Cybersecurity in the Messaging Industry and Our Strategic Response to Emerging Threats
The internet is constantly evolving, for better or worse. When it comes to security, creative criminals keep coming up with new threats.
The messaging industry is no exception and is increasingly targeted by fraud and attacks, including artificially inflated traffic (AIT), SMS phishing and hacking.
Cybersecurity has been a critical part of GatewayAPI from day one and is also interwoven with our daily operations. In light of the rapidly evolving threat landscape, we are continuously dedicating more resources to the area and introducing new security measures, which you can read more about below.
This blog post is the first in a series on the topic of security, where we look at the subject from different angles with a focus on the messaging industry. In this post, we will NOT discuss GDPR and our ISAE 3000 certification, which you can read more about here instead.
Security framework based on ISO standards
While we have implemented several measures to strengthen the security of GatewayAPI, we recognize the importance of staying ahead of emerging risks by taking a holistic and proactive approach.
Our Information Security Management System (ISMS) is central to this. The framework is built around the principles of ISO standards, ensuring that we systematically assess risks and implement controls to mitigate them. Every year, we conduct comprehensive risk assessments that allow us to adapt our strategies and stay up-to-date with best practices. These frameworks not only help us protect our platform, but they also guide future certifications that we aim to achieve.
Engagement across the company and industry
We focus on fostering a security-first culture through internal initiatives such as our Innovation Days. These events focus on exploring new ways to strengthen the security of our platform and allow our teams to collaborate on solutions that address the latest threats.
Another important area is our commitment to improving security within the telecommunications industry. We actively work to make SMS more secure for all users by contributing to initiatives like Sender ID protection. This prevents criminals from impersonating legitimate companies, a tactic that has become increasingly common in phishing attacks. Furthermore, we are committed to educating our customers about security through our various communication channels.
In addition, we are preparing for the impact of the Network and Information Systems Directive (NIS2), which imposes strict security requirements on a number of industries considered critical infrastructure. We are taking proactive steps to ensure our systems meet these standards, recognizing that these guidelines represent future best practices in security.
Concrete initiatives: Security tools, penetration tests and scans
So far, we have looked at how we strategically work with security. Below we will highlight selected initiatives that we believe have a significant impact on the security of both GatewayAPI and the industry as a whole.
They fall into two groups: security tools in GatewayAPI, including automatic blocking of unauthorized URLs, IP whitelisting and geo permissions, and recurring security processes, including external penetration tests and scans.
External penetration test
As part of our annual compliance wheel, we conduct an external penetration test of GatewayAPI. The latest penetration test was handled by a group of international consulting firms, led by Epiventus and Thursday Consulting and executed by Shards Cybersecurity Consulting. The test included both thorough automated scans and manual attempts to find vulnerabilities.
One of the great benefits of inviting external experts is that they can point out blind spots that you may have overlooked. In addition, the specialists work with security on a daily basis, are trained to think like black-hat hackers and have in-depth knowledge of vulnerabilities that can potentially be exploited. Therefore, they are typically in a better position to identify potential security holes than you are.
The test requires a larger investment, but it is extremely valuable and the money is therefore well spent. The penetration test often results in a report with a prioritized list of areas to look at and recommendations for improvement, helping you to focus on the most critical vulnerabilities first – if there are any.
One step ahead of the hackers
It’s crucial for all organizations to continuously assess and improve their security measures to protect against emerging threats. We always strive to be transparent, which is why we want to share our findings in the hope that this blog post will inspire other companies to give their systems a service check as well. Keeping up to date with best practices and the latest security features is essential to stay one step ahead of the hackers.