Network & Data Security
Issue Summary
Cybersecurity is one of the biggest challenges facing our ever-more-connected world. At AT&T, we operate one of the largest networks in the world, connecting more than 100 million U.S. families, friends and neighbors, plus nearly 2.5 million businesses. We maintain continuous and near-real-time security monitoring of the AT&T network for investigation, action and response to network security events. This security monitoring leverages tools, where available, such as near-real-time data correlation, situational awareness reporting, active incident investigation, case management, trend analysis and predictive security alerting. From inventing SIGSALY to being one of the originators of the packet-filtering firewall in 1988, security innovations are ingrained in our DNA. AT&T holds more than 1,000 security-related patents in areas including identity management and cloud automation.
Our Actions & Impacts
In 2023, AT&T’s work to advance network and data security included:
- Continuing to utilize state-of-the-art security tools to detect and mitigate cyber threats to our network.
- Gathering experts from AT&T, government, industry and across the security spectrum to share perspectives on today’s threat landscape at the AT&T Secure Connections Conference. Participants heard from top security practitioners on the latest security innovation and implementation strategies, including network-embedded security, generative artificial intelligence, cyber talent and quantum computing.
Governance
We maintain a network and information security program that is reasonably designed to protect our information, and that of our customers, from unauthorized risks to its confidentiality, integrity or availability. Our security governance structure consists of the following:
- Chief Information Security Officer: Our Chief Information Security Officer (CISO) plays the key management role in assessing and managing our material risks from cybersecurity threats. The CISO also works closely with AT&T Legal to oversee compliance with legal, regulatory and contractual security requirements.
- Chief Security Office: We maintain a Chief Security Office (CSO), which is charged with management-level responsibility for all aspects of network and information security within the Company. Led by our CISO and comprising a large team of highly trained security professionals across multiple countries, the CSO is responsible for:
- Establishing the policies, standards and requirements for the security of AT&T’s computing and network environments.
- Protecting AT&T-owned and -managed assets and resources against unauthorized access by monitoring potential security threats, correlating network events and overseeing the execution of corrective actions.
- Promoting compliance with AT&T’s security policies and network and information security program in a consistent manner on network systems and applications.
- Providing security thought leadership in the global security arena.
- Board Oversight: The Audit Committee of the AT&T Board of Directors has oversight responsibility to review and discuss with management the Company’s privacy and data security, including cybersecurity, risk exposures, policies and practices, and the steps management has taken to detect, monitor and control such risks and the potential impact of those exposures on our business, financial results, operations and reputation. The full Board and Audit Committee regularly receives reports and presentations on privacy and data security, which address relevant cybersecurity issues and risks and span a wide range of topics. These reports and presentations are provided by officers with responsibility for privacy and data security, including our CISO, Chief Technology Officer and AT&T’s Legal team. In addition to regular reports to the Audit Committee, we have protocols by which certain security incidents are escalated within the Company and, where appropriate, reported in a timely manner to the Audit Committee.
Security Policies and Standards
AT&T Security Policies & Standards
We maintain a network and information security program that is reasonably designed to protect our information, and that of our customers, from unauthorized risks to its confidentiality, integrity or availability. Our program encompasses the CSO and its policies, platforms, procedures and processes for assessing, identifying and managing risks from cybersecurity threats, including third-party risk from vendors and suppliers; the program is generally designed to identify and respond to security incidents and threats in a timely manner to minimize the loss or compromise of information assets and to facilitate incident resolution. Our policies and standards are based in part on leading industry standards such as ISO/IEC 27001.
