The UK Government is introducing new telecoms security regulations and an accompanying draft code of practice in Parliament, reflecting that the threat of cybercrime is as strong now as it has ever been.
Although many other macro issues are occupying the news and our daily lives at the moment, chief among them the cost-of-living crisis, we cannot forget that we are also living in a time when cybercrime is as high as we have ever seen it.
Telecoms is one sector that is particularly vulnerable. Operators are a big target for cyber-attacks because they build, control and operate critical infrastructure that is used widely to communicate and store large amounts of sensitive data.
The past few years have shown an almost continuous rise in both the number and sophistication of cyber-attacks. The digitisation of business means a larger part of the economy is a potential target, and this was accelerated by more people working from home during the Covid-19 pandemic. Attacks are also increasing as the number of connected devices grows and cloud use expands. The number of attacks, and the impact they have, has grown further because of cybercriminals' increased professionalisation and automation, and the limited risk of their being caught. We can therefore expect the cyber threat to continue to rise towards the end of 2022 and into 2023.
Changes in place for October 2022
Under the new UK telecoms security regulations, announced on 31 August 2022, from October 2022 UK telecoms companies face fines of up to 10% of their turnover if they do not follow industry best practice in protecting their networks from cyber-attacks. With the introduction of the new rules, Ofcom will be responsible for overseeing and enforcing the new code of practice.
These regulations and the draft code are intended to address risks to the security of the UK’s public telecoms networks and services and have been developed in conjunction with the National Cyber Security Centre and Ofcom.
For ongoing issues, companies could face further fines of up to £100,000 per day until the problem is resolved. The regulations will be among the strongest in the world and will provide tougher protection for the UK from cyber threats which could cause network failure or the theft of sensitive data.
Utilising a tier system
The accompanying code of practice places telecoms providers into three ‘tiers’ according to their size and importance to UK connectivity (the smallest providers see softer regulation).
Tier 1 providers are the biggest players (e.g. BT, Vodafone, Virgin Media/VMO2, etc.), while Tier 2 providers are medium-sized players (Hyperoptic, Zen Internet) and Tier 3 reflects the smallest companies (those that are not micro-entities).
One catch is that some smaller providers may supply parts of networks and services owned by larger Tier 1 or Tier 2 providers. In that case, the regulations stipulate that where a provider acts as a third-party supplier to another provider, they must take security measures that are equivalent to those taken by the provider receiving their services.
Currently, telecoms providers are responsible for setting their own security standards in their networks. However, the government’s Telecoms Supply Chain Review found that providers often have little incentive to adopt the best security practices. Made under the Telecommunications (Security) Act, which became law in November 2021, the new regulations give the government the power to set security standards for mobile and broadband networks.
Growing reliance on mobile is encouraging attacks
Mobile devices and networks continue to be a target of cybercriminals as well. The number of mobile malware attacks is likely to increase as the use of mobile productivity apps, banking and payment platforms, and data storage solutions continue to grow.
During 2020 and 2021, new security threats emerged that try to exploit the growing reliance on mobile devices. Mobile malware, and specifically banking trojans, is aimed at intercepting text messages on devices, compromising two-factor authentication that relies on those messages.
Cyber threat especially relevant to the telecoms industry
Telecommunication companies are a major target for cybercriminals and nation-state actors because they build, control and operate critical infrastructure that is used to transmit and store large amounts of sensitive data. Securing client data is therefore a key component in protecting the operator brand. The surging complexity of networks increases the complexity of cybersecurity, and virtualisation means networks become more vulnerable to software-based attacks.
Operators also have to be able to identify when anomalous activity is taking place and be able to report it, as well as take account of supply chain risks and make changes to the operation of their networks and services to enhance security.
With internet availability critical to both businesses and home workers, any downtime can cause significant disruption and business loss. Such regulations are an important step in securing our digital supply chains and making UK organisations more resilient in the face of increasingly sophisticated cyber-attacks.
Wider cyber landscape
In March of this year, the National Cyber Security Centre (NCSC) issued advice to organisations following Russia’s attack on Ukraine. This guidance was non-specific but included a list of actions that should be taken to improve an organisation’s cyber threat resilience.
These actions covered topics such as (not exhaustive):
- ensuring your systems are patched.
- reviewing the business case for any systems that remain unpatched.
- ensuring anti-virus software is correctly installed, with signatures that are regularly updated.
- ensuring effective firewall rules are in place.
- confirming that you take regular backups and regularly test that they can be restored.
- ensuring your staff are adequately trained.
In addition, as of October 2022 following this new UK Government announcement, telecoms providers will be legally required to:
- protect data stored by their networks and services, and secure the critical functions which allow them to be operated and managed.
- protect tools which monitor and analyse their networks and services against access from hostile state actors.
- monitor public networks to identify potentially dangerous activity and have a deep understanding of their security risks, reporting regularly to internal boards.
- take account of supply chain risks, and understand and control who has the ability to access and make changes to the operation of their networks and services.
Fortunately, despite the conflict between Russia and Ukraine, the UK has not seen anything like the scale of cyber-attacks that we all imagined. The UK media reported a suspected Russian Distributed Denial of Service (DDoS) attack against a UK-based cryptocurrency, but this has not been confirmed by the authorities. However, while the conflict continues, so does cybercrime.
In July, the NCSC reminded organisations that the threat from cyber-attacks remains and that they should prepare for the long haul, encouraging organisations to keep their guard up and stay alert to staff burnout. The focus was clearly on people resilience: empowering staff to make day-to-day operational decisions about threat response, spreading workloads across teams and individuals, and ensuring adequate time to take breaks and recharge.
The cyber landscape remains a complex one. Organisations are still recovering from the pandemic while adjusting to the new normal of hybrid working and an economic fuel crisis as winter approaches. The future is certainly a challenging one.
Capita offers a wide range of cyber security solutions that seek to simplify your understanding and empower you to reduce your cyber risk profile. If we can help you in any way, please do not hesitate to reach out.