Addressing Cyber Security Challenges in the UK

Monday 17 November 2025 - Patrick Kyle

The UK professional security sector is undergoing rapid transformation, driven by technological innovation, regulatory change, and evolving cyber threats. As security solutions become more interconnected and reliant on digital infrastructure, the risks associated with legacy practices and insufficient cybersecurity have grown. 

The Cyber Security Product Assurance Group (CySPAG) scheme, developed by the BSIA, addresses these challenges by providing a structured framework for manufacturers and installers to demonstrate their commitment to secure design, deployment, and lifecycle management. This document outlines the sector’s key challenges, compares CySPAG to other leading assurance schemes, and highlights strategic considerations for stakeholders.

What specific challenges does the UK professional security sector see from past approaches to deploying security solutions that have brought about the need for a scheme like CySPAG for both manufacturers and installers?

The UK professional security sector has faced several persistent challenges in the deployment of security solutions—particularly those involving connected devices and systems—which have led to the development of the Cyber Security Product Assurance Group (CySPAG) scheme by the BSIA. These challenges affect both manufacturers and installers, and CySPAG was created to address them through a structured, self-declaration framework. Here's a breakdown of the key issues and how CySPAG responds:

Challenges from Past Behaviours in Security Deployment

1. Legacy Equipment and Unsupported Systems

  • Many security systems were deployed and left untouched for years, operating on outdated firmware or software.
  • These systems often lacked ongoing support, leaving known vulnerabilities unpatched.
  • This “fit and forget” mentality created long-term exposure to cyber threats.

2. Supply Chain Vulnerabilities 

  • Security products are frequently sourced from third-party vendors, some of which may not follow robust cybersecurity practices.
  • Risks include backdoors in hardware or firmware, poor update mechanisms, and lack of transparency in vulnerability disclosures. 

3. Insecure Installations

  • Installers may not have followed best practices for secure deployment, such as changing default credentials or segmenting networks.
  • Poor configuration can compromise not just the security system but the wider IT infrastructure it connects to.

4. Lack of Cybersecurity Awareness and Training

  • Both manufacturers and installers have historically lacked formal guidance or accountability regarding cybersecurity.
  • This has led to inconsistent practices and a lack of confidence among end users about the security of their systems.

5. IoT Device Vulnerability 

  • The rise of IoT in security (e.g., smart cameras, access control) introduced new risks, especially when devices were not designed with cybersecurity in mind.
  • Many devices were deployed without proper lifecycle management or update protocols. 

How CySPAG Addresses These Challenges

For Manufacturers

  • Must self-declare compliance with BSIA Form 343, which includes secure design, testing, and update processes.
  • Required to maintain vulnerability communication and support throughout the product lifecycle.
  • Encouraged to go beyond the PSTI Act 2022 baseline requirements.

For Installers

  • Must follow BSIA Form 369, which outlines secure installation practices, update management, and client communication.
  • Ensures that installations do not compromise network security and that clients are informed of product support status. 

Sector-Wide Benefits

  • Builds trust across the supply chain by promoting transparency and accountability.
  • Encourages collaboration between manufacturers, integrators, and clients.
  • Provides a recognised mark of quality and cybersecurity assurance for procurement decisions.

How does CySPAG compare to other Cyber schemes?

CySPAG stands out as a UK-specific, security-sector-focused self-declaration scheme, but it exists within a broader landscape of cybersecurity assurance frameworks. Here's a comparative overview of CySPAG versus other prominent schemes like UL 2900, PSA Certified, ioXt, and ETSI EN 303 645:

CySPAG (Cyber Security Product Assurance Group)

  • Region: UK
  • Type: Self-declaration
  • Focus: Professional security systems (CCTV, access control, intruder alarms)
  • Audience: Manufacturers and installers
  • Key Features:
    • Based on BSIA Forms 343 (manufacturers) and 369 (installers)
    • Covers secure design, deployment, and lifecycle support
    • Promotes supply chain accountability
    • Offers a badge of assurance for procurement confidence
    • Tailored to UK regulatory context and BSIA membership.

UL 2900 Series

  • Region: Global (origin: USA)
  • Type: Third-party certification
  • Focus: Network-connectable products (including security, healthcare, industrial)
  • Audience: Product manufacturers
  • Key Features:
    • Rigorous testing: malware detection, code analysis, penetration testing
    • UL 2900-2-3 specifically targets security and life safety signaling systems
    • Aligns with NIST and FDA guidance
    • Formal certification with global recognition

PSA Certified

  • Region: Global
  • Type: Tiered certification (Levels 1–3)
  • Focus: IoT devices, chips, and software
  • Audience: Device manufacturers, silicon vendors, software developers
  • Key Features:
    • Level 1: Self-assessment with lab review
    • Level 2–3: Independent lab testing for software and hardware robustness
    • Maps to ETSI EN 303 645, NIST 8259A, and other standards
    • Recognised by ioXt and UL for fast-tracked certification 

ioXt Alliance Certification

  • Region: Global
  • Type: Industry-led certification
  • Focus: Consumer and enterprise IoT devices
  • Audience: Manufacturers of connected devices
  • Key Features:
    • Covers security, updatability, transparency, and compliance
    • Uses a compliance profile and public registry
    • Recognised by PSA Certified and other schemes

ETSI EN 303 645

  • Region: Europe (global adoption)
  • Type: Standard with optional certification
  • Focus: Consumer IoT devices
  • Audience: Manufacturers of connected consumer products
  • Key Features:
    • 13 high-level recommendations, 33 mandatory requirements
    • Covers password management, software updates, data protection
    • Basis for UK PSTI Act and EU RED Article 3(3)
    • Certification via ETSI TS 103 701 and accredited labs.

