It’s official - new laws to protect consumers from cyber criminals have finally come into force in the UK.
Hailed by the UK Government as ‘world-leading’ legislation putting businesses and consumers on the front foot against cyber criminals, the move has been welcomed by industry as a major step towards boosting the UK’s resilience towards cybercrime.
But the UK’s journey towards total cyber resilience is far from over. Daily advancements by bad actors, now further fueled by AI, mean that new and innovative ways to trick consumers and invade business networks are coming to the fore.
So, what exactly does this new legislation do and solve? And what else do we need to do to protect UK businesses and consumers from cyber criminals?
Chief Global Strategy Officer of ISACA.
What’s new?
The security vulnerabilities in internet-connected devices provide great opportunities for cyber criminals. And with 99% of UK adults owning at least one smart device, and UK households owning an average of nine connected devices each, this problem is bigger than ever.
To tackle this, the new legislation mandates that internet-connected smart devices meet minimum-security standards, and requires manufacturers to take steps to protect consumers from hackers accessing devices with internet or network connectivity - from smartphones to games consoles to connected fridges. In addition, manufacturers will need to be transparent about security updates and publish contact details to allow issues to be reported.
Under the new regime, passwords are also getting an overhaul - with weak, easily guessable default passwords becoming a thing of the past.
What does this mean in practice? From the get-go, products will be built, sold, set-up and monitored with cybersecurity in mind. There’s no doubt that this is a significant leap in protecting individuals, businesses, and the wider economy from cyber crime.
AI changes the game again
It’s great to see the government turning cybersecurity concerns into action. But does this legislation go far enough? The simple answer is no. Protecting from cyber criminals will take more than just having secure passwords, regularly updating your phone or having strengthened data protection policies on the internet.
This is even more important in the age of AI. We are yet to witness the full power of artificial intelligence, but we know that it is rapidly advancing – and therefore so too are the threats it poses. In fact, ISACA’s recent research found that 61% of cyber professionals are extremely or very worried about AI being harnessed by bad actors.
For example, AI has the power to quickly synthesize large volumes of data and to mimic people and messaging, meaning that usual tell-tale signs of hacking such as spelling errors or an absence of personalized greetings will be eradicated. Ultimately, this is making attacks made by cyber criminals more convincing than ever before - and leaving consumers, businesses and supply chains more vulnerable than ever.
The bottom line is that cyber criminals are advancing at speed, and if we are to win the cyber arms race, we must do so too.
Building a culture of cyber awareness and expertise
Whilst welcomed as a great first step, government legislation on cybersecurity does not go far enough, fast enough. And we can’t just focus on robust cyber protections for consumers in their day to day lives - we must take firmer action to ensure businesses, and the structures that support them, are protected too.
In order to keep pace, we must create a culture and society that prioritizes consumer cyber awareness and prevention - and allows businesses to create the skilled workforce needed to tackle cybercrime head on.
However, it’s widely recognized that the technology and cyber industry is facing a skills shortage, with businesses often struggling to find cyber talent to help protect their business from bad actors. In fact, a recent report by the Department for Science, Innovation and Technology found that around 739,000 businesses (50%) have a basic cyber skills gap.
Only when we have the people in place with the right skills and training will we be able to adequately detect cyber threats and attacks, protect organizations and their data and quickly recover and repair. We must support legislative change with a culture of cyber training and upskilling - or else regulation and legislation will not have the desired impact.
There is hope on the horizon
There are steps that can be taken to create the culture of skills we need across the UK and beyond.
Government schemes such as the Cyber Explorers program are helping to encourage young people into the industry and build their cyber skills. Schemes like this will be crucial in the push towards greater cyber awareness and protection.
But businesses also have a large role to play here. Currently, businesses recruiting into cyber positions demand years of relevant experience from prospective talent. Instead, they should provide accessible routes into cybersecurity and open their minds to different talent pools. Employers need to acknowledge transferable skills, take a leap of faith and recognize that training somebody from entry level, or even retraining somebody from another industry, is worth it.
The UK is taking steps to address the need for greater cybersecurity protections through new legislation. But these steps won’t go far enough without a culture of skills and cyber expertise supporting it. Cyber skills must become a focus - or else we risk losing the cyber arms race for good.
We've featured the best endpoint protection software.
This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
