Keeping your business calls strictly your business.

Owen Kirwan
On: 14 Mar 2019
Share this post

VoIP Security, VoIP, Unified Communications

Many Irish businesses have now made the leap from legacy PBX to VoIP, but how important is VoIP security? Let’s take a look at the latest threats and what businesses can do to protect their sensitive voice data.

Know the risks.

There are security risks with both PBX and VoIP systems and the threats are essentially no different: third-party hacking, DDOS attacks (distributed denial-of-service) and voice data breaches.

Third-party hacking.

Just like PBX, VoIP is susceptible to toll fraud, i.e. a third-party hacking into your phone system and piggybacking on it to make outgoing calls at your expense. You may not realise your system has been compromised until an unexpectedly expensive phone bill arrives.

DDOS attacks.

A DDOS attack is a way of a hostile third-party completely taking down your phone system, leaving you with no way to make or receive calls and sabotaging your ability to do business. They typically involve a flood of traffic aimed at disrupting service rather than a data breach, and any IP-based platform is susceptible. With cloud-based VoIP, various layers of protection will be in place to protect from this kind of attack.

Voice data breaches.

If your data network is not secure, then your voice network isn’t either. Vulnerabilities in your system security may allow a third-party to access your voice data, in other words, to listen to your calls. If your staff discuss sensitive customer and financial data over the phone this is a significant risk, especially with GDPR and PCI compliance.

If you record voice calls for any purpose, this data also comes under GDPR legislation and you need to be able to state and prove where this data is stored. This is much easier and quicker to do when using a local communications provider rather than a global one.

While none of these threats may come as news to you, what you may not realise is that depending on how your VoIP system is set up, it can be relatively easy to protect your calls and keep your sensitive business information secure.

A cloud of security.

Cloud-based VoIP is the most efficient business option because it is open to access from anywhere by anyone with authorisation (i.e. a password). The flip-side however is the security risk that comes with this openness. The risk is heightened if you opt for an on-premise solution, with the server based at your site and the responsibility of security on your shoulders. Hosted solutions place the onus of security onto the provider and if they are reputable, well-established and local, they will deliver a higher level of security than would be possible to do yourself.

Securing your voice network.

VoIP security is not a dark art. VoIP is simply data in another form, so VoIP security is simply data security by another name. If you are already good at securing your IT network, then VoIP security should be second nature. All the usual IT security hygiene factors apply to VoIP, e.g. don’t set your voicemail PIN to 1234, don’t set your login as “Password1”, and don’t write down or share passwords with anyone.

There are extra measures available to further secure your VoIP. Most cloud-based VoIP systems have automatic call profiling and analytics based on AI algorithms known as ‘traffic profiling’. This is an automated process that categorises voice network traffic according to various parameters. If any abnormal voice traffic is detected, automatic alerts will notify administrators. For example, if international calls usually only make up 5% of your call traffic and this suddenly increases to 80%, it is a red flag and can be caught before large bills accumulate.

You can also prevent third-parties piggybacking on your system by segregating your VoIP traffic from the rest of your data and applying strong security measures, e.g. allowing calls only from a VoIP phone that is physically plugged-in to the system.

Alternatively, you could restrict international calling rights to certain staff members. As long as your local network for both data and voice is protected with an up-to-date and patched firewall, unauthorised call monitoring by a third-party is not that much of a risk; particularly if your VoIP is cloud-based and hosted as there will be many layers of security preventing unauthorised access.

An additional, usually optional layer of security to add to VoIP is TLS (Transport Layer Security), which will encrypt your voice traffic back into the provider, so it is protected in the unlikely event it is intercepted.

As with all IT security, physical security is just as important, e.g. locked comms rooms and disabling unused patch points around your building.

Although you may not have considered the security of your phone system, it is as vulnerable as your IT system. It is also as easy to secure.

You may also be interested in Owen’s previous blog: A telephony disaster is one problem you don’t need to own.

For more information, call our Business Advice team on 1800 200 017 or