These are interesting times for communication service providers, who are investing heavily in next-generation optical fibre and 5G networks to support the fastest growth in connected devices and services ever. Undoubtedly, the COVID-19 pandemic has accelerated demand, as nearly everyone shifted, almost overnight, to remote working and virtual services. While many users are still acclimatising to this ‘new normal’, in the background hackers have redoubled their efforts in creating malware and phishing attacks. Reports suggest they are leveraging thousands of vulnerabilities identified over the course of the pandemic alone, such as the SolarWinds hack in 2020. This is potentially the largest hacking event ever, where reportedly thousands of hackers collaborated to attack the US government.
New regulations, as ever, are destined to have an impact too, with the European Union and the UK Government introducing a raft of new measures, such as NIS2D and the Telecommunications Security Bill. The latter in particular has received much coverage recently due to the focus on high-risk vendors (HRVs) such as Huawei, but also because it includes a range of new requirements to be set out in secondary legislation, which will not be possible to ignore. These include:
- Security by design at the core
- Scrutiny on access permissions
- Audit rights
- Assured services and protection for customers.
Yet, as if a cyber breach wasn’t damaging enough already, with the new UK bill enshrined in law and Ofcom due to be given the power to fine companies 10% of turnover or £100,000 a day until a vulnerability is fixed, the potential impact on service providers is the highest it’s ever been. On protection for customers in particular, the effect of data breaches on customers should not be underestimated, and the fallout can last for years, as reported after the Sprint Telecoms breach in 2019.
What needs to change?
To protect their networks and customers, communication service providers need to ask themselves some key questions about their cyber security plans, like those posed by the technology analyst firm Gartner in a recent white paper on cybersecurity initiatives:
- How will this support business resilience and growth goals while reducing risk?
- How can we use an outcome-driven approach to establish cybersecurity priorities and investments?
- Which leaders and teams need to be involved in the process?
For most organisations the first question is quite straightforward. The second requires more consideration: when it comes to ‘outcomes’, simply being ‘more secure’ can be subjective, and it requires a detailed assessment of the as-is environment.
On the third point, the assumed wisdom is that it’s important to construct cross-functional teams across applications, architecture, infrastructure and so on to design and deploy a cyber initiative, yet there is no mention of the supply chain. Implementing industry best-practice thinking across internal teams and suppliers on any subject is always a challenge in terms of both design and operation.
The recent zero-day attack on SingTel in late 2020 highlighted the challenges faced by an industry built on tightly integrated supply chains. Hackers can be inside an organisation for many months before a breach is identified, unless there are sophisticated and constantly evolving security protocols in place end to end, both inside and outside the organisation.
How can we fix it?
Where standards and procedures are evolving that address a variety of stakeholders, I find a top-down approach always works best. CGI has decades of experience working with clients in this space and there are three key areas communication service providers should focus on:
Assessing the risk
- Ensuring that your most vulnerable information is secure
- Ensuring you have an honest and accurate understanding of your security status
- Creating an always-on 'cyber security aware' culture in your organisation
- Ensuring you comply with industry and regulatory requirements, e.g. ISO 27001, PCI-DSS, UK and European data protection law
- Quantifying your risk and justifying your security investments
Protecting your business
- Secure designs which include the appropriate level of security controls and crypto management
- Testing for vulnerabilities and providing certifications for products and services
- Quantifying your controls and justifying the investment
Operating with confidence
- Designing, integrating and maintaining the best tools and information sources that provide monitoring and analysis services – with management information feeds
- Building a team of highly experienced and talented analysts who understand the trends and latest attack vectors
- Creating capacity, technology and skills to provide a rapid response to an incident
- Delivering constant improvement, recognising that threat behaviours and defensive technologies evolve at a fantastically rapid pace
And don’t leave the back door unlocked: remember to include your supply chain in the planning!