Security and privacy
Security and privacy are the cornerstones of our product proposition. We work to ensure that we have a common security baseline enforced for all our products and services. We emphasize sustainable design and underscore the importance of end-to-end product security testing. Security and privacy are part of everything that we do. From design through to delivery, we aim to ensure that customer networks are seamlessly secure.
Our commitment to privacy spans every facet of our decision making and product design
Our ‘Three lines of defense’ risk model consists of business groups and corporate functions forming the first line of defense, central privacy experts as the second line, and an independent audit team as the third.
The ASTaR 5G end-to-end testing lab has a singular focus on cybersecurity
Security
Nokia has well-established cybersecurity processes built into its overall security risk management framework. This integration is achieved through a Security Program built on processes such as cybersecurity risk management, third-party security risk management, security incident management and disaster recovery.
In 2023, Nokia conducted a security training program that included annual mandatory training, quarterly awareness campaigns, monthly phishing simulations, and expanded initiatives to safeguard key data such as our Zero-Trust and Critical Information Protection Program and our dedicated Application Security Program. In 2023, the mandatory training completion rate was 98%.
We have developed and maintain an actionable Cyber Resilience service, built on an assessment of the cyber risks Nokia is most likely to experience. This includes investments in our Cyber Defense Center and our Computer Emergency Response Team, as well as the execution of regular incident simulations and tabletop exercises to ensure resilience in case of a cyber event.
We have also strengthened our third-party security process through improved supplier selection procedures, ensuring that security governance and compliance are embedded in our supplier selection processes and contracts.
Product and services security
At Nokia, we recognize the paramount importance of product and services security in the rapidly evolving landscape of telecommunications and technology. The number and frequency of DDoS attacks have grown from one or two a day to well over 100 per day in many networks, based on traffic monitored by Nokia from June 2023 to June 2024. In an era marked by digital transformation and interconnected ecosystems, the security of our offerings is crucial to our operations. We understand that our customers rely on Nokia for solutions that not only elevate performance but also guarantee the integrity and confidentiality of their critical data.
We continue to invest in security research and are dedicated to achieving a common security baseline enforced for all products and services. To accelerate our security ambitions, we are reinforcing the Nokia Design for Security framework, driving end-to-end product security testing initiatives like our Advanced Security Testing and Research (ASTaR) lab, and leveraging our own security innovations.
Secure products are our priority, supported by initiatives such as our Product Security Transformation Program, the pursuit of certifications for essential 5G products, and the evolution of our product security platforms. We have set up Service Security as a separate domain covering the full service lifecycle under a defined Service Security framework, and we remain focused on the continuous certification of services teams to the ISO/IEC 27001 standard. We also have a program dedicated to enhancing the security of Nokia service companies and joint ventures.
Third-Party Security
Nokia’s security ambition is also reflected in its supplier selection processes, contracts and supplier (re)assessments, which ensure that effective security is in place in our supply chain and with our third parties.
Security & privacy examples
- End-to-end optimization of the product life cycle
- Maintaining network security resilience
- Core Networks portfolio is in full compliance with all of the GSMA’s security requirements
- Nokia Threat Intelligence Report finds malicious IoT botnet activity has sharply increased
- Europe’s first live hybrid quantum encryption key trial
- Nokia ranked as a leader in fast-growing XDR security software market
- Advanced DDoS countermeasures for improved protection against botnet and application-level DDoS attacks
End-to-end optimization of the product life cycle
Security and privacy are an intrinsic part of the product life cycle and fully integrated into our design process. It is present and evident at every level and every stage. We have developed a Nokia Design for Security process that enables product security features and controls to identify, mitigate and manage security vulnerabilities.
Making 5G networks secure demands end-to-end optimization of security operations from devices to radio sites and network core.
In the 5G era, the nature and scale of information networks are evolving, as are the nature and scale of security threats. More avenues of attack are open to hackers, state actors and corporate espionage due to many types of interworking endpoints, extensive use of open-source software and large-scale use of 5G in a variety of industries. Network security resilience must be maintained as the attack scenarios are constantly changing. The Advanced Security Testing and Research (ASTaR) lab, located in Dallas, Texas, is the first end-to-end 5G testing lab in the U.S. focused solely on cybersecurity.
Nokia’s Core Networks portfolio is in full compliance with all security requirements defined by the GSMA’s bi-annual Network Equipment Security Assurance Scheme (NESAS) audit. NESAS audits and tests network equipment across the telecommunications industry to ensure it conforms to a security benchmark and the requirements of regulators, governments, and mobile operators.
The Threat Intelligence Report is compiled by experts at the Threat Intelligence Center in Canada, the Nokia Cyber Security Center in France, the Nokia Security Operations Center in India, and Nokia Deepfield, the part of Nokia focused on software applications for network analytics and DDoS security.
The trial with Proximus highlights how quantum cryptography can be implemented in a live network to help protect against malicious attacks, including attacks from future quantum computers. Using Nokia’s Quantum-Safe Networks solution alongside hardware and software from ID Quantique and evolutionQ, which create, distribute and manage the quantum keys, Proximus was able to encrypt data running over its live optical network and use photonic properties to ensure the safety of the data transmitted. As an additional layer of security, Nokia’s SMS (Security Management Server), a quantum-safe key generator and orchestrator, provided classical quantum-safe encryption using symmetric key distribution in instances where QKD key delivery was compromised or altered.
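The paragraph above describes two key sources, QKD-delivered keys and classically distributed symmetric keys, with the classical path taking over when QKD delivery is disturbed. The following is an added example, not code from Nokia, ID Quantique, evolutionQ or the Proximus trial, showing one common way to combine such sources: both keys feed an HKDF so an attacker must recover both to obtain the session key, and a domain-separated classical-only derivation is used as the fallback. The key material, key IDs and info labels are constructed for illustration; the HKDF is checked against RFC 5869 test case 1.

```python
"""Hybrid QKD + pre-shared-key session key derivation (added example, assumptions labelled)."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

HASH_LEN = 32  # SHA-256 output length


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract with HMAC-SHA-256; an empty salt means HashLen zero bytes."""
    return hmac.new(salt if salt else b"\x00" * HASH_LEN, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand with HMAC-SHA-256."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def rfc5869_self_check() -> bool:
    """Verify the HKDF implementation against RFC 5869 test case 1 (SHA-256)."""
    ikm = bytes.fromhex("0b" * 22)
    salt = bytes.fromhex("000102030405060708090a0b0c")
    info = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
    expected = bytes.fromhex(
        "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865"
    )
    return hkdf(salt, ikm, info, 42) == expected


@dataclass
class QkdKey:
    """Key as handed over by a QKD key-management system (shape is an assumption)."""
    key_id: str
    material: bytes
    usable: bool  # False when the QKD system flags the key as disturbed or tampered


def derive_session_key(psk: bytes, qkd: Optional[QkdKey], session_id: bytes) -> Tuple[bytes, str]:
    """
    Return (session_key, mode).
    hybrid:    IKM = psk || qkd_key; compromise of either source alone does not reveal the key.
    classical: IKM = psk only; used when no usable QKD key is available.
    The info label differs per mode so the two derivations can never collide.
    """
    if qkd is not None and qkd.usable:
        ikm = psk + qkd.material
        info = b"example/hybrid-v1/" + qkd.key_id.encode() + b"/" + session_id
        mode = "hybrid"
    else:
        ikm = psk
        info = b"example/classical-v1/" + session_id
        mode = "classical"
    return hkdf(salt=session_id, ikm=ikm, info=info, length=32), mode


# Constructed sample material (NOT real keys): derived from fixed strings so the example is reproducible.
PSK = hashlib.sha256(b"constructed pre-shared key for the example").digest()
SESSION = b"session-0001"
QKD_GOOD = QkdKey("qkd-key-42", hashlib.sha256(b"constructed QKD key material").digest(), usable=True)
QKD_FLAGGED = QkdKey("qkd-key-43", hashlib.sha256(b"constructed disturbed QKD key").digest(), usable=False)


def demo() -> dict:
    """Derive keys in both modes and report which path was taken."""
    hybrid_key, hybrid_mode = derive_session_key(PSK, QKD_GOOD, SESSION)
    fallback_key, fallback_mode = derive_session_key(PSK, QKD_FLAGGED, SESSION)
    return {
        "hkdf_ok": rfc5869_self_check(),
        "hybrid": (hybrid_mode, hybrid_key.hex()),
        "fallback": (fallback_mode, fallback_key.hex()),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The fallback key is independent of the QKD material by construction, so a flagged or absent QKD key never silently degrades the hybrid key into a weaker one; operators would typically also log the mode switch, since a sustained run of classical-only sessions is itself a signal worth investigating.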
Nokia is ranked as an industry leader in network security by analysts at GigaOm for the company’s extended detection and response (XDR) security platform, which provides communication service providers (CSPs) and enterprises with strong 5G network defenses through a variety of AI and machine learning capabilities.
GigaOm said it had positioned Nokia as a “fast moving leader” in the rapidly growing XDR security software market, citing the company’s technical capabilities and software expertise. “Nokia demonstrates clarity in its vision and features with its highly capable XDR platform. This solution includes the ability to collect data from a diverse set of sources, a powerful automation engine, and intuitive dashboards and reporting.”
Distributed Denial of Service (DDoS) attacks have become more frequent, sophisticated, and potent. Nokia provides advanced DDoS countermeasures for improved protection against botnet and application-level DDoS attacks. At the heart of the Nokia DDoS security solution is Deepfield Defender – an “all-seeing, all-knowing” AI-driven big data processing platform that analyzes network telemetry information obtained from the network and correlates it with the “security map of the internet,” the Deepfield Secure Genome® data feed.
Data privacy
Privacy approach
We have rolled out a comprehensive Privacy Framework across Nokia, and to improve awareness and understanding of privacy requirements throughout the company, we have rolled out mandatory privacy training for all employees. In 2023, the mandatory training completion rate was 98%.
Given the rapidly changing privacy regulatory landscape, we apply a comprehensive company-wide privacy program to ensure accountability for privacy at all levels of Nokia. We use a ‘Three lines of defense’ risk model: business groups and corporate functions form the first line of defense, a multi-skilled central team of privacy experts forms the second line, and an independent audit team forms the third line, providing assurance under the oversight of the Audit Committee.
We have established the practice of having a privacy steering committee with relevant senior executives representing business groups and central functions, who all have privacy responsibilities and accountability as part of their role for the organization they represent. Privacy updates are also regularly provided to Nokia’s Board of Directors and to the Audit Committee.
The Privacy Program builds privacy into our processes, products, and services. We have established core principles based on relevant laws and best practices to enable us to exercise the highest standards of integrity in dealing with and protecting personal data. We assess new privacy laws to ensure that we implement the requirements into our program and related processes. We have matured our central solution for documentation and reporting to catalogue how we use data and conduct privacy assessments that aim to mitigate privacy risk.
We are transparent about how we use personal data and how individuals can contact us with questions about their data that we hold in our systems or to share any concerns. We observe the concept of data minimization, meaning we endeavor only to collect personal data that is necessary for the purposes for which it is collected and to retain such data for no longer than is necessary.
We implement appropriate controls to ensure that only persons with a clear and justifiable need to know can access personal data. We also have formal processes and procedures in place to manage and mitigate any risk related to data subjects in the event of a personal data breach. These processes also include mechanisms to communicate in a timely fashion with supervisory authorities, should that be required.
In 2023 we initiated a review dedicated to ensuring that privacy by design is built into our products and services. We also launched a new central privacy hub on Nokia.com to ensure we are transparent and share our privacy principles and privacy notices. We updated our process for receiving data subject access requests.
A continuous program of privacy awareness, training, and enablement ensures we effectively address areas of the highest privacy impact. This includes targeted role-based training, and a network of certified privacy professionals that regularly provide coaching on privacy topics.
In 2023, there were no substantiated complaints regarding breaches of customer data. For the latest information on our security and privacy visit our website.
Standards and Principles
Contributing and driving security standards
We take an active role in security standards bodies such as GSMA SECAG (which defined NESAS, the Network Equipment Security Assurance Scheme), the GSMA Fraud and Security Group, 3GPP SA3 (which defines security standards for 5G), ETSI and others. The development and maintenance of our products and services are sustained by a company-wide Information Security Framework that reduces business risk by protecting and managing information in a consistent way, protecting Nokia’s customer data, and enabling transparency and accountability in the handling of all information:
- Our security controls and processes follow the ISO/IEC 27001 standard and NIST Cybersecurity Framework to ensure we identify and detect security threats and risks to our systems
- A critical information protection program protects Nokia’s and its customers’ information
- Our security awareness program drives cultural knowledge of security best practices and avoids potential threats to Nokia’s information
- A Third-party Security Risk Management process for Nokia suppliers ensures supply chain security and complies with legal and regulatory requirements
- Continuous internal and external auditing and external and internal simulated attacks activities validate the security implementation
- ISO/IEC 27001 certifications for selected sites assure security compliance is attained. The scope of the certification is continuously expanded
For further information on the Nokia approach to Security and Privacy you can also visit the dedicated Nokia web page.