When a company upgrades its network system, it is highly likely that it will add a Voice over IP (“VoIP”) capability to the corporate network. The advantages of doing so are first and foremost reduced costs, and second, access to a range of applications and functions that are not available on a traditional phone system. WhatsApp and Skype allow voice and video calls to be made at significantly reduced cost. In some cases, video conferencing systems use VoIP techniques.
However, slack VoIP security can lead to an attack by thieves and hackers. Users might generate substantial bills through service abuse, and hackers might use lax security to gain access to the corporate network via the VoIP system. There have also been instances of identity fraud perpetrated over a VoIP network.
Here are seven suggestions for essential measures to put in place to remove or reduce the security risks associated with VoIP systems:
- Implement access controls to the VoIP system itself and the VoIP network.
- Make sure all VoIP system passwords are immediately changed from the installation default and are updated regularly. Make sure that they are strong passwords. A strong password requires a combination of lower- and upper-case letters, numbers and symbols, usually of a minimum length of 8 characters. A brute-force attack by a hacker can find a weak password in seconds.
- Make sure users must enter a PIN code or password to be able to make and receive calls. If the system allows for it, and most do, force the user to change their PIN or password regularly. Again, passwords should be strong passwords.
- If users have access to VoIP over the corporate WiFi system and smartphones, implement device recognition to ensure that only authorised devices can connect to the WiFi and VoIP systems.
- Data Encryption. Ensure that data, including voice data, travelling over your corporate and VoIP networks in and between corporate sites is encrypted. Standards for encryption have been defined, and most VoIP system suppliers have implemented them.
- User Management.
  - If uncontrolled, users will make calls to unauthorised numbers, typically International and premium voice or data numbers. Ensure that authority levels are set for all users, limiting them to an appropriate range of services, for example, local calls only. Make sure that calls to cellular services and to premium rated and International calls are barred by default and require appropriate authorisation to be unbarred.
  - Use normal network protocols so that even if users link to a data service provider via VoIP, they are unable to download data. If they can, this potentially bypasses corporate protocols and virus and malware detection systems.
- Monitoring. Nettitude have reported that 88% of all attacks on VoIP systems occur outside normal working hours. If you need a fully functional 24/7/365 VoIP system, you will need to arrange for support to ensure that any problems can be immediately rectified, including those occurring out of hours.
- Device management. Users can perpetrate a fraud by making an unauthorised call from a different handset than the one allocated to them. Typically, a clerk uses the phone in a manager’s office to make a long-distance call when the manager leaves the office and forgets to log off the VoIP system. Have an inactivity timeout on user logon, logging users off the VoIP system if they have not made a call for a specified length of time.
- Internal Audit and Security need access to call records showing who is calling whom, when, and for how long. Most VoIP systems have integral or add-on reporting systems producing a selection of management reports.
- Ghost Calls. A user picks up a call to find that it immediately hangs up, or it is silent. These can be errors in the system, but are often an indication that hackers are seeing if there is a way into your corporate network via the VoIP system. The calls are made by automated scanning software used to gain access to a vulnerable phone network. If you have a high incidence of ghost calls, you need technical assistance to change some of the default settings of your VoIP system to block ghost calls.
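
As an added illustration of the Monitoring, call-record audit and Ghost Calls items above (not code from any VoIP product), the following Python review of exported call records flags out-of-hours calls to barred destination types and sources of repeated very short inbound calls. The CSV layout, dial prefixes, office hours and thresholds are assumptions, and the sample records are constructed.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Assumptions for this sketch (not taken from any particular VoIP product):
WORK_START, WORK_END = 8, 18          # office hours, local time, Mon-Fri
RESTRICTED_PREFIXES = ("00", "09")    # assumed international / premium-rate prefixes
GHOST_MAX_SECONDS = 2                 # inbound calls this short count as "ghost"
GHOST_THRESHOLD = 3                   # ghost calls from one source before alerting

# Constructed sample call records; a real system exports its own format.
SAMPLE_CDR = """start,extension,direction,remote,duration_s
2024-03-04T10:15:00,201,out,02079460000,180
2024-03-04T23:40:00,305,out,0033170000000,2400
2024-03-05T02:10:00,305,out,09001234567,900
2024-03-05T03:00:05,201,in,100,0
2024-03-05T03:00:09,202,in,100,1
2024-03-05T03:00:14,203,in,100,0
2024-03-05T11:30:00,202,out,0014155550100,300
2024-03-09T14:00:00,201,out,02079460001,60
"""

def out_of_hours(ts: datetime) -> bool:
    """True at weekends or outside WORK_START..WORK_END on weekdays."""
    return ts.weekday() >= 5 or not (WORK_START <= ts.hour < WORK_END)

def review(cdr_text: str) -> dict:
    """Return the calls and sources that audit or security should look at."""
    toll_risk, restricted_in_hours, ghosts = [], [], Counter()
    for row in csv.DictReader(io.StringIO(cdr_text)):
        ts = datetime.fromisoformat(row["start"])
        duration = int(row["duration_s"])
        if row["direction"] == "out" and row["remote"].startswith(RESTRICTED_PREFIXES):
            # Restricted destinations are reported at any time; out of hours
            # they get their own list because nobody is around to notice.
            target = toll_risk if out_of_hours(ts) else restricted_in_hours
            target.append((row["start"], row["extension"], row["remote"]))
        elif row["direction"] == "in" and duration <= GHOST_MAX_SECONDS:
            ghosts[row["remote"]] += 1
    scanners = sorted(s for s, n in ghosts.items() if n >= GHOST_THRESHOLD)
    return {"toll_risk": toll_risk, "restricted_in_hours": restricted_in_hours,
            "ghost_sources": scanners}

if __name__ == "__main__":
    for key, value in review(SAMPLE_CDR).items():
        print(key, value)
```

Calls in `restricted_in_hours` are the ones to check against each user's authority level, since such destinations should be barred by default.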