ForgeRock: Security and the future of passwords in telecoms

Matt Berzinski, Senior Director at ForgeRock, explores key sources of vulnerability in the telecoms industry and how organisations can protect themselves

Telecommunications, like many other industries, has evolved rapidly over the last few years through necessity. The pandemic induced a mass shift to digital, with even the less technologically savvy demographics forced to work and live online. And for all its benefits, this increase in digital adoption has been a blessing for opportunistic cyber hackers and a curse for unprepared telecommunications and media companies, Matt Berzinski, Senior Director at multinational identity and access management software company ForgeRock, says.

Employees have been granted work-from-home and flexible benefits, made possible by a sprawling and growing web of connected and cloud devices. In turn, Berzinski says, not only are insider risks more acute, but many honest employees are completely unaware that they themselves have become a company’s main threat. According to a report by Malwarebytes, 20% of companies were breached due to remote workers in the first three months of the pandemic lockdown. And, with training in cybersecurity not a widespread requirement, those who do receive it might not take it seriously or action it effectively, especially when working from home.

Ever since the TalkTalk hack in 2016, cybersecurity has been near the top of every telecom company’s boardroom agenda, with big improvements made since the attack. Most recently, a new code of conduct now requires telecoms firms to ensure the safety of network equipment and data, lapses in which could otherwise lead to the theft of sensitive data. But, as Berzinski stresses, the pace at which the threat landscape evolves means security teams need to re-think just how vulnerable other access points are. Here, he explores key sources of vulnerability in the telecoms industry and how organisations can protect themselves.

What if we could remove a major threat vector completely?

The telecom industry keeps the world connected, and leaders operating within these organisations need to realise that no threat can be tackled in isolation. A widespread change in how these firms approach employee identity authentication has the potential to take a threat vector off the table for both consumers and employees for good. That approach is passwordless authentication. 

Understanding the threat landscape

As consumers demand better experiences, faster connectivity, easier access, and instant gratification, the risk of a security vulnerability grows. For example, the acceleration of the connected home and Internet of Things devices provides a growing list of avenues for hackers to exploit. The risk is compounded by the ability to hop from a device through a network that has access to something critical.

Poor entitlement access management can invalidate a company’s strategy meant to control, monitor and secure which identities are able to access resources, thus expanding the attack surface. Imagine the number of employees at a telecom firm with unnecessary access to sensitive information just because that organisation set blanket permission settings. Hackers only need one point of entry through one vulnerability. Leaders need to start paying closer attention to their own employees to secure what should and shouldn’t be accessed.

In such a hotly contested market, it is imperative to put a robust identity governance technology in place so that employees only have access to the assets they require for their job, protecting infrastructure and assets. Given that telecoms companies control critical infrastructure that so many depend on, should a data breach of a mobile network take place, the repercussions would be fierce. If that breach results in a ransom demand and an outage for millions of customers, it could lead to extortionate fines and reputational damage that could collapse a firm.

Employees play a primary role in protecting their company and security is something they must be accountable and responsible for. We need to ensure they understand the risks and are able to spot potential attacks, even if they don’t understand the technicalities. We must minimise human error and misjudgement as much as possible. 

The promise of passwordless authentication

We all know passwords are a major problem. That’s why passwordless authentication is growing in popularity. Removing passwords from the authentication process can significantly reduce the ability of many hackers to gain access to a system. If no passwords exist, phishing attacks are rendered useless, hackers can’t use brute force to try to guess a password, nor could they socially engineer a password: they simply have to find another way to gain access.  

While organisations move to passwordless technology, deploying single sign-on coupled with advancements in AI such as contextual risk signals, and a plethora of more secure authentication techniques, can help supplement the security of a password-based logon. In this environment, AI would process the contextual signals to develop a risk score, and if the authentication attempt is deemed risky it could prompt for a second authentication factor or block the authentication attempt altogether. Thanks to breakthroughs in AI, not only does most of this happen in the background but the accuracy allows for a seamless user experience.
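The decision flow described above, sketched as an added example (not code from ForgeRock or from the article): a fixed weighted sum stands in for the AI model, and the signal names, weights and thresholds are all assumptions chosen for illustration. A signal the client failed to report is scored as risky, so suppressing telemetry never lowers the score.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed weights; in the article's description a trained model produces the score.
WEIGHTS = {
    "new_device": 35,
    "impossible_travel": 40,
    "unusual_hour": 10,
    "anonymising_network": 25,
}
FAILED_LOGIN_WEIGHT = 15  # per recent failure, capped at three
STEP_UP_AT = 30           # assumed threshold: prompt for a second factor
BLOCK_AT = 70             # assumed threshold: refuse the attempt


@dataclass(frozen=True)
class LoginContext:
    """Contextual signals for one logon attempt; None means 'not reported'."""
    user: str
    new_device: Optional[bool] = False
    impossible_travel: Optional[bool] = False
    unusual_hour: Optional[bool] = False
    anonymising_network: Optional[bool] = False
    recent_failed_logins: int = 0


def risk_score(ctx: LoginContext) -> int:
    """Return a 0-100 score; missing signals count as present (fail closed)."""
    score = FAILED_LOGIN_WEIGHT * min(max(ctx.recent_failed_logins, 0), 3)
    for signal, weight in WEIGHTS.items():
        value = getattr(ctx, signal)
        if value is None or value:
            score += weight
    return min(score, 100)


def decide(ctx: LoginContext, password_ok: bool) -> str:
    """Map the first-factor result and risk score to an authentication outcome."""
    if not password_ok:
        return "deny"          # risk scoring never rescues a failed first factor
    score = risk_score(ctx)
    if score >= BLOCK_AT:
        return "block"
    if score >= STEP_UP_AT:
        return "step_up"       # ask for a second authentication factor
    return "allow"
```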

Of course, for this to work, major software companies would have to deploy the technology for programs that telecoms companies rely on. But as an ambition, the industry should remove password authentication wherever it can. There are even techniques for accessing the most legacy terminal emulators and command prompt interfaces with passwordless capabilities today. Many of the older systems that telco organisations rely on to deliver their service wouldn’t even be able to detect if a hack is in progress with a simple password authentication. That’s why telecom firms need to take this major source of vulnerability off the table. It won’t be a quick process, but standards are aligning, and the more companies understand what’s possible, the faster change will come.
