It’s no secret that, in recent years, the race has been on to keep up with cyberattackers. Indeed, the proportion of firms worldwide experiencing a data breach exceeding US$1 million in the past three years has increased from 27% last year to 36% now, according to a recent PwC report.
As one example, supply-chain attacks are posing an increasing risk to organisations. However, only slightly more than one in 10 UK businesses review the risks posed by their immediate suppliers, and just 7% review the wider supply chain, according to a 2022 report by the UK’s National Cyber Security Centre.
The onus is thus growing on communications providers to ensure that their own and their customers’ networks are fully protected. In the UK, that’s even more the case since the country’s Telecommunications Security Act came into force in late 2022, calling for stronger resilience from telecoms players in protecting their networks and equipment, as well as boosting their third-party risk-management processes.
Time for a rethink
This combination of effects has led to a transition in how wholesalers approach security, says Andrew Napier, head of cloud and security products at UK wholesale provider PlatformX Communications (PXC). He notes that such players often used to consider themselves merely as the service-delivery mechanism for the internet, without a responsibility to police the web. However, both regulations and global trends in security breaches have caused them to rethink their role.
“It’s a big sea change in how wholesale telecoms providers look at security,” says Napier. “They’re now much more on the hook for the security of the equipment they provide. If someone can organise a DDoS attack that threatens to take down an internet service provider, that means huge reputational damage and headlines, and impacts on share price: it’s super-visible.”
Furthermore, Napier points out, it’s in the interest of wholesale providers to boost security. On top of that, they are facing a challenge of how to reduce churn, while increasing average revenue per user and margins.
“One of the ways to do this is to onboard security products,” says Napier. “There needs to be a mindset change in the telco space that getting involved in security has substantial side benefits for our resellers. One is that they gain a more granular understanding of what their customers are using connectivity products for and can thereby offer better levels of customer service.”
The challenge for UK telco resellers and businesses is how to quickly pivot into security if they lack significant experience in that area. Some view it as an extra cost and as hard to implement rather than as providing scope to offer value-added services, says Napier.
Guards up
Yet some options already exist. For instance, PXC, which rebranded from TalkTalk Wholesale Services and Virtual1 this March, has been investing for many years to protect its own and customers’ networks and services. “We’ve already made multimillion-pound investments in tools, systems, people and processes to keep our network assets secure, with the goal of increasing uptime for our network customers,” says Napier. “We understand security on a granular level.”
Lee Walker, head of cloud and security sales at PXC, backs this up. “I think it’s fair to say that we’re our own best case study,” he says.
Conversations with partners aiming to enter the cybersecurity space have flagged up sizeable investment barriers, leading PXC to launch security services tailored for the wholesale market.
“This will allow partners to leverage our investments, reducing their initial costs,” says Walker. For providers that face growing complexities in the threat landscape, new tools often lead to management difficulties and higher overheads. “We have solutions for this as well. For example, our partnership with Acronis’s Cyber Protect Cloud platform addresses this by consolidating tools, reducing costs and streamlining operations through APIs.”
One platform that PXC provides, 1Cloud, allows partners to consume compute resources alongside secure data storage and virtual service edge firewalls so they can build secure applications within the heart of their networks. The company’s cloud services can be easily scaled through its 1Portal, a platform that provides full visibility of all services available to customers, and allows them to manage and configure services in real time.
Using a virtual firewall hosted in PXC’s 1Cloud rather than a physical device removes many logistical issues faced by customers. There is no need for disruptive installation by engineers and it can be delivered ‘as-a-service’ via a monthly subscription rather than customers being charged up front. As a managed service, firewalls are updated with the latest version of vendor firmware once it’s tested and certified as bug-free. Critical vulnerability patching also keeps customers secure. Furthermore, service-level uptime agreements for cloud-based virtual firewalls are stronger than those offered by physical firewalls, explains Napier.
Another PXC offering is managed DDoS mitigation, for which the firm is drawing on its earlier investments in building out the same NetScout-based platform that defends its own network. The automated service is backed by global threat intelligence, with the ability to identify attacks before they hit. It also benefits from the support of the PXC security operations centre in ongoing attack mitigation, meaning customers save on downtime, lost revenue and, ultimately, a damaged brand.
Meanwhile, within the 1Portal, PXC is introducing more security services and enhancing automation.
User-facing
But apart from the security services themselves, a further consideration today is how they are structured and made available to end users.
In line with the fast-transitioning market, PXC therefore plans to launch, in the first half of next year, an end-user-facing version of the 1Portal that it offers to resellers.
Napier explains that when an end user currently wants to make configuration changes to network products such as PXC’s software-defined Ethernet or add services, they need to go through the reseller first. That means those requests can take time to be implemented, rather than end users being able to make changes immediately.
“We have SDN functionality built into our network that provides resellers with the tools to make changes, upgrade bandwidth and so on without having to talk to us because it’s all automated,” says Napier. “The idea is, wouldn’t it be great if we had an end-user-facing portal that the reseller could allow access to so their customers can have access to the same SDN tools as them?”
Such an offering will give end users more control over their services. It will also improve visibility, as the direct connection with such users will provide more insight into how they use the portal and their needs. Napier explains that partners will have the choice of how visible they make the platform by integrating it directly into their own portals or connecting to it via APIs.
The right balance
Another challenge with wholesale security services is striking a balance between keeping them simple enough for a broad spread of users while allowing enough flexibility to provide added value and avoid presenting a one-size-fits-all proposition.
Napier says things are moving towards the “portalisation” of security in one-stop platforms, with orchestration and visibility high up the list of user needs. “It’s important to be a bit more fluent in the options we present during the security journey,” he says.
“It’s about making these services easy to consume for the person on the street,” adds Walker. He says it’s important to give partners the ability to come to players like PXC for the underlying security infrastructure, but also enough control to deliver their own value proposition.
“We need to be able to provide in-depth guidance on how to take these services to market and manage them on behalf of customers.”