Using VoIP for your telephone needs has lots of proven benefits, yet many companies are stuck using old systems.
Security is among the biggest worries for companies thinking about switching to VoIP (it is even a concern for businesses that have already made the switch).
So, can you trust a VoIP system?
100% YES. This article explains why VoIP is a secure form of telephony, and how to make sure your VoIP solution is safe and effective.
Table of Contents
– Why does VoIP security matter?
– VoIP vs. traditional phone systems
– How VoIP impacts PSTN
– PSTN security
– Additional PSTN security risks
– How to secure VoIP
– VoIP providers
– HIPAA compliance
– Other HIPAA Considerations
– End-to-end encryption
– WiFi encryption
– User security
– Mobile device management policies
– Firmware on VoIP phones
– Call and access logs
– Choosing a secure provider
Business leaders worry about the security of VoIP for the same reason they worry about online data security in lots of different use cases.
A U.S. government survey even found that…
Internet security (and web-based telephony systems) is a concern from a broad perspective.
Some people worry that:
- Calls may be recorded without the user’s knowledge
- Call logs can escape into the wild
- VoIP accounts can get hacked, and criminals will run up huge bills that account holders will be forced to pay
- Regulation: Will my VoIP solution be compliant with the latest data protection regulation?
- Service disruptions thanks to a Denial of Service (or DoS) attack
- Concern that the software on VoIP phones will get infected with a virus
The good news?
Security risks can always be mitigated, and professionally installed VoIP networks are highly secure.
Let’s look first at how VoIP compares with the old, PSTN (public switched telephone network) systems.
For decades phone calls were made on the public switched telephone network (PSTN). Traditionally, PSTN uses circuits to connect audio signals over analog lines.
As shown above, calls pass through terminals and are then routed (through switchboards) to the appropriate destination.
VoIP is different. VoIP converts audio signals to digital data, and that data is then sent over the Internet. This is why it is called Voice over Internet Protocol.
With VoIP, your voice call is sent over the same Internet infrastructure that you use for web browsing and e-mail. For additional information on how these two differ read our blog post: VoIP vs. PSTN.
A large chunk of the voice calls made over what you think is the traditional phone network is in fact carried over the Internet, at least part of the way.
Pick up a PSTN-connected handset and likely some part of your call will be handled digitally. This is because VoIP often serves as a connecting backbone between networks.
That call placed to your bank? It was most likely handled over an extensive, complicated VoIP network, stretching around the world. Your call may start on the PSTN network, but chances are it will switch to VoIP at some point.
Is PSTN more secure than VoIP?
Even if the first few miles of your call are carried over an old phone network, that does not mean this first stretch is secure. PSTN relies on analog signals, and there are ways to tap into these signals simply by tapping into the wires carrying the signal. Hacking such a signal requires physical effort and special equipment, but it is still possible. And, unlike VoIP, one of the only ways to mitigate this risk is by securing your building and blocking physical access to equipment.
From this perspective, VoIP is no less secure than PSTN. In fact, thanks to encryption, VoIP can help you mitigate risk even more effectively than with PSTN.
Old phone systems bring other risks that are avoidable when using VoIP, such as:
- Old phone systems are seeing less and less development and support
- PBX components can break down with no easy fix
- The risk of PBX breakdown (and your entire voice network going down as a result) can be very costly for your business
In short, when your PBX breaks down, you could face a crisis.
The security of your VoIP system really comes down to implementation. VoIP can be as secure as PSTN, or it can be less secure.
How can you make sure your VoIP is more secure?
Consider these two important factors:
First, be aware of the security protocols your VoIP provider has in place. Some VoIP applications will not put up any security hurdles, thereby leaving your business data vulnerable.
Second, make sure to secure your own network. The security of the VoIP system you choose relies on the security of the networks that carry the VoIP traffic, so securing your own network is key.
Make sure your VoIP implementation is secure. How can you do this? One way is to engage with a secure Voice over IP service provider such as Nextiva.
Ensuring VoIP security starts with checking out your hosted VoIP provider. As with any hosted service provision, make sure the provider meets security requirements. These requirements vary depending on your industry and specific needs. No matter your circumstances, the best way to begin this investigation is by asking your provider the following questions:
- What accreditations do you have?
- Do you use third party tools or software?
- If so, do you actively ensure those tools are secure as well?
- How do you do that?
Once you’ve answered these initial questions you’ll need to dive deeper into your own industry standards and regulations. Check whether your provider is compliant with important laws and regulatory bodies such as HIPAA and SOX.
- What’s the concern around HIPAA?
If your company handles medical information, you need to be concerned about the Health Insurance Portability and Accountability Act (or HIPAA). HIPAA deals with the privacy and security of personal medical records, and this has a bearing on the VoIP system you choose.
If your company works with patient records, all of your systems need to be HIPAA compliant, including your business phone service. So you will need a HIPAA-compliant VoIP system.
- Is VoIP compliant with HIPAA?
This depends on the provider you choose for your VoIP network. VoIP networks can be fully compliant with HIPAA requirements if the provider implements the right security measures. Your VoIP provider needs to ensure that the service providers it uses are also compliant with HIPAA regulations. Make sure your VoIP provider has a comprehensive agreement with its business associates to ensure that the services are HIPAA compliant end-to-end.
Questions to ask your provider:
- Are you audited and certified for HIPAA compliance?
- Do you have notification rules in place for data breaches?
Nextiva complies with these requirements and will advise you on other important factors around HIPAA.
Some VoIP users are unaware that they are required to turn off certain services to enable HIPAA compliance. For example, voicemail transcription is disabled by Nextiva to ensure HIPAA compliance. This is also the case with the emailing of a voicemail as an attachment, and the use of visual voicemail.
With Nextiva, you can be sure that your VoIP solution is fully HIPAA compliant.
Now that you have ensured that you use a secure provider such as Nextiva, you need to make sure your own internal networks are sufficiently secure to avoid any possible VoIP risks.
Unencrypted Internet networks are prone to hacker snooping. By contrast, Internet data that is encrypted is of no use to anyone who manages to record the data transmission. Encryption that runs end-to-end is therefore important. Data should be encrypted on every possible layer.
Data sent over your internal office WiFi should be encrypted because WiFi is easily susceptible to snooping. VoIP calls made over unencrypted WiFi can leave key data points exposed to anyone who cares to snoop. Your users should never connect their mobile devices to unsecured WiFi networks because doing so can expose network transmissions – including VoIP data.
User security is also an important factor when it comes to making sure your VoIP traffic stays out of prying hands.
A few security tips:
- Enforce strong password rules for your VoIP sessions
- Always make sure default passwords are changed (including default passwords for handsets and user accounts)
- Set rules for all passwords (including character length and requirements for both symbols and capital letters)
- Change passwords every 12 months
- Restrict the use of insecure Wi-Fi networks
- Encourage users to report anomalies (often a hacker will leave a trace, like a deleted voicemail or a voicemail forwarded to an odd destination)
- Don’t store voicemails longer than you need to, as this increases the amount of information a hacker has access to
User security also pushes through to device security on a number of layers. For example, passwords are important. Users should pay attention to the password they use on their devices. Many users use hosted VoIP via apps for Android and iOS handsets. These handsets are only as secure as the passwords used to protect them. Make sure users use strong passwords for their devices.
On an enterprise level, it is important to secure VoIP devices by enforcing secure passwords and having the ability to remotely wipe a device.
Still, many calls inside enterprises will be made from a traditional phone-like handset. VoIP handsets may look and feel like a normal phone, but they carry sophisticated software.
Any software-driven device is prone to intrusion attempts, and the chance of success often depends on how up to date the software is.
This is why it is so important to always update the firmware on your VoIP handsets. These updates are regularly released by manufacturers when vulnerabilities are discovered. In turn, hackers tend to seize on known vulnerabilities, so if you don’t keep your hardware up to date the chance of handsets getting hacked increases.
The same concerns apply to companies who prefer to keep VoIP infrastructure hardware on-premise; VoIP servers should also be patched regularly. Device security is an important layer when it comes to making sure your VoIP network is secure against intrusion.
Intrusions can only continue to cause damage as long as they remain undetected. For this reason, intrusion detection is one of the most important parts of VoIP security. Analyzing logs is one of the best ways to detect intrusions as soon as they occur. You should always keep an eye on your VoIP logs.
Logs report a number of different things including usage – how many calls were made from a number and the duration and destination of the calls.
Also reported by logs is the point source of the user trying to access the VoIP system. It is cause for concern if you have a user located in another country making a large number of calls when, in fact, you have no employees in that country.
Logs can also reveal repeated failed attempts to access your VoIP service. A brute-force password attack can show up in a log. Logs are the best way to reveal intrusion attempts and should be watched for evidence of a compromised VoIP system.
You might also want to think about setting up automatic alerts. For example, set up an alert for usage above a certain threshold. That way, you will be alerted when a certain number is making excess calls.
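The three log checks described above (repeated failed logins, calls from a country where you have no staff, and usage above a threshold) can be run over call and access records as in this added example, which is not the article's or any provider's code. The log layout, thresholds, country list and sample records are assumptions constructed for illustration.

```python
import csv, io
from collections import Counter, defaultdict
from datetime import datetime, timedelta

ALLOWED_COUNTRIES = {"US"}           # assumption: countries where staff work
MAX_FAILS = 3                        # assumption: failed logins tolerated...
FAIL_WINDOW = timedelta(minutes=1)   # ...per source IP within this window
MAX_CALLS_PER_EXT = 3                # assumption: usage alert threshold

# Constructed sample log: time,event,extension,source_ip,country,destination,seconds
LOG = """\
2024-05-01T02:10:01,AUTH_FAIL,1001,203.0.113.7,ZZ,,0
2024-05-01T02:10:09,AUTH_FAIL,1001,203.0.113.7,ZZ,,0
2024-05-01T02:10:15,AUTH_FAIL,1001,203.0.113.7,ZZ,,0
2024-05-01T02:11:00,CALL,1001,203.0.113.7,ZZ,+15550101,600
2024-05-01T02:22:00,CALL,1001,203.0.113.7,ZZ,+15550102,600
2024-05-01T02:33:00,CALL,1001,203.0.113.7,ZZ,+15550103,600
2024-05-01T02:44:00,CALL,1001,203.0.113.7,ZZ,+15550104,600
2024-05-01T09:00:00,AUTH_FAIL,1002,198.51.100.20,US,,0
2024-05-01T09:05:00,CALL,1002,198.51.100.20,US,+15550105,120
"""

def parse(text):
    fields = ["time", "event", "ext", "ip", "country", "dest", "secs"]
    rows = list(csv.DictReader(io.StringIO(text), fieldnames=fields))
    for r in rows:
        r["time"] = datetime.fromisoformat(r["time"])
    return sorted(rows, key=lambda r: r["time"])

def analyze(rows):
    alerts, fails, calls = [], defaultdict(list), Counter()
    def alert(*a):
        if a not in alerts:          # report each finding once
            alerts.append(a)
    for r in rows:
        if r["event"] == "AUTH_FAIL":
            # keep only failures from this IP inside the sliding window
            recent = [t for t in fails[r["ip"]] if r["time"] - t <= FAIL_WINDOW]
            fails[r["ip"]] = recent + [r["time"]]
            if len(fails[r["ip"]]) >= MAX_FAILS:
                alert("brute_force", r["ip"])
        elif r["event"] == "CALL":
            calls[r["ext"]] += 1
            if r["country"] not in ALLOWED_COUNTRIES:
                alert("unexpected_country", r["ext"], r["country"])
            if calls[r["ext"]] > MAX_CALLS_PER_EXT:
                alert("usage_threshold", r["ext"])
    return alerts

if __name__ == "__main__":
    for a in analyze(parse(LOG)):
        print(a)
```

In the sample, the single mistyped login on extension 1002 raises nothing, while extension 1001 trips all three checks in sequence.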
A good VoIP provider will help you to put in place the right security measures to make sure your VoIP infrastructure meets the necessary security requirements. When thinking about how to secure VoIP, it is just a matter of putting the right measures in place and selecting the right provider. In doing so, your VoIP solution can be far more secure than a PSTN solution.
You can rest assured that your VoIP solution, when acquired from a provider such as Nextiva, will meet all the important regulatory obligations, including HIPAA compliance.
In summary, VoIP is secure in the same way many other activities are secure if precautions are taken, and if a reliable supplier is utilized. The reliability of your VoIP supplier is your first concern when it comes to security. An established supplier such as Nextiva is key to ensuring that you avoid VoIP security issues.
Much of the security responsibility lies with your VoIP provider and is simply beyond your control. That’s why it is so important to work with a VoIP provider that you can trust. Your VoIP solution will be secure if, in addition to making use of a secure VoIP provider, you also take your own security precautions, including securing your internal network and making sure user practices are in line with security requirements.
An ultimate layer of protection is, of course, making use of encrypted VoIP. With encrypted VoIP, other issues such as network security protocols will simply play less of a role.