scroll it

4 Steps for Telcos to Improve Their Risk Management Stance by Aligning with the Telecommunications Security Act

Tom Simmonds
0% read

The Telecommunications Security Act was first enacted in November 2021 with further guidance coming a year later across the United Kingdom, pushing for stronger cyber security practices among those that connect residents and businesses with voice, data and beyond. The Act, which includes substantive amendments since the original Communications Act 2003, makes a push for cyber resiliency across critical infrastructure. It formalises disclosure requirements for the largest of telco operators and stipulates requirements that will enable them to (hopefully) bounce back quickly in the aftermath of a cyber incident. 

Telcos covered under the Act must meet several key measures by 31st March 2024. Over the months in between, enterprises operating in the space should consider the following tools and methods, which may enable them to meet or exceed the requirements.

1. Improved Testing of Headless APIs

The use of headless application programming interfaces (APIs) is growing as companies build more communication connections between B2B, B2C and B2G technologies. But not all API endpoints are accessible via a web UI, making it difficult to test them during a web app pentest. Taking an adversarial perspective to documenting and testing these hidden endpoints is critical to understanding the risk in your headless APIs. 

Organisations need to regularly test their interfacing API endpoints, with full transparency into attack traffic being a critical requirement to the desired outcome of reduced API risks. 

2. Regular Infrastructure Testing and Analysis

The explosive growth of and demand for 5G networks has increased the number of linked third parties in the supply chain for said networks, which has greatly expanded the attack surface among telcos dependent on them. Testing internal and external networks are an essential component to maintaining good infrastructure security. Continuous testing of the links between 5G networks can ensure that information security teams are aware of the most critical vulnerabilities and are prioritising patching with haste.

3. Open Source Intelligence (OSINT) Reports to Harden the Security of the Supply Chain

OSINT reporting is utilised by organisations to gather information across network, web and human sources. The collected data can be useful in reporting on an orgnisations’ external digital footprint. Knowing which weaknesses are noticeable to the outside world can provide telecom security teams with an actionable shortlist of vulnerabilities to prioritise for remediation and reduce brand risk overall. OSINT is also useful in assessing potential third-party partnerships for any existing vulnerabilities that might jeopardise either company’s security posture.

4. Actionable Insights from a Managed Vulnerability Disclosure Program (VDP)

Also known as Responsible Disclosure Programs, VDPs allow members of the public to submit any kind of vulnerability found — cyber or kinetic — to companies, governments or other organisations. A managed VDP refers to such programs which are managed by a trusted third party with capabilities to triage reported vulnerabilities. Ideally, the third party also maintains expertise in dealing with security researchers, who are often the submitters to such programs.

Action Is Needed to Become Compliant with Telco Requirements

Security leaders that take action in the above mentioned areas should reap outcomes that include exploring the attack surface for unknowns with OSINT, VDP reporting and stronger infrastructure and headless API testing. 

The Synack Platform empowers hundreds of enterprises and government agencies with continuous security testing so they can find the vulnerabilities that matter now while getting to the root cause of vulnerabilities and track improvements over time. Read more about the Synack Platform or click here to book a one-on-one demo to see how Synack can help your organisation become compliant with the Telecommunications Security Act.