Businesses are aware of the importance of securing data held on corporate networks and beyond. But too often they overlook the importance of securing their communications and voice networks, says Colin Tankard, MD of Digital Pathways.
The convenience and reduced cost of making calls over the internet appeals to businesses large and small. Voice over IP (VoIP), to give its technical name, ranges from modest Skype apps on smartphones right up to enterprise-wide, fully featured unified communications networks.
While conventional voice calls can obviously be bugged or hacked, many users of VoIP forget that a data-based voice system is also vulnerable to cyber attacks. Unauthorised access to VoIP data servers can even provide a backdoor into the company’s main networks if not protected.
Yet, in my experience, it’s not unusual for VoIP servers to be left unprotected against hackers searching for and finding vulnerabilities. Why is this? Is it ignorance of the dangers or a reluctance to invest in VoIP protection? Perhaps we, as an industry, have done a poor job of raising awareness of the dangers of unsecured VoIP in the workplace.
But the dangers are very real and as serious as those of an unsecured data network. Hackers poking around VoIP can potentially overload the system, causing it to fail, better known as a denial-of-service attack. More likely they will be looking to steal customer data, eavesdrop and record conversations. Like other cyber attacks, some are done as acts of digital hooliganism simply for kicks, but a growing number are committed by organised gangs with specific criminal intent.
Companies with badly protected VoIP systems are vulnerable to the growing problem of call fraud. Internal calls are rerouted by criminals to hugely expensive premium rate numbers set up by the criminals: they manage to hack the system and automate dial-outs when no one is in the office. According to a recent report in the New York Times, a small architecture firm in San Francisco ran up a $166,000 phone bill in one weekend. It would have normally taken the firm 34 years to spend that much on phone calls. According to the same story, this type of fraud cost $4.73bn worldwide in 2014, quite an astonishing figure.
Call centres using VoIP are a particular favourite of hackers and cyber criminals. Remember, these are the places where conversations between the centre and the customer will often include all sorts of confidential information: names, addresses, PINs, passwords, maiden names, etc. This is nectar to your average cyber criminal.
The rising challenge of so-called “shadow IT” in the enterprise, where employees buy and use unauthorised hardware or software that uses a VoIP application, can also create a backdoor into the network and undermine traditional privilege management.
So how can businesses reduce the risks? The obvious answer is to remember that just because the system seems to work like conventional copper-based voice systems, the infrastructure behind it is fully digital and IP-based, and should be subject to the same precautions as the rest of the network.
At the very minimum, you need a firewall and intrusion protection system to monitor for suspicious activity. All voice data servers should be protected with two-factor based access and administration.
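The call-fraud pattern described earlier (automated dial-outs to premium rate numbers when no one is in the office) is one kind of suspicious activity that can be monitored from call records. The sketch below is an added example, not part of the original article; the call record columns, office hours, high-cost prefixes, threshold and sample records are all assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Assumptions: every value here is site-specific and must be tuned.
OFFICE_DAYS = range(0, 5)            # Monday..Friday
OFFICE_HOURS = range(8, 18)          # 08:00-17:59 local time
HIGH_COST_PREFIXES = ("09", "00")    # example premium-rate / international prefixes
MAX_CALLS_PER_HOUR = 3               # tolerated out-of-hours high-cost calls per extension

# Constructed sample call detail records (not real data).
SAMPLE_CDR = """start,extension,dialled,seconds
2015-03-13T10:02:00,201,02079460000,180
2015-03-13T10:30:00,201,09098790001,60
2015-03-14T02:00:00,305,09098790002,1700
2015-03-14T02:05:00,305,09098790003,1700
2015-03-14T02:10:00,305,09098790004,1700
2015-03-14T02:20:00,305,09098790005,1700
2015-03-14T02:40:00,305,09098790006,1700
2015-03-14T14:00:00,110,00449999990000,240
"""

def is_out_of_hours(ts):
    """True when the call started at a weekend or outside office hours."""
    return ts.weekday() not in OFFICE_DAYS or ts.hour not in OFFICE_HOURS

def suspicious_calls(cdr_text):
    """Return calls that are both out of hours and to a high-cost prefix."""
    hits = []
    for row in csv.DictReader(io.StringIO(cdr_text)):
        ts = datetime.fromisoformat(row["start"])
        if is_out_of_hours(ts) and row["dialled"].startswith(HIGH_COST_PREFIXES):
            hits.append((ts, row["extension"], row["dialled"], int(row["seconds"])))
    return hits

def alerts(cdr_text):
    """Bucket hits per extension per clock hour; report buckets over the threshold."""
    buckets = defaultdict(list)
    for ts, ext, dialled, _secs in suspicious_calls(cdr_text):
        buckets[(ext, ts.replace(minute=0, second=0))].append(dialled)
    return {k: v for k, v in buckets.items() if len(v) > MAX_CALLS_PER_HOUR}

if __name__ == "__main__":
    for (ext, hour), numbers in alerts(SAMPLE_CDR).items():
        print(f"ALERT extension {ext}: {len(numbers)} high-cost calls in hour {hour}")
```

A single out-of-hours international call (extension 110) is recorded as a hit but does not alert; only the burst from extension 305 crosses the threshold.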
However, to really protect your VoIP infrastructure you need to think about encryption. All voice data that is directed through your business on VoIP should be encrypted, and this can be done on devices and servers, but it needs to be done expertly so that you don’t end up slowing down the network.
This is key. Modern VoIP systems are largely free of the dropouts and distortions of the past, so you don’t want to introduce them again by choosing a poorly configured encryption service.
Fortunately, there are security providers out there that understand this and will happily work with you to determine your level of protection and build an encryption-based, fully VoIP-compatible security service tailored to your business.
If you already use VoIP, or are thinking of switching, you should seriously consider security and the implications of an inadequate level of protection. Not all attacks can be stopped, but we owe it to ourselves not to give the cyber attackers an easy ride by inviting them in over the phone!