Rock Tsai, Taiwan Mobile: “the most significant cyberthreat that organizations face today is social engineering attacks”

July 13, 2023

Cybercriminals have found ways to exploit social engineering techniques, infiltrating systems that directly impact the supply chain and financial industry. Disruptions in telecommunications, including mobile phones, make such breaches possible.

Failure to take the right measures to protect personal data places companies at risk of exposure, leaks, financial losses, and regulatory violations. Experts have weighed in and recommend that individuals and organizations use every security tool at their disposal, from finding the best VPN and leading antivirus software to “robust security measures like encryption, biometric locks, or remote wipe capabilities.”

To gain a deeper understanding of how cyberattacks can impact the communications industry, we spoke with Rock Tsai, Chief Information Officer at Taiwan Mobile – a forerunner in digital innovation, providing mobile, fixed-line, cable TV, and broadband services to over 7.5 million users.

Tell us about your story. How did Taiwan Mobile come about?

We are a leading telecom operator specializing in mobile, fixed-line, cable TV, and broadband services. Our focus is on digital innovation and repositioning ourselves as a next-gen technology company.

With the advent of 5G, we launched 5G Services and embarked on a rebranding initiative to advocate the spirit of "Open Possible." We follow the 5 "G"+ guidelines to become a regional enterprise, leveraging our big data and strategic partnerships to expand in Southeast Asia.

Since our founding in 1997, we have become Taiwan's second-largest network service provider, offering innovative applications and services. We provide businesses with telecom services, cloud computing, and integrated solutions. Corporate social responsibility is integral to us, and we collaborate with global organizations for sustainability.

Through partnerships, we drive business innovations in smart city, manufacturing, retail, and healthcare. Our goal is to enhance customer experiences, improve lives with technology, and fulfill our sustainability promises.

Can you introduce us to what you do? What are your main fields of focus at the moment?

I'm the Chief Information Officer and Chair of the Personal Data and Information Security Committee at Taiwan Mobile. My role encompasses guiding the IT team's transformation to drive our company's evolution into a prominent regional technology telecommunications player and overseeing our extensive information security efforts.

In addition to the critical expansion into 5G technology and enhancements in AI, big data, and cloud services, our work involves comprehensive strategies for information security. As the nature of our work increasingly requires handling large volumes of sensitive customer data, safeguarding this data has become a pivotal part of our responsibility.

We are fostering a dynamic IT culture that encourages innovation, collaboration, and a business-oriented mindset. Our vision is to ensure that IT is the driving force in Taiwan Mobile's transformation. That way we are connecting to the wider world and helping the company seize growth opportunities in the Southeast Asian market.

What kind of technologies and innovations have Taiwan Mobile implemented to enhance its services?

As part of Taiwan Mobile's transformative strategy, we've adopted the "Telco+Tech" approach. It has led to many innovations and enhancements in our services.

One of our significant innovations is the development of the "Gift-as-a-Service" model. It allows us to leverage our inherent telecom capabilities, extensive user base, and data security infrastructure to create diverse, new services. This model is designed to aid our enterprise clients in their digital transformation journey. We do this by offering services that enrich their operations.

A standout service under this model is the "Number Masking Service (安心call)" feature. It's designed to bolster privacy during customer interactions. This solution hides the customer’s real number by generating a temporary number printed on the delivery label, one that only the courier can call. Once the package is safely delivered, the number no longer works.

This solution protects the customer, courier, and e-commerce platform. In a competitive space such as e-commerce, peace of mind for customers and trust in the e-commerce company and delivery teams are paramount. This unique service has curbed related fraud incidents by over 90% within three years.

The "Anti-phishing Service (反詐戰警)" is another innovative service under Taiwan Mobile's Gift-as-a-Service (GaaS) model. Leveraging our telecommunications security technologies and vast data resources, we provide 24/7 monitoring for potential phishing websites. Upon detection of a fraudulent site that imitates one of our enterprise customers, we promptly alert the affected party.

We provide them with relevant information to aid their immediate actions such as reporting to the authorities. This service minimizes the damage inflicted by phishing websites on our enterprise customers and their brand reputation.

In the digital entertainment sector, we've made strides by securing rights to popular esports games like League of Legends. This move has led to a significant surge in our user base and revenue. Our new media services, such as MyMusic, MyVideo, and MyBook, have achieved significant market shares in Taiwan, further enhancing our digital entertainment services. Other innovative technologies like MyMoji and M+ meet (video conference) also hold great potential.

