Interview | Frank von Seth (CEO, cyan digital security)

Beyond the well-known risks (phishing, credential theft, malware, ransomware, etc.): What specific risks are companies in the telecommunications (TC) industry exposed to?

Telecommunications providers should distinguish between two types of attacks. On the one hand, there are cyber attacks that directly target the corresponding infrastructure of the telecommunications provider.

On the other hand, there are indirect attacks that target customers, suppliers or business partners. The potential effect on one’s own company, especially in the second scenario, is still too often underestimated by the providers.

In a telecommunications market that maintains completely different security measures among the EU states, cyber criminals see this heterogeneous security situation as a digital gateway, which operators are usually not aware of.

In addition, the sometimes sluggish transition from 4G to 5G has implications for cyber security. 4G has its problems, especially on the interconnect level. For example, the unique identifier of a subscriber cannot be encrypted. 5G remedies this and thus also makes man-in-the-middle attacks more difficult.

In your view, how well prepared for cyber attacks are the critical infrastructure (CI) companies in the TC segment, and how well prepared are smaller providers that do not fall under the CI definition? 

Telecommunications companies of all sizes are facing the challenge that cyber criminals are acting in an increasingly professional and decentralised manner. As a result, the demands on common cyber security solutions are also increasing on a daily basis. 

I believe that the recent attacks on CI sectors can be regarded as a foretaste of what is to come in the CI sector in 2023. The companies, operators and institutions concerned here need to realise that they are increasingly becoming the preferred target of hackers. 

Small companies may believe that they lack funds to invest in IT security; they must at the same time be fully aware: no company is so small or insignificant, no market environment is so specific that it is not potentially attractive to cyber criminals.

Where do you see the greatest need for improvement for both groups of companies, what measures do you recommend? 

In my view, large companies, regardless of the sector, make a mistake if they limit themselves exclusively to their internal IT systems. 

They are dependent on many delicately interactive components to provide services. A good example of this from the industry is SolarWinds. This attack from early 2021 underpinned the fact that companies above a certain size cannot avoid regular audits, pentests and scenarios. Risks are identified in good time on the basis of these steps and rapid mitigation is made possible. The “big ones” also forget this too often.

Small companies usually overlook the basics of IT security. This usually ends in a heterogeneous security landscape within the company, in which security solutions are only organised very inefficiently.

Recently, T-Mobile USA experienced its second major data breach, this time apparently through an API-based attack. How well equipped do you think German providers are against such API attacks?

In my view, the fact that globally oriented, digital companies are becoming increasingly networked, whether with each other or with their partners and service providers, also increases their vulnerability to established IT attacks. 

Whether companies have their headquarters in the DACH region, Europe or the USA does not play a decisive role. Ultimately, all target regions are mutually dependent. Areas such as communication, production and sales are equally affected.

In this respect, the constant internationalisation of technology-based business models offers sizeable advantages by addressing global target groups. However, digital attack surfaces do not thereby become automatically smaller.

A popular approach to identity theft (at least in the US) is SIM swapping. Are German consumers better protected against this type of attack than US consumers? If so, by what techniques/organisational measures?

As diverse as the telecom industry is, attack vectors and vulnerabilities of IT infrastructures are very similar depending on the target regions. The biggest mistakes in everyday IT result from the human factor, which cyber criminals always speculate on. 

SIM swapping is a good example of this: In this case, hackers aim to manipulate employees of telecommunications companies by means of social engineering. The end result is that a user’s call and account number can be illegally accessed. 

The big advantage in Europe and Germany for me, however, is that new EU directives (e.g. PSD2) are leading banks to use tokens instead of SMS-TANs. This component makes it more difficult for hackers to succeed in SIM swapping. This is different from the USA, where the framework is not yet as fully developed. 

In addition, SIM swapping is not the most profitable business for cyber criminals in this country. Cyber crime “services”, on the other hand, are enjoying a real boom and offer a higher ROI, especially in the field of ransomware.

What advice would you have for consumers and user organisations to protect themselves from the threat of cyber attacks emanating from telecoms providers/mobile networks?

End-users as well as organisations today face two basic problematic scenarios: Data loss and data theft. 

All devices connected by networks are potential vulnerabilities that can be exploited by cyber criminals. In order to avoid defencelessness or having to do without services, three security concepts help in everyday life: 

Regular local or digital backups primarily counteract data loss, while good password management and multi-factor authentication support account security. 

A comprehensive security solution that goes beyond individual device security could sometimes be implemented by network operators as a comprehensive, network-integrated and device-independent approach.

Please tell me the usual key data about your company (year of foundation, number of employees, market segment, customer base, etc.).

cyan was originally launched in 2006. The initial phase after the founding of the company consisted primarily of the development of cyber defence technologies for government institutions and companies. 

In 2012, the integration of security services into telecommunication systems followed, which made the security product “suitable for the masses”. 

Today, as a globally active company with over 120 employees, we focus on end-user products, with the aim of integrating cyber security without its being perceived as costly and cumbersome.

Where do you see your particular contribution to value creation in the area of security in the telecommunications market?

In addition to the loss of sensitive data, business interruptions and severe revenue losses due to professional attacks must be taken into account in digital business models. 

Among other things, such dynamics can trigger an enormous loss of public trust for the companies affected. Customers would henceforth not trust any company that is not able to protect its own data. 

In this respect, we as a cyber security company not only help to develop digital resilience. In case of doubt, we also contribute to the competitiveness of the individual brands. 

Frank von Seth started his professional career as an Insurance and Risk Consultant with several companies on three continents and in five different countries. Before joining cyan, Frank served Aon in Switzerland for over ten years. He started his current position as the CEO of cyan AG and is now leading the company into its future while working on a safer tomorrow for everyone by safeguarding users on their daily digital and connected journey.