Welcome to the July blog. This month we identify a top 20 list of strategic security approaches, a topic described in greater detail in the 2025 Mobile Telecommunications Security Landscape report and in the May and June GSMA blog posts. A recent report from the Australian Signals Directorate (ASD), Foundations for modern defensible architecture, identifies 10 foundational steps. Several strategies outlined in that report complement and build upon those already identified. This GSMA blog discusses the expanded range of security strategies that, when applied in concert, set a path to robust foundations for defensive security.
Security defence approaches
The 2025 Mobile Telecommunications Security Landscape report identified 8 strategic security defence approaches:
- Know your attack surface: your attacker will know your technology ‘estate’, so you need to know it too in order to defend it in its entirety.
- Reduce complexity: simpler systems can be easier and lower cost to defend and can reduce the attack surface.
- Defensive force multipliers: the industry is stronger when it acts together in mutual defence.
- Layered defences: one layer isn’t enough – a holistic and efficient security strategy may be composed of multiple layers. The security controls in each layer combine to deliver a unified security solution for each operator. Multi-factor authentication (MFA) is an example of a layered defence for access verification.
- Supply chain security: the potential force multiplier effect for an attacker across a potential target’s customer base can make individual suppliers attractive attack propositions.
- Resilience by design: with far-sighted design assumptions, network and service designs and implementations can enable better preparation for, and delivery of a response to, possible step changes in the threat landscape.
- Risk management: the effective impact of security interventions can be maximised through a risk management approach.
- Playing a long game: playing the ‘long game’ for security can deliver high impact engagements with long-term ongoing value.
Security strategies
In previous GSMA security landscape blog posts, we identified a range of additional security strategies that complement those already identified:
- Privileged Access Management (PAM) is a cybersecurity discipline that focuses on controlling and monitoring access to sensitive resources by users with elevated privileges.
- Privileged access workstation (PAW): a highly restricted and audited physical device that helps an organisation minimise the attack surface for its high-risk systems.
- Least Privilege: giving users only the permissions they need to undertake their role, which reduces the risk of unauthorised access to sensitive or critical areas of a system. This should include all ‘non-user’ accounts.
- Secure-by-design software development process is a systematic approach applied throughout the development lifecycle that places security at the centre of product development.
- Secure-by-default means products are delivered in a resilient, ‘hardened’, configuration against likely exploitation techniques without additional steps to secure them.
The ASD report
The ASD report, Foundations for modern defensible architecture, identifies many of these same strategies but also, helpfully, draws out additional concepts that complement those already identified. The report also identifies the interplay with ASD’s Essential Eight maturity model.
More detailed concepts include (topics already covered omitted):
- Zero trust: never trust, always verify; assume an adversary already has presence; and verify explicitly.
- Contextual authorisation: access to enterprise resources is initially, and continuously, authorised based on defined levels of trust, using the context of the sessions and resources to gain confidence in the access request.
- Secure endpoints: harden and configure all endpoints to provide protection against cyber threats and mitigate weaknesses in software and hardware.
- Assurance & governance: perform assurance activities that enable decision makers in the governance structure to be able to make decisions on security actions and priorities.
- Continuous monitoring: monitor and respond to all identified and suspected security incidents in a timely and efficient manner.
- Robust identity management: reduce the number of authoritative sources for enterprise identities in their information environments by using centrally managed solutions.
- System hardening: there is extensive advice for hardening approaches, including operating system and operating environments.
Robust foundations for defensive security
This blog has identified a top 20 list of security strategies (not in priority order) that, when applied in concert, set a path to robust foundations for defensive security. More detailed guidance can be found in GSMA’s recently updated FS.31 Baseline Controls v5.0 document.
- Know your attack surface
- Reduce complexity
- Defensive force multipliers
- Layered defences
- Supply chain security
- Resilience by design
- Risk management
- Playing a long game
- Privileged Access Management
- Privileged access workstation
- Least Privilege
- Secure-by-design
- Secure-by-default
- Zero trust
- Contextual authorisation
- Secure endpoints
- Assurance & governance
- Continuous monitoring
- Robust identity management
- System hardening
If you’d like to discuss these topics or to get more closely involved, please email [email protected].