Reliable communication is the lifeblood of any business, but in this digital age, security cannot be neglected either. Moving your phone service to the cloud from a legacy telephone system using copper wires brings some of the same risks and benefits as anything else done on the Internet. Once you understand the risks and how to manage them, the benefits of VoIP communication technology become more attractive. But understanding the requirements for secure communication, and why they exist, requires some knowledge of how IP (Internet Protocol) telephony works.

Background

As with any device connected to the Internet, VoIP phones are vulnerable to hacking attempts and malware, along with other malicious attempts to steal information or hijack elements of a company’s computer network. These cyberattacks hit thousands of American businesses every month and do billions in damage through lost files, corrupted data, and stolen funds. Because a VoIP phone transmits a digital voice signal across the Internet, these devices are vulnerable to different cyberattacks.

Beyond the phones themselves, any IP phone system will be vulnerable to attack in other ways. For example, an instant message tool could be used to share an attachment containing malicious code. An attacker could trick an employee into giving them access to the “control panel” that operates your company’s VoIP system, allowing them to cause all kinds of trouble. So, while VoIP telephony is secure, it also brings security challenges.

Security Risks

Anything that is on the Web is theoretically vulnerable to different forms of attack. A VoIP system that transmits voice signals across the Internet is obviously not going to be immune to various threats, but a couple of the things hackers can do with a VoIP system are not really options against a website or cloud-based app. Here is a summary of some familiar, and a couple of unusual, risks faced by the VoIP phone user:

  • Phishing – A hacker will contact people in the organization in hopes of tricking them into revealing login credentials for the email service, payment gateway, customer database, and so on.
  • Phreaking – Back in the days of rotary telephones, nefarious individuals could make free long-distance calls by reproducing the tones the phone companies used to direct those calls to their intended destination. Now, phreaks hack VoIP networks to make free calls.
  • Toll fraud – Hackers may want to make money by tricking employees into calling a number, which redirects them to an expensive international or pay-per-minute line.
  • Malware – IP telecom systems are vulnerable to worms, viruses, keyloggers, ransomware, and Trojan horses.
  • War dialing – This type of attack is unique to phones. It involves a hacker using a company’s PBX to search for phone numbers to call and other phone networks to potentially exploit for illegal purposes.
  • Denial of service attacks – We tend to associate denial of service attacks with websites, where hackers overwhelm a Web server with a flood of bogus requests. Aimed at a phone system, this type of cyberattack floods the telecom system with traffic, blocking legitimate callers.
  • Call interception – A hacker might be able to tap unencrypted Session Initiation Protocol (SIP) traffic to eavesdrop on voice and video calls.

Spam calls are not necessarily a security risk, but they can waste bandwidth and storage space if the callers leave messages. Some automated spam tools can leave canned voicemail messages. Other “spam” calls might be attempts at fraud or at phishing. Have you ever received a call from Microsoft Technical Support about your computer?

Just as you would take steps to secure your business network and IT assets from attack, you also want to secure your IP telecommunications tools and software against cyberthreats.

Securing Your Communications

Business owners need to take steps to protect their network and their digital assets from theft or alteration, and from misuse, as when equipment is hijacked to launch DDoS attacks. Here are some steps you can take to secure your network and your VoIP system from attack:

  • Train your staff on cybersecurity risks and topics like phishing.
  • Enforce a strong password policy and do not let employees stay permanently logged into systems.
  • Encrypt all communication.
  • Ensure software is up-to-date, including browsers, anti-malware software, and operating systems.

Finally, look for a security-conscious VoIP provider. When screening potential vendors, you want to ask questions that mirror the steps you would take internally to ensure data and network security. Specifically, you want to ask about:

  • Certifications – Look for PCI, SOC 2, HIPAA (Health Insurance Portability and Accountability Act) or ISO certification.
  • Encryption – Do they use TLS and SRTP encryption?
  • Training – What cybersecurity training have the staff received? What third-party tools (software and hardware) are they using to prevent cyberattacks?
  • Malware Protection – Ask about the third-party tools for preventing viruses and other threats from getting loose in your network.

A trustworthy VoIP services provider will advertise good security and prove it by providing this type of information.
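
The TLS and SRTP question can also be checked against your own call traffic. The Python sketch below is an added example, not code from this article or from any provider: it audits a captured SIP INVITE for encrypted signaling (the Via transport) and encrypted media (the SDP m= profile), and flags SRTP keys sent in the clear. The sample messages, host names and key are constructed.

```python
import re

SRTP_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}

def sample_invite(transport: str, profile: str, crypto: bool) -> str:
    """Build a constructed INVITE (example.com hosts, placeholder key)."""
    sdp = ["v=0", "o=alice 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10",
           "t=0 0", f"m=audio 49170 {profile} 0"]
    if crypto:
        sdp.append("a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED+PLACEHOLDER+KEY")
    head = ["INVITE sip:bob@example.com SIP/2.0",
            f"Via: SIP/2.0/{transport} pbx.example.com;branch=z9hG4bKconstructed",
            "From: <sip:alice@example.com>;tag=1", "To: <sip:bob@example.com>",
            "Call-ID: constructed-1@example.com", "CSeq: 1 INVITE",
            "Content-Type: application/sdp"]
    return "\r\n".join(head) + "\r\n\r\n" + "\r\n".join(sdp) + "\r\n"

def audit_invite(message: str) -> list[str]:
    """Return findings; an empty list means signaling and media are encrypted."""
    head, _, sdp = message.replace("\r\n", "\n").partition("\n\n")
    findings = []
    # Signaling: the topmost Via header names the transport actually used.
    via = next((l for l in head.split("\n")[1:] if re.match(r"(?i)(via|v)\s*:", l)), "")
    m = re.search(r"SIP/2\.0/(\w+)", via)
    transport = m.group(1).upper() if m else "UNKNOWN"
    signaling_encrypted = transport in {"TLS", "WSS"}  # WSS: secure WebSocket
    if not signaling_encrypted:
        findings.append(f"signaling sent over {transport}, not TLS")
    # Media: each SDP m= line carries the transport profile in its third field.
    sdes_keys = False
    for line in sdp.split("\n"):
        if line.startswith("m="):
            kind, _port, profile = line[2:].split()[:3]
            if profile.upper() not in SRTP_PROFILES:
                findings.append(f"{kind} stream uses {profile}, not SRTP")
        elif line.startswith("a=crypto:"):
            sdes_keys = True
    # SDES carries the SRTP master key inside the SDP body, so it needs TLS.
    if sdes_keys and not signaling_encrypted:
        findings.append("SRTP key (a=crypto) exposed in unencrypted signaling")
    return findings

if __name__ == "__main__":
    for args in [("UDP", "RTP/AVP", False), ("UDP", "RTP/SAVP", True), ("TLS", "RTP/SAVP", True)]:
        print(args, audit_invite(sample_invite(*args)) or "OK")
```

The middle case is the one a yes/no answer about SRTP can hide: the media is encrypted, but its key travels in readable signaling, so both TLS and SRTP have to be in place together.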

VoIP Security Risks are Manageable

By understanding the risks, instituting good cybersecurity practices in your organization, and asking the right questions of VoIP providers, you can minimize any future problems and reap the benefits of fast and efficient IP-based telephony. If you would like to know more about setting up cloud-based VoIP services, contact us to schedule a free consultation.