What threatens other critical infrastructure when communications are down?
Everyone knows that person who likes to say they are not addicted to their phone. In 2021, it’s hard to find a way to socialize, work, access essential services, and be entertained without the internet. From Zoom meetings to forecasts relayed through Alexa, the communications industry provides it all. As a critical infrastructure sector, the communications industry has taken the world by storm in so many ways you may not even realize. From repetitive sunglasses ads on Instagram to curated playlists on Spotify, it’s all created using data collected from the internet and smartphone activity.
According to the United Nations, Internet use has become so pervasive that Internet access is considered a fundamental human right. In a sector dominated by private companies, telecommunications service providers have capitalized on this widespread use. In 2020, AT&T had total revenue of $171.6 billion, and its competitor, Verizon, earned a comfortable $128.9 billion. The combination of wide use with profitable businesses is sure to invite a multitude of malicious actors seeking to exploit the industry.
Cybercriminals can exploit banking information, personal information, and business documents through device breaches. Spreading like a virus, malware needs only one point of entry to compromise all clients and devices on the same telecommunications network. Entry points abound in the communications sector. As demand for the Internet and accessibility increases, so does the number of devices.
The widespread effects of a cyber breach in the communications industry include departmental or regional internet outages, compromised or stolen information, damage to corporate reputation, and huge financial losses.
As telecommunications increasingly become part of our daily lives, service providers face a deluge of cyber risks that target the organization, consumers and the nation. Governments depend on the Internet just like businesses and individuals. It provides agencies with the networks to communicate and function, and they are just as vulnerable to threats as other Internet users. The possibility of malicious actors hacking into government systems that control sectors such as transportation, nuclear systems and financial services is a great public risk.
With so much at stake for ISPs, businesses need to take a proactive approach to their security strategy and instill strong cybersecurity practices within their business. In addition, regulators need to step up their efforts. The Federal Communications Commission (FCC) has been catastrophic at best in mandating compliance and managing risk. We’ll dive into the inefficiencies of the FCC in a moment.
Technology is driving the future of this industry. But, as technology develops, the security and risk management strategies that businesses implement to protect themselves are expected to evolve. Obsolete governance, risk and compliance (GRC) platforms cannot withstand the speed and sophistication of new cyber threats. Businesses can deliver stronger products and services and ensure public safety with a protected supply chain by prioritizing risk management and compliance.
The challenges of a cyber breach
The communications sector facilitates many other critical infrastructure sectors. The IT industry works with the communications industry to provide essential Internet services. The energy sector depends on communications networks to monitor and control the delivery of electricity, and transportation agencies rely on the communications sector to monitor and control land, sea and air traffic. Emergency services rely on the industry to coordinate responses, public alerts and warnings. Without telecommunications, emergency services cannot direct resources or receive 9-1-1 calls.
To fully understand the value of this industry, let’s take a look at the consequences of a communications cybersecurity incident. In state-sponsored cyber attacks, malicious actors can gain access to networks through remote infiltration, manipulate critical infrastructure, steal personal data or intellectual property, and launch espionage campaigns.
From 2017 to 2021, Chinese hackers carried out a cyber espionage campaign against five global telecommunications companies. According to a report released by Cybereason Inc., the group targeted Southeast Asia, including Microsoft Corp’s Exchange servers. Hackers were able to enter networks through a computer’s trash folder and disguise malware as antivirus software. According to the researcher, the hackers could have obtained information about government officials, businesses and law enforcement. They could also have interfered with or shut down networks.
Shutting down networks through a telecommunications system would have a domino effect of shutdowns in all of the dependent sectors mentioned. A compromised telecommunications network leads to a vulnerable government and puts critical infrastructure sectors at risk. Networks in the telecommunications supply chain are highly interconnected, and vulnerable because of it. In the SolarWinds attack, for example, a compromised tech company allowed hackers access to the US Treasury, Justice, and Commerce Departments and other agencies.
Like the healthcare industry, the telecommunications industry faces many entry points, given the number of smartphones and IoT devices being used to access the internet. To meet the demand for larger mobile networks and 5G technology, the telecommunications industry takes on risk with every device whose user follows poor cyber hygiene. Between customers and employees, every vulnerable application, insecure network, and reused password is a risk that carriers face.
Through compromised devices or the Domain Name System (DNS), attacks can take the form of Distributed Denial of Service (DDoS), stolen files, and Operational Technology (OT) manipulation, among many others. According to the Global DNS Threat Report, 79% of businesses experienced a DNS attack and, on average, it cost them $942,000 to recover.
Mitigate risks at industry and company level
Even though the telecommunications industry is quite large, only one regulator is responsible, the FCC. In the past, the commission ignored the Communications Act. Agency review of the Communications, Security, Reliability and Interoperability Council (CSRIC) and discontinuation of Electronic Alert System (EAS) monitoring for security vulnerabilities.
The sector lags behind most other critical infrastructure sectors without a trade regulatory compliance mandate. In order to push private companies to improve their cybersecurity measures and reduce risk, there must be a regulatory body that encourages the advancement of security. This will ensure sector-wide security that also protects government, the public and the entire supply chain.
There are a lot of things that businesses can do on their own. In 2019, 43% of telecom companies suffered a DNS malware attack, and it cost them an average of $600,000 to contain and recover from the attack. Instead of repeatedly falling into the trap of these attacks, organizations should implement multi-factor authentication (MFA). This extra layer of protection makes it difficult for hackers to access accounts.
When implementing MFA, companies should also caution employees and customers against using single or repeated passwords. If cybercriminals discover a repeated password, all associated accounts can be exploited. Users should follow strong password suggestions and avoid storing password information in cloud software. Network access controls (NAC) should also be enforced. Companies must regulate where and on what device the network is accessible. Employees should avoid using public networks that make users vulnerable to data theft.
Risk-aware personnel should already implement these practices. Along with these measures, companies should train their employees in risk awareness and healthy cyber practices. To alleviate the stress of small risks, in-depth training in phishing tactics will allow security teams to be better prepared for prevention and recovery. This would create a better risk management culture in the workplace. An advanced global cybersecurity posture will facilitate the implementation of an Integrated Risk Management (IRM) platform.
What GRC tools cannot do, IRM tools can do. Those with legacy GRC solutions may fear change, but an IRM approach is more efficient at securing sensitive information systems and managing long-term risks. Businesses can leverage a third-party platform such as CyberStrong to perform vendor risk assessments to secure the supply chain network and provide real-time insight into cybersecurity posture.
Knowledgeable staff and innovative technology will enable business leaders to improve decision-making and business performance. Telecommunications companies will be better equipped to deal with evolving cyberthreats through ongoing risk assessments and collaboration between the C suite and the security team.
Create a stronger sector
The telecommunications industry is ubiquitous and will continue to be so as we become more and more dependent on the internet and IoT devices to communicate and work. Because the industry is positioned as a power source for all other critical industries, malicious actors and other national hackers will continue to target it. With such unique value, there must be enterprise and industry-wide cybersecurity regulation, the incorporation of stronger security tools, and ongoing risk and vendor assessments.