Many Irish businesses have now made the leap
from legacy PBX to VoIP, but how important is VoIP security? Let’s take a look
at the latest threats and what businesses can do to protect their sensitive
Know the risks.
There are security risks with both PBX and
VoIP systems and the threats are essentially no different: third-party hacking,
DDoS (distributed denial-of-service) attacks and voice data breaches.
Just like PBX, VoIP is susceptible to toll
fraud, i.e. a third party hacking into your phone system and piggybacking on it
to make outgoing calls at your expense. You may not realise your system has
been compromised until an unexpectedly expensive phone bill arrives.
A DDoS attack is a way for a hostile third party to take down your phone system completely, leaving you with no way to make or receive calls and sabotaging your ability to do business. These attacks typically involve a flood of traffic aimed at disrupting service rather than breaching data, and any IP-based platform is susceptible. With cloud-based VoIP, various layers of protection will be in place to protect against this kind of attack.
Voice data breaches.
If your data network is not secure, then your
voice network isn’t either. Vulnerabilities in your system security may allow a
third party to access your voice data, in other words, to listen to your calls.
If your staff discuss sensitive customer and financial data over the phone this
is a significant risk, especially with GDPR and PCI compliance.
If you record voice calls for any purpose,
this data also comes under GDPR legislation and you need to be able to state
and prove where this data is stored. This is much easier and quicker to do when
using a local communications provider rather than a global one.
While none of these threats may come as news
to you, what you may not realise is that depending on how your VoIP system is
set up, it can be relatively easy to protect your calls and keep your sensitive
business information secure.
A cloud of security.
Cloud-based VoIP is the most efficient business
option because it is open to access from anywhere by anyone with authorisation
(i.e. a password). The flip side, however, is the security risk that comes with
this openness. The risk is heightened if you opt for an on-premises solution,
with the server based at your site and the responsibility for security on your
shoulders. Hosted solutions place the onus of security onto the provider and, if
they are reputable, well-established and local, they will deliver a higher
level of security than you could achieve yourself.
Securing your voice network.
VoIP security is not a dark art. VoIP is
simply data in another form, so VoIP security is simply data security by
another name. If you are already good at securing your IT network, then VoIP
security should be second nature. All the usual IT security hygiene factors
apply to VoIP, e.g. don’t set your voicemail PIN to 1234, don’t set your login
as “Password1”, and don’t write down or share passwords with anyone.
There are extra measures available to further secure
your VoIP. Most cloud-based VoIP systems have automatic call profiling and
analytics based on AI algorithms, known as ‘traffic profiling’. This is an automated
process that categorises voice network traffic according to various
parameters. If any abnormal voice traffic is detected, automatic alerts will
notify administrators. For example, if international calls usually only make up
5% of your call traffic and this suddenly increases to 80%, it is a red flag and
can be caught before large bills accumulate.
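The international-share alert described above, as an added example that is not any provider's own code: it learns the usual share from past call records and flags hours that far exceed it, using a fixed-threshold comparison in place of the AI-based profiling a provider would run. The record layout, the `+353` home prefix, the thresholds and every sample record are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

HOME_PREFIX = "+353"  # assumption: Irish numbers count as domestic

def is_international(dialled):
    """True for an E.164 number outside the home country code."""
    return dialled.startswith("+") and not dialled.startswith(HOME_PREFIX)

def international_share(cdrs):
    """Fraction of calls in `cdrs` dialled outside the home country."""
    if not cdrs:
        return 0.0
    return sum(is_international(d) for _, d in cdrs) / len(cdrs)

def flag_hours(cdrs, baseline, factor=4.0, min_calls=5):
    """Return [(hour, share, calls)] for hours whose international share
    exceeds baseline * factor. Hours with fewer than min_calls calls are
    skipped, so one legitimate overseas call in a quiet hour (a 100% share)
    does not raise an alert."""
    by_hour = defaultdict(list)
    for started, dialled in cdrs:
        hour = datetime.fromisoformat(started).strftime("%Y-%m-%d %H:00")
        by_hour[hour].append((started, dialled))
    alerts = []
    for hour in sorted(by_hour):
        calls = by_hour[hour]
        share = international_share(calls)
        if len(calls) >= min_calls and share > baseline * factor:
            alerts.append((hour, share, len(calls)))
    return alerts

# Constructed call records (start time, dialled number); not real call data.
# HISTORY: 95 domestic + 5 international calls, i.e. the 5% baseline.
HISTORY = (
    [("2024-03-04T10:%02d:00" % (i % 60), "+35312345%03d" % i) for i in range(95)]
    + [("2024-03-04T11:%02d:00" % i, "+4420555%04d" % i) for i in range(5)]
)
TODAY = (
    [("2024-03-05T09:%02d:00" % i, "+35312345%03d" % i) for i in range(20)]  # normal hour
    + [("2024-03-05T13:05:00", "+44205550123")]                              # lone overseas call
    + [("2024-03-05T02:%02d:00" % i, "+1202555%04d" % i) for i in range(8)]  # overnight burst
    + [("2024-03-05T02:%02d:00" % (30 + i), "+35312345%03d" % i) for i in range(2)]
)

if __name__ == "__main__":
    baseline = international_share(HISTORY)
    for hour, share, calls in flag_hours(TODAY, baseline):
        print(f"ALERT {hour}: {share:.0%} international across {calls} calls "
              f"(baseline {baseline:.0%})")
```
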
You can also prevent third parties from piggybacking on your system by segregating your VoIP traffic from the rest of your data and applying strong security measures, e.g. allowing calls only from a VoIP phone that is physically plugged in to the system.
Alternatively, you could restrict international calling rights to certain staff members. As long as your local network for both data and voice is protected with an up-to-date and patched firewall, unauthorised call monitoring by a third party is not that much of a risk, particularly if your VoIP is cloud-based and hosted, as there will be many layers of security preventing unauthorised access.
An additional, usually optional, layer of security to add to VoIP is TLS (Transport Layer Security), which will encrypt your voice traffic back to the provider, so it is protected in the unlikely event it is intercepted.
As with all IT security, physical security is just as important, e.g. locked comms rooms and disabling unused patch points around your building.
Although you may not have considered the security of your phone system, it is as vulnerable as your IT system. It is also as easy to secure.
You may also be interested in Owen’s previous blog: A telephony disaster is one problem you don’t need to own.