- Application & Alignment of Security Standards: The requirements apply to all personnel and establish the minimum required safeguards to protect computing and networking assets, data and services. Our policies align with applicable laws and standards such as:
- Federal Bureau of Investigation (FBI) Criminal Justice Information Services (CJIS)
- Control Objectives for Information and Related Technology (COBIT)
- Payment Card Industry Data Security Standard (PCI-DSS)
- National Institute of Standards and Technology (NIST) Cybersecurity Framework and NIST 800-53r5
- External certification and assessment requirements, such as PCI-DSS, SOX, SSAE18/ISAE3402 SOC and ISO-27001
- Privacy laws and regulations, such as the California Consumer Privacy Act
Certifications & Standards
In addition to AT&T security requirements, we maintain the following standards and certifications:
- Supplier Security Standards:
- AT&T’s supplier contracts stipulate that suppliers comply with our Supplier Information Security Requirements (SISR). SISR applies to supplier entities when performing any action, activity or work that involves:
- The collection, processing, storage, handling, backup and disposal of or access to in-scope information
- Providing or supporting AT&T branded applications and services using non-AT&T information resources
- Connectivity to AT&T’s nonpublic information resources
- The development or customization of any software for AT&T
- Website hosting or development for AT&T
- For publicly available products or applications not specifically developed to AT&T specifications, vendors must contractually agree to comply with common network and data security industry standards.
- Third-Party Certifications & Audits: Third-party assessors audit AT&T internal security controls annually, including:
- Information Security Standard (ISO/IEC 27001): AT&T maintains two global ISO/IEC 27001 certifications. The scope of these certifications covers the AT&T global IP infrastructure and certain customer-facing managed services. To maintain the certifications, we undergo annual recertification assessments.
- Quality Management Standard (ISO 9001) [1]: AT&T achieved ISO 9001 certification, which demonstrates our belief that customer satisfaction and expectations are the most important factors in the work we do. We are fully committed to a high standard and quality of work for any project we undertake.
- Other third-party audits are performed for certain services, such as those for the Payment Card Industry Data Security Standard, the Sarbanes-Oxley Act and the Statement on Standards for Attestation Engagements 18/International Standard on Assurance Engagements 3402.
Compliance Reviews
To uphold our security standards, AT&T performs regular analysis of our operations and applications for security compliance. These reviews are facilitated or conducted through our Chief Security Office; by a department representative for a product, service, supplier or partner relationship; or by an internal operations team responsible for life cycle service management who are separate from the operations teams.
Risk Management
We assess, identify and manage risks from cybersecurity threats through various mechanisms, which from time to time may include tabletop exercises to test our preparedness and incident response process, business unit assessments, control gap analyses, threat modeling, impact analyses, internal audits, external audits, penetration tests and engaging third parties to conduct analyses of our information security program. We conduct vulnerability testing and assess identified vulnerabilities for severity, the potential impact to AT&T and our customers, and likelihood of occurrence. We regularly evaluate security controls to maintain their functionality in accordance with security policy. We also obtain cybersecurity threat intelligence from recognized forums, third parties and other sources as part of our risk assessment process. In addition, as a critical infrastructure entity, we collaborate with numerous agencies in the U.S. government to help protect U.S. communications networks and critical infrastructure, which, in turn, informs our cybersecurity threat intelligence.
For more information on our approach to network security monitoring, testing and reporting, please see our Information & Network Security Customer Reference Guide.
Training & Employee Awareness
Our internal security awareness program provides interactive content to help our employees develop skills to protect AT&T data, devices and networks. The program emphasizes personal responsibility on the part of every person who touches the network, including office workers, server administrators, field employees and others. Our Chief Security Office is charged with directing and coordinating security awareness and education, including developing, approving and managing all training content. Elements of the program include:
- Code of Business Conduct: The AT&T Code of Business Conduct serves as a roadmap for how we do business and how we treat each other and our customers. It emphasizes the need for AT&T employees to properly safeguard our customers’ private data by following laws and regulations that stipulate how the data should be managed in alignment with network and data security standards. All AT&T employees are required to annually acknowledge their responsibility to adhere to our Code.
- Communications: The Chief Security Office maintains an internal security awareness website and newsletter, in addition to employee- and department-specific bulletins, communications and job aids. It also hosts technology conferences and employee security awareness events.
- Training: All AT&T employees must complete an annual security awareness training course as part of our corporate compliance training.
