by Mark Hathaway
Telecoms providers operate a vast ecosystem of critical infrastructure, stretching from base stations to virtual instances. New legislation in the UK aims to improve baseline cybersecurity, remove high-risk vendors from supply chains and limit the damage from breaches.
With penalties for non-compliance of up to 10% of turnover or £100,000 per day, there’s no time to delay. A new Trend Micro guide has some useful advice for communication service providers (CSPs).
Old and new cyber risks
CSPs are beset by challenges on various fronts. On the one hand, they must keep the lights on for the 3G and 4G networks that most users still rely on. These may suffer from support issues and low levels of perimeter protection, increasing cyber risk.
On the other hand, the push to 5G, FTTP and cloud demands greater use of virtualisation and container-based architectures to scale apps and services. However, security is rarely built-in as a ‘day zero’ component in these environments, adding significant risk.
What’s in the Act?
The new legislation clearly requires CSPs to mitigate cyber risk effectively and inform the regulator of any breaches promptly, adhering to the as-yet-undefined codes of practice in the process. Secondary legislation is likely to introduce requirements to:
- Secure core network equipment
- Reduce third-party equipment supplier risk
- Control access permissions for core network equipment and software
- Carry out security audits and put governance in place to better understand cyber risk
- Maintain network operations whilst keeping customer data secure
What happens next?
Achieving compliance will require different strategies depending on your current IT set-up and risk profile. However, a few suggestions from Trend Micro include:
- Migration to standards-based, platform-based security offerings which support legacy systems
- Embedding security into DevOps as part of the CI/CD process
- Investing in best-in-class network protection to maximise threat visibility whilst lowering CAPEX
- Consolidating on fewer, more interoperable vendors to eliminate security blind spots and support real-time threat awareness/ad hoc compliance assessments
Read the full guide here.