Voice over IP systems handle critical communication features such as business phone calls, conferencing, chat and voicemail through on-premises or cloud-based environments. These systems have proven especially useful as remote workforces have gained momentum, as they are often not tethered to traditional landlines and can be used from any internet connection.
SEE: Mobile device security policy (TechRepublic Premium)
However, as with all technology upon which businesses depend, there are security risks related to VoIP which companies must be aware of in order to protect their operations, employees and data.
Why is VoIP security important?
Security is important for any system utilized to conduct company operations. It’s not just a matter of protecting business-confidential data to keep it out of the wrong hands, but any disruption or impact upon services and resources can interrupt company business, decrease staff productivity and potentially damage company reputation.
What are common VoIP security risks?
Scammers and cybercriminals pose the most ominous threats in the VoIP landscape. On a direct level, VoIP systems can be hacked if improperly insecure or vulnerable, giving these malicious actors the keys to the kingdom, so to speak. Data can be directly stolen or calls eavesdropped upon to obtain sensitive information. A compromised VoIP system can be used for malicious purposes, wasting company resources and reducing availability of services to legitimate users.
Distributed denial of service attacks are a typical threat, whereby massive amounts of internet traffic are directed at target VoIP systems to disrupt their functionality, then followed by a ransom demand to stop the attack in exchange for payment.
On an indirect level, malware is another typical risk for VoIP operations. Malware can capitalize upon vulnerabilities or improperly protected systems such that human intervention isn’t directly needed to launch such an attack.
It doesn’t necessarily take direct or indirect access to capitalize upon VoIP to engage in fraudulent activity. While traditional “POTS” (Plain Old Telephone Systems) communications were equally vulnerable to people duping unsuspecting call recipients with gimmicks and con artist endeavors in order to entice money transfers, reveal personal information or credit card numbers, phishing calls remain a common threat.
In these scenarios, recipients are often duped into thinking their accounts have been compromised or show signs of suspicious activity, and the caller then demands to verify these accounts by obtaining confidential information from the recipient.
Spam is also a prevalent concern. Technology allows spammers to send untold amounts of automated messages to different systems or spoof a local number in order to trick recipients into answering calls and being subjected to a marketing pitch.
Top 9 best practices for VoIP security
1. Ensure clear and comprehensive documentation is established and kept up to date
It’s impossible to protect an environment which isn’t clearly spelled out. Keep track of all in-house or external systems that VoIP relies on, as well as end user devices (including smartphones) and the software involved. Ensure all licenses, support information and vendor contact information is updated and made available to appropriate staff so that security incidents can be quickly addressed and a scope of impact established.
2. Utilize end-to-end data encryption
All services utilizing VoIP should entail encryption both on information in transit (e.g. phone calls or conferencing activities) and at rest (e.g. voicemails and chat histories).
3. Utilize segmented subnets, firewalls and network address translation for on-premise equipment
Put all VoIP systems on dedicated subnets with firewall access only permitting appropriate traffic via the bare minimum of ports involved. Using network address translation so all traffic relies on a public-to-private IP address can help shield in-house systems from attack, as only the necessary access is permitted for VoIP functionality.
4. Mandate the use of complex passwords and multifactor authentication for all VoIP related devices
Tightening access to VoIP devices will ensure these can only be utilized by appropriate personnel and if they are lost or stolen, unauthorized individuals cannot gain access to them. Remote device management tools are also highly recommended as these can ensure compliance, locate devices or wipe them entirely.
Choosing complex passwords can be a chore, but tools such as password managers that can create and store customizable passwords makes this process much easier.
5. Keep all VoIP software regularly updated
All software updates whether for VoIP systems or end user devices should be applied when available to ensure the best security and functionality across the board.
6. Apply all security hotfixes, patches and firmware updates
IT staff should subscribe to VoIP vendor alerts and security bulletins to ensure the latest hotfixes, patches and firmware are routinely applied to help prevent any vulnerability exploits and ensure VoIP security compliance.
7. Regularly test your VoIP systems for security vulnerabilities
Whether you conduct it in-house or hire an external resource, you should run penetration tests against your VoIP environment to make sure you have all the hatches properly battened down. Also consider the use of a DDoS protection service for high-volume enterprise class systems, which would cause a massive disruption in usage if attacked.
8. Discourage the use of public Wi-Fi for VoIP devices
Public Wi-Fi can pose a real risk to end user devices running over these networks, as traffic can potentially be eavesdropped upon or vulnerabilities exploited in real time. Employees should only use secure, private Wi-Fi or utilize a VPN over known trustworthy public Wi-Fi networks (such a relative’s house rather than a coffee shop).
9. Train your employees on how to react to attempted or successful security breaches
All of the above safeguards are useless without user training. The most tightly locked down VoIP device can still lead to a data breach if a user is convinced to give up security sensitive information or allow access to an attacker posing as a legitimate IT resource.
Conduct training for employees to educate them on how to:
- Recognize and report phishing attacks. End users should ensure any attempted contact by someone purporting to be from the IT department is legitimate (e.g. look them up in the address book or ensure they are using secure company resources to communicate) and if otherwise report the incident to the IT hotline.
- Recognize potentially threatening environments where devices might be stolen, such as airports, train stations and hotels, and safeguard devices accordingly.
- Recognize device behavioral anomalies such as extreme slowness or suspicious activity.
- Report any attempted or successful breaches to a resource that is separately available from any potentially compromised VoIP device (e.g. a company website or phone number).
- Do not allow non-company personnel to utilize VoIP devices for any reason.
If using VoIP devices in a BYOD environment, make sure these are securely wiped and/or handed off to the IT department to confirm no further VoIP functionality exists before discarding them.
Subscribe to the Cybersecurity Insider Newsletter
Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays