UK Government Lays Out Plans To Protect Telecoms Networks Against Cyber Attacks

We generally welcome this initiative. As demonstrated by both GDPR and CCPA for privacy in the EU and US, respectively, government regulations with the ability to levy fines make a real difference in how seriously companies address what is, up to that point, a self-regulating industry. As with the aforementioned regulations, the devil is in the details. Rather than tick-the-box compliance with generic guidelines, specific recommendations and requirements will require organisations to remediate any deficiencies they may currently have. While there are several important aspects to the legislation, we particularly welcome how the legislation requires that penetration testing includes regularly simulating real techniques that might be used in an attack on the network. Continuous security control validation is the only way to truly ensure the organisation’s resilience to malicious attacks. Of course, other parts of the legislation are just as important; notably, the safety-by-design, similar to privacy-by-design, will require organisations to reconsider how some of their legacy networks and systems need to be redeployed. Shorter patching cycles and incorporating signals from threat intelligence feeds are a welcomed requirement – to reduce the gap from when a new vulnerability is discovered – to when the organisation addresses it. All of these ultimately help protect the consumers.