Welcome to the December blog – a seasonal summary of all of the 2025 security landscape blog posts. In creating this blog post, I was reminded of the breadth of security topics covered and the importance of building and maintaining enduring and pragmatic security defences. So let’s take a look back and, in doing so, prepare for the future.
A single or basic security defence can only do so much to protect against attacks, whereas multi-layer defences can work in concert to provide effective defence.
Some key defensive strategies were identified in the 2025 security landscape report:
- Defensive force-multipliers – the industry is stronger when it acts together.
- Know the network – to defend the network, it is important to understand its infrastructure, underlying technologies, capabilities, data flows, composition, configuration and then simplify and reduce the attack surface, where possible.
- Protect the infrastructure – several key defences are essential, including patching and platform hardening, layered defences, resilience by design, log analysis, threat hunting, least privilege and multi-factor authentication (MFA).
- Supply chain – as many attacks are launched through suppliers, supply chain security is a core consideration and competence now and into the future.
- Consider the future when making today’s decisions – fully assess the emerging security context, core skills and capabilities to make informed decisions.
Attacks that seek to compromise ‘the edge’ can involve targeting devices such as VPNs, firewalls, Citrix environments, servers & routers, ‘jump’ boxes, load balancers, Network Address Translators, proxies, end-points, internet-facing operational technology and out-of-band server management interfaces; especially where their management interfaces are connected directly to publicly accessible internet connectivity. Attacks on the edge, highlight the ongoing need to build strong security defences, including supporting infrastructure and those provided by third parties and managed service providers, and across the whole attack surface and service inventory.
Defining secure-by-design and by-default requirements within the procurement and delivery phases can build an initial security baseline on which to build additional layered security measures.
The June blog outlined some key security principles such as limiting LinkedIn job role descriptors to make it harder for attackers to successfully target administrators, using privileged access management and least privilege to actively limit and manage account permissions and architecting privileged access workstations (PAWs) to limit attack opportunities.
The force multiplier effect for an attacker of a single successful attack providing access across all the target supplier’s customers makes using a compromised vendor an attractive proposition. This potential attack force-multiplier is enabled through a supply chain attack and means that building skills, processes, tools and experience will present an enduring benefit – supply chain security will remain a key security area.
Most existing post quantum cryptography migration advice sensibly points to establishing an inventory of encryption protocols in use. Other early steps include identifying critical systems and then identifying their supporting protocols, risk analysis and prioritisation, developing the transition plan and delivering it. Practical complementary approaches can focus beyond today’s implementations and look at the planned future state of networks and systems. This can include understanding planned technology refresh, vendor product roadmaps and transformation projects.
The human element remains a key security risk. As our technology becomes more secure, attackers often target people as the weakest link. It’s essential to combine robust technical controls with people-centric advice and awareness to protect against social engineering.
The range, velocity and dynamics of the current threat landscape make it challenging to adequately address every threat in every dimension. The effective impact of security interventions can be maximised through a risk management approach. Threat and risk assessment allows identification of the most likely and impactful risks considering the technical security threats to which the business may be exposed, given its architectural design, legacy network estate, supplier selection, enabling technologies, operation and support arrangements, and software builds, etc. A related topic explored in the 2025 mobile security landscape report is resilience-by-design. This plays to the categories of risk that have high impact, but potentially are less likely; so called ‘black swan’ events. This philosophy requires changing some design and planning assumptions and then developing and deploying networks in accordance with these revised assumptions.
Strategic security controls are complemented by more tactical, but vital, security measures such as patching, red teaming and specific systems controls. A final blog topic covered a top 20 strategic security controls that, when applied in concert, set a path to robust foundations for defensive security. More detailed guidance can be found in GSMA’s recently updated FS.31 Baseline Controls v5.0 document.
- Know your attack surface
- Reduce complexity
- Defensive force multipliers
- Layered defences
- Supply chain security
- Resilience by design
- Risk management
- Playing a long game
- Privileged Access Management
- Privileged access workstation
- Least Privilege
- Secure-by-design
- Secure-by-default
- Zero trust
- Contextual authorisation
- Secure endpoints
- Assurance & governance
- Continuous monitoring
- Robust identity management
- System hardening
2025 has been an exciting and challenging time for advancing security controls against a backdrop of novel and evolving attack methods, new IoCs, new threat actors and a ‘democratisation’ of attack techniques (see more in a future blog post). If you’d like to see the full 2025 report, please take a look and download. Implementing the best set of security controls for each specific network is vital to keep up with attack methods – perfect for the new year of 2026. Also, for 2026, please keep an eye out for the new GSMA Mobile Telecommunications Security Landscape report available for MWC2026 in early March 2026.