Why Foundational Trust Is Critical To Mitigate Telcos Against Cyber Risk
Capacity Europe’s 2020 conference on cybersecurity shows the critical role that technology will play in mitigating the risks facing the telecommunications industry
Trustonic’s CTO Jason Hart recently sat on a panel of cybersecurity experts at Capacity Europe’s 2020 Conference. Joining Jason were James Nesbitt, Eric Cole, Lisa Past, Heyrick Bond Gunning, and Charl van der Walt. The panel discussed the cybersecurity challenges faced by the telecoms industry, and the factors which are important when devising a corporate cybersecurity strategy.
Are we cybersecure?
Cybersecurity breaches are on the increase despite record investment in cybersecurity. Part of the problem is the assumption that the next attack will be a sophisticated one. However, most attacks are opportunistic, reactive and ‘situationally aware’. In other words, cybercriminals focus on the technology risk, people and processes, and then take a targeted approach to carry out simple attacks. The effects, however, can be dramatic in terms of undermining free market economies and democratic governments.
Telecommunications companies (telcos) present attractive and potentially lucrative targets because of the amount of personal data they hold, together with their complex organizational structures, often due to rapid growth, acquisitions and mergers. Cyberattacks on telcos, like other Critical National Infrastructure (CNI), can have a detrimental and wide-ranging impact on national economies.
“Telcos have huge amounts of personal data … plus complexity in the way they’ve grown makes them a nice target … (and) because it’s Critical National Infrastructure … attacks can have a major impact on national economies”. Heyrick Bond Gunning, CEO of S-RM
Three aspects are important in protecting telcos against cyber risk:
- Because of the pandemic and the increase in remote working, it’s important to secure, protect and lock down the endpoint.
- The ability to detect threats within encrypted traffic. Despite customers putting in new security technology and behavioural analytics, hackers are using encrypted command and control channels to slip in under the wire.
- Addressing the 90% rule. Companies typically patch, lock down and harden only 90% of their systems, but adversaries are clever at finding the missing 10% and exploiting it.
The sheer pace of digital change during the pandemic means we need to secure not just the endpoint but also the identity, both of machines and users.
Attacks result in a degradation of the trust placed in the technology and systems it supports: everything from election results to the ability of a company to protect identities.
The biggest risk facing the industry, however, is the integrity attack, in which data is intercepted and altered. An organisation cannot recover as easily from an integrity attack as from a confidentiality breach. Integrity attacks may not be spotted for several years, during which compromised data may have been used to make business decisions; by which point it’s too late. There is also a lack of trust and understanding about the tools and cryptographic technologies on which we rely. Integrity attacks will therefore only further undermine people’s trust in organisations and governments.
Companies need to know what their critical data and critical business processes are. Cybersecurity is about understanding, managing, and mitigating the risk of critical data being disclosed, altered or destroyed. Along with confidentiality and integrity issues, there’s also an availability aspect where ransomware is having a significant impact on organisations. Cole recommends businesses have a “one pager” that outlines their critical data and business processes, together with their biggest threats. Only with this understanding can an organisation determine the biggest threats they face: confidentiality (where someone discloses your data), integrity (where they alter data), or availability (where they make data unavailable), and understand where they’re most vulnerable.
However, few organisations have the capability, knowledge and ability to arrive at this point of understanding. Therefore, it’s important to focus on the data since this is what interests the cybercriminals: the type of data, the location of data, the business processes and flow. Only once you’ve mapped this out, can you understand the risks.
Our CTO, Jason Hart, believes that many cybersecurity issues can be addressed with technical solutions; for example, by building a root of trust into every device before it leaves the factory. The challenge, however, is for companies to accept that this is how they must do business, and that security is part of this process. There are other simple security controls and processes around cybersecurity where this approach should become the norm.
“Many cybersecurity issues can be solved easily with technology; for example, by building in a root of trust into every device before it leaves the factory”. Jason Hart, CTO of Trustonic
In addition to technology, people and processes are also key to an organisation’s cybersecurity. For example, if remote workers around the globe are clicking on phishing emails, an organisation will be vulnerable to ransomware if users are not trained in cybersecurity.
A company, of course, can never be 100% cybersecure; digital solutions will always present ‘unknown unknowns’. Therefore, it’s important to put a risk management system in place, and security must be part of the fundamental design of your processes and systems. Security must never be an afterthought; if it is, it may be ten times as expensive to retrofit. It is also important that businesses are seen to be doing the basics properly and showing due care, especially in the event of an attack.
Security, however, is often not well understood in companies, and this results in a lack of investment. Chronic underinvestment in cybersecurity can ‘bankrupt’ a company because, like financial debt, security debt accrues over time and can affect a business’s valuation. And, for some, the cost of fixing their inherent security issues means they’d no longer be viable. And, because we’re so interconnected, this debt has a domino effect on other businesses in a community. Therefore, it’s important for companies to see the accumulative security debt and the wider impact, and not focus only on the cost of a short-term security breach.
How can telcos defend against the risks?
Clearly, targeted investment in cybersecurity is required, and to obtain this, it’s important that the C-level understands the need for it and the potential impact on the business of not investing in it from the outset.
Typically, the CSO position is an advanced technical position but it needs to be more than this. The CSO must also have strategic focus, the ability to speak the business language, and drive a clear security strategy.
Engaging sectorially is also important in terms of putting structures and forums in place for collaboration and information sharing; for example, a dedicated security operations centre, and an information sharing and analysis centre.
Furthermore, the industry needs to lead the way to create a shared system of vision and values for security and trust. So, rather than putting cybersecurity issues on the vendors and regulators, the industry must be more proactive and less reactive.
For more information about how Trustonic can help you embed the best security into the world’s smart devices and apps, and empower developers to build in the trust required to deliver simple, fast and secure solutions, see: https://www.trustonic.com/.