Cybersecurity
Monitoring our network to effectively — and proactively — secure it against cyber threats.
Why It Matters: The Global Context
Cybersecurity is one of the biggest challenges facing the connected world. With the rise of ever more sophisticated threat actors and nation-state actors, and of accessible hacking technologies, attacks are growing in both volume and complexity. To protect businesses and customers, organizations must adopt a robust, proactive approach to identifying and mitigating cyberattack risks.
Our Approach
We defend the AT&T network with a multi-layered approach, including monitoring, active prevention and rapid response to security threats. We leverage tools, where available, that include near-real-time data correlation, situational awareness reporting, active incident investigation, case management, trend analysis and predictive security alerting.
Our network and information security program is designed to protect the confidentiality, integrity and availability of our information and that of our customers. It encompasses the Chief Security Office (CSO) and its policies, platforms, procedures and processes for assessing, identifying and managing risks from cybersecurity threats. This includes third-party risk from vendors and suppliers. The program is designed to identify, respond to and resolve security incidents and threats in a timely manner to minimize the loss or compromise of information assets. We also take an “all hands on deck” approach to cybersecurity — all AT&T employees receive annual security training on their responsibilities as the first line of defense for cybersecurity. Educational materials are also available to customers, suppliers and everyone who works with AT&T.
Risk Management
We assess, identify and manage risks from cybersecurity threats through various mechanisms. These include vulnerability testing, attack simulation and tabletop exercises to examine our preparedness and incident response process, penetration tests, threat modeling, a Bug Bounty program, large-scale data correlation and alerting, and internal and external audits. We conduct vulnerability testing and assess identified vulnerabilities for severity, the potential impact to AT&T and our customers, and likelihood of occurrence. Our security teams work with application and system owners to remediate those vulnerabilities. We regularly evaluate security controls to maintain their functionality in accordance with our security policy. We also obtain cybersecurity threat intelligence from recognized forums, third parties and other sources as part of our risk assessment process. In addition, as a critical infrastructure entity, we collaborate with numerous agencies in the U.S. government to help protect U.S. communications networks and critical infrastructure. This in turn informs our cybersecurity threat intelligence.
Learn more about our network security monitoring, testing and reporting in the AT&T Information & Network Security Customer Reference Guide.
Cybersecurity Governance
Cybersecurity is a significant priority for AT&T. To ensure ongoing focus, oversight is provided through three internal bodies:
- Board of Directors Audit Committee: Has oversight responsibility to review and discuss with management the company’s privacy and data security. This includes cybersecurity, risk exposures, policies and practices, and the steps management has taken to detect, monitor and control such risks and the potential impact of those exposures on our business, financial results, operations and reputation. The full Board and Audit Committee regularly receive presentations on privacy and data security, which address relevant cybersecurity issues and risks and span a wide range of topics. These reports and presentations are provided by officers with responsibility for privacy and data security, including our CISO, Chief Technology Officer and AT&T’s Legal team. In addition to regular reports to the Audit Committee, we have protocols by which certain security incidents are escalated within the company and, where appropriate, reported in a timely manner to the Audit Committee.
- Chief Information Security Officer (CISO): Plays the key management role in assessing and managing our material risks from cybersecurity threats. The CISO also works closely with AT&T Legal to oversee compliance with legal, regulatory and contractual security requirements.
- Chief Security Office: Charged with management-level responsibility for all aspects of network and information security within the company. Led by our CISO and comprising a large team of highly trained security professionals across multiple countries, the CSO is responsible for:
  - Establishing the policies, standards and requirements for the security of AT&T’s computing and network environments.
  - Protecting AT&T-owned and -managed assets and resources against unauthorized access by monitoring potential security threats, correlating network events and overseeing the execution of corrective actions.
  - Promoting compliance with AT&T’s security policies and network and information security program in a consistent manner on network systems and applications.
  - Providing security thought leadership in the global security arena.
Security Policies and Standards
We have dedicated security policies and standards that apply to all AT&T employees, contractors and suppliers and are informed by industry-leading standards, including:
- National Institute of Standards and Technology (NIST) Cybersecurity Framework and NIST 800-53 Rev. 5.
- External certification and assessment requirements, such as PCI DSS, SOX, SSAE18/ISAE3402 SOC and ISO 27001.
- Privacy and data security laws and regulations, such as the California Consumer Privacy Act, the European Union’s General Data Protection Regulation and the New York Department of Financial Services Part 500 Cybersecurity requirements.
Our supplier contracts require strict adherence to our information security standards. For commercially available products or applications, AT&T conducts thorough risk assessments based on industry standards and best practices, such as NIST, ISO and CIS, before granting approval for use.
Learn more about our security policies and standards on our Security at AT&T webpage.
Compliance Reviews
Third-party assessors audit our security controls annually, including:
- Information Security Standard (ISO/IEC 27001) recertification: AT&T maintains two global ISO/IEC 27001 certifications which cover our global IP infrastructure and certain customer-facing managed services.
- Quality Management Standard (ISO 9001)¹: AT&T achieved ISO 9001 certification, demonstrating our belief that customer satisfaction and expectations are the most important factors in the work we do.
- Third-party audits for certain services: AT&T is audited for services such as those for the Payment Card Industry Data Security Standard, the Sarbanes-Oxley Act and the Statement on Standards for Attestation Engagements 18/International Standard on Assurance Engagements 3402.
We also regularly analyze our operations and applications for security compliance, guided by our CSO.
Customer Awareness and Education
In 2024, AT&T CSO became a Board Member of the National Cybersecurity Alliance (NCA), a nonprofit focused on creating a more secure and interconnected world through various public awareness and educational efforts.
We empower customers to take their security into their own hands with AT&T Cyber Aware. This website explains how various scams work, how to recognize them and how customers can protect themselves, along with other security and privacy information.
Learn more about our processes for reporting on, and guarding against, fraud or security issues on our Fraud & Security Resources website. Learn more about our service security and features in the AT&T Business Service Guide.
Stakeholder Engagement
We must harness the collective power of our industry to advance network and data security. Recognizing this, we participate in security organizations, including:
- Forum of Incident Response and Security Teams
- Internet Engineering Task Force
- U.S. Telecom and Cellular Telecommunications Industry Association Cybersecurity Working Groups
- Council to Secure the Digital Economy
- National Cyber-Forensics and Training Alliance
- The President’s National Security Telecommunications Advisory Committee
- CISA Joint Cyber Defense Collaborative
- NSA Cybersecurity Collaboration Center
We also participate in the Critical Infrastructure Partnership Advisory Council to protect U.S. communications networks and other infrastructure.
Through the AT&T Secure Connections Conference, we convene AT&T, government and security experts to explore the current and future security landscape.
Our 2024 Impact in Action
In 2024, our security team set ambitious goals to rise to growing cybersecurity challenges. We significantly increased our rates of device and database scanning and significantly decreased our average age of internet-facing and payment card industry vulnerabilities. We increased our password character requirement to 16 characters. We strengthened our use of MFA, adding best-in-class phish-resistant authentication security.
We began to use Artificial Intelligence to enable our developers and workforce. Developers can now use our AI chatbot to more easily implement security policies and standards in their projects and decision-making processes.
As part of our transformation to post-quantum cryptography, AT&T started analyzing company applications to identify risk impacts from quantum-computing-enabled cryptography attacks. These risk scores are used to prioritize transformation to next-generation quantum-resistant encryption.
¹ ISO 9001 certification is applicable within specific areas of AT&T Network Operations.
Last Updated: 4/11/2025