When VoIP first launched, few people were concerned about security. IT leaders were rightly more interested in audio quality, reliability, and cost. But the world of business and technology has changed since then. With data security incidents rising across the board, CTOs cannot afford to ignore security any longer. A serious breach can affect every aspect of your business, cost millions of dollars to fix, and take a long time to recover from.
Cybersecurity Ventures estimates the cost of cybercrime to cross USD 6 trillion by 2021 and USD 10.5 trillion by 2025. While that primarily includes cybersecurity incidents related to digital systems like email and data management, VoIP systems are also vulnerable to cybercrime. Any system that uses the public internet is vulnerable to security exploits and your phone lines are no exception.
VoIP security
Network security is part of your responsibilities as a CTO. So how worried should you be about VoIP security? VoIP calls use your IP address, so a vulnerability here can put all your data and systems at risk. There’s not much point in securing your data network and servers, only to leave the VoIP system open to security threats.
Contrary to popular belief, technology companies and e-commerce websites are not the only victims. Financial, educational, and health care providers are also frequently targeted through their VoIP systems. IT leaders do not have to worry about the details but you should be aware of the risks and how to avoid them for your organization. The goal here is to make the cost of breaking in greater than the value of doing so.
1- Denial of service attacks
A denial-of-service attack is when attackers use up all the bandwidth on your resource, overwhelming it with spurious user requests. The resource will eventually shut down when it is unable to cope with the overload.
The resource can be anything – a website, the VoIP phone service, or an email server. It doesn’t require much knowledge or expertise to pull this off either. Even if your phones do not shut down, the audio quality will deteriorate, calls will not go through and customers will have a bad experience.
What can you do to mitigate a denial-of-service attack? One idea is to separate your data and voice communication. You can also use encryption and mandate using a VPN by all employees to keep things secure. If you have the resources, you can even use a dedicated internet connection specifically for the VoIP phone system. While expensive, it allows you to prevent the issues in one system from affecting other aspects of your business.
2- VoIP service theft
As a CTO, you are aware of the potential consequences of a security breach. Attackers can steal confidential data such as credit card information or patent documents. You may think this is not such a big risk with the phones, as there is nothing to steal there. But there is.
Once attackers break into your VoIP phone system, they can do anything for free and leave you to pay the bills. They can make international calls to premium numbers racking up huge bills over a single weekend. They can steal billing information and use it to pay for other expensive services.
Protecting your systems from VoIP service theft requires several measures including using strong passwords, limiting access to only those employees who need it, and updating all your software.
3- Malware
Similar to any other internet-based application or service, your VoIP phones and software are vulnerable to malware of all sorts. If your organization uses softphones on mobile devices and computers, it could be affected by a malware attack. Hackers may target the phones or your system could become unusable as a side effect of some other virus/Trojan.
Fortunately, you do not need any special tools or measures to protect your phone network. Existing methods such as using firewalls, monitoring traffic, and antivirus software are excellent ways of securing the phones. You can also buy network hardware that blocks malware and prevents access to malicious websites.
4- Man in the middle attacks
Man in the middle attacks is more sophisticated and involved than using other security exploits. Hackers may take weeks or even months to research an organization and the phone system before attacking. It typically involves using custom tools and websites that mimic real software. The attackers mislead your employees or customers to enter confidential data like passwords on the fake website and capture that information.
Such attacks are harder to set up but the payoff can be huge. The most effective protection measure is to train staff to spot inconsistencies in emails, links, and social media. Educate them on when and where it is appropriate to give out sensitive data. Even better, limit access to sensitive data as needed. Employees cannot accidentally reveal information they don’t have in the first place.
5- Vishing and ID spoofing
Vishing and ID spoofing generally go hand in hand. Imagine one of your service agents gets a call from your IT department asking them to go to a link and update their password. The staff looks at the familiar phone number and decides to follow instructions. The caller may also have other data on the agent such as their employee ID to make the call seem legitimate.
A manager or supervisor may even get calls purporting to be from HR, payroll, or a government agency. The caller asks them to clear outstanding dues or send employee records for an audit etc. Vishing can be hard to counter as ID spoofing does not need much equipment to get going. Attackers use numbers and services outside your country so you cannot trace the origin.
What you can do is verify phone requests and make sure incoming requests are valid, similar to spam filters. Educate employees on company policies which should specify that staff will not be asked for sensitive information over the phone. Train frontline agents to ask for a contact number and then call back as an additional layer of security.
6- Eavesdropping
Eavesdropping is also a real risk associated with VoIP phone systems. Companies transmit a lot of sensitive information over the phone. An agent may ask customers for their address and credit card data. A salesperson may verbally confirm contract details with a client. Imagine if attackers could capture phone calls and get access to all that data.
What can you do to prevent eavesdropping on your phone network? One thing you can do is to make sure calls are encrypted end-to-end. This means that even if a hacker records calls or breaks into the system, they cannot decipher it. If you are looking for a VoIP service provider, ensure they offer encryption before signing up for service.
7- Call tampering
Call tampering happens when a hacker wants to cause issues with your phone system. They send large data packets over the network, slowing things down. It leads to dropped calls and degraded audio quality. Criminals may also:
- Change passwords locking legitimate users out
- Edit authorization lists so employees cannot use the phones
- Divert calls to outside numbers
- Disable necessary features or add premium services
IT leaders often consider call tampering as a minor annoyance but it can lead to serious consequences. Basic security measures – such as frequently changing passwords, using long and secure passwords as well as closely monitoring the phone system – can help you identify and mitigate the consequences quickly.
8- Audio spam
Everyone is familiar with email spam. It clogs up company inboxes and often contains malicious links, viruses, and unwanted solicitations. Spam over IP telephony (called SPIT) is similar. Hackers will send recorded messages to your phone numbers. They are widely seen as a nuisance but they can tie up your system so legitimate users cannot access it. Similar to email spam, SPIT can also accompany malware, viruses, and fraudulent links.
You may not be able to stop audio spam completely but you can use firewalls to make sure fewer messages travel over the network. Training and awareness programs should also highlight this security risk, so employees know what to watch out for.
Reduce VoIP risks
You may have noticed a common theme so far. The most common source of VoIP security risks is human agents. In the same vein, your employees are the most effective way to spot and prevent security breaches. General best practices to ensure data security will go a long way towards protecting your phone systems as well. Some ways to protect your digital systems are:
- Education, awareness, and training. Make sure your staff knows how to spot security risks and report them to the appropriate team.
- Update your IT policies as and when new security risks are identified. Make changes frequently, especially when you see something is not working correctly.
- Make sure your hardware and software are updated and protected with the necessary security tools. Outdated software is the reason for many security incidents.
- Monitor your systems for unusual activity such as high traffic on weekends, suspicious data flows across country borders, and new users logging in. The quicker you find the breach, the better you can contain the consequences.
