New PSTI Act part of a set of new protections in the US, UK, EU

United Kingdom’s new PSTI Act, which took effect in 2024, is the next stage of the UK’s ongoing move to protect consumers from vulnerabilities found in products.  This new regulation is part of the UK’s more comprehensive plan to stop hackers and other bad actors from accessing devices and data. The nation has been leading the way in protecting consumers from vulnerabilities found in popular consumer products and devices from smart TVs to a variety of Internet of Things (IoT) devices. 

Along with the UK, the European Union is moving forward with a similar new cybersecurity law, the proposed Cyber Resilience Act (CRA). The CRA will place “mandatory cybersecurity requirements for manufacturers and retailers of such products, with this protection extending throughout the product’s life cycle,” according to the European Commission, noting that cybersecurity is “inadequate” in many products. 

Meanwhile, the U.S. Federal Communications Commission (FCC) recently announced the U.S. Cyber Trust Mark, a new voluntary cybersecurity labeling/incentive program for consumer IoT devices and products similar to those covered by the PSTI and CRA. Previously, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released the Secure by Design set of guidelines, including a voluntary pledge for software companies to follow. 

Protection beyond devices is critical 

Cyberthreats and risks to consumer and business data and privacy are constantly evolving. Endpoints and attack surfaces continue to expand rapidly, as consumers and businesses add more internet-connected tools and devices to make work and life easier. But more convenience is also raising new concerns, as new threats targeting devices are growing rapidly. The FCC recently stated, “According to one third party estimate, there were more than 1.5 billion attacks against IoT devices in the first six months of 2021 alone. Others estimate that there will be more than 25 billion connected IoT devices in operation by 2030.”

Cyberattacks on devices have escalated in recent years due to attacks such as Mirai botnet, a malware specifically designed to attack IoT devices that make it easier to launch distributed denial of service (DDoS) attacks.

However, protecting devices is only part of the cybersecurity process. Approaches and protections must extend beyond the devices alone. 

The Secure by Design concept for software products is critical to protecting devices as well and can provide better protection overall against cyberattacks, as CISA notes. “Secure by Design principles should be implemented during the design phase of a product’s development lifecycle to dramatically reduce the number of exploitable flaws before they are introduced to the market for broad use or consumption,” according to the agency.

What is secure by design? 

The term secure by design refers to software, products, and applications that have security as a core objective throughout every stage of the design and deployment. When software products are secure by design, this means that security measures are integrated into every stage as a core foundation of the product in each iteration. The concept is related to the idea that security should “shift left” in the development process. Secure by design means that products are secure out of the box, meaning that their users don’t need to take any additional measures to use the product. Secure by design places the responsibility for protecting consumers on the manufacturers rather than the consumers themselves.

Conversely, when products are designed with security bolted on as an afterthought, security can be more easily compromised by hackers and cybercriminals. Software is more likely to be susceptible to vulnerabilities when security isn’t the paramount goal from the start. As a report in Security Intelligence notes, “poorly coded applications present more viable attack vectors.”

Security must also protect integrations and how devices are connected to other systems and platforms. For instance, when evaluating software integration or SaaS platforms, organizations may consider software that offers more secure features such as customizable security and privacy settings, policies and terms of service, and better protection of data and content, as well as secure communications with other devices and systems. 

Secure by design isn’t only about coding, however. The approach also requires a security mindset that can mean a culture shift in the software organization. Keeping security at the core of software products and devices is one essential way software companies can help build more trust for their customers.