EU brings down the hammer on cybersecurity risks to smart devices

The EU is about to announce legislation cracking down on smart device cybersecurity, an encroaching threat.
13 September 2022

Huawei's “Gentle Monster” smart-control eyewear and a mobile device are on display at the Internationale Funkausstellung IFA international trade show for consumer electronics and home appliances. (Photo by Tobias SCHWARZ / AFP)

It is late 2022, and interoperability is the name of the game. Systems are more connected than ever before, and the same goes for the exploding market for smart devices. As users acclimated to kitting out their homes with the latest, trendiest interconnected gadgets over the last two years, consumers have prioritized the price points of smart devices over the potential cybersecurity risks. Quantity and functionality have overruled tight device security.

In the recent past, there has been a veritable deluge of cybersecurity incidents, including high-profile ransomware attacks affecting major organizations and end-users, as well as a noticeably increased frequency of data breaches and malware intruding on both on-premises and cloud-based environments.

The Open Door

A common entry point for security vulnerabilities has been Internet of Things (IoT)-enabled smart devices, as there have been increasing incidents of unsecured BYOD (Bring Your Own Device) equipment in the workplace, exposing internal networks and closed-off systems to external threats.

And new research from BlackBerry Limited – once infamous purveyors of revolutionary mobile devices themselves, now turned cybersecurity and network specialists – reveals that two in five businesses (or 41%) are not placing enough emphasis on extending enterprise-grade protection standards to the homes of their workers, even as hybrid and remote working policies become more commonplace.

The research points out that even though three-quarters (77%) of smart devices have been purchased for the home in the past two years, slightly less than a third (32%) of 1,000 UK workers who own a smart device said that security was a top priority when making these purchase decisions. Perhaps understandably, given the increasing cost of living crisis across the UK, more than half (58%) said that price point was a priority.

So it stands to reason that the European Union is due to announce a proposal known as the Cyber Resilience Act today, with Reuters reporting that smart internet-connected devices ranging from TVs to fridges will have to comply with tougher cybersecurity regulations going forward – or run the risk of being heavily fined or even banned from the bloc.

The incoming legislation, likely to become law once the EC has received feedback from EU member states, will affect enterprises the most. Under the new regulations, manufacturers must assess the cybersecurity vulnerabilities of their smart devices, and take steps to address these issues.

How To Enforce The Rules

Measures would include notifying the EU cybersecurity agency ENISA of security incidents within 24 hours (once the maker has learnt of the issue), and carrying out appropriate protective steps. For importers and other distributors along the supply chains of these smart devices, the product ranges would need to be verified as conforming to EU guidelines before being rolled out.

Where a product fails to comply with the proposed rules, authorities can “prohibit or restrict that product being made available on its national market, to withdraw it from that market or recall it,” according to the EC document.

If BlackBerry’s research into the UK’s increased use of smart devices is emblematic of EU countries at all, the new ruling could cause significant inconvenience – only 21% of UK home workers say their company’s policies include cybersecurity advice concerning smart devices. Along with attacks on critical infrastructure, small and medium-sized businesses (SMBs) are facing eleven or more cyberattacks per connected device every day, according to the BlackBerry 2022 Threat Report.

As for the EU legislation due out today, skirting the proposed rules could result in hefty fines for companies, with the most serious offenses ranging up to 15 million euros or 2.5% of their total global turnover, whichever is higher.