The uptake of VoIP by businesses large and small has been happening at a staggering rate, so compelling are its advantages. Facilities that were previously only available to large corporations are now available to almost anyone, together with a lot of features nobody had even thought of a few years ago.

This change has happened so swiftly that inevitably some enterprises will not have taken time to consider in depth all the possible security risks that accompany new telecommunication technologies.

Just how safe is VoIP?

As everyone now knows, VoIP communications are carried across the internet in data packets just like other forms of internet traffic and can, therefore, be exposed to the same kinds of risk – such as hacking, interception, spoofing, counterfeiting or denial of service attacks. Internet attacks are notoriously hard, or even impossible, to trace and therefore very difficult to deter.

When VoIP technologies were only being used by large corporations, communications were often confined within a local intranet or WAN. These were already relatively well protected from outside intrusions. But of course, now that VoIP data is transmitted over the internet at large, it could be vulnerable to the same kinds of risk, and subject to the same data and privacy protection laws as any other form of internet traffic or digital information.

This is a double risk exposure – to the dangers of deliberate abuse or attack and to the risk of being prosecuted under the GDPR, DPA or other legislation if an incident is deemed to have been partially caused by poor precautions on the part of any party involved.

Most VoIP traffic still goes across the net unencrypted. Anyone with the appropriate packet-sniffing setup can listen in to those calls. Spying on phone calls is a serious security issue in itself, but the information gleaned from monitoring calls can then be used in other damaging ways. Hackers can potentially assume the identity of a caller and use the information in order to extract confidential personal, financial or business information from a third party. If a thief spoofs your phone numbers to take credit card payments from your customers, who will get the blame?

A hacker with access into a VoIP system can cause a host of problems, from making free calls at your expense to corrupting stored messages or simply swapping phone numbers around to cause chaos. Activists or blackmailers can launch denial of service attacks by inserting a torrent of invalid packets that take the VoIP server offline, leaving your business no means of operating at all.

How business VoIP providers can help

None of the risks to which VoIP exposes a business or network are technically new. VoIP is carried as a form of digital data and therefore suffers the same risks and benefits from the same precautions as previous forms of digital data. Firewalls, anti-viral and anti-malware security suites and network monitoring (for example an IPS system) will all help to make your network safer for VoIP as they already do for emails, applications and browsing. However, there are many businesses that in the past had few reasons to worry about their internet access and traffic – but will now need to review the additional risks.

Responsible business VoIP providers such as IDT encourage their clients to be aware of these dangers and suggest ways to protect themselves. When a provider is pro-active in this way, it also demonstrates to their clients that they are a company that takes security seriously. Many of the precautions are familiar and straightforward; regular firmware and security updates, changing passwords regularly, using VPNs for connection to remote devices, domain restrictions, deleting recorded messages and of course employee training in the new risks.

Other safeguards are more technical. If the provider doesn’t address these topics first, educated clients should make a point of asking them if they have addressed security issues such as user authentication, device certificates, VLAN configuration settings and the use of encryption algorithms to secure both their network signalling methods and the voice transmissions (e.g. SRTP).

A good provider will provide the client with the means to blacklist and whitelist the types of call and destination that are allowed on their network.

By providing technology of this type, both the client and provider benefit. The system will be less open to abuse, but even if an incident occurs, both will be able to demonstrate to statutory authorities that they took reasonable precautions to avoid it.

The many benefits of VoIP sell themselves with little effort from providers. Nothing is more likely to compromise that growth than a major security scare. Most VoIP providers have secured their own networks adequately, but now they must help their clients do the same.

For further information and advice, why not contact the expert team at IDT.