- Other Resources: We encourage employees to pursue further security training and accreditations and certifications when relevant to their roles. This training is conducted both within AT&T and through corporate training organizations.
Security Innovation Strategy
The AT&T Research & Innovation in Security Engineering (RISE) Team was created within the AT&T Chief Security Office to drive security innovation and develop tomorrow’s revolutionary security solutions. RISE researchers work on large-scale security problems in mobility, 5G, cloud computing, broadband, networking, Internet of Things (IoT), blockchain, non-fungible tokens (NFTs), quantum computing, and artificial intelligence, deep learning and machine learning (AI/DL/ML). The team searches for ways to leverage these technologies for new security solutions, architectures and mechanisms. The resulting innovations become part of new systems and services that AT&T can deploy for next-generation security.
Customer Solutions
We provide a variety of tools and supports that enable customers to take control of their data security, including:
- Robocall & Spam Text Mitigation:
- We block spam texts and fraud calls for everyone on our network. Customers can download the free AT&T ActiveArmor℠ mobile security app for even more controls. These controls include customization of how calls and texts are sorted, blocked or sent directly to voicemail.
- We identify suspected spam and fraud calls through data analytics, network intelligence and customer reports.
- We work to protect customers from abusive, illegal and unwanted text messages through patented automatic scanning and filtering technology. In addition to our filters, customers can forward us suspected spam texts. This information helps us investigate and block similar spam messages and even take down malicious websites.
- We have implemented STIR/SHAKEN call authentication protocols across our IP networks to verify that a phone number hasn’t been illegally spoofed. We continue to find new ways to use STIR/SHAKEN information to improve our ability to block scam calls.
- Our Global Fraud Management organization works closely with the U.S. Telecom Industry Traceback Group and law enforcement to identify the source of illegal calls. This process provides the information necessary to help stop illegal robocall campaigns and places responsibility on service providers for traffic that originates on their networks.
- Home Internet Security:
- With a compatible AT&T Wi-Fi Gateway, our Smart Home Manager app offers consumers advanced protection to monitor suspicious behavior across all connected devices, block malicious sites and scan their network for vulnerabilities.
- Business Cybersecurity Solutions:
- In 2024, we launched AT&T Dynamic Defense™, a new solution that detects and prevents cyberattacks in the network before they reach business customers’ devices and systems. It is a network security platform embedded in our global network infrastructure and does not require purchasing or installing additional equipment or software. It is available to select AT&T Dedicated Internet business customers.
- Contact Preferences:
- Customers can manage how they want to be contacted by AT&T for marketing purposes, including opting out of marketing calls, mail, texts and email. When building marketing campaigns, AT&T honors a customer’s request to be added to AT&T’s internal Do Not Call list, in addition to the Federal Trade Commission’s National Do Not Call list and various state Do Not Call lists, as appropriate. Customers still receive billing statements, legal notices, product updates and service-related correspondence. For more information, visit AT&T Contact Preferences and the National Do Not Call Registry.
For more information on how to report and guard against fraud or security issues, please visit our Fraud & Security Resources website. For more details on the security and other features of our many services, please visit the AT&T Business Service Guide.
Customer Awareness & Education
AT&T Cyber Aware is a resource designed to educate customers about fraud protection and cybersecurity and empower them to improve their security. The Cyber Aware website explains in simple terms how many scams work, ways to recognize them and steps customers can take to help protect themselves, along with other information about security and privacy. The website is available to everyone, including non-AT&T customers.
