
Telcos under attack

Telecoms companies are a big target for cyber attacks. We chat to cybersecurity professionals from some of SA’s big players about what they’re doing to keep their networks, and users, safe.
By Joanne Carew, ITWeb Cape-based contributor.
Johannesburg, 15 Sep 2022
Kerissa Varma, Vodacom, says defence is all about putting different layered controls in place so that should one fail, there are several others that the hackers will need to get through before they get in.

As the builders, controllers and operators of critical infrastructure widely used to communicate and store sensitive data, telcos are responsible for keeping our connected world, connected. 24/7. As such, these companies are sizeable targets for cyber attacks. According to Deloitte, illicit actors, and nation states, are increasingly attacking telecom operators’ infrastructure and applications to run covert surveillance operations, to shut down critical services that consumers and businesses rely on or to access sensitive data and personal information – be it names, addresses or private financial data – about their customers and suppliers.

Targets of large-scale espionage

One of the most infamous attacks on global telecommunications providers saw hackers undertaking a multi-year espionage campaign infiltrating more than 10 cellphone networks in multiple countries to obtain large amounts of information about high-profile individuals.

According to cybersecurity firm Cybereason, the hackers accessed the call detail records of about 20 customers, mainly from the political and military world. The data they extracted includes everything from device details and the physical location of the device to the source, destination and even the duration of each call, essentially enabling the hackers to track anyone across different countries. While the hack, which many suspect was state sponsored, was first uncovered in 2018 and reported in 2019, it’s believed to have been active since 2017. During this massive and sophisticated campaign, the hackers were able to move freely through the various telecom carriers’ systems, in some cases using administrator accounts and virtual private networks to disguise their activity and appear like employees. Pretty scary stuff.

This reality demands that cybersecurity teams at telcos do everything they can to stay ahead of attackers and to identify and eliminate threats before they become a problem. For Kerissa Varma, Vodacom’s head of cybersecurity across Africa, when you look at the rise in cyber attacks across all industries, many of the same old suspects are putting businesses at risk, from poor security hygiene and weak passwords to a lack of awareness around social engineering strategies like those used in ransomware and phishing attacks. The knock-on effects and the potential disruption to so many other industries make telecommunications companies a particularly attractive target, especially for attackers that are looking to make a big impact.

But Celia Mantshiyane, GM for Technology Security at MTN South Africa, is quick to highlight that your biggest threats might come from people you know. “Your users can be your greatest strength, but they can also be a major weakness. As much as we are all looking outside and talking about hackers, CISOs agree that insider threats are a problem. Telcos need to have strict identity and access controls in place to verify that someone is who they say they are.”

In line with this, she points out that third party risk management is also a major priority for MTN. “Dealing with so many different businesses, we need to be aware that whatever affects our third party suppliers affects us. This is particularly relevant as we move to the cloud.”

To safeguard themselves against these risks, all MTN suppliers must comply with the brand’s rigorous security standards, she adds.

An ever-evolving industry

While Vodacom has never fallen victim to any major cyber breach, Varma admits that most organisations experience smaller scale incidents. These incidents serve as a great learning tool for cybersecurity professionals. Of course, any organisation runs the risk of being breached if an attacker tries hard enough to get in, she says, explaining that this showcases the importance of running regular tests and simulations to identify any issues. “We simulate, we learn, and we remediate. So, we’re almost continuously attacking ourselves so that we can learn and better our processes, technologies and people skills,” she says, adding that the company also has a suite of capabilities in place to prevent attacks from happening.

As part of these capabilities, the telco is leveraging AI, machine learning and automated intelligence that learns, adapts and responds based on the threats it sees. “Not only in your own environment, but also based on what’s happening on a global scale. If a new cybercrime trend emerges in the US, we know about it before it hits our shores, so we’re already exploring how to prevent it.”

Your users can be your biggest strength, but they can also be a major weakness.

Celia Mantshiyane, MTN

As part of this approach, Varma and her team at Vodacom have adopted a principle called ‘defence in depth’, which sees different layers or levels of security being put in place to stop hackers in their tracks. “If I visited your home, you probably have a wall or an electric fence and a front gate with a lock. You might have beams in your yard, burglar bars on your windows, as well as a front door. This is what defence in depth is all about – putting different layered controls in place so that should one fail, there are several others that the hackers will need to get through before they get in.” This is important, she says, because the landscape is ever-changing.

As a cybersecurity leader at a telco, Mantshiyane says solving the next big problem keeps her busy. “You always have to plan for tomorrow because anything can happen. Yes, we need to defend, prevent and protect, but we also need to be thinking about how we respond.”

A business like MTN can’t afford to have any downtime, she says, so having a well-planned and effective response plan is critical. For her, it’s about security by design. “Doing things right the first time is key for us. We’re not in a business of redos or quick fixes because we understand that a lot of people trust us, and they have very low tolerance levels for downtime or disruptions to the services we offer.”

We’re almost continuously attacking ourselves so that we can learn and better our processes, technologies and people skills.

Kerissa Varma, Vodacom

Like Vodacom, MTN is also using emerging tech as part of its security strategy. In MTN’s case, it has deployed AI and behavioural analytics to categorise different employees in terms of their risk factor and then provide them with training that is valuable for them. “Yes, we've got the overall blanket training, but we use AI and analytics to target specific types of training at different employees, customers and corporate clients based on their behaviour and needs.” These tools also help the business to identify anomalies in behaviour and then send alerts to the relevant people, notifying them of a potential breach.

“As a telco, your reputation and your brand are everything, which is why cybersecurity is so important,” Mantshiyane says. “Understanding this about our business enables me to make sure that our security posture is designed so that we safeguard the crystal balls we simply can’t afford to drop.”

With the incredible rise in cyber activity, cybersecurity professionals need all the help they can get to ensure that they get this right. “Today, you need to get to a point where our defence is automated and people are only looking at the things that the technology is not picking up and looking in between the systems to identify anything unusual,” says Varma. “People simply can’t do this alone; we need to work alongside the technology and use the technology to help us do better.”

* This feature was first published in the September edition of ITWeb's Brainstorm magazine.