Comparison Summary

  • CySPAG: UK; self-declaration; professional security systems (CCTV, access control, intruder alarms); manufacturers and installers
  • UL 2900 Series: global (origin: USA); third-party certification; network-connectable products; product manufacturers
  • PSA Certified: global; tiered certification (Levels 1–3); IoT devices, chips, and software; device manufacturers, silicon vendors, software developers
  • ioXt Alliance: global; industry-led certification; consumer and enterprise IoT devices; manufacturers of connected devices
  • ETSI EN 303 645: Europe (global adoption); standard with optional certification; consumer IoT devices; manufacturers of connected consumer products

Strategic Takeaway

  • CySPAG is ideal for UK-based security professionals seeking a sector-specific, practical framework.
  • UL 2900 and PSA Certified offer deeper technical assurance for global markets.
  • ETSI EN 303 645 is a regulatory-aligned baseline for consumer IoT, increasingly referenced in UK and EU law.
  • ioXt provides a lightweight, scalable option for IoT manufacturers seeking public trust.

What does the UK private security sector landscape look like regarding cyber solutions that are currently being deployed, and what do we envisage the challenges will be for the sector over the next five years regarding security solutions deployed on customers’ IT networks?

The UK private security landscape is undergoing rapid transformation, driven by technological innovation, regulatory reform, and evolving threat dynamics. Here's a comprehensive overview of current deployment trends and the key challenges expected over the next five years, especially regarding solutions being deployed on customer networks.

Current Landscape of Security Solutions in the UK (2025)

Deployment Trends

1. Hybrid Architectures

  • Security systems increasingly use a mix of edge, cloud, and on-premise technologies.
  • This allows flexible data storage, processing, and device management tailored to client needs.

2. AI and Machine Learning Integration

  • AI is used for real-time threat detection, anomaly analysis, and predictive security.
  • Generative AI is emerging in surveillance, access control, and incident response. 

3. Cloud-Based Security Systems

  • Remote monitoring and control are now standard, especially for multi-site operations.
  • Cloud platforms offer scalability but raise concerns around data sovereignty and cyber resilience.

4. Cyber-Physical Convergence 

  • Physical security systems (e.g., CCTV, access control) are increasingly integrated with IT networks.
  • This convergence introduces new vulnerabilities if not properly managed. 

5. Biometric and Smart Access Control

  • Fingerprint, facial recognition, and mobile credentials are replacing traditional cards.
  • These systems require robust data protection and fallback mechanisms. 

Challenges Over the Next Five Years (2025-2030)

1. Cybersecurity Risks on Customer Networks

  • AI-powered ransomware and deepfake-assisted fraud are rising threats.
  • Security systems connected to customer networks may become entry points for attackers. 

2. Supply Chain Vulnerabilities

  • Third-party devices and software used in security deployments can introduce hidden risks.
  • Supply chain attacks are expected to increase, targeting integrators and manufacturers. 

3. Regulatory Pressure

  • New laws like the Cyber Security and Resilience Bill and Martyn’s Law will demand compliance in both physical and digital domains.
  • Installers and manufacturers must align with NIS2, PSTI, and other evolving standards.

4. Data Privacy and Governance

  • With GDPR and emerging UK-specific regulations, handling surveillance and biometric data will require stricter controls.
  • Customers will demand transparency on data retention, access, and processing.

5. Integration Complexity

  • As systems become more interconnected, ensuring interoperability and secure configuration will be critical.
  • Poor integration can lead to network instability, data leakage, or system downtime.

6. Skills Shortage

  • The sector faces a shortage of professionals skilled in both physical security and cybersecurity.
  • This may hinder secure deployment and maintenance of advanced systems. 

Strategic Considerations for Stakeholders

  • Manufacturers should embed security-by-design principles and provide clear update/support lifecycles.
  • Installers must follow secure deployment practices, including network segmentation and credential management.
  • Clients should demand assurance schemes like CySPAG, Cyber Essentials, or UL 2900 to validate product and service integrity.

Key Takeaways

  • CySPAG addresses persistent UK security sector challenges such as legacy vulnerabilities, supply chain risks, and inconsistent installation practices.
  • Compared to global schemes, CySPAG offers a sector-specific, practical approach tailored to UK regulatory requirements and BSIA membership.
  • Stakeholders must prioritise secure-by-design principles, robust lifecycle support, and transparent supply chain practices.
  • Manufacturers and installers are encouraged to adopt CySPAG as a mark of quality and assurance.
  • Ongoing engagement with industry standards and continuous professional development will be critical to navigating future challenges.

Take the Next Step with CySPAG

The security landscape is evolving rapidly, and proactive engagement with robust assurance schemes is essential. Whether you are a manufacturer, installer, or client, adopting CySPAG demonstrates your commitment to best practice, compliance, and customer confidence.

  • Manufacturers: Begin your CySPAG self-declaration process today to showcase your products’ security credentials.
  • Installers: Align your practices with BSIA Form 369 and provide your clients with the assurance they demand.
  • Clients and Specifiers: Look for the CySPAG mark when procuring security solutions to ensure quality and resilience.

For more information or to join the CySPAG scheme, visit www.cyspag.co.uk or contact the BSIA for guidance.