Is VoIP Secure? How To Protect Your Business Phone System
Given the rise in the remote workforce, many business owners are concerned about how to protect their data when everyone is working in different places.
Even traditional office workers face new security risks, due in no small part to the rise in BYOD (bring-your-own-device) VoIP communication. Given that a cyber attack can cost its victims on the order of $40,000 per hour of disruption, keeping office communication secure is top of mind for small businesses and large enterprises alike.
Are traditional desk phones still safer than VoIP? How can you improve your VoIP security strategy? Most importantly of all, how do you know that the VoIP phone system you’re considering is truly secure?
Read on to learn how the right security strategies can lower your risk of cyberattack, protect your customer data, and help you to sleep better at night.
VoIP vs Traditional Phones: Which Is Safer?
The main difference between VoIP (Voice over Internet Protocol) phones and traditional landlines is that VoIP calls are made over the Internet, while traditional phone calls are made over the Public Switched Telephone Network (PSTN for short.)
Analog phone systems (landlines) carry the voice as an electrical signal over the copper wiring of the Plain Old Telephone Service (POTS) to the local exchange; from there the PSTN uses circuit switching to set up a dedicated path between the two call endpoints for the duration of the call.
Since a landline needs a physical connection to operate, anyone wanting to listen in has to gain physical access to that wiring or to the exchange (hence the name "wiretapping").
VoIP phones digitize the voice with a codec, split it into small packets, and send them over an IP network, where the receiving endpoint reassembles them into audio. Two protocols do the work: SIP (Session Initiation Protocol) sets up, maintains, and tears down the call, and RTP (Real-time Transport Protocol) carries the voice packets themselves, regardless of the device you're using.
Depending on the deployment, those packets may stay on a dedicated voice VLAN, cross your carrier's network over a SIP trunk, or traverse the public Internet. The last case is normal for cloud-hosted PBX services, which is exactly why the encryption and network controls discussed below matter. Placing business calls over public WiFi should be avoided.
Many people mistakenly think that, because VoIP calls take place over the Internet, it’s inherently more dangerous than traditional phone systems.
However, this isn’t usually the case.
While neither option will ever be entirely free from the possibilities of hacking, eavesdropping, and other security threats, with VoIP, there are far more ways to secure your business phone system than with standard telephony. Because VoIP calling is based on an Internet connection, you can employ the same security tools that you use to protect your Internet, cloud storage devices, and digital personal data.
That just isn’t a possibility with traditional phones.
That being said, VoIP is certainly vulnerable to attackers if precautions are not taken and the risk is not reassessed continually.
Though VoIP offers numerous advantages over traditional phone service, such as richer features, scalable and affordable pricing, and generally higher call quality, it also brings several security risks you need to be aware of.
Below, we introduce the most common VoIP threats and what you can do to keep them from wreaking havoc on your business.
Denial of Service (DoS) Attacks
Denial of Service (DoS) attacks are among the most common against VoIP systems.
The attacker floods your SIP server or PBX with more requests (INVITEs, REGISTERs, OPTIONS) or more media traffic than it can handle, so the service either stops working entirely or degrades into call latency, dropped calls, and poor call quality. Distributed variants (DDoS) use many source addresses, and a flood is frequently combined with credential guessing against SIP accounts.
To reduce exposure: put phones and the PBX on their own VLAN (virtual local area network) so voice traffic is segregated from the rest of the data network and can be prioritized; restrict which addresses may reach your SIP and RTP ports at the firewall, ideally only your provider's signaling and media ranges; rate-limit SIP requests per source and ban sources that exceed the limit; place a session border controller (SBC) in front of the PBX if you run your own; and, if possible, keep a separate Internet connection dedicated to voice. A VPN protects remote phones' traffic from eavesdropping but does not by itself stop a flood aimed at your public SIP endpoint, and encrypting signaling and media (TLS and SRTP, discussed below) protects confidentiality rather than availability, so both complement rather than replace these controls.
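Per-source rate limiting is the practical heart of the advice above. The following is an added example written for this article, not code from any PBX, SBC, or provider: it parses a constructed SIP request log, applies a sliding-window threshold per source address, and emits firewall rules for the offenders. The log format (ISO timestamp, method, source IP), the threshold, and every address are assumptions chosen for the example; the same logic works for counting failed REGISTERs to catch credential guessing.

```python
"""Added example: find SIP sources flooding a server, from its log.

Illustrative code written for this article, not part of any PBX, SBC or
provider product. The log format (ISO timestamp, SIP method, source IP,
whitespace separated) and every address below are constructed; adapt the
parser to your proxy's real log and feed the output to your firewall or a
fail2ban-style tool.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FLOOD_THRESHOLD = 30            # more requests than this from one source...
WINDOW = timedelta(seconds=10)  # ...inside a sliding window of this length


def make_sample_log():
    """Three legitimate phones plus one address sending 120 INVITEs in 12 s."""
    base = datetime(2024, 3, 5, 10, 0, 0)
    lines = []
    for i, ip in enumerate(["192.0.2.11", "192.0.2.12", "192.0.2.13"]):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} REGISTER {ip}")
    lines.append(f"{(base + timedelta(seconds=4)).isoformat()} INVITE 192.0.2.11")
    for i in range(120):
        t = base + timedelta(milliseconds=100 * i)
        lines.append(f"{t.isoformat()} INVITE 203.0.113.5")
    return lines


def detect_floods(log_lines, threshold=FLOOD_THRESHOLD, window=WINDOW):
    """Return ({src: time it first exceeded threshold}, {src: peak count})."""
    events = []
    for line in log_lines:
        ts, method, src = line.split()
        events.append((datetime.fromisoformat(ts), method, src))
    events.sort()                      # logs from several nodes may interleave
    recent = defaultdict(deque)        # src -> request times inside the window
    peak = defaultdict(int)
    flagged = {}
    for ts, _method, src in events:
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:      # drop requests older than the window
            q.popleft()
        peak[src] = max(peak[src], len(q))
        if len(q) > threshold and src not in flagged:
            flagged[src] = ts          # first moment the source crossed the line
    return flagged, dict(peak)


def block_rules(flagged, port=5060):
    """iptables commands dropping SIP from each flagged source (UDP 5060 here;
    add TCP/TLS 5061 or use your SBC's own blocklist as appropriate)."""
    return [f"iptables -I INPUT -s {ip} -p udp --dport {port} -j DROP"
            for ip in sorted(flagged)]


if __name__ == "__main__":
    flagged, peak = detect_floods(make_sample_log())
    for ip, when in flagged.items():
        print(f"{ip} exceeded {FLOOD_THRESHOLD} requests per {WINDOW.seconds}s at {when} (peak {peak[ip]})")
    print("\n".join(block_rules(flagged)))
```

The threshold and window are the knobs to tune: a phone fleet re-registering after a power cut will legitimately burst, so measure your own baseline before you let this feed a firewall automatically, and prefer time-limited bans over permanent ones.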
Phishing and Vishing
Given that, by one estimate, close to 135 million phishing attempts are made in a single day, it's essential to know how to protect your VoIP system from this kind of attack.
In fact, these attacks are so common in the Internet telephony world that they've earned a VoIP-specific nickname: vishing.
In traditional phishing, criminals send spoofed emails or text messages made to look like they come from familiar, reputable companies; in reality they are used to harvest credentials, account details, or payment data.
Vishing works in much the same way, except via phone call.
Attackers pose as an employee of a well-known company, bank, or government agency and insist that your staff read out account passwords, social security numbers, card details, and more to resolve a fabricated emergency or fraudulent charge. They routinely spoof the caller ID to match the organisation they claim to represent; caller ID is a value the calling party sets, not a form of authentication, so a matching number proves nothing.
To defend against it, put a strict communication policy in place: staff verify any request for sensitive data by calling back on a number from your own records (never one the caller supplies) or by confirming with a manager before disclosing anything. Ask the caller how the request can be verified independently, and do not confirm personal or financial details the caller already appears to know; scammers use partial data to seem credible and fish for the rest.
Note that vishing calls purporting to be from the IRS, Social Security Administration, Medicare, and banks are especially common. According to a recent study, close to 40% of all robocalls claim to be from the IRS.
Viruses and Malware
Malware can infect the PBX server, the phones, or the workstations that run softphones and, like a DoS attack, knock your phone system offline entirely.
Malware can consume bandwidth and slow things down, but the bigger concern is what it does with access: it can install further programs, exfiltrate data, and tamper with files on your network. As with phishing, it usually arrives disguised as a legitimate program, document, or application update.
Worse, malware can open backdoors that give an attacker remote control of the host and access to everything on it. Trojans (malware masquerading as legitimate software) are a common way such backdoors arrive, though the two terms are not interchangeable. On a compromised PBX, a backdoor typically means exposed call recordings, voicemail, and SIP credentials, which are then resold or used for toll fraud.
One of the best, and simplest, defences is to keep the PBX software and the phone firmware updated, automatically where the platform supports it. Updates don't just add features and fix bugs; they frequently close security holes that are already being exploited.
You should also enable two-factor authentication on the admin portal and create a strong company-wide password policy. Some routers and DNS filtering services can block known malicious sites before a device ever connects to them.
Above all, run endpoint protection on workstations and keep a firewall in front of the PBX that monitors inbound and outbound traffic and blocks suspicious connections.
Spam over IP Telephony (SPIT)
Unfortunately, the annoying spam calls and robocalls you get on your personal phone can also hit your business phone service.
SPIT, or spam over IP telephony, usually consists of a high volume of automated calls playing pre-recorded messages.
Spam calls waste your team's time, clog voicemail, and often carry vishing attempts or other phone scams. Attackers do not need to know your numbers in advance: automated scanners constantly sweep the Internet for SIP servers listening on port 5060, and once they find yours they will place calls, attempt registrations, or leave voicemails many times a day.
Be aware that caller ID offers little protection here, since spammers rotate numbers and can spoof the caller ID they present.
These calls can lead to stolen customer or company information, service disruption, identity theft, fraud, and more.
The good news is that many VoIP solutions now offer spam call filtering (also called reputation filtering). These filters score the calling number against reputation data such as call-volume patterns and complaint reports to estimate how likely the caller is legitimate.
Call screening tools can also recognise likely spam numbers, and caller ID can help agents decide when to reject a suspicious call. Call blocking removes persistent offenders for good. As with malware, a firewall helps too: one that accepts SIP only from your provider's addresses stops direct-to-IP spam calls before they ever reach the PBX.
Additional VoIP Security Best Practices
In addition to the advice above, there are several more best practices to consider when it comes to keeping your VoIP safe, secure, and running smoothly.
Conduct Regular Security Assessments
It’s always a good idea to conduct regular in-house and third-party security assessments.
These assessments will examine VoIP gateways, perform application-based security scans and hacking simulations, and will reconfigure firewall protection when necessary.
Some VoIP services may include security assessments as a part of their SLA contract.
Whitelisting and Blacklisting Phone Numbers
Blacklisting phone numbers permanently blocks spam callers, suspicious phone numbers, and other unwanted callers, meaning they’ll no longer be able to contact your business via phone.
However, if you’re dealing with a larger-scale security threat, you may wish to choose to whitelist certain numbers while blocking all others. Whitelisting means that only the contacts/phone numbers you specify will be able to contact you. Though likely not a viable option for a main business phone number, individual team members that only have permission to speak to existing customers may benefit from whitelisting.
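One detail both lists above depend on: numbers must be normalized before they are compared, or a caller blocked as 15550100123 sails straight through when the PBX presents the call as +1 (555) 010-0123. The following added example, written for this article and not a feature of any phone system, normalizes caller ID to E.164, supports prefix rules marked with a trailing *, treats withheld caller ID as an explicit case, and applies the blocklist-first, then allowlist decision described above. The NANP default country code and the 555 numbers are assumptions.

```python
"""Added example: blocklist/allowlist decision for inbound callers.

Illustrative code for this article, not a feature of any PBX or provider.
Numbers are normalised to E.164 before matching, because a list that
compares raw strings lets "+1 (555) 010-0123" through when "15550100123"
is blocked. All numbers below are constructed (555 range).
"""
import re

WITHHELD = {"", "anonymous", "restricted", "unavailable", "private", "unknown"}


def normalize_e164(raw, default_cc="1"):
    """Return '+<digits>', or None when caller ID is withheld or unusable.
    Assumption: a bare 10-digit number is national NANP format (country
    code 1); set default_cc for other regions."""
    if raw is None:
        return None
    s = raw.strip().lower()
    if s in WITHHELD:
        return None
    digits = re.sub(r"\D", "", s)
    if not digits:
        return None
    if s.startswith("+"):
        return "+" + digits
    if s.startswith("00"):               # international dialling prefix
        return "+" + digits[2:]
    if len(digits) == 10:                # national format, add country code
        return "+" + default_cc + digits
    return "+" + digits                  # assume country code already present


def compile_list(entries):
    """Normalise list entries; a trailing '*' marks a prefix rule."""
    compiled = []
    for entry in entries:
        is_prefix = entry.endswith("*")
        number = normalize_e164(entry[:-1] if is_prefix else entry)
        if number:
            compiled.append((number, is_prefix))
    return compiled


def matches(number, compiled):
    return any(number.startswith(n) if p else number == n for n, p in compiled)


def decide(caller_id, blocklist=(), allowlist=None, allow_anonymous=False):
    """Return 'allow' or 'reject'. The blocklist always wins; when an
    allowlist is given, everything not on it is rejected (fit for an agent
    who should only hear from existing customers, not for a main number)."""
    number = normalize_e164(caller_id)
    if number is None:                   # withheld caller ID: decide explicitly
        return "allow" if allow_anonymous else "reject"
    if matches(number, compile_list(blocklist)):
        return "reject"
    if allowlist is not None and not matches(number, compile_list(allowlist)):
        return "reject"
    return "allow"


if __name__ == "__main__":
    block = ["15550100123", "+1 555 020*"]   # one number, one whole prefix
    for cid in ["+1 (555) 010-0123", "555-020-9999", "(555) 030-1234", "Anonymous"]:
        print(f"{cid!r:22} -> {decide(cid, block)}")
```

Keep the lists in one place (the PBX or SBC, not individual phones) so a number blocked for one queue is blocked everywhere, and log rejected calls: a spike of rejects from a new prefix is an early sign that a spam campaign has found your numbers.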
Create a Strong Password Policy
If any of your passwords appear on a list of the most common passwords, it's past time to implement a new password strategy.
Improve your password policy by:
- Rotating passwords when there is a reason to (a suspected exposure, a departing administrator, a device put back into service) rather than on a fixed two-week schedule; forced frequent changes push people toward predictable variations
- Never reusing a password across accounts, whether business or personal, and using a password manager instead of writing passwords down
- Preferring length over complexity rules: at least 12 characters for passwords people type, and long random secrets (20 or more generated characters) for SIP device and trunk credentials, since those are entered once and then guessed at by automated scanners around the clock
- Changing every default password on phones, the PBX, and the router, and disabling web admin interfaces you do not need
- Checking new passwords against lists of common and breached passwords
- Turning on multi-factor authentication wherever the provider supports it
Avoid Using Public WiFi
Public WiFi may be convenient when it comes to connection flexibility and Internet access – but it’s also a very convenient way for hackers and other cybercriminals to get ahold of your information.
Because public WiFi is typically unencrypted or shared with everyone in range, an attacker nearby can intercept your traffic with a Man-In-The-Middle attack; SIP registrations sent without TLS expose the digest authentication exchange, which can be cracked offline to recover the account password. Plus, there's no guarantee that the hotspot you're using isn't a rogue access point set up by attackers to lure in unsuspecting users.
If you absolutely have to use public WiFi, do so via a VPN.
Encrypt Business Communications
Encrypting your business communication tools is another essential step in guarding your data.
Encryption scrambles data so that, even if an attacker intercepts it, they cannot read it. However, not all encryption is created equal, so ask what exactly is protected. Encryption in transit protects calls on the wire; encryption at rest protects stored recordings, voicemail, and call records; these are separate controls and you want both. Most hosted VoIP providers encrypt hop by hop, decrypting at their own servers to route the call, record it, or hand it to the PSTN, which is not end-to-end encryption. If a provider advertises end-to-end encryption, ask where the keys live and who can decrypt.
Quality providers will offer TLS to protect the SIP signaling and SRTP to protect the voice media, and phones should be configured to require both. The two belong together: with the common SDES key exchange the SRTP keys travel inside the SDP of the SIP messages, so SRTP negotiated over unencrypted SIP hands the media key to anyone who can see the signaling.
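To make the SIP, RTP, TLS, and SRTP pieces above concrete, here is an added example written for this article (not code from any provider or product) that parses a constructed SIP INVITE with its SDP body and reports whether the signaling hop used TLS, whether the media is SRTP (either SDES a=crypto or a DTLS-SRTP fingerprint), and whether an SDES key was sent over unencrypted signaling. The message, addresses, and key are made up; the field names follow RFC 3261, RFC 4566, and RFC 4568.

```python
"""Added example: does this SIP call actually use TLS and SRTP?

Illustrative code written for this article, not code from any PBX, phone or
provider. The INVITE below is a constructed sample (RFC 3261 headers, RFC 4566
SDP, an RFC 4568 a=crypto line with a made-up key); point the same functions
at a SIP trace from your own system to see what it negotiates.
"""

SDP_BODY = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/SAVP 0\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:d0RmdmcmVCspeEc3QGZiNWpVLFJhQX1cfHAwJSoj\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)

SAMPLE_INVITE = (
    "INVITE sip:2001@pbx.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 192.0.2.10:5061;branch=z9hG4bK776asdhds\r\n"
    'From: "Alice" <sip:1001@pbx.example.com>;tag=1928301774\r\n'
    "To: <sip:2001@pbx.example.com>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:1001@192.0.2.10:5061;transport=tls>\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SDP_BODY)}\r\n"
    "\r\n" + SDP_BODY
)

def parse_sip(message):
    """Split a SIP message into (start line, headers, body). Header names are
    case-insensitive; values are kept as lists because Via may repeat."""
    head, _, body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body

def parse_sdp_media(body):
    """One dict per m= line with its transport proto and key-material lines.
    A session-level a=fingerprint (before any m=) applies to every stream."""
    media, session_fp = [], []
    for line in body.split("\r\n"):
        if line.startswith("m="):
            _kind, _port, proto, *_fmts = line[2:].split()
            media.append({"proto": proto, "crypto": [], "fingerprint": []})
        elif line.startswith("a=crypto:") and media:
            media[-1]["crypto"].append(line[len("a=crypto:"):])
        elif line.startswith("a=fingerprint:"):
            (media[-1]["fingerprint"] if media else session_fp).append(line)
    for m in media:
        m["fingerprint"].extend(session_fp)
    return media

def media_is_encrypted(m):
    """SDES-SRTP needs RTP/SAVP(F) plus a=crypto; DTLS-SRTP needs
    UDP/TLS/RTP/SAVP(F) plus a certificate fingerprint. RTP/AVP is plaintext."""
    if m["proto"] in ("RTP/SAVP", "RTP/SAVPF"):
        return bool(m["crypto"])
    if m["proto"] in ("UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"):
        return bool(m["fingerprint"])
    return False

def assess_call_security(message):
    _start, headers, body = parse_sip(message)
    # The topmost Via shows only the first hop's transport; a hosted provider
    # may still decrypt at its edge, so this is not proof of end-to-end protection.
    via = headers.get("via", [""])[0]
    transport = via.split()[0].rsplit("/", 1)[-1].upper() if via else ""
    media = parse_sdp_media(body)
    signaling_encrypted = transport in ("TLS", "WSS")
    media_encrypted = bool(media) and all(media_is_encrypted(m) for m in media)
    # With SDES the SRTP master key travels inside the SDP, so SRTP negotiated
    # over plain UDP/TCP is only as secret as the signaling that carried it.
    sdes_used = any(m["crypto"] for m in media)
    return {
        "transport": transport,
        "signaling_encrypted": signaling_encrypted,
        "media_encrypted": media_encrypted,
        "srtp_key_exposed": sdes_used and not signaling_encrypted,
    }

def downgrade_signaling(message):
    """Constructed variant: the same call carried over plain UDP."""
    return message.replace("SIP/2.0/TLS", "SIP/2.0/UDP").replace("transport=tls", "transport=udp")

def downgrade_media(message):
    """Constructed variant: plaintext RTP with no key (Content-Length left stale)."""
    kept = [l for l in message.split("\r\n") if not l.startswith("a=crypto:")]
    return "\r\n".join(kept).replace("RTP/SAVP", "RTP/AVP")

if __name__ == "__main__":
    for label, msg in (("as captured", SAMPLE_INVITE),
                       ("SIP over UDP", downgrade_signaling(SAMPLE_INVITE)),
                       ("plain RTP", downgrade_media(SAMPLE_INVITE))):
        print(label, assess_call_security(msg))
```

Run it against a capture from your own phones: if srtp_key_exposed comes back True, the phone is doing SRTP over plain SIP and the encryption is decorative. Remember that the Via check only covers the first hop; what the provider does beyond its edge is a contractual question, not something a trace from your side can show.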
Select a Secure VoIP Provider
Even if you follow all of the above steps, if you select a VoIP platform that doesn’t prioritize secure communications, you’ll still be quite vulnerable to an attack.
Below, we’ll discuss what to look for in a secure provider.
To ensure that the VoIP solution you’re considering takes security as seriously as you do, there are a few things you need to find out.
Ask About Security Accreditations and Certifications
First, ask what accreditations they have.
SOC 2 (System and Organization Controls 2) is one of the most basic must-haves. It was created by the American Institute of CPAs (AICPA) to define criteria for managing customer data, organised around five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. Ask for the Type II report, which covers how the controls operated over a period rather than at a single point in time, and read the exceptions rather than just the summary.
PCI DSS (Payment Card Industry Data Security Standard) applies if card numbers are spoken on calls or captured in recordings. It requires network segmentation, regular vulnerability scanning and penetration testing, timely patching, and strict access control, and in practice it means pausing or redacting call recordings while card data is read out.
HIPAA compliance ensures that patient health data is properly secured, whether it's stored on a cloud-based platform or sits in call recordings and voicemail.
Companies should also hold ISO/IEC 27001 certification, which shows that the provider runs an independently audited information security management system with current controls in place.
Get to Know the Third Parties
Many VoIP companies pair up with third-party software companies to offer certain features or tools. Be certain that you know not only which outside software solutions your VoIP provider works with, but also how they’ve evaluated every third-party security plan to make sure it’s up to snuff.
Additionally, ask if the provider has engaged third-party security testing services to highlight any potential vulnerabilities and assess the company’s ability to properly respond to/prevent cyber attacks.
Bear in mind that a provider's own security policies are written from the provider's perspective and may not cover the risks that matter most to your data; independent testing and your own contractual requirements fill that gap.
Understand How They Respond to an Attack
Make sure you have a solid understanding of how exactly the provider responds to a threat like an attempted eavesdrop or a DoS attack.
What sort of preventative measures do they take? For example, do they send you real-time alerts in the event of a suspicious login or unusual activity? Do they offer session border controllers?
How often do they back up your data to ensure that you have a copy of it in the event of a major attack? How long will it take to restore your service? How long does it take them to respond to an attack?
Also, don’t forget to ask about how they secure physical access to their servers.
Ensure They Offer a Guaranteed Uptime
Finally, make sure the provider offers a guaranteed uptime of at least 99.9%, with defined service credits, and get it in writing. That figure still allows roughly 8.8 hours of downtime a year; 99.99% allows under an hour.
This isn't just about keeping your VoIP system online. A provider willing to commit to that number has had to invest in redundancy and DDoS mitigation, but the SLA is a business promise, not proof of security, so pair it with the questions above about how attacks are detected and handled.
You should also take a look at the provider’s Status Page, which tells you whether or not all systems are currently operational.
While no communication system is impenetrable, a VoIP deployment that follows the practices above is at least as secure as a traditional phone service, and far easier to monitor, audit, and lock down.
Plus, quality providers not only have the features and credentials you need to protect your network but also frequently audit and update their own security policies.
Remember, however, that security and compliance — industry-specific privacy and security regulations your company must follow — are two different things. When researching providers, be certain that they are in compliance with the requirements, such as HIPAA, PCI, and HITECH regulations.