Through these innovations and our commitment to technological advancements, Taiwan Mobile is consistently improving its services while positioning itself at the forefront of the telecommunications industry.

How did the recent global events affect your field of work and Taiwan Mobile's technology and cybersecurity strategy? Were there any adjustments you had to make?

The COVID-19 pandemic compelled Taiwan Mobile to reassess our traditional work arrangements. The decision we made was to adopt a hybrid working model. We have decided to continue with a long-term hybrid working model. We allow each employee to choose to work from home for ten days each month.

This significant shift required our IT team to swiftly adapt and upgrade our existing infrastructure. We expanded our Virtual Desktop Infrastructure (VDI) and Virtual Private Network (VPN) capacity, implemented Multi-Factor Authentication (MFA) across the board, and bolstered our network security with increased vulnerability detection capabilities.

Our approach was holistic, centering on robust cybersecurity measures, clearly defined management structures, and effective, secure communication tools. Given the responsibility of protecting the data of our 7.5 million users along with our considerable internal business secrets, it was paramount for us to establish comprehensive, multi-layered data security measures.

Three critical strategies defined our approach to data security:

Micro-segmentation of core sensitive data. We introduced a segmented structure to our data storage, likened to the separate compartments in a submarine. By isolating sets of data, we increased the overall security against potential breaches.

Strengthened data management with VPN dual-factor authentication. To enhance our data access security, we made it mandatory for employees to use dual-factor authentication for VPN access. For highly sensitive data, we put additional measures in place, instantly blocking any suspicious activities.

Unified hardware use. To prevent unauthorized access, we mandated the use of company-issued laptops. Each one gets encrypted to prevent data leakage even in case of physical loss of the devices.

In addition to these technical measures, we focused on nurturing a security-conscious culture among our employees. We conducted rigorous training to ensure they understand their responsibility in maintaining company secrets and follow safe data handling protocols, even while working remotely. This involved steps like avoiding surveillance cameras, not connecting to public printers, and using only secure Wi-Fi networks.

We've also instituted precautionary measures such as embedding watermarks in critical documents to deter screen captures and data leaks. Moreover, to identify the source of any potential leaks, we use hidden watermarks that can be decoded to trace back to the specific employee account and the time of data leakage.

To facilitate seamless communication among staff, we employ our enterprise-grade instant messaging platform, M+. It has proven to be a reliable tool for regular team meetings, group discussions, and general communication.

Following this comprehensive approach, we've been able to successfully transition almost all our employees to a remote work setup. Today, except for roles requiring a physical presence, such as data center maintenance, inventory management, and in-store service, nearly all our teams can work effectively from anywhere.

What would you consider the main security threats surrounding mobile phones?

Mobile phones, being central to our digital lives, are susceptible to a range of security threats.

Some mobile operating systems, due to their open-source nature and fragmented ecosystem, often have backdoors or security vulnerabilities. There are countless brands and branches under the open-source ecosystem. That makes it difficult to maintain consistent security updates and standards across all devices. Such gaps get exploited by cybercriminals to gain unauthorized access to devices.

The mobile app landscape is vast and always evolving. Regulatory oversight often falls behind. This can lead to apps with inadequate security measures. Cybercriminals can exploit these vulnerabilities to steal data or execute malicious code.

With the advent of mobile banking and online payment platforms, mobile phishing attacks have become more common. These involve deceptive messages, usually through SMS or email, that trick users into revealing their sensitive information.

Cybercriminals often set up rogue Wi-Fi networks to trick users into connecting their mobile devices. Once connected, they can track the user's activities and steal sensitive data.

Mobile phones are often targeted with spyware and malware. Such software can record keystrokes, capture screen information, access contact lists, and track location. This all poses severe privacy and security risks.

Additionally, unlike desktop computers, mobile phones are portable. That means they are easier to lose or have stolen. In such cases, unless protected by robust security measures like encryption, biometric locks, or remote wipe capabilities, the data stored on the device can get accessed by unauthorized individuals.

To mitigate these threats, it's crucial to choose a trustworthy mobile phone maker. Regularly update the device's operating system and apps. Only download apps from trusted sources. Be wary of unsolicited messages. Connect to secure and trusted networks, and maintain robust physical security measures for the device.

In your opinion, what is the most significant cyberthreat that organizations face today? What are the top three best practices for cybersecurity that you would recommend to other organizations based on your experience at Taiwan Mobile?

In my opinion, the most significant cyberthreat that organizations face today is social engineering attacks. Humans are often the weakest and least predictable link in the entire security system. In recent years, there have been cases where criminal elements have exploited social engineering techniques to infiltrate systems and cause significant damage. That includes supply chain breaches in national defense departments and ATM networks in the financial industry.

