Everyone knows that one person that likes to say that they’re not addicted to their phone. In 2021, it’s difficult to find a way to socialize, work, access vital services, and be entertained without the internet. From Zoom meetings to the forecast relayed through Alexa, the communications sector provides it all. As a critical infrastructure sector, the communications industry has captured the world in many ways that you may not even realize. The repetitive sunglasses ads on Instagram or the curated playlists on Spotify, it’s all created through the data collected from the internet and smartphone activity.
According to the United Nations, Internet usage has become so ubiquitous that access to the internet is considered a basic human right. Dominated by private enterprises, telecommunications service providers have capitalized on the widespread usage. In 2020, AT&T earned a total revenue of $171.6 billion, and their competitor, Verizon, earned a comfortable $128.9 billion. Combining broad usage with profitable businesses is bound to invite a multitude of malicious actors looking to exploit the industry.
Cybercriminals can exploit banking information, personal information, and business documents through device breaches. Spreading like a virus, the malware just needs one entry point to compromise to take down all clients and devices in the same telecom network. There is no shortage of entry points in the communications sector. As demand for the internet and accessibility grows, so do the devices.
The widespread effects of a cyber breach in the communications sector include departmental/ regional internet outages, compromised or stolen information, business reputation damage, and huge financial losses.
As telecoms integrate more and more with our daily lives, service providers face a deluge of cyber risks that target the organization, the consumers, and the nation. Governments rely on the internet just as businesses and individuals do. It provides agencies with the networks to communicate and function, and they are just as vulnerable to threats as other internet users. The possibility of malicious actors hacking government systems that control sectors like, transportation, nuclear systems, and financial services is a great public risk.
With so much on the line for internet providers, enterprises must take a proactive approach in their security strategy and instill strong cybersecurity practices within their enterprise. In addition, regulating bodies need to step up. The Federal Communications Commission (FCC) has been abysmal at best for mandating compliance and managing risk. We’ll dive into the inefficiencies of the FCC in a moment.
Technology drives the future of this sector. But, as technology develops so should the security and risk management strategies that companies implement to safeguard themselves. Dated governance, risk, and compliance (GRC) platforms cannot withstand the rapidity and sophistication of newer cyber threats. Companies can provide stronger products and services and ensure public safety with a protected supply chain by prioritizing risk management and compliance.
The Stakes of a Cyber Breach
The communications sector facilitates many other critical infrastructure sectors. The IT sector works with the communications industry to deliver critical internet services. The energy sector depends on communication networks to monitor and control the delivery of electricity and transportation agencies rely on the communications sector to monitor and control ground, sea, and air traffic. Emergency services rely on the sector to coordinate responses, public alerts, and warnings. Without telecommunications, emergency services cannot direct resources or receive 9-1-1 calls.
To fully grasp the value of this sector, let’s examine the consequences of a communications cybersecurity incident. In state-sponsored cyberattacks, malicious actors can access networks through remote infiltration, manipulate critical infrastructure, steal personal data or intellectual property, and launch espionage campaigns.
From 2017 to 2021, Chinese state-back hackers conducted a cyber espionage campaign on five global telecommunications companies. In a report published by Cybereason Inc., the group targeted Southeast Asia, including Microsoft Corp’s Exchange servers. Hackers were able to enter networks through a computer’s recycle bin folder and disguised malware as anti-virus software. According to the researcher, hackers would have been able to gain information about government officials, corporations, and law enforcement agencies. They also would have been able to interfere with or shut down networks.
Shutting down networks through a telecommunications system would have a domino effect of shutdowns in all of the dependent sectors mentioned. A compromised telecommunications network leads to a vulnerable government and jeopardized critical infrastructure sectors. Telecom supply chain networks are highly interconnected and vulnerable because of it. Like with the SolarWinds attack, a compromised tech company allowed hackers to access U.S. Treasury, Justice, and Commerce departments and other agencies.
Like the healthcare industry, the telecoms sector faces risk from many entry points with the number of smartphones and IoT devices used to access the internet. To deliver on the demand for broader mobile networks and 5G technology, the telecom industry faces risk with every device that practices unhealthy cyber practices. Between clients and employees, every vulnerable app, unsecured network, and repeated password is a risk telecom companies must deal with.
Through compromised devices or domain name systems (DNS), there can be attacks in the form of distributed denial of service (DDoS), stolen files, and manipulation of operational technology (OT) among many other forms of attack. According to the Global DNS Threat Report, 79% of businesses faced a DNS attack and on average, it cost businesses $942,000 to recover from them.
With so much on the line for internet providers, enterprises must take a proactive approach in their security strategy and instill strong cybersecurity practices within their enterprise.
Mitigating Sector-Wide and Enterprise Risks
Even though the telecommunications industry is quite expansive, only one regulatory authority is in charge of it, the FCC. In the past, the commission ignored the Communications Act. Communications, Security, Reliability and Interoperability Council (CSRIC) agency review, and stopped monitoring the Electronic Alert System (EAS) for security vulnerabilities.
The sector as lags behind most of the other critical infrastructure sectors with no mandate for commercial regulatory compliance. In order to push private companies to improve their cybersecurity measures and reduce risks, there must be a regulating body that incentivizes security advancement. This will ensure sector-wide security that also protects the government, the people, and the entire supply chain.
There are many things that enterprises can do on their own. In 2019, 43% of telecom businesses suffered from a DNS malware attack and it costs them an average of $600,000 to contain and recover from the attack. Instead of repeatedly falling for these attacks, companies should implement multi-factor authentication (MFA). This additional layer of protection makes it difficult for hackers to access accounts.
With implementing MFA, companies should also caution employees and clients from using simple or repeated passwords. If cybercriminals figure out one repeated password, all associated accounts can be exploited. Users should follow suggestions for strong passwords and avoid storing password information in cloud software. Network access controls (NAC) should also be enforced. Businesses should regulate where and on which device the network is accessed. Employees should avoid using public networks which make users vulnerable to data theft.
A risk-aware staff should already be implementing these practices. Along with these measures, businesses should train employees on risk awareness and healthy cyber practices. To mitigate the stress of smaller risks, in-depth training on phishing tactics will allow security teams to be better prepared for prevention and recovery. This would create a better culture for risk management in the workplace. An advanced overall cybersecurity posture will help the implementation of an integrated risk management (IRM) platform.
What GRC tools cannot do, IRM tools can. Those with legacy GRC solutions may be apprehensive to change, but an IRM approach is more effective at securing sensitive information systems and managing risk long term. Companies can leverage a third-party platform like CyberStrong to perform vendor risk assessments to secure the supply chain network and provide real-time insights on the cybersecurity posture.
A cyber-aware staff and innovative technology will grant company leaders to improve decision-making and business performance. Telecommunication enterprises will be better equipped to tackle ever-evolving cyber threats with continual risk assessments and C-suite and security team collaboration.
Creating a Stronger Sector
The telecommunications sector is pervasive and it will continue to be as we grow more and more dependent on the internet and IoT devices to communicate and work. Positioned as a powering source for all other critical sectors, malicious actors and other nation-back hackers will continue to target the sector. With such unique value, there needs to be enterprise-wide and sector-wide cybersecurity regulation, incorporation of stronger security tools, and continual risk and vendor assessments.
To learn more about how to respond to malware attacks, please check out our webinar How To React When a Competitor is Hit by Ransomware. To see how CyberSaint can be a risk assessment tool for your organization, contact us.