Son Young-kyu, Head of Security Governance (Executive Vice President) at SK Telecom./Courtesy of SK Telecom

"By combining reported data with internal detection results, we shortened the update cycle for blocking policies for anomalies from daily to every 10 minutes. We raised our defense rhythm to match the trend of attacks shifting to shorter cycles."

Son Young-kyu, SK Telecom's head of security governance (executive vice president, 55), said this in an interview with ChosunBiz on the 12th. As voice phishing and spam become faster and more sophisticated with generative artificial intelligence (AI), SK Telecom is redesigning the entire detect-block-recover process for real-world operations, he said. Son joined SK Telecom in 2001, worked in IT development, and has handled security duties since 2014. He also serves as head of personal information protection.

The results show up in numbers. SK Telecom preemptively blocked about 1.1 billion telecom fraud attempts last year, including voice spam, voice phishing calls, and text messages. That was up 35% from a year earlier. It blocked 250 million voice and 850 million text attempts. Son said, "This is not a one-year flash result but the cumulative effect of building organization and technology together starting to show."

Son also emphasized a shift in the security frame. "We are moving from a firewall-centric approach to zero trust (a security principle of never trust, always verify)," he said, adding, "We are reauthenticating users and devices at each access point and reducing lateral movement with micro-segmentation controls by asset." He added that they are simultaneously strengthening account privilege management and advancing controls over source code vulnerabilities.

◇ Combining adot device-side analysis with network blocking

At customer touchpoints, PASS and the adot phone split security roles. PASS provides lure-text detection alerts, and the adot phone issues immediate warnings on suspicious signals or anomalies with AI Safe Block. Notably, the adot phone adopts an on-device structure that analyzes context during calls right on the device. Son explained, "Instead of storing call content on servers and processing it there, on-device analysis reduces privacy concerns."

They also strengthened multilayer defense at the network level. SMS and voice filtering equipment first screens mass traffic, and context-based judgments are added at the device touchpoint. Speed of application is key. Son said, "We shortened the time gap for reflecting threat intelligence into policy, reducing the response time to changing attack patterns."

◇ AI sorts at high speed; people verify high-difficulty cases

Operations combine AI and people. AI does the first classification on large volumes of data, and people make final determinations on malicious URLs, similar patterns, and false positives. Son said, "What determines model accuracy is ultimately the quality of the answer key," adding, "Rather than blindly increasing headcount, we should have AI do the sorting while people focus on high-difficulty verification to raise both productivity and precision."

Models are operated under an MLOps framework (an operating method that automates and standardizes training → validation → deployment → monitoring → retraining). Instead of fixing a single deployed model for a long period, they repeat training, deployment, validation, and retraining. Son said, "The operating cycle, once centered on quarters and half-years, was pulled to monthly to match the speed of change in attack patterns."

◇ Shifting the organization to real-world operations with RACI, runbooks, and a red team

At the organizational level, they unified response lines. After creating a cyber threat response organization, they grouped the governance and technical response units around an integrated security center. Department-by-department distributed responses were realigned to the single goal of protecting customers.

They also overhauled rules. Reflecting cloud and supply chain threats, they revised information protection handling guidelines and applied a RACI (role and responsibility split) framework by control area to clearly define in advance who is responsible, accountable, consulted, and informed. They prepared runbooks by incident type to standardize execution across identification, detection, response, and recovery.

They also made routine the red team–blue team review loop and conducted drills based on ransomware, DDoS, and account-takeover attack scenarios. Son said, "The goal is not the slogan of zero incidents but strengthening resilience to lower the likelihood of incidents and minimize damage spread when they occur."

He also pointed out the structural limits of telecom companies. Son said, "Because a telecom company is a connection platform, it cannot by itself completely block every hacking crime at the source," adding, "Effectiveness grows only when we link data and cooperate with the police, the Korea Internet & Security Agency (KISA), and the financial sector." Still, he added, "We cannot retreat behind our limits; it is on telecom companies to further raise pre-detection and instant response capabilities."

Son said, "Security succeeds or fails in field operations," adding, "We will combine AI innovation on top of basics and principles to raise the safety level customers feel." He continued, "SK Telecom's direction is clear: security is not a declaration but an operation updated every day."

※ This article has been translated by AI.