Less than 10% of security professionals say that their security posture is fully prepared for 5G rollouts, according to an AT&T Cybersecurity report.

Conducted with IDC, the AT&T Cybersecurity Insights Report: 5G and the Journey to the Edge surveyed 1,000 security practitioners worldwide and asked them about their 5G security preparedness.

“5G is a revolutionary technology,” said Theresa Lanowitz, head of evangelism at AT&T Cybersecurity. “It’s not just the next-generation network, it is really a revolutionary technology, and a more secure network than any previous generation of network. And what an enterprise has to really be looking at is how are they going to really assess their cybersecurity posture, what are they going to do about their cybersecurity risks with those devices, those applications, that data, and so on, that they actually put on to that new 5G network.”

While 5G networks will enable new types of use cases and potential revenue streams for virtually all industries, 5G isn’t a one-size-fits-all network, the report says. Organizations can choose from an on-premises private 5G network or one that shares mobile operator 5G network resources. They can also choose multi-tenant public options delivered as a service with network slicing and virtualization to provide a single-tenant experience. And how organizations architect their particular 5G deployment will — or at least should — shape their security design.

Enterprises Adopt 5G to Remain Competitive

Survey respondents say they are adopting 5G to remain competitive. Almost 58% of respondents listed remaining competitive as their primary concern for implementing 5G now, and 56% chose that reason as their top reason to roll out 5G in 12 to 18 months.

In fact, companies’ lines of business are driving 5G adoption, Lanowitz said, and this also separates 5G from earlier network generations typically led by the network infrastructure and IT teams. “What we found in this report is that the line of business is really looking at 5G as a way to enhance their competitive differentiation in the market,” she said. “And that’s where, from a cyber perspective, you look at your organization’s appetite for risk, and you want to make sure that your security posture is as good as it can possibly be.”

Risk-Benefit Analysis

This requires companies to review their existing security programs and policies, and then evaluate the risks around access management and data security against the 5G benefits of better speed and reduced latency. It also tightly couples these lines of business with the security team and makes security a critical component of a company’s competitive differentiators, Lanowitz said.

“This is really indicative of what we actually are seeing in 2020 because of COVID,” she explained. “Cybersecurity moved from being a technology problem, to really being a business enabler. Digital transformation has really come to mean something very clear and very critical in 2020, and cybersecurity is really part of that digital transformation.”

Data Challenges Around 5G Security

The AT&T Cybersecurity report found that 83% of respondents believe attacks on web-based applications will be a challenge to implementing 5G. For example, moving data processing to the edge, closer to use-case applications, provides benefits such as near-real-time and artificial-intelligence-enabled processing for intelligent decision making. But it also comes with certain security challenges, such as SQL injection attacks and unencrypted data traveling along private networks.

The report also found that 31% of respondents think 5G is secure out of the box from the network provider and that the customer doesn’t need to implement any additional security measures. Another 26% said they have no strategic plan to address the security of 5G.

These findings directly contradict the 56% of respondents who say 5G will require them to change their approach to security, and about half of respondents believe 5G actually increases their security risk.

AT&T Cybersecurity ‘Aha Moment’ for 5G Security

Lanowitz said these opposing beliefs — 5G security is inherently more secure and inherently introduces more threats — were “the biggest aha moment from the data.” It illustrated that customers need a better understanding of how a shared responsibility model, like that with public cloud providers, works.

“I’m a big believer in understanding history to understand where you’re going,” Lanowitz said. “And if we look historically at the cloud, 10 years ago, enterprises would say, we don’t have to worry about our application security because we’re running it in name your favorite public cloud.”

This, of course, didn’t work out as enterprise customers expected. While cloud providers are responsible for protecting their public cloud infrastructure and implementing logical controls to separate customer data, the customer is responsible for configuring application-level security controls and for protecting its workloads running on cloud servers.

5G Security Shared Responsibility Model

In other words, both the cloud provider and the customer have a shared responsibility when it comes to cloud security — and the concept of this shared responsibility model is something that, even 10 years later, many companies still don’t understand.

“Now we’re in that same position with 5G,” Lanowitz said. “5G is such a piece of revolutionary technology and is more secure than any previous generation of network. I think many people look at that and say, ‘5G security is good enough. I'm not going to have to worry about anything at all that I put on that network.’ And we know that there is really a shared responsibility model that goes along with that.”

This means the customers remain responsible for everything they put on the network. “That includes all of those endpoints, the IoT devices, MEC devices, and so on,” Lanowitz said. “You’re also responsible for the applications that you’re putting out there. You’re responsible for the security of the data that you are creating on that network and storing.”