VoIP may deliver great savings over traditional telephony, but with call-jacking over unsecured lines costing UK businesses – not the telephony providers – around $1.2 billion a year, the cost/benefit argument is perhaps more complex than many SMEs realise, according to Paul German, CTO & Founder, VoipSec.
The UK’s SMEs are increasingly using Voice over Internet Protocol (VoIP) in order to cut call costs. Alongside cloud computing, VoIP is a key component in today’s flexible, low-cost infrastructure that is supporting business agility and growth. Yet while businesses are increasingly confident in deploying these technologies, far too many are failing to understand the associated risks. The clue is in the name – Internet Protocol. VoIP is not just a new, lower-cost telephone system; it is using the Internet data connection to provide a voice service – and should be treated as such in terms of security and usage policies.
Only the most naïve companies would ignore the need for firewalls and anti-virus and all the other essential products required for a robust, multi-layered data security model on the core infrastructure. So why are most companies blithely deploying VoIP without even considering the security implications?
The result is a door wide open onto the server, which is used to host the VoIP service – the same one that is probably used for the rest of the business (indeed, the voice function may actually be integrated with essential applications such as ERP) – and a fundamentally compromised business infrastructure.
In fact, the risk goes far beyond hackers using this unsecured route into the business to access corporate data; the biggest problem associated with VoIP today is so-called toll fraud – or, more to the point, call-jacking. Essentially, a hacking team sets up a number of premium-rate lines – typically the 0900 numbers often located in the Philippines or Malaysia; gains access to an unsecured VoIP network; and sets up automated dial-ups to these £5 per minute numbers. And while the network operator takes some of that call revenue, the hackers are typically raking in around 60% – a pretty nice earner that leaves the SME with a bill which can run into the £10,000s.
Typically these events occur over a weekend, which means they are extremely unlikely to be detected in time – and in some cases companies do not discover the problem until the bill arrives at month end. Who pays the bill? Check the small print: the telephone network provider has no liability in such cases; it is all down to the SME – although most providers will work out a payment plan rather than demand the full sum up front. Either way, a single weekend’s call-jacking can leave a business facing a debt that could easily tip it over the edge.
So why are resellers not bundling security solutions into the overall product set?
Quite simply, cost. VoIP connections can be secured, of course, using a Session Border Controller (SBC), which acts as a voice firewall. However, traditionally these voice firewalls have been expensive solutions that require dedicated hardware implementation. As a result, SMEs aware of the risk have generally ignored it, while resellers have felt compelled to downplay the risk because bundling security into the VoIP package resulted in an uncompetitive offer.
Organisations have got to change their thinking. They need to challenge the VoIP providers to provide an accurate picture of the true cost/risk argument and demand that the reseller community begins to explore the latest generation of freemium voice firewall products now available. This new cloud-based technology finally provides SMEs with the essential first tier in the voice security model, at a fraction of the cost of traditional products. A simple download-and-install virtual SBC enables businesses to secure the voice network within minutes – without impacting the compelling cost-benefit argument.
The great news is that in a business environment awash with unsecured VoIP connections, any hacker will be deterred by even the most basic security solutions and will rapidly move on to an easier target. Furthermore, once the voice firewall is in place, an SME has the foundation for the multi-layered security model required for every aspect of the infrastructure, including voice. This includes determining how VoIP should be used, what policies should be implemented to improve control over the environment and deploying application-level security to implement these policies quickly and effectively.
Essentially, the voice firewall is the foundation for the defence-in-depth model that has been applied to secure data networks over the last decade.