Families unboxing connected gifts are being asked to spend five minutes enabling basic protections. In a 27 December press release, the Department for Science, Innovation and Technology, working with the National Cyber Security Centre, urged households to switch on two‑step verification and automatic updates when setting up new devices.
Ministers framed the ask as simple measures that reduce account takeover risk during a high‑usage period. Cyber Security Minister Baroness Lloyd highlighted the value of a short setup routine, while the NCSC’s Director for National Resilience, Jonathon Ellison, reiterated the priority of turning on two‑step verification for important accounts.
The government’s seasonal checklist aligns with established NCSC guidance: enable two‑step verification on email and other key services, use strong passwords based on three random words, leave automatic updates turned on, set up child profiles, and review privacy settings to disable unnecessary remote access. Public-facing instructions are available on NCSC’s “Smart devices in the home” pages and the Stop! Think Fraud campaign.
The timing reflects scale. The press notice cites an average of nine connected devices per UK household and analysis indicating devices can face around ten attacks in a 24‑hour period, with security tooling blocking roughly 1,736 threats each minute. Poor setup can expose personal data or live audio‑video feeds from toys and monitors.
Behind the advice sits a binding legal regime. The Product Security and Telecommunications Infrastructure (PSTI) Regulations took effect on 29 April 2024, establishing baseline security for consumer connectable products, including a ban on universal default or easily guessable passwords.
Duties apply across the supply chain. Manufacturers must ensure passwords are unique per product or user‑defined, provide a clear route for reporting vulnerabilities, and publish the minimum security update period; a Statement of Compliance must accompany products as they move from manufacturer to importer to distributor.
Enforcement is led by the Office for Product Safety and Standards on behalf of DSIT. OPSS can issue compliance, stop and recall notices, and impose civil penalties. Statutory maxima are the greater of £10 million or 4% of qualifying worldwide revenue for a fixed penalty, plus up to £20,000 per day for continuing non‑compliance.
For households, the regime should make insecure defaults rarer over time. Buyers can expect manufacturers to publish how long security updates will be provided; where this is unclear in product documentation, retailers should be able to confirm it before purchase. That information helps users judge whether a device will remain supported for its expected life.
For retailers and online marketplaces, PSTI is not optional. Do not make products available without the required Statement of Compliance; keep supply‑chain records; notify OPSS promptly if a compliance failure is identified and be prepared to take corrective steps, including withdrawal or recall, where directed.
The immediate steps remain straightforward: switch on two‑step verification for email and other critical accounts, prefer three‑random‑word passwords, keep automatic updates enabled, set up child accounts and review app permissions. The NCSC and the Stop! Think Fraud campaign host step‑by‑step instructions for mainstream services.