Awareness and vigilance help reduce VoIP security risks

With IT leaders initially focussing on audio quality, reliability, and cost, few were concerned about security when VoIP was first launched. However, with the changing world of business and technology, data security incidents are increasing, and security is taking centre stage. Data breaches can affect every aspect of a business and could result in exorbitant costs to repair, and extended periods of recovery.

Devices and systems with Internet access, including phone lines and consequently VoIP, are vulnerable to security exploits. While primary security concerns include cybersecurity related to digital systems like email and data management, VoIP systems are also vulnerable to cybercrime.

VoIP security

All organisations are vulnerable to cybercrime, and although technology companies and e-commerce websites are mainly targeted, financial, educational, and health care providers also frequently become victims through their VoIP systems.

Since VoIP calls use IP addresses, leaving the phone system open to security threats and securing only the data network and servers may create a vulnerability that could put all data and systems at risk. The following are threats to and vulnerabilities of VoIP:

Denial of service attacks

A denial-of-service attack involves offenders overwhelming services with false user requests and thus using all the bandwidth. This causes a resource to ultimately shut down due to being unable to cope with the overload.

A website, a VoIP phone service, or an email server is vulnerable to even inexperienced cybercriminals. The result is the deterioration of audio quality, denial of phone services and unanswered calls from customers.

Ways to mitigate the vulnerability involve the separation of voice and data communication and using encryption and a VPN. Using a dedicated Internet connection specifically for the VoIP phone system is an option to prevent the issues in one system from affecting other aspects of the business. DDoS protection is critical and it is recommended to ask your Internet Service Provider if they have this in place.

VoIP service theft

In addition to the potential consequences of a security breach, such as the theft of confidential data like credit card information or patent documents, attackers who break into a VoIP phone system can use services for free, leaving the subscriber to foot the bills. They can run up huge bills by making international calls to premium numbers and by stealing billing information.

Measures to protect your VoIP system include using strong passwords, limiting access to only those employees who need it, and updating all your software regularly.
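
The toll-fraud pattern described above (runs of international calls to premium numbers) can be watched for in call detail records. The following is an added example, not part of the original article: the CDR layout, home country code, premium prefix list and thresholds are assumptions, and the sample records are constructed.

```python
import csv, io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample CDR export: start time, extension, dialled number, duration.
SAMPLE_CDR = """start,extension,dialled,duration_s
2024-03-02T01:12:05,204,+99900111222,610
2024-03-02T01:14:40,204,+99900111223,595
2024-03-02T01:17:02,204,+99900111224,602
2024-03-02T01:19:30,204,+99900111225,588
2024-03-02T10:05:00,101,+27115550100,120
2024-03-02T10:30:00,101,+442055501000,300
2024-03-02T14:00:00,102,+27115550101,45
"""

HOME_CC = "+27"                  # assumption: the subscriber's own country code
PREMIUM_PREFIXES = ("+99900",)   # constructed placeholder; use your carrier's list
BUSINESS_HOURS = range(7, 19)    # assumption: 07:00-18:59 local time
WINDOW = timedelta(minutes=15)   # sliding window for burst detection
MAX_INTL_PER_WINDOW = 3          # more than this per extension raises an alert

def load_cdr(text):
    """Parse the CSV export into dicts sorted by call start time."""
    rows = [{"start": datetime.fromisoformat(r["start"]),
             "ext": r["extension"],
             "dialled": r["dialled"],
             "dur": int(r["duration_s"])}
            for r in csv.DictReader(io.StringIO(text))]
    return sorted(rows, key=lambda r: r["start"])

def find_toll_fraud(rows):
    """Return {extension: [reasons]} for international calling that looks abusive."""
    alerts = defaultdict(set)
    recent = defaultdict(list)   # extension -> start times of recent intl calls
    for r in rows:
        if not r["dialled"].startswith("+") or r["dialled"].startswith(HOME_CC):
            continue             # internal or domestic call, not of interest here
        ext, t = r["ext"], r["start"]
        if r["dialled"].startswith(PREMIUM_PREFIXES):
            alerts[ext].add("premium_destination")
        if t.hour not in BUSINESS_HOURS:
            alerts[ext].add("after_hours_international")
        recent[ext] = [s for s in recent[ext] if t - s <= WINDOW] + [t]
        if len(recent[ext]) > MAX_INTL_PER_WINDOW:
            alerts[ext].add("international_burst")
    return {ext: sorted(reasons) for ext, reasons in alerts.items()}

if __name__ == "__main__":
    for ext, reasons in find_toll_fraud(load_cdr(SAMPLE_CDR)).items():
        print(ext, reasons)
```

An extension flagged for more than one reason is a candidate for an immediate password reset and a temporary block on international dialling while the calls are reviewed.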


VoIP phones and software are vulnerable to malware like any other Internet-based application or service. Hackers may target the phones or the system, which could become unusable as a side effect of some other virus/Trojan.

Methods such as using firewalls, monitoring traffic, and running antivirus software are excellent ways of securing the phones. Network hardware can also block malware and prevent access to malicious websites.

Man in the middle attacks

A man-in-the-middle attack is an advanced and sophisticated threat which involves hackers researching an organisation and the phone system weeks before attacking. Custom tools and websites that mimic real software are normally used. The attackers mislead employees or customers into entering confidential data like passwords on the fake website and capture that information.

Training staff to identify inconsistencies in emails, links, and social media is the most effective protection measure. Employees should be educated on when and where it is appropriate to give out sensitive data, and access to sensitive data is often limited so they cannot accidentally reveal information.

Vishing and ID spoofing

Vishing and ID spoofing are generally committed at the same time and involve apparently trusted sources, such as the IT department, requesting staff to follow a link and update their password or provide personal and sensitive information. The criminal may also have other data on the staff member, such as their employee ID, to make the request seem legitimate. Attackers use numbers and services outside a country, making the origin untraceable.

Verifying phone requests and incoming requests may prevent these attempts. Educate staff on company policies, which should specify that staff will not be asked for sensitive information over the phone. Train frontline agents to ask for a contact number and then call back as an additional layer of security.


VoIP phone systems are also vulnerable to eavesdropping, since attackers could capture phone calls and get access to data such as addresses and credit card details provided over the phone. End-to-end encryption of calls may prevent these attacks since attackers will not be able to decipher messages.

Call tampering

Hackers may slow down systems by sending large data packets over the network, causing dropped calls and degraded audio quality. Criminals may also, among other things, change passwords to lock legitimate users out.

Although considered a minor annoyance, it can lead to serious consequences. Security measures such as frequently changing passwords, using long and secure passwords, and closely monitoring the phone system mitigate the vulnerability.

Audio spam

Spam over IP telephony (called SPIT) is like email spam: it clogs up company inboxes and often contains malicious links, viruses, and unwanted solicitation. Hackers may send recorded messages to phone numbers to prevent legitimate users’ access. SPIT may also contain malware, viruses, and fraudulent links. Using firewalls may ensure that fewer messages travel over the network, and training and awareness programs should highlight security risks.

Education, awareness, and training are key aspects in ensuring VoIP security.
