Michelle Kradolfer, Secured by Design (SBD) National Manager and Secure Connected Devices accreditation lead.

Congratulations on the new role! How’s it been so far?

Thank you! It’s a great role, as I have an extensive knowledge in the cybercrime, cybersecurity and IoT landscape and am passionate about finding innovative ways to help reduce crime so it gives me the opportunity to combine all of these.

The role is incredibly busy, given how we work closely with policing, the government, the security industry, test houses, certification bodies, architects, developers, local authority planners, the construction industry – the list is endless. We work across so many fields and collaborate with so many people and organisations across both the public and private sectors when it comes to our prevention work.

How do your responsibilities as National Manager and Secure Connected Device Lead differ and what challenges and opportunities does that present?

Not as much as you would expect, aside from the fact that I now have managerial responsibility for a team of colleagues working across the UK. The Secure Connected Device accreditation is merely an extension of Secured by Design, covering IoT connected products and services. I was working closely with the SBD team prior to becoming National Manager, ensuring that all our SBD member companies who have IoT connected products were aware of the requirements of the new legislation and working towards compliance with it.

The main challenge has been familiarising myself with the huge range of physical security standards. Whilst I have that knowledge and expertise in the cyber world, the physical security world was relatively new to me – thankfully I have a team of technical experts who have fantastic knowledge in this area working alongside me.

Opportunities – well the adoption of cyber security requirements within IoT connected products has historically been poor, whilst consumers overwhelmingly assume these products are secure. IoT products are simply not built with security in mind. Manufacturers have complied with other safety requirements in the past, such as ensuring electrical components don’t overheat. However, merely 20% of manufacturers incorporate fundamental security standards in IoT products. Without the appropriate levels of security, any internet connected device or app is at risk of providing cyber criminals with the ‘key’ in accessing and stealing personal data, and other nefarious activity. This is a huge opportunity to put that right.

What’s involved in Secured by Design’s Secure Connected Device accreditation scheme, and why?

In collaboration with the Department for Science, Innovation and Technology (DSIT), we launched a scheme last year in response to impending legislation. Companies can now turn to us for assessing their products against the full ETSI EN 303 645 standard’s 13 provisions, a requirement that goes beyond the Government’s legislation so that companies can not only demonstrate their compliance with the legislation but help protect themselves, their products and customers.

We evaluate their products, suggest certification routes, and help them meet the Act’s requirements. Once certified by an SBD approved certifying body, companies can seek our prestigious SBD accreditation. The robust standards of certification exceed government legislation and our annual appraisal ensures compliance with evolving government requirements and cyberthreats.

October will be just six months before companies have to comply with the requirements of The Product Security and Telecommunications Infrastructure Act. Are they ready?

Unfortunately, there does seem to be an overall lack of awareness of the legislation, which is worrying given the robust regulatory framework within the law contains an enforcement regime with civil and criminal sanctions aimed at preventing insecure products being made available on the UK market within it. This enforcement regime enables the government to take a range of actions against companies that are not compliant with the law by 29th April 2024, including enforcement notices; compliance notices; stop notices; recall notices; huge financial penalties and forfeiture of stock which is in the possession or control of any manufacturer, importer or distributor of the products, or an authorised representative.

More UK Security News.