Based on my experience at Taiwan Mobile, I would recommend the following top three best practices for cybersecurity to other organizations. First, every organization must conduct regular social engineering drills or conduct phishing tests targeting all employees. These drills should get conducted at least once per quarter for each employee, with a minimum hit rate of 1%, meaning that at least 1% of the participants should fall for the simulated attack. This helps strengthen the overall awareness and resilience of every employee.

Second, I recommend organizations conduct annual red team assessments. A red team, based on the latest attack techniques, should simulate real-world attacks to test the organization's defense capabilities. This exercise helps identify any vulnerabilities. It ensures that the organization's defense system remains robust.

Third, maintaining a strong cybersecurity culture is essential. This includes promoting regular security awareness training for employees, implementing multi-factor authentication along with zero-trust infrastructure, and regularly updating and patching software and systems. It's important to establish incident response plans, which include conducting regular drills to ensure readiness in the event of a cyber incident.

By implementing these best practices, organizations can enhance their cybersecurity posture, mitigate the risks associated with social engineering attacks, and better protect their valuable assets and sensitive information.

What role do you see emerging technologies such as AI and machine learning playing in the future of cybersecurity for Taiwan Mobile?

We have already incorporated AI into our cybersecurity services for enterprise clients at Taiwan Mobile. For example, our "Anti-phishing service (反詐戰警)" constantly monitors global websites using AI to compare similarities in layouts, images, and text. This helps identify and block or take down counterfeit websites for our corporate clients.

Additionally, we have started using advanced AI techniques to detect fraudulent text messages and prevent them from reaching our customers. We believe that AI has significant potential in various aspects of information security, including event recognition in SOC monitoring centers, detection of abnormal user behavior in application systems, and identification and mitigation of malicious traffic in data networks.

As emerging technologies continue to evolve, AI and machine learning will play an increasingly vital role in the future of cybersecurity at Taiwan Mobile. These technologies can analyze vast amounts of data in real time, detect patterns, and identify anomalies that may indicate potential security threats. By leveraging AI and machine learning, we can enhance our threat detection capabilities, respond to incidents more quickly, and strengthen our overall cybersecurity defenses.

Furthermore, AI can help us stay one step ahead of cybercriminals by enabling proactive threat intelligence and predictive analytics. By analyzing historical data and continuously learning from new threats, AI-powered systems can anticipate and prevent emerging cyber threats before they cause significant damage. This proactive approach allows us to minimize the impact of potential security breaches and protect our customers' sensitive information effectively.

We see AI and machine learning as essential tools for the future of cybersecurity at Taiwan Mobile. By harnessing the power of these technologies, we can enhance our threat detection, response, and prevention capabilities. Ultimately, we're providing our customers with more robust and effective cybersecurity solutions.

What are the most serious issues that can arise if an organization doesn't have secure communication systems in place?

If an organization doesn't have secure communication systems in place, several serious issues can arise.

Exposure of Business Secrets: Without secure communication systems, the organization's sensitive and confidential information is at risk of being intercepted or eavesdropped upon. This can lead to the exposure of critical business secrets, for instance proprietary technology, trade secrets, or strategic plans. Unauthorized access to this information can have severe consequences. This includes loss of competitive advantage, compromised intellectual property, or damage to the organization's reputation.

Leakage of Customer Personal Data: Inadequate communication security puts customer personal data at risk of getting compromised or leaked. This can result in significant reputational damage for the organization. It erodes customer trust and loyalty. Moreover, organizations may face legal consequences and financial liabilities due to data breaches, for example penalties under data protection regulations or lawsuits from affected individuals.

Financial Losses from Intrusions: Insecure communication systems can be vulnerable to unauthorized access or hacking attempts, potentially leading to financial losses. For example, if payment or invoicing processes get compromised, fraudulent activities such as unauthorized transactions or funds diversion can occur. These incidents can result in direct financial losses. There are operational disruptions and damage to the organization's financial stability and business relationships.

Compliance and Regulatory Violations: In industries with strict compliance and regulatory requirements, the absence of secure communication systems can lead to violations. Failure to protect sensitive information, such as financial data or personally identifiable information, may result in non-compliance with data protection regulations, industry-specific security standards, or contractual obligations. This can expose the organization to legal consequences, fines, and reputational damage.

