[To Eurosmart members only]
ENISA Telecom Security Report: Key findings
Last month, ENISA published its Annual Report on Telecom Security Incidents. Electronic communication providers are obligated to notify national authorities of security incidents that significantly impact the continuity of their services. The Annual Report Telecom Security Incidents 2021 is based on an aggregation of the data sent by national authorities. It provides an overview of major telecom security incidents last year. Smaller incidents, such as SIM swapping affecting a smaller portion of the population, are not part of this report.
ENISA offers a platform (CIRAS) where the data is compiled.
In total, national authorities reported 168 incidents from 26 EU Member States and 2 EFTA countries. The total user hours lost came to 5 106 million, which represents a sharp increase from the 841 million user hours lost in 2020. The reason for this increase is a large-scale EU-wide incident, affecting OTT services, that was reported separately by three different Member States.
Overall, the number of incidents reported per year has been stable over the last five years.
The percentage of malicious actions doubled
Malicious actions rose from 4% of incidents in 2020 to 8% in 2021. In particular, DDoS-related incidents increased significantly.
Human errors represent the vast majority of lost hours
Human errors represent 91% of user hours lost in 2021 (23% of all incidents). System failures follow with 7% of user hours lost (59% of all incidents). However, the good news is that system failures have been on a downward trend for over ten years. Electronic communication providers are growing more mature in handling and containing system failures.
It is worth noting that 2021 saw fewer incidents related to third-party failures. Electronic communication providers seem to be managing supply chain risks better.
Another root cause for incidents is natural phenomena (floods, heavy snow, etc.), accounting for 10% of the incidents.
Reporting method for OTT incidents could be improved
Three different Member States reported the same incident, affecting an OTT communication service provider, in three different ways. Such triple reporting greatly inflated the 2021 figures. ENISA notes that there is an issue in how cross-border and EU-wide incidents should be reported, particularly for OTT communication service providers.
Hardware failures account for the majority of "detailed causes"
ENISA tracks the "detailed causes" in addition to the "root causes" (e.g., human errors, malicious actions, etc.). In 2021, the most frequent detailed cause for incidents was hardware failures, followed by faulty software changes/updates and software bugs. In 2021, 31 incidents were marked as hardware failures and caused 53 million user hours lost. They were all reported as system failures.
The large-scale incident that was reported three times concerned a faulty hardware update.