
The Challenges of API Security in the Telecoms Industry

Image Credit: Radachinskiy/BigStockPhoto.com

Telecommunications providers hold a wealth of sensitive data, provide vital communications infrastructure, and have frequent interactions with third parties, making them a high-value target for malicious actors. These providers are indispensable in keeping the world connected, as their networks support economies and businesses of all sizes.

A successful cyberattack on a telecoms provider can have far-reaching consequences for both the company and its customers. So far in 2023, we have seen over 74 million private records of AT&T, T-Mobile, U.S. Cellular, and Verizon customers spilled onto the dark web. There are financial consequences to consider as well, with the average cost of a data breach in the telecoms sector reaching $3.9 million in 2023.

One type of attack that has risen significantly in the past couple of years is application programming interface (API) breaches. APIs are the primary way telecom providers interact with their customers, partners, and devices, making securing them essential. As API abuses become a more common attack vector, organizations are forced to re-evaluate their approach to network and API security.

API breaches: the weak link in telco security

In recent years, hackers have increasingly targeted the telecoms industry. Telecom operators are the second most targeted industry for cyberattacks, after the financial sector, according to the 2022 World Economic Forum Global Risks Report.

When telcos share highly sensitive data without adequate protections in place, then a cyberattack is almost inevitable, and the massive, lasting ripple effects of a breach can be catastrophic. Customers’ financial information, location data, and usage data can all be weaponized by hackers once accessed. In September 2022, Australian telecoms company Optus made the mistake of neglecting API security, resulting in a breach that exposed over 9.8 million customers’ names, driver's licenses, passports, and more.

T-Mobile recently revealed that an attacker had started targeting an API and stealing customer data back in November 2022. By the time the breach was spotted and the attacker's access was cut off in January 2023, data for 37 million accounts had been stolen. The company ultimately paid $350 million to settle class-action lawsuits brought over the attack – showing that while the average cost of a data breach in the telecoms sector is relatively low, the secondary impact could have much more weight. Both of these instances are prime examples of why telcos need to start paying attention to API security now, safeguarding all aspects of their networks before a breach occurs to protect customer data and minimize the risk of future reputational and financial damage.

The use of third-party applications is another reason why telcos are especially susceptible to data breaches. Providers are increasingly using APIs to connect with third-party applications and services, allowing access to key network capabilities. This heightens the threat of data exposure and enables hackers to gain unauthorized access to user accounts. Furthermore, APIs can be used to commit fraud through unauthorized charges or stolen personal information.

Ensuring customer trust is a staple for any company. However, given their number of users and the amount of personal data they hold, telecom providers and mobile carriers have a deeper responsibility to actively protect sensitive information. These companies have the power to implement API security to further protect customers’ information, so what’s holding them back?

The key challenges of implementing API security

Lack of awareness

When it comes to API security, knowledge is power. Unfortunately, many telecom providers don’t have an in-depth understanding of the risks, which can lead to vulnerabilities being overlooked.

Because API security is a relatively new priority, many providers are still learning about risks and best practices, permitting cyber criminals to have a field day. Moreover, new APIs are being developed all the time. This can make it difficult for companies to ensure they’re staying on top of their attack surface.

Third-party dependencies

Notably, APIs are built on top of open-source technologies. Telecom companies also often rely on third-party APIs to provide services to their customers. These external dependencies can introduce additional risks that make it difficult to ensure overall security. As organizations take on more vendors and suppliers (like third-party APIs), supply chain security becomes increasingly difficult to maintain.

Infrastructure complexities

With a wide variety of interconnected systems and devices, telco networks are massive and highly complex, making it difficult to identify and secure all components, including APIs. Their infrastructure has also stayed relatively unchanged, and their protocols and technologies don’t have the same level of security as modern ones. As a result, exposing the functionality delivered by these legacy systems and protocols to the internet without taking absolute care to ensure you’re adding appropriate layers of security can have serious consequences.

How can telcos overcome these challenges?

Telecoms providers have enough to worry about – API security doesn’t need to be added to the list!

Identifying and assessing risks

For telcos, the first step to strengthening security is gaining a comprehensive understanding of how many APIs they have, and what they do. This typically involves thorough inventory checks, API discovery and mapping exercises, and robust asset management practices.
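The following example is added here and is not from the original article: it shows one form an API discovery exercise can take, comparing the routes seen in gateway traffic with the documented inventory and listing routes that are undocumented or answered successfully without credentials. The log format, endpoint names and sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed inventory: the endpoints the provider believes it exposes.
DOCUMENTED = {("GET", "/v1/customers/{id}"), ("GET", "/v1/plans"),
              ("POST", "/v1/customers/{id}/sim-swap")}

# Constructed gateway log lines (hypothetical format: method path status auth).
SAMPLE_LOG = """\
GET /v1/customers/48213 200 auth=bearer
GET /v1/customers/48214 200 auth=bearer
POST /v1/customers/48213/sim-swap 202 auth=bearer
GET /v1/plans 200 auth=none
GET /v0/customers/48213/identity-docs 200 auth=none
GET /internal/debug/subscribers/9f1c2a44-7d0e-4b6a-9c3e-5a1b2c3d4e5f 200 auth=none
GET /v1/customers/48213/billing 401 auth=none
"""

LINE_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>/\S*) (?P<status>\d{3}) auth=(?P<auth>\w+)$")
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def normalise(path):
    """Drop the query string and collapse numeric/UUID segments to {id}."""
    parts = path.split("?", 1)[0].split("/")
    return "/".join("{id}" if p.isdigit() or UUID_RE.match(p) else p for p in parts)


def discover(log_text):
    """Return {(method, route): {"hits": n, "unauth_ok": n}} for parsed lines."""
    seen = defaultdict(lambda: {"hits": 0, "unauth_ok": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        key = (m["method"], normalise(m["path"]))
        seen[key]["hits"] += 1
        if m["auth"] == "none" and m["status"].startswith("2"):
            seen[key]["unauth_ok"] += 1  # answered successfully with no credentials
    return dict(seen)


def review(log_text, documented):
    """Return (undocumented routes, routes served without auth, unused documented routes)."""
    seen = discover(log_text)
    undocumented = sorted(k for k in seen if k not in documented)
    unauthenticated = sorted(k for k, v in seen.items() if v["unauth_ok"])
    unused = sorted(documented - set(seen))
    return undocumented, unauthenticated, unused
```

Calling review(SAMPLE_LOG, DOCUMENTED) on the sample data flags the /v0 and /internal routes as both undocumented and reachable without authentication, which are the entries an inventory check would escalate first.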

Maintaining a holistic view

Having defined an accurate picture, telcos can more easily identify potential vulnerabilities and assess the security risks associated with each API. As part of this, it's fundamental for telcos to maintain a comprehensive overview that considers their entire API ecosystem. This involves looking at more than just individual APIs in isolation and evaluating the interconnected systems, dependencies, and integrations that APIs rely on.

When conducting scans using automated tools or manual processes to identify security vulnerabilities, organizations must look at the bigger picture and search for possible security weaknesses that may arise from API interactions and dependencies with other components.

Layering security solutions

To maintain this holistic ecosystem, it is important to note that using just one security solution isn't enough to prevent API exposures. Telecom providers must look to layer them. Implementing multiple layers of security such as robust authentication, encryption, access controls, and intrusion detection systems can strengthen and create a more resilient API ecosystem for businesses.

Updating API documentation

Documentation helps organizations track APIs, functionalities, and security requirements, ultimately helping developers and administrators understand the purpose and potential vulnerabilities of each API. Telcos should prioritize establishing processes and guidelines when documenting APIs, including version control, access restrictions, and regular updates. Luckily, documenting isn’t as laborious as it once was. Now there are tools that auto-generate documentation for API endpoints, streamlining the process and increasing overall security by removing the human element.

Practicing continuous security

Cybercriminals are constantly adapting their tactics, making it necessary for telcos to do the same. Moreover, the telecoms industry is fast-moving – regular technical updates to APIs, systems, and networks mean security can’t be a one-time thing. Companies should adopt a continuous monitoring approach, rather than relying on yearly security assessments. This typically includes regular vulnerability scans and penetration tests.

Despite the challenges, it’s important for telecom companies to implement API security to better protect their customers and their networks. By following these best practices, telcos can help mitigate the risks of API attacks, protect their customers' data, and avoid deep financial losses.

Author

Andy Hornegold is the VP of Product at Intruder. He has an extensive background in technical security consulting specializing in offensive security and red team operations, through which he has honed threat emulation and cyberattack simulation skills. Previously, Andy was the EU Red Team Operations Lead at Mandiant.
