There is a significant gap between enterprises’ high expectations that their communications service provider will provide the security needed to protect them against voice and messaging scams and the level of security those CSPs offer, according to telecom and cybersecurity software maker Enea.

Bad actors and state-sponsored threat groups, armed with the latest generative AI tools, are rushing to exploit that gap, a trend that is apparent in the skyrocketing numbers of smishing (text-based phishing) and vishing (voice-based frauds) that are hitting enterprises and the jump in all phishing categories since the November 2022 release of the ChatGPT chatbot by OpenAI, according to a report this week by Enea.

The report, “Mobile Network Security: Bridging the Gap Between Enterprise Needs and CSP Capabilities,” paints a picture of a highly connected world, rapidly evolving mobile networks, and software-based data center networks that is driving significant innovations and services but also are making mobile networks and the enterprises that use them more vulnerable.

“We’ve observed the rapidly evolving threat landscape with growing concern, particularly as AI-powered techniques become more accessible to cybercriminals,” John Hughes, senior vice president and head of network security at Enea, said in a statement. “The stark increase in mobile fraud, particularly following the advent of advanced technologies like ChatGPT, underscores a critical need for enhanced network security measures.”

For the Enea’s report, Mobile World Live surveyed 416 organizations, including CSPs, enterprises, and technology vendors. The tech vendors’ responses were filtered out, leaving only the other two groups. CSPs accounted for more than 70% of responses, with enterprises filling out the other 30%.

Bad Actors Exploit Ubiquitous Connectivity

The report’s authors noted the billions of people armed with wireless devices who rely on mobile networks, with the vast connectivity being an attractive target for cybercriminals and nation-state actors who exploit vulnerabilities to run scam or espionage campaigns.

“Such vulnerabilities can be traced to the tremendous evolution the telecoms industry has undergone,” they wrote, adding that once closed and state-controlled ecosystems are now “mobile networks [that] exist in a highly innovative environment where new business ideas and state-of-the-art technologies are continuously integrated. And the value mobile networks provide to individuals and society is far greater today than only a few years ago. But this shift to open and innovation-driven networks has come at a price for security.”

That price can be seen in the numbers. Pointing to a report from Agari and PhishLabs, Enea said smishing attacks last year jumped 381% year-over-year, with vishing scams spiked 500%, according to Proofpoint. What’s more, since the launch of ChatGPT, all forms of phishing have increased 1,265%, SlashNext found.

Enterprises at Risk

This is happening at a time when both enterprises and CSPs are vulnerable. According to Enea, 76% of enterprises don’t have the necessary protections against voice and messaging fraud, particularly now that bad actors are armed with AI-powered capabilities. This had led to 61% of enterprises continuing to sustain significant losses from mobile fraud, with vishing and smishing being most prominent and costly.

At the same time, 51% of enterprises said they expect their telecom provider to protect them against both voice and mobile messaging fraud, adding that the CSPs’ role in providing protection was more important than cloud providers, managed IT companies, systems integrators, or software vendors. In addition, for 85% of enterprises, the question of security plays a crucial role in making spending decisions about CSPs.

The problem is that telecoms may not have the necessary cybersecurity tools in place to keep enterprises safe.

“We found that a large percentage of operator respondents indicated that there were gaps in their capabilities to meet enterprise customers’ needs for security,” the authors wrote.

Cybersecurity Lacking

That includes only 59% having implemented a SMS or multi-protocol firewall and only 51% said they have a signaling firewall in place. In addition, 46% have a threat intelligent service and another 46% have plans to do so. The other 8% have no plans to implement such a service. Only 35% have a security operations center (SOC); 19% have none.

That said, some CSPs are becoming security leaders. Those providers are more likely to detect a breach than those who don’t prioritize security and to see security as a revenue generator. They’re also better understand that telecom cybersecurity capabilities are important to enterprises and likely will have implemented threat intelligence services, according to Enea.

“Maintaining and enhancing mobile network security is a never-ending challenge for CSPs,” the report’s authors wrote. “Mobile networks are constantly evolving – and continually being threatened by a range of threat actors who may have different objectives, but all of whom can exploit vulnerabilities and execute breaches that impact millions of subscribers and enterprises and can be highly costly to remediate.”

Overall, telecoms need to address challenges like a lack of skilled staff and budgets as well as organizational issues that keep them from investing in security. However, those that prioritize cybersecurity are better positioned to compete for enterprise business and generate revenue from those security investments, Enea said.