Impaired Collaboration and Decision-Making: Insecure communication systems can hinder effective collaboration and decision-making within the organization. When employees are concerned about the confidentiality and integrity of their communications, they may be hesitant to share sensitive information or engage in open discussions. This can impede information sharing and hinder timely decision-making. It will also negatively impact productivity and innovation.

Talking about average Internet users, what safety tools do you think everyone should have on their mobile devices?

The most important aspect for average Internet users is not just installing safety tools but rather making careful choices in terms of secure mobile operating systems and trusted mobile device brands. It's crucial to avoid installing unverified apps that aren't subjected to proper supervision. It's essential to refrain from jailbreaking the device or installing any apps from unofficial sources.

If these security measures are diligently followed, and there's sufficient awareness regarding online safety, there may not be a need for additional safety tools. However, if one chooses to install safety tools, it's crucial to select trusted providers, as criminals often disguise themselves as security tool providers.

It's important to note that security is a multi-layered approach. While safety tools can provide an extra layer of protection, it's essential to prioritize preventive measures, for example cautious browsing, strong passwords, and regular software updates. By adopting these practices and exercising good judgment, individuals can significantly enhance their mobile device security. They can protect themselves from various online threats.

What predictions do you have for the future of telecommunications? What are the key priorities for your technology and cybersecurity departments in the coming year? How do you plan to achieve them?

In the future of telecommunications, I predict the industry will continue its transformation and technological investments, even after being criticized as a “dumb pipe” over the past decade or so. These transformations are already showing positive results. We have seen it with Taiwan Mobile, being the only major telecommunications provider globally with non-telecom revenue exceeding 50%. The success or failure of technology transformations will determine the competitive landscape within the telecommunications industry and the overall prosperity of telecom companies worldwide.

In the coming year, the key priorities for our information technology and cybersecurity departments revolve around facilitating the organization's technology transformation. A crucial aspect of this transformation is the internal transformation of the IT department itself. This includes fostering an innovative culture, attracting and nurturing top technology talents, adopting agile operating models, establishing horizontal IT organizations, and cultivating excellent leadership.

To achieve these priorities, we will focus on several strategies. First, we will create an environment that encourages and rewards innovation. That enables our teams to explore new technologies and approaches to enhance our services and operations. We will invest in attracting and developing top technology talents. This ensures a skilled and competent workforce to drive our technological advancements. Additionally, we will adopt agile operating models to enhance our ability to respond swiftly to market changes and customer demands.

This will involve embracing cross-functional IT departments that promote collaboration and knowledge sharing among different technology domains. Finally, we will emphasize the development of strong leadership skills within our IT teams. This will empower them to lead and execute technology initiatives effectively. By prioritizing these key areas, we aim to position Taiwan Mobile as a leader in technology transformation within the telecommunications industry.

Would you like to share what’s next for Taiwan Mobile?

Taiwan Mobile, under the strategic leadership of our CEO, Jamie Lin, is ushering in a new era of growth and transformation with the introduction of the Telco+Tech strategy. This innovative strategy leverages our core strengths as a leading telecommunications operator. That includes our robust connectivity, vast data capacities, widespread physical stores, strong cybersecurity measures, and diverse bundled offerings, all to incubate and develop technology services that expand beyond the conventional boundaries of telecommunications and e-commerce.

At the heart of our business agenda are several focus areas: telecom finance, game publishing, and the mo-coin ecosystem. The convergence of these sectors underpins our commitment to innovation, diversification, and continuous transformation. We are resolute in our mission to broaden our footprint in the technology and telecommunications sectors, nurture meaningful partnerships, and fuel the evolution of groundbreaking services and solutions.

Moreover, Taiwan Mobile is deeply committed to our ESG goals, guided by the principle "Love Humanity, Love Taiwan, Love the Earth". We aim to use 100% renewable energy by 2040, achieve net-zero emissions by 2050, and continue our mobile recycling program that has already recovered 264,000 units. On the governance front, our board of directors comprises nine highly experienced members, including five independent directors, exceeding the mandated requirement for listed companies, which is quite rare.

Our green and governance efforts have been recognized globally, evidenced by our inclusion in the DJSI World Index for six consecutive years. We're ranked among the top 3 global telecommunications companies. We have attained full scores in 10 ESG rating items.

We are dedicated to expanding our presence in the technology and telecommunications landscape. This includes fostering partnerships and driving the development of cutting-edge services and solutions. By capitalizing on our strengths and staying ahead of industry trends, we aim to position Taiwan Mobile as a leading force in the digital era. We want to continue creating value for our customers, stakeholders, and the industry as a whole.