Telecom operators have become high-profile targets for cybersecurity attacks that have exposed personal information on tens of millions of customers, which according to consulting firm EY has numbed consumers to having their electronics data stolen.

Andy Aiello, managing director in EY’s Telecom, Media, and Technology practice, explained to SDxCentral in an interview that the firm’s most recent research found 46% of consumers believe it’s impossible to keep their personal data secure when using the internet. His colleague Michael Misrahi, telecommunications leader for the Americas at EY, added that the same survey showed 39% of telecom CISOs believe security aspects aren’t adequately factored into strategic investments.

“The general consumer is just numb to all of this at this point,” Misrahi said.

Who can blame them?

For instance, T-Mobile US earlier this year said it was hit by a cyberattack, which came just months after it was hit be another attack that impacted 37 million customers. The carrier said the most recent attack was from a “bad actor” that “used a single [API] to obtain limited types of information on their accounts.”

T-Mobile US’ latest attack also came after the operator pledged to spend $500 million on data security and customer remediation efforts that came off the back of what one analyst called “the largest carrier breach on record.”

AT&T earlier this year admitted to a cyberattack that impacted approximately nine million customers; Verizon last year was hit by a much smaller cyberattack impacting hundreds of its prepaid customers; and nascent operator Dish Network is still digging out from a “cybersecurity incident” that may have “extracted” personal data.

Misrahi explained that operators are seemingly being hit more by cyberattacks due to being more exposed to the software ecosystem as they evolve their 5G networks. He noted that operators are increasingly having to integrate new services and operating models that have placed additional pressure on resources.

“I've been at operators, and I think [security] is a bit of the focus, but everything is urgent and important,” Misrahi said. “As much as this is a revolutionary change in the network, it's a revolutionary change in the business models. You have to balance this with getting to market, capturing market, making sure your business is viable, and then at the same time you have to think about all the security,” Misrahi added. “The numbness of the consumer when there are breaches doesn't create an enormous incentive for operators to really focus on that. Not that there aren't people raising their hand in every operator about this, but it's just there's only so much you can do.”

Misrahi added that this technological change comes as the service provider space remains highly competitive with new entrants and cloud-based over-the-top (OTT) players.

“As the operators get into 5G, you just can't have OTT taking your business model,” Misrahi said. “There’s just so many different areas that are changing and it makes it really difficult. Operators need to spend mindshare to evolve their business models, while at the same time the general consumer is indifferent, or a lot of folks are at this point just numb to these leaks. I think the carriers are doing their absolute best, but it's not necessarily an individual operator’s responsibility or ability to actually fix this problem. It's not a quick fix. It's not a silo fix.”

One benefit of operators moving toward the cloud ecosystem is their ability to open up their network resources and glean more value from that network data. This was highlighted at the recent MWC Barcelona 2023 event that included a strong push behind network APIs.

“As you move into 5G standalone, now you have the opportunity to have APIs and interfaces and business models for things like quality of service, lower latency network slicing, and guaranteed bandwidth, and we think that’s where the carriers need to go,” Dan Hays, partner at consulting firm PwC, said in an interview at the MWC Barcelona 2023 event.

However, Hays said that while the “technical hooks” are becoming available, “it requires the business model innovation to actually get it done.”

EY’s Aiello said the rush toward this innovation has opened operator network information to third-party entities, which in many cases have become tangential security targets for operators.

“I think we see a lot more carriers really sharing and trying to enable more digital infrastructure or digital processes, which puts more of the data in new situations, especially in third-party situations that create these security issues we've seen,” Aiello said. “I think that's really key to this business expansion, but some of these new areas create a change of the security boundary of the security expectations.”

Aiello also noted that telecom organizations continue to diverge on their internal security operations. He explained that EY’s research found nearly half of CISOs surveyed expressed concern over the internal security investment of their organizations, a notion that has been compounded by the pandemic that forced companies to restructure those operations to take into account a new operating environment.

So how can operators counter this increase in cyberattack activity?

Misrahi recommends that operators take the long-standing approach in reducing their attack surface; work with security vendors that have a history in the telecom and networking space; and be more interactive in sharing information.

“If you look at some of the vendors for identity verification and authentication, they use consortiums to pull information. There's only so much that a single operator can do and the third-party vendors can do,” Misrahi said, noting that recent conversations around more openness and sharing are starting to show progress. “The same thing probably needs to happen in the operator space and in the telecom space.”

Aiello echoed those comments, noting that operators should look toward standardization around the security interconnections between their network software and hardware.

“It’s about how do we really do telecom-level network security and not just IT network security,” Aiello said. “In some cases that may mean all the way down to the need to have common methods to do device testing and device security testing as part of the rollout like we've done with handsets. Do we need to do that that with remote radio heads and other things we are putting in the network?”