This is a question which is being addressed by the UK Government as they put forward proposals for new IoT laws. I think it is a fair question to ask. When we buy anything, from an electrical product to a car or a house, we are protected. The dangers, potential dangers and risks are mitigated by the seller, who carries the weight of the responsibility.
As a result, we have a certain level of comfort in knowing that if we plug something in it will not catch fire, for example. Not everyone is an electrician, and not everyone can spot the risk.
So surely the same approach should apply when buying a connected device, or a device with the potential to connect to multiple other devices. If a manufacturer builds in the option to connect, should they not also have the responsibility of building in the security too?
Especially when, as this report by NCC Group mentions:
"...the number of connected devices continues to proliferate, with almost half (49%) of UK residents purchasing at least one smart device since the start of the coronavirus pandemic."
The UK has a unique opportunity to lead the way on this subject, and potentially to set the standard for other nations to follow. But first and foremost, finding an effective and fair way to protect the consumer has to be the main goal.
Commenting on the proposed legislation, Ollie Whitehouse, global CTO at NCC Group, said: "For many years now we, alongside other campaigners and leaders across the cyber security industry, have been calling for legislation that sets a clear benchmark for the security of connected devices.