Telephony continues to remain the dominant form of communication in business today. However, traditional telephony is now being joined by IP-based telephony options to reduce the cost of telecommunications and to increase communications options. In fact, the purchases of IP communications platforms in 2006 exceeded legacy phone systems for the first time in history and according to Synergy Research Group and InfoTech, IP platforms will comprise over 90% of all enterprise telephony purchases by 2010. Additionally, the small and medium-sized business (SMBs) market is expected to grow at a faster rate than the large enterprise market and is projected to represent 43% of total IP telephony shipments by the end of 2010.
Statistics like these are not surprising with benefits such as significant monetary savings, affordable long distance and international calls, free calling features and convenience, to mention a few – making IP telephony and, more so, VoIP a attractive alternative for business use. However, these benefits can quickly be erased should the VoIP network become compromised. With the plethora of threats and viruses currently making their mark, as well as a host of others in the making, businesses need to be aware of the security risks and the countermeasures that they can take to secure their telephony solutions.
In 2008, CompTIA undertook a survey* around VoIP security. Of the 350 SMBs polled, only 50% thought VoIP technology was safe enough to trust, lagging behind traditional telephony systems (82%), Ethernet data networks (72%) and wireless local area networks (60%) – due to the fact that people are much more sensitised to disruptions in voice communications than they are with data ones. Additionally, many pointed out that the world was embracing an emerging technology without taking the time to secure it.
When IP telephony was in its infancy, hackers had little interest in attacking these networks, but as the technology has gained broader acceptance, new and ever-more sophisticated security threats have arisen. Furthermore, SearchSecurity.com’s Senior News Writer Bill Brenner** borrowed a phrase from Malcolm Gladwell when he summed up the VoIP discussions at Black Hat 2007. Brenner stated that VoIP security is reaching a tipping point, with many easy-to-attack protocols in wide use – and to a certain extent, he was right. But like everything else, VoIP is only as secure as you make it!
The same types of attacks that plague the data environment – viruses, worms and Trojan horses, to name but are few are impacting the IP-based communications environment as well. As a result, the content of VoIP communications is vulnerable to being attacked, hacked, altered, intercepted or re-routed. Worse yet, because voice and data communications often run on the same infrastructure, an attack on the VoIP system could compromise the entire availability of the IP network, risking a business’ ability to communicate via either voice or data. In addition to external threats, internal negligence and abuse also needs to be curbed. Employees have to be educated about possible threats and made aware of their personal responsibility. Furthermore, policies need to be implemented to ensure that employees don’t abuse or misuse the telephony system to make expensive international calls for personal reasons. Therefore, developing a culture of security depends on a lot more than just physical security measures as security needs to be embedded in a company’s core values, ethics and leadership, not to mention the basis for all forms of communication, wired and wireless. Only an approach that takes into account the interests of all employees and the nature of their work, will deliver the fullest possible benefit to an organisation.
Consequently, it is evident that VoIP security is something that cannot be ignored, especially as it is integrated into every level of the organisation. Therefore don’t shy away from adopting VoIP due to security concerns, just make sure you are armed with the right information to take the proper steps to secure the system and ensure the benefits can be maximised.
Suggested preventative steps include:
• Be vigilant and stay up to date about new and changing threats
• Learn how to recognise a threat and more importantly, how to deal with it
• Follow best practices for VoIP network security
• Separate VoIP and data networks (Virtual Private Networks)
• Implement tools to monitor and report of telephone use
• Choose a provider who understands the industry and is able to configure the solution to your specific business need
As VoIP use continues to grow, it is likely that attackers will increasingly seek out ways to exploit this technology, but with the right mindset, the right technology and the right solution provider, the battle can be won and VoIP can take its rightful (and valuable) place in Corporate SA.
Director and Co-Founder of Connection Telecom
* Computing Technology Industry Association (CITA), Concerns Over IP Telephony Security Still Present in SMB Market, 2007
** Mike Chapple, CISA, CISSP, Enterprise security in 2008: Addressing emerging threats like VoIP and virtualization, http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1293693,00.html