Is VOIP secure? Can VOIP be hacked? Read our guide to learn why VOIP security is important and what best practices you should consider for your business.
Voice over IP systems handle critical communication functions such as business phone calls, conferencing, chat and voicemail over on-premises or cloud-based environments. These systems have proven particularly useful as the remote workforce has gained momentum as they are often not tied to traditional landlines and can be used from any internet connection.
SEE Mobile Device Security Policy (TechRepublic Premium)
However, as with any technology that businesses depend on, VOIP has security risks that companies must be aware of to protect their operations, employees and data.
Why is VOIP security important?
Security is important for any system that is used to carry out business operations. It’s not just about protecting business confidential data from falling into unauthorized hands, any disruption or impact to services and resources can disrupt a company’s business, reduce staff productivity and potentially damage a company’s reputation.
What are common VOIP security risks?
Fraudsters and cybercriminals are the most sinister threats in the VOIP environment. At a direct level, VOIP systems can be hacked if they are not properly secure or vulnerable, giving these malicious actors the keys to the kingdom. Data can be stolen directly or calls can be tapped to obtain sensitive information. A hacked VOIP system can be used for malicious purposes, wasting company resources and reducing the availability of services to legitimate users.
A typical threat is distributed denial-of-service attacks, in which massive amounts of Internet traffic are directed at targeted VOIP systems to disrupt their operations, and then demand a ransom to stop the attack in exchange for payment.
On an indirect level, malware is another typical risk for VOIP operations. Malware can exploit security holes or inadequately protected systems, so no direct human intervention is required to launch such an attack.
Direct or indirect access is not necessarily required to leverage VOIP for fraudulent activity. While traditional “POTS” (Plain Old Telephone Systems) communications are equally vulnerable to people using tricks and scams to trick unsuspecting call recipients into sending money, revealing personal information or credit card numbers, phishing calls are still a common threat.
In these scenarios, recipients are often tricked into believing that their accounts have been hacked or show signs of suspicious activity, and the caller then demands to verify the accounts by obtaining the recipient’s confidential information.
Spam is also a common problem. The technology allows spammers to send a barrage of automated messages to various systems or spoof a local number to trick recipients into answering calls and subjecting them to marketing calls.
9 Best Practices for VOIP Security
1. Ensure that clear and comprehensive documentation is created and up-to-date
It is impossible to protect an environment that is not clearly defined. Track all in-house or external systems that your VOIP relies on, as well as the end-user devices (including smartphones) and software involved. Ensure that all licenses, support information and vendor contact information are updated and available to appropriate personnel so that security incidents can be quickly addressed and the extent of the impact determined.
2. Use end-to-end data encryption
All services using VOIP must include encryption both in transit (eg phone calls or conference calls) and at rest (eg voicemails and chat history).
3. Use segmented subnets, firewalls, and network address translation for on-site equipment
Place all VOIP systems on dedicated subnets with firewall access that only allows appropriate traffic through the minimum number of ports. Network address translation, so that all traffic is based on public-to-private IP addresses, can help protect in-house systems from attack by allowing only necessary access to VOIP functions.
4. Mandate the use of complex passwords and multi-factor authentication for all VOIP-connected devices
Restricting access to VOIP devices ensures that only appropriate personnel can use them, and that if they are lost or stolen, they cannot be accessed by unauthorized persons. Remote device management tools are also highly recommended as they can ensure compliance, locate devices or wipe them completely.
Choosing complex passwords can be difficult, but tools like password managers that can create and store customizable passwords make the process much easier.
5. Update all VOIP software regularly
All software updates, whether for VOIP systems or end-user devices, should be applied when available to ensure the best security and functionality.
6. Apply all security hotfixes, patches, and firmware updates
IT staff should subscribe to VOIP vendor alerts and security bulletins to regularly apply the latest hotfixes, patches, and firmware to prevent exploits and ensure VOIP security compliance.
7. Regularly test your VOIP systems for security holes
Whether you do it in-house or hire an outside resource, you need to run penetration tests on your VOIP environment to make sure all the hatches are properly removed. Also consider using a DDOS protection service for high-volume enterprise-level systems that would cause significant disruption to use in the event of an attack.
8. Avoid using public Wi-Fi on VOIP devices
Public Wi-Fi can pose a real risk to end-user devices running on these networks, as traffic can potentially be intercepted or vulnerabilities exploited in real-time. Employees should only use secure private Wi-Fi or VPN over known, trusted public Wi-Fi networks (like a relative’s house, not a coffee shop).
9. Train your employees on how to respond to attempted or successful security breaches
All of the above safeguards are useless without user training. Even the most locked-down VOIP device can still lead to a data breach if the user is convinced to give up security-sensitive information or allow access to an attacker posing as a legitimate IT resource.
Conduct training for employees to teach them how to:
- Identifying and reporting phishing attacks. End users should ensure that any contact attempts by a person claiming to be from IT are legitimate (e.g., look them up in the address book or ensure that they are using secure corporate resources to communicate), and otherwise report the incident to the IT hotline.
- Recognize potential threat environments where devices can be stolen, such as airports, train stations, and hotels, and protect devices accordingly.
- Detects device behavior abnormalities, such as extreme slowness or suspicious activity.
- Report any attempted or successful breach to a source that can be accessed separately from the potentially compromised VOIP device (eg, company website or phone number).
- Do not allow non-company personnel to use VOIP devices for any reason.
If you use VOIP devices in a BYOD environment, make sure they are securely wiped and/or given to your IT department to ensure that there is no additional VOIP functionality before discarding them.