Why executives can’t afford to ignore 5G security

(Image credit: Future)

We have already experienced the first wave of 5G deployment from mobile network operators (MNOs). While the commercial opportunities are clear - increased bandwidth, capacity and speed - board members need to wrap their heads around the new security risks circulating this investment. Compared to other generations of networks, 5G is pivotal to an ecosystem of connected devices and applications, making it more dangerous if not secured. It goes beyond users having trouble with their internet, at its worst it could become a matter of national security.

Although tagged as the “next-generation” network, 5G is currently built on the infrastructure of previous generation networks. That means, cyber criminals can exploit security vulnerabilities in signalling protocols (SS7, Diameter and GTP) from 2G, 3G & 4G which can be used to intercept calls & SMS, track user location and strip users of service. 

With security flaws embedded in the network themselves, it is concerning that security is appearing more on the news agenda than on the boardroom agenda. According to Gartner, mobile operator executives priorities shareholder value, sustainable growth and scoping out new growth opportunities over security, risk management & improved digital skills at board level. This is despite the fact that a cyber attack can impact the overall success of the business in terms of revenue and growth. 

Therefore, while it is understandable that telecom operators are wanting to improve network performance and explore the new business opportunities made possible by 5G, it’s incredibly important that they do not neglect previous generation networks. To drive this point home, this article will outline the rippling side effects of a cyber attack for an operator’s bottom line. This includes the impact of instilling doubt in consumers and damaging the company’s brand reputation which can impact share price and sacrifice the company’s position in the market. Because of this all boardroom members - and certainly not just the CISO - have a shared responsibility for improving their network’s security and safeguarding their customers.

Regulator fines and stock price

" In February 2018 more than £114 million was wiped off the value of TalkTalk following its infamous cyber attack."

Dmitry Kurbatov.

When it comes to the protection of information assets and IT infrastructure, governments and regulators are holding board members accountable and increasingly challenging them to actively demonstrate governance in this area. Under GDPR, all European businesses have to disclose the details of the breach to regulators and affected parties or face a fine of up to €20m (£17m) or 4 percent of turnover. 

These are not idle threats, we have already seen the willingness of regulators to act on them. TalkTalk’s data breach and they were slapped with a £400,000 Information Commissioner's Office fine. Whereas, T-Mobile customers and Experian reached a settlement, which required the credit monitoring company to pay $22 million to exit a data breach class action. However, when it comes to the toal cost of a data breach, regulator fines are only the tip of the iceberg. 

Once a cyber incident breaks, there is an immediate impact on the market value of a company, which is obviously bad news for shareholders and board members. In February 2018 more than £114 million was wiped off the value of TalkTalk following its infamous cyber attack, which was undoubtedly far more significant for the company than the eventual fine and came with little warning, with shares falling by as much as 14 per cent in early trading, and closing 9.8 percent down at 108p.

Impact to revenue and profit

Another immediate financial impact of an attack is of course the loss out on revenue stemming from network downtime as a result of a denial of service attack. These attacks are becoming more common and according to our research, 100% of 4G networks are susceptible to denial of service attacks, which 5G is not immune to. However, the unfortunate truth is that revenues will continue to be effective long after network operation is restored due to the reputational damage caused. 

The overall cost of brand damage is difficult to quantify, however there is proof that a data breach directly results in customer churn. When a breach occurs, 75 percent of customers lose trust and nearly a third terminate their relationship with the organisation. A Ponemon Institute study found companies that experienced a breach saw an increase of up to seven percent in customer churn, equating to millions of dollars in lost revenue, a real hit to the bottom line. 

We know that TalkTalk lost over 100,000 customers following their incident and brand reputation can take years to rebuild. What is clear is that, while regulator fines are often in the news, there is a much more significant hidden cost to data breaches. Overall, with all of these factors considered, it is estimated that the total cost of the TalkTalk data breach was £77m.

Security priorities for telecom operators

"As well as reacting to attacks, board members need to adopt a more prepared, offensive strategy, giving them full visibility of the network to detect and prevent security breaches."

Dmitry Kurbatov.

To avoid losing customers and revenue to competitors, telecom operators need to be aware of the security risks within their networks and to monitor and track them vigilantly so they can avoid a major incident. Telecom operators need to be extra vigilant as cyber criminals can take advantage of flawed protocols within networks in multiple ways, such as:

Board executives need to be aware of these cyber threats, not the least because it is the executives who are in the spotlight following an attack. They need to have a direct involvement in determining the response to defend and mitigate the impact of attacks, as the buck ends with them. 

Once a company is hit, a company’s incident response plan which addresses and manages the aftermath of an incident will directly impact its reputation even after the dust settles. We still remember high profile attacks such as TalkTalk and the way they handled the cyber incident. Whilst no business is immune to attacks, the goal is to handle the situation in a way that limits both short-term and long-term reputational damage and reduces recovery time and costs. Preparation, transparency and communication is key. 

Develop a prepared, offensive strategy

As well as reacting to attacks, board members need to adopt a more prepared, offensive strategy, giving them full visibility of the network to detect and prevent security breaches. Companies that highlight security as an integral part of their brand story and implement the most up to date security measures to protect against attacks will fare better with investors/consumers and will rebound from the event more quickly and more effectively. 

Although every mobile operator has their eyes set on 5G to boost their competitive edge in a fast-changing industry, it's important that they recognise that any “lead” they do manage to achieve through fast deployment could be completely undone by just one cyber attack. Beyond the fines they would experience, consumers are increasingly aware of cyber attacks and it does impact the brands they choose to trust. While deployment is the priority right now, the operators are putting an emphasis on security could well define the overall winners and losers of 5G adoption in the telecom industry. 

Dmitry Kurbatov

Dmitry Kurbatov holds a degree in information security of telecommunications systems from Moscow Technological University (MIREA). He worked as a network engineer for system integrators from 2006 and joined Joined Positive Technologies in 2010.  After developing an automated security analysis system, he switched to telecom security, researching a range of vulnerabilities in network equipment, including errors in data transfer network design, protection of signalling protocols (SS7, Diameter, GTP), through to IoT security. Since 2014, he has been Director of Telecom Security at Positive Technologies.