Corporate VoIP systems are gaining ground as companies see benefit in routing calls over the Internet rather than using plain old telephone service (POTS) providers. According to WhaTech, while the number of corporate VoIP subscribers hit 98.9 billion in 2012, this should more than double to more than 200 billion by 2020 and generate $86.2 billion in revenue. However, with increased adoption comes increased attacks and more attractive targets for hackers. Here are five best practices to help keep your VoIP network secure.
No free passes
Want better VoIP security? Start with passwords and authentication. As noted by Business Bee, weak passwords are like “rolling out the red carpet” for attackers since almost no effort is required to hack the system and start making long-distance calls or eavesdropping on company conversations. Solving the password problem means changing the default admin password and updating it regularly along with enforcing clear password rules for employees — such as no number sequences, repetitions or the use of common words.
This best practice is made better with the use of multi-factor authentication — for example, the use of a USB device or one-time code that grants employees session-based access. You can also minimize eavesdropping by implementing VoIP-to-VoIP authentication, which requires identification from devices at both ends of the connection.
It’s also important to control user access once they’re in the VoIP system. This means setting limits on call type — local, long distance, etc. — and how calls can be made. For example, you may want to restrict long distance calls to landlines, and never allow mobile devices to make anything but local connections. It’s also a good idea to limit call privileges by role. Front-line employees, for example, may not need to call overseas while project managers may need to communicate with global satellite offices. Also bear in mind that these access policies should be fluid; when users no longer need the ability to call internationally or make conference calls from their mobile device, scaling back permissions helps increase security.
Firewalls and other automatic security measures are also an important step in securing your VoIP network. Consider recent attacks on Canadian government Web services. A number of federal websites went dark during the month of June with hacker collective Anonymous claiming responsibility. Security expert David Skillcorn of Queen’s University says that the government’s burgeoning VoIP network is also under threat, since it’s “a little bit easier to hack” than POTS systems. As a result, automatic threat detection and response tools are critical to help detect potential threats before they bring down VoIP systems.
Whenever your VoIP system is in use, data is at risk. To maximize security, therefore, it’s critical to effectively and consistently encrypt information traveling across your network. This means choosing an encryption strategy — by device, user or data type — and applying it companywide, in addition to encrypting media packets as they travel. It’s also worth considering the use of virtual private networks (VPNs) if your system supports a large number of mobile devices.
Verify your VoIP provider
The final piece of best practice advice is to take a hard look at your VoIP provider. Ask specific questions about security — how is data stored, transmitted and handled at both the signaling and receiving ends of the connection? In addition, it’s worth digging into compliance standards. Does the provider support HIPAA, SOX or PCI requirements? Up-front discovery gives you the power of informed decision making rather than trying to patch a problematic VoIP system months or years later.
Going VoIP? Then get on board with best practices: Make passwords a priority and always control access, use firewalls and encryption to lower the chances of an attack and call in a verified VoIP provider.
Sheldon Smith is a senior product manager at XO Communications. XO is a telecommunications and technology company that provides solutions such as Cloud PBX, SIP, VoIP and conferencing. Sheldon has an extensive background in unified communications, and he specializes in process management.