransomware attack, there are two things to consider:

  • Preventing an attacker from gaining network access – investing in an external security assessment is the most reliable way to discover your vulnerabilities. Cybersecurity experts can then configure your security tools to protect you from the latest methods of attack.
  • Catching an attacker before it’s too late – it can take months for an attacker to gather the data they need to demand a ransom. Working with an external, specialised cybersecurity company that can monitor your system and quickly alert you to any suspicious activity can be the difference between a minor incident and devastating financial loss.

“Constant systems monitoring – by someone who is aware of developments in attackers’ tactics – will be more important than ever, as cyber criminals are looking for new ways to circumvent security operations. Currently, businesses are subject to 10,000 attempted attacks a day, but it often takes months for hackers to infiltrate an organisation’s most well-protected data. Catching a threat straight away, and acting quickly to mitigate the effects of a breach, will prevent attackers from stealing enough sensitive data to deliver a ransom.”

Phishing

Over 75% of cyber attacks start with someone opening a malicious email. These emails are designed to extract data from the recipient, usually a password, which is used to gain further access to an organisation’s network. Once an account takeover has been successful, hackers are able to mount more sophisticated attacks.

So how can businesses protect themselves from phishing scams?

Anthony comments: “Security awareness training is essential. Only 14% of UK companies perform cybersecurity awareness training, but educating employees on how to spot phishing scams is crucial.

“Things such as shortened links, an impersonal address, or anyone asking for private information, can all indicate that an email is not legitimate, even if it appears to come from a trusted source.”

The NCSC provides free security awareness training available here: 

https://www.ncsc.gov.uk/training/top-tips-for-staff-scorm-v2/scormcontent/index.html

It is also imperative to set up two-factor authentication on email accounts and ensure the secure configuration of your email service.

Business Email Compromise Attack

In 2022, when so much business will be conducted through online conversations between remote workers, organisations need to be aware of business email compromise attacks – also known as ‘conversation hijacking’. These attacks are well-researched and highly personalised, making them difficult to detect and very effective.

This kind of attack usually comes once access has been gained through a phishing attempt. A hacker reads through breached emails to learn as much as they can about business practice and payment details.

Next, they will use this information to craft seemingly authentic messages which can be sent to both employees and customers, with the aim of tricking them to transfer money or update their payment information.

“A scam that we are seeing more and more frequently is when a hacker impersonates an organisation’s CEO to redirect large payments to their own accounts,” says Anthony.

“Once this money has been lost, it is almost impossible to retrieve, so it really is crucial to prevent hackers gaining access in the first place – and to have your accounts frequently and carefully monitored by cybersecurity experts who can spot an intruder before the final attack has been mounted.”

Companies interested in finding out their cyber risk score can order this for free from FoxTech here: Get in touch | FoxTech (foxtrot-technologies.com).

UK exposes series of Russian cyber attacks against Olympic Games

Russia’s military intelligence service, the GRU, conducted cyber reconnaissance against officials and organisations at the 2020 Olympic and Paralympic Games due to take place in Tokyo this summer before they were postponed, the UK has revealed.

The targets included the Games’ organisers, logistics services and sponsors.

The attacks on the 2020 Summer Games are the latest in a campaign of Russian malicious cyber activity against the Olympic and Paralympic Games.

The UK is confirming for the first time today the extent of GRU targeting of the 2018 Winter Olympic and Paralympic Games in Pyeongchang, Republic of Korea.

The GRU’s cyber unit attempted to disguise itself as North Korean and Chinese hackers when it targeted the opening ceremony of the 2018 Winter Games.

It went on to target broadcasters, a ski resort, Olympic officials and sponsors of the games in 2018.

The GRU deployed data-deletion malware against the Winter Games IT systems and targeted devices across the Republic of Korea using VPNFilter.

The National Cyber Security Centre (NCSC) assesses that the incident was intended to sabotage the running of the Winter Olympic and Paralympic Games, as the malware was designed to wipe data from and disable computers and networks.

Administrators worked to isolate the malware and replace the affected computers, preventing potential disruption.

Foreign Secretary Dominic Raab said: “The GRU’s actions against the Olympic and Paralympic Games are cynical and reckless. We condemn them in the strongest possible terms.

“The UK will continue to work with our allies to call out and counter future malicious cyber attacks.”

The UK has already acted against the GRU’s destructive cyber unit by working with international partners to impose asset freezes and travel bans against its members through the EU cyber sanctions regime.

Today (Monday 19 October), the US Department of Justice has announced criminal charges against Russian military intelligence officers working for the GRU’s destructive cyber unit – also known by the codenames Sandworm and VoodooBear – for conducting cyber attacks against the 2018 Winter Games and other cyber attacks, including the 2018 spear phishing attacks against the UK’s Defence Science and Technology Laboratory (DSTL).

The UK attributed the attacks against DSTL, which followed the Salisbury poisonings, to Russia in 2018.