How the United Kingdom’s Telecom Security Act is catalyst meaningful change
Subsequent to a protracted parliamentary passage period, the United Kingdom’s Telecom Security Bill is going to become law this autumn, putting forth new requirements on telecom operators. In short, the new legislation forces telecom organizations to safeguard their networks against typical attacks, leveraging advanced tools to detect and resolve security problems influencing crucial voice network infrastructure.
The Act specifies that telecom operators must proactively detect “the risks of security compromises happening: minimize the hazards of security compromises happening, and prep for the occurrence of security compromises.” The Act empowers Ofcom to penalize non-compliance with 100,000 each day in fines, up to a maximum penalization of 10 million pounds.
Obviously, the law enhances telecom provider’s accountability and pressures in a manner that ensure cybersecurity will be taken with the seriousness that it deserves. Telecom organization’s capacity with regards to compliance and avoid censure will be decided by how well they can see, assess, and remediate their computing and network infrastructure threats.
However, practically meeting the fresh legal mandates puts forth a huge challenge for operators due to the immense complexity and scale of their networks. Carrier’s network sprawl and assets have appreciated considerably with the passage of time and usually have the burden of redundant technologies and technical debt. Moreover, the size of any telecom organization’s attack surface implies several still don’t possess a complete comprehension of their security loopholes across their hybrid infrastructure.
How telecoms prep themselves to function within the scope of the fresh regulations boils down to three primary recommendations:
Crack the susceptibility administration challenge
Obtaining visibility of the issue is complex due to the significantly escalating volume of possible security susceptibilities that a telecom operator is now legally obligated to address. Skybox Research Lab reports 18,341 fresh vulnerabilities in 2020 and a record 106% escalation in malware. Accurately detecting, evaluating, and remediating susceptibilities needs a new strategy as the attack surface is so dynamic.
Vulnerability administration’s centrality is underscored in the new legal guidelines. The law needs a telecom provider to inform both Ofcom and its own users of any security susceptibilities, expanding on the current requirements that the Information Commissioner’s Office must be signified of a security breach.
Obviously, the Act puts considerable pressure on all communications providers to review and fortify their security positioning. The new law needs the provider not just detect and minimize security risk efficiently but additionally prep for breaches.
Balance stringent security with no compromises on service quality
There is an additional complication for telecom providers: they are simultaneously need to maintain crucial services and scan their network infrastructures in a more intensive and comprehensive manner. Providers comprehend, although, that conventional security scanning can create service outages and performance problems.
The solution must thus be more sophisticated security techniques that ensure compliance with the new stringent regulations while simultaneously ensuring ongoing network and service availability.
Total network visibility can be accomplished by comprehending all network infrastructure components combined with detecting the device, its config, and firmware version. Leveraging this detail, real-time threat intelligence can indicate susceptibilities that impact particular devices. After susceptibilities that can be exploited are detected across the attack surface, security ops can undertake deployment of patches and fixes, controls, and countermeasures, which includes firewalls.
On the basis of historical experience in management of a major teleco’s security infrastructure, it is very tough to modify telecom infrastructure architecturally, introduce components, or swiftly carry out upgrades. Such work must be carefully plotted and timetabled to be carried out overnight; any risk of anything going wrong and services being affected must be steered clear of. Downtime in itself creates regulatory issues with Ofcom, in addition to impacting client trust and a provider’s brand value.
Ensure clear prioritization to ensure hazardous susceptibilities are remediated first
For forward-thinking telecoms, compliance with the legislation has implied taking up a security platform which includes hybrid network visibility, threat intelligence, vulnerability prioritization, and security policy administration in a singular view. Proactive cybersecurity needs a data-based strategy that can identify susceptibilities on mission-critical assets. Then, attack simulation can ensure the correct compensatory controls are poised to remediate susceptibilities swiftly.
Alternatively, security teams can leverage data to outwit malicious actors, or bad actors. For instance, if there is no observed exploit coding and nil accessibility, there is very little risk, and the work can be deprioritized. On the other hand, if there is known exploit code however no accessibility, there is a degree of risk via like a bad change inadvertently opening up unintended access. The worst-case situation would be a vulnerability which is undergoing exploitation on an ongoing basis in the wild on a server with a clear access pathway from a threat origin, making this a leading priority for remediation.
Leveraging these differing levels of prioritization, telecom providers can obtain the visibility they require and make sure they are leveraging their restricted resources in the correct areas to reduce risk and ultimately meet regulatory requirements.
Prep for future cybersecurity legislation
The new telecom security act will definitely push providers to fortify their infrastructure against attacks. However, seeing ahead at what’s to come, it is essential to nobody considers this Act to be the last destination as far as network security regulation is concerned: as security experiences evolution, so will the attacks, and extra mandates will be needed to safeguard data within the 5G era. For the purpose, the UK State has made it obvious that the Act’s mandates are applicable particularly to voice communications and that regulations will be subsequently updated to secure Internet-of-things devices.
In other words, telecom providers must be ready for additional regulatory oversight in the near future. Correct preparation should consist of adopting an advanced platform that integrates susceptibility administration, analysis, and remediation capacities in a fashion that can maintain pace during a decade of digitization that will be shaped by persistent change, spurred in equal parts by cyber-attacks by malicious, bad actors, and legislation.