Stakeholder Engagement
We are proud to be a participant, and in many cases a leader, in several industry and academic organizations focused on network and data security. Doing so helps us to be part of setting security standards and enables us to keep pace with industry developments. This engagement includes:
- Security Organizations: Our employees participate in several U.S. and international security organizations, such as:
- Government Collaboration: We participate in the U.S. government’s Critical Infrastructure Partnership Advisory Council (CIPAC), collaborating with several agencies to protect U.S. communications networks and other infrastructure. Participating agencies include:
- Cybersecurity and Infrastructure Security Agency, National Coordinating Center for Communications and Joint Cyber Defense Collaborative at the U.S. Department of Homeland Security (DHS)
- National Security Telecommunications Advisory Committee, a federal advisory council to the President of the United States on issues of national security and emergency preparedness
- Enduring Security Frameworks, a public-private partnership between industry and various federal agencies intended to improve cybersecurity
- National Security Agency Cybersecurity Collaboration Center, an engagement hub that harnesses the power of industry partnerships to prevent and eradicate foreign cyber threats to National Security Systems, the Department of Defense and the Defense Industrial Base
- DHS Internet and Communications Technology (ICT) Supply Chain Risk Management Task Force, a public-private partnership charged with identifying challenges and developing actionable solutions to enhance global ICT supply chain resilience
- AT&T Secure Connections Conference: We gathered experts from AT&T, government, industry and across the security spectrum to share perspectives on today’s threat landscape at the AT&T Secure Connections Conference. Participants heard from top security thinkers and practitioners on the latest security innovation and implementation strategies to help bring industry security solutions to the next level.
For more information on our stakeholder engagement and our perspective on cybersecurity policy news, visit AT&T Connects.
Our Path Forward
AT&T will continue to enhance the security of our network, without overly burdening authorized users with obstacles to access. Among our leading-edge efforts:
- We are working on quantum-safe encryption by increasing awareness of and obtaining support for the technology within AT&T; collaborating with NIST, the Quantum Economic Development Consortium and the Alliance for Telecommunications Industry Solutions on Next Gen Cybersecurity Standards; and automatically changing algorithms when they are found to be vulnerable to quantum attacks. We are also conducting a quantum risk analysis to evaluate which AT&T assets may be susceptible to quantum attacks.
- We are evolving our security ecosystem from perimeter-based architecture to zero trust controls. The zero trust security model holds that users and devices are never trusted by default, even if they are connected to a permissioned network such as a corporate LAN or were previously verified. Instead, all networks, users and devices must always be verified. Zero trust controls can sharply decrease the risk of inappropriate access to the network.
Additional Resources
- Alliance for Telecommunications Industry Solutions
- AT&T ActiveArmor℠
- AT&T Business Service Guide
- AT&T Code of Business Conduct
- AT&T Connects
- AT&T Contact Preferences
- AT&T Cyber Aware
- AT&T Fraud & Security Resources website
- AT&T Information & Network Security Customer Reference Guide
- AT&T Secure Connections Conference
- California Consumer Privacy Act
- Council to Secure the Digital Economy
- Cybersecurity and Infrastructure Security Agency
- DHS Internet and Communications Technology (ICT) Supply Chain Risk Management Task Force
- Enduring Security Framework
- Forum of Incident Response and Security Teams
- Industry Traceback Group
- Internet Engineering Task Force
- Joint Cyber Defense Collaborative
- National Coordinating Center for Communications
- National Cyber-Forensics and Training Alliance
- National Do Not Call Registry
- National Institute of Standards and Technology
- National Security Agency Cybersecurity Collaboration Center
- National Security Telecommunications Advisory Committee
- Quantum Economic Development Consortium
- STIR/SHAKEN
- U.S. Department of Homeland Security Critical Infrastructure Partnership Advisory Council
- U.S. Telecom and Cellular Telecommunications Industry Association Cybersecurity Working Group
This document is provided as summary information only. It is not a contract, and no statement, representation or characterization within this document shall be construed as an implied or express commitment, obligation or warranty on the part of AT&T Inc. or any of its affiliates, or any other person.
All contractual obligations between AT&T and its customer are set out exclusively in a written agreement with the customer, and nothing in this document shall amend, modify, supplement or otherwise change the provisions or terms of that agreement.
AT&T may, in its sole discretion, alter the policies and procedures described in this document without notice to or consultation with any customer or another person. AT&T customers are responsible for maintaining security policies and programs appropriate to their enterprises.
[1] ISO 9001 certification is applicable within specific areas of AT&T Network Operations.
Last Updated: 8/2/2024