Cybersecurity threats have increased dramatically in the past year, and they won't go away anytime soon. Cisco estimates that by 2023, there will be 15.4 million distributed denial-of-service attacks (DDoS) attacks alone.
Now consider all the other cyber threats that businesses face--your organization simply can't afford to ignore cybersecurity, and that includes threats to your communication system.
Security is probably your IT department's biggest concern. Security breaches are often costly, and they can affect your company’s assets and reputation. We often think of industries like healthcare and e-commerce as being more susceptible to security breaches; however, the reality is that just about every company bears a risk.
According to a recent report from IBM, the average data breach costs $3.86 million, making the United States the most expensive country for data breaches.
No phone system can prevent 100% of cyberattacks, but you can take steps to choose a secure provider.
VoIP Security Challenges
Many people focus on the liability, cost, and functionality of a VoIP system. Sometimes the security of the services is not thoroughly evaluated. However, it’s crucial to think about potential risks with VoIP security. Here's a look at some of the most common threats:
- Eavesdropping: Hackers can listen in on phone calls to steal information or gain valuable information about your business.
- ID spoofing: A cyberattacker can use a familiar caller ID against you. The number shows up as one you would trust, but it's actually a call from somewhere else.
- Vishing: Short for "VoIP phishing," it's similar to ID spoofing. Cybercriminals will act as trusted individuals to get you to click on a dangerous prompt or call a specific phone number. This is sometimes also called "audio spam."
- Denial of service (DoS): This kind of attack is on the rise. A cyberattacker blocks access to your network, usually demanding money to allow re-entry. For VoIP, a DoS attack involves continuously dropping or stopping services with call or message flooding.
- Call tampering: A less invasive attack, the purpose of call tampering is to ruin call quality. Attackers will insert noise packets into the data stream so that you will sound fuzzy or muffled to the end caller.
- Call hijacking: This is when an attacker on a shared WiFi hotspot takes over a call and steals sensitive information.
- Malware and viruses: Just like any other internet application, VoIP software can be susceptible to worms, malware, and viruses.
- Man-in-the-middle attacks: Hackers use unsecured WiFi connections to intercept calls and reroute them to their own servers. From there, they can place spyware and malware in the system.
How To Protect Your VoIP System Against Cybersecurity Threats
Security threats will inevitably happen, especially in today’s technology world. Threats can occur in all shapes and sizes. However, a few best practices can help protect your VoIP system.
- Virtual Private Network (VPN): Create a Virtual Private Network (VPN) for your remote team members. VPNs help provide a safe and secure work environment by encrypting traffic.
- Password Policy: It’s crucial to enforce a strong password policy for securing your phone system. A good tip is to use a password that involves upper case letters, lower case letters, numbers, and symbols. Ensure that employees do not store their passwords in vulnerable places like a web document.
- Single Sign-On (SSO): Single Sign-On is an authentication scheme that allows a user to log in with a single ID and password to any of several related, yet independent, software systems.
- Multi-Factor Authentication (MFA): Multi-Factor Authentication offers an added layer of security that implements a two-step verification process for authenticating users accessing their VoIP account.
- Educate and Train Users: Attacks can occur because of employees’ lack of education on best security practices. It’s important that a company provides all employees with resources to help prevent hacker scams. Train employees to spot potential attacks. Lastly, ensure your team knows whom to contact in the case of a security breach.
- Deactivate Inactive Accounts: Be sure to notify your IT department once an employee leaves your organization. The VoIP account should no longer remain active without a real user.
- Evaluate Call Logs: Analyze your call logs to determine out-of-the-ordinary trends or behavior. Use a dashboard to help monitor call volume that can track analytics on a weekly and monthly basis.
- Remote Device Management: This step is essential to cybersecurity for remote workers. Ensure remote devices can be tracked and wiped clean if a team member's device is threatened or compromised.
- Restrict Calls: If your company does not do business internationally, restrict dialing to international numbers. To prevent toll fraud, have your VoIP service provider block 1-900 numbers and enable call blocking from restricted or private numbers.
- Report Unusual Call Behavior: Allow your team to report suspicious behavior like missing voicemails and ghost calls. Ensure your team does not store voice messages for longer than needed.
- WiFi Encryption: Require WiFi encryption and activate WPA2 on your company’s network. Have employees use this encryption for their remote WiFi network connection. It is also good practice to update your WiFi encryption settings yearly.
- System Updates: Apply frequent operating system updates. Encourage your team members to update their phones and smart devices when they use these for work. Updates patch the vulnerabilities that malicious software exploits.
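The call-log review, call restrictions and unusual-behavior reporting in the list above can be automated against the call detail records (CDRs) every hosted PBX exports. The Go program below is an added example, not code from this page or from any VoIP provider. It assumes a CSV export of start time, originating extension, dialed E.164 number and duration; a US business that never calls abroad; business hours of 08:00-18:00 in the log's time zone; and a burst threshold of five calls from one extension within five minutes. The records in `cdrSample` are constructed.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Call is one call detail record (CDR): start time, originating extension,
// dialed number in E.164 form, and duration in seconds.
type Call struct {
	Start    time.Time
	Ext      string
	Dest     string
	Duration int
}
type Finding struct { // a flagged call and the rule that matched it
	Rule string
	Call Call
}

// Policy holds the review thresholds: home-country dial prefix, business hours
// (start inclusive, end exclusive) and the per-extension burst window and count.
type Policy struct {
	HomePrefix    string
	BusinessStart int
	BusinessEnd   int
	BurstWindow   time.Duration
	BurstCount    int
}

// DefaultPolicy is an assumption: a US business, 08:00-18:00, five calls in five minutes.
func DefaultPolicy() Policy {
	return Policy{HomePrefix: "+1", BusinessStart: 8, BusinessEnd: 18, BurstWindow: 5 * time.Minute, BurstCount: 5}
}

// cdrSample is constructed, not a real export: one 1-900 call, and extension
// 201 dialing five UK numbers in three minutes around midnight.
const cdrSample = `2021-09-14T09:12:03Z,201,+12125551234,184
2021-09-14T09:15:40Z,204,+19005550199,620
2021-09-14T23:47:11Z,201,+447911123456,35
2021-09-14T23:48:02Z,201,+447911123457,31
2021-09-14T23:48:50Z,201,+447911123458,28
2021-09-14T23:49:33Z,201,+447911123459,40
2021-09-14T23:50:20Z,201,+447911123460,22
2021-09-15T10:02:17Z,207,+14155550123,95`

// ParseCDR reads "start,ext,dest,duration" lines, skipping malformed ones.
func ParseCDR(text string) []Call {
	var calls []Call
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		f := strings.Split(strings.TrimSpace(line), ",")
		if len(f) != 4 {
			continue
		}
		start, err1 := time.Parse(time.RFC3339, f[0])
		dur, err2 := strconv.Atoi(f[3])
		if err1 == nil && err2 == nil {
			calls = append(calls, Call{start, f[1], f[2], dur})
		}
	}
	return calls
}

// Review applies the policy to calls in chronological order and returns every match.
func Review(calls []Call, p Policy) []Finding {
	var out []Finding
	recent := map[string][]time.Time{} // per-extension call starts inside the window
	for _, c := range calls {
		if strings.HasPrefix(c.Dest, "+1900") { // North American premium-rate range
			out = append(out, Finding{"premium-rate (1-900) number", c})
		} else if !strings.HasPrefix(c.Dest, p.HomePrefix) {
			out = append(out, Finding{"international destination", c})
		}
		if h := c.Start.Hour(); h < p.BusinessStart || h >= p.BusinessEnd {
			out = append(out, Finding{"outside business hours", c})
		}
		// Sliding window: keep starts within BurstWindow of this call, add this
		// call, and flag once when the window first reaches BurstCount.
		kept := recent[c.Ext][:0]
		for _, t := range recent[c.Ext] {
			if c.Start.Sub(t) <= p.BurstWindow {
				kept = append(kept, t)
			}
		}
		kept = append(kept, c.Start)
		recent[c.Ext] = kept
		if len(kept) == p.BurstCount {
			out = append(out, Finding{fmt.Sprintf("%d calls within %v", p.BurstCount, p.BurstWindow), c})
		}
	}
	return out
}

func main() {
	for _, f := range Review(ParseCDR(cdrSample), DefaultPolicy()) {
		fmt.Printf("%s ext %s -> %s [%s]\n", f.Call.Start.Format(time.RFC3339), f.Call.Ext, f.Call.Dest, f.Rule)
	}
}
```

Run against the sample, the review flags the 1-900 call, the five international after-hours calls from extension 201, and the burst they form; the first and last records, a normal daytime domestic call each, produce nothing. The thresholds belong in `Policy` so a weekly report and an alerting rule can share the same code with different numbers.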
Be Sure to Choose a Secure Provider
When choosing a VoIP provider, security requirements should be at the top of your list.
Do Your Research
Read reviews and analyze audit reports from potential VoIP providers. Gather the questions you have regarding the security of their system; providers should be willing to answer all of your security concerns. Watch for red flags, such as a provider that cannot address your security questions. Use resources like customer review sites to find the right provider. It’s always a great idea to follow Gartner’s annual Magic Quadrant Report to discover industry trends.
Does the VoIP Provider Comply With Federal Guidelines?
Be sure not to sign a contract with a VoIP provider without knowing if they have all credentials and are compliant with the required federal security guidelines. In the United States, the Federal Communications Commission (FCC) is responsible for creating the security guidelines for both the Public Switched Telephone Network (PSTN) and VoIP services. The FCC protects both customers and providers; their main regulations of VoIP services include:
- Emergency Services: VoIP must comply with the emergency 911 system for both landline routing and location transmission.
- Portability: ITSPs (Internet Telephone Service Providers) must follow Local Number Portability (LNP) regulations.
- Calling Records: The FCC limits call recording, and companies cannot disclose their calls to people outside of the company.
- Universal Service and Accessibility: ITSPs must contribute funds to support services to low-income phone subscribers, persons with speech or hearing disabilities, and high-cost remote areas.
Ask the Right Questions
Not only should you ask a potential VoIP provider general questions, but also the critical security questions. Find out whether the VoIP provider uses encryption; if they do not, this is a red flag. The right VoIP providers will offer end-to-end encryption for fully secure voice and video calls. Usually, those providers are more expensive, and the cheaper ones may not provide these services.
To go into more detail, ask the VoIP provider exactly which encryption they use. Look for acronyms like TLS or SRTP, and ask whether VoIP is part of their core services or just an add-on service. You want a company that prioritizes the security of its product. It is also important to know who is responsible for security. For example, who manages the firmware and software on your VoIP phones: you, or the service provider?
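A provider's answer about TLS and SRTP can be checked against what its system actually sends, because both show up in the SIP signaling: TLS as the transport in the top `Via` header, SRTP as the profile on each SDP `m=` line together with keying material (`a=crypto` for SDES, `a=fingerprint` for DTLS-SRTP). The Go program below is an added example, not code from this page or any provider; it parses one SIP INVITE and reports both properties. The two INVITEs are constructed (the `a=crypto` key value is the example from RFC 4568, not a real session key), and the check covers only the hop whose `Via` you can see.

```go
package main

import (
	"fmt"
	"strings"
)

// Report records what a SIP request reveals about encryption.
type Report struct {
	SignalingTLS bool     // the top Via header shows SIP/2.0/TLS transport
	MediaSRTP    bool     // every m= line negotiates an SRTP profile with keying
	Issues       []string // reasons for any false above
}

// sip assembles a minimal INVITE around the given Via header and media lines.
func sip(via string, media ...string) string {
	lines := []string{
		"INVITE sip:2125551234@provider.example SIP/2.0", via,
		"From: <sip:201@pbx.example>;tag=1928301774",
		"To: <sip:2125551234@provider.example>",
		"Call-ID: a84b4c76e66710@pbx.example", "CSeq: 314159 INVITE",
		"Content-Type: application/sdp", "",
		"v=0", "o=- 2890844526 2890842807 IN IP4 192.0.2.10", "s=-",
		"c=IN IP4 192.0.2.10", "t=0 0",
	}
	return strings.Join(append(lines, media...), "\r\n") + "\r\n"
}

// Two constructed INVITEs (not captured traffic). The a=crypto key is the
// example value from RFC 4568, not a real session key.
var (
	inviteInsecure = sip("Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds",
		"m=audio 49170 RTP/AVP 0 8")
	inviteSecure = sip("Via: SIP/2.0/TLS 192.0.2.10:5061;branch=z9hG4bK776asdhds",
		"m=audio 49170 RTP/SAVP 0 8",
		"a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:WVNfX19zZW1jdGwgKCkgewkyMjA7fQp9CnVubGVz")
)

// Inspect parses one SIP request and reports whether signaling and media are protected.
func Inspect(msg string) Report {
	r := Report{MediaSRTP: true}
	parts := strings.SplitN(msg, "\r\n\r\n", 2) // headers, then SDP body
	for _, h := range strings.Split(parts[0], "\r\n")[1:] { // [1:] skips the request line
		name, val, ok := strings.Cut(h, ":")
		if n := strings.ToLower(strings.TrimSpace(name)); ok && (n == "via" || n == "v") {
			// Only the top Via matters: it is the hop whose transport we can see.
			val = strings.TrimSpace(val)
			if r.SignalingTLS = strings.HasPrefix(val, "SIP/2.0/TLS"); !r.SignalingTLS {
				r.Issues = append(r.Issues, "signaling not over TLS: "+val)
			}
			break
		}
	}
	if len(parts) < 2 {
		r.MediaSRTP = false
		r.Issues = append(r.Issues, "no SDP body")
		return r
	}
	type media struct {
		profile string
		keyed   bool // a=crypto (SDES) or a=fingerprint (DTLS-SRTP) seen under this m= line
	}
	var ms []media
	sessionFingerprint := false
	for _, line := range strings.Split(parts[1], "\r\n") {
		switch {
		case strings.HasPrefix(line, "m="):
			if f := strings.Fields(line[2:]); len(f) >= 3 {
				ms = append(ms, media{profile: f[2]})
			}
		case len(ms) == 0 && strings.HasPrefix(line, "a=fingerprint:"):
			sessionFingerprint = true // session-level fingerprint covers every m= line
		case len(ms) > 0 && (strings.HasPrefix(line, "a=crypto:") || strings.HasPrefix(line, "a=fingerprint:")):
			ms[len(ms)-1].keyed = true
		}
	}
	if len(ms) == 0 {
		r.MediaSRTP = false
		r.Issues = append(r.Issues, "no m= lines in SDP")
	}
	for _, m := range ms {
		switch m.profile {
		case "RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF":
			if !m.keyed && !sessionFingerprint {
				r.MediaSRTP = false
				r.Issues = append(r.Issues, "SRTP profile "+m.profile+" without a=crypto or a=fingerprint")
			}
		default:
			r.MediaSRTP = false
			r.Issues = append(r.Issues, "media profile "+m.profile+" is plain RTP, not SRTP")
		}
	}
	return r
}

func main() {
	fmt.Printf("insecure: %+v\nsecure:   %+v\n", Inspect(inviteInsecure), Inspect(inviteSecure))
}
```

The insecure INVITE yields two issues (UDP signaling, `RTP/AVP` media); the secure one yields none. An `RTP/SAVP` profile with no `a=crypto` line is also reported, since an SRTP profile without keying material cannot actually encrypt the stream.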
Top Tactics to Protect Your VoIP from Phishing and Vishing Attacks
Vishing attacks often make the news. Recently, scammers impersonated online retail giant Amazon, sending emails about fake orders and then demanding credit card numbers when individuals called to get a refund.
These scams are on the rise, and they pose a threat not only to individuals, but also to businesses. The FBI even issued a warning in January 2021, encouraging businesses to be more vigilant about security risks associated with vishing attacks.
The FBI noted that vishing scammers have moved beyond targeting only high-level employees with more extensive access. Vishing attacks might now focus on convincing any employee to share credentials, which can then be used to gain greater access to those in the employee’s network.
Although vishing certainly poses a threat to organizations, the right security measures can help protect your company and employees.
What Is Vishing?
Most of us are familiar with phishing, which uses email to lure unsuspecting people to share sensitive information like bank account and credit card numbers, or usernames and passwords. Vishing adds a voice component to that strategy. The perpetrator might either call people directly, or send an email with a spoof contact number.
Vishing relies on social engineering to manipulate people into sharing that sensitive information. These tactics are common:
- False urgency: The caller insists that the target must comply or face immediate, dire consequences. For example, in one vishing attack, scammers impersonated the United States Internal Revenue Service and insisted that people must immediately pay a fake tax bill or face a lawsuit.
- Impossible promises: We’re all familiar with get-rich-quick schemes, which are still a favorite tactic for vishing attacks. These are less common in the context of businesses, but it’s important for employees to remain aware.
- Pretexting: The caller pretends to need critical information to perform some critical task. This starts with the impersonation of a trusted authority--which might even include someone from inside the organization, such as an IT or help-desk employee.
To enhance legitimacy, perpetrators might imitate the email or phone number of a trusted source. This practice is known as spoofing. For instance, in the Amazon vishing attacks, emails that closely resembled actual Amazon email addresses were used.
Phone numbers can also be spoofed, a practice that is illegal in the United States. But it isn’t as regulated elsewhere, so perpetrators might call from overseas using VoIP. The same low-cost international calling that makes VoIP appealing for your business also makes it attractive for vishing scammers.
How to Protect Your Organization Against Vishing Attacks
Vishing attacks have gotten more sophisticated, so everyone in an organization must be vigilant about security. These seven strategies can help protect your company and your employees.
#1. Segment the Network
The standard network is one giant, interconnected system, where every member belongs to the same “pool.” That might be the easiest to set up and monitor; however, it’s also quite vulnerable because everyone is open to an attack via any user.
Instead, consider segmenting your network. This way, if the network is infiltrated, it will only put a limited number of members or users at risk, rather than the entire organization. Each segment should be closely monitored for unusual activity or unauthorized access.
#2. Use the Principle of Least Privilege
Many organizations still use role-based access to their networks and applications, that is, anyone who’s a manager gets certain access privileges. This means that people often have more access than they need, unnecessarily increasing risk.
In contrast, the principle of least privilege dictates that employees get the least amount of access needed to do their jobs. This approach means that access is assigned dynamically, as a response to changing responsibilities, workloads, and risk factors.
#3. Monitor VPN Access
Following the principle of least privilege, VPN access would ideally be limited to certain users. But that often isn’t possible in today’s remote work environment. Closely monitor VPN certificates to ensure that only authorized users are accessing the network via VPN.
Another way to limit the risk of unauthorized VPN access is to limit the hours when VPN is available. Blocking VPN access overnight, for example, can help prevent attacks from overseas.
#4. Implement Multi-Factor Authentication
Multi-Factor Authentication requires a user to provide at least two verification factors to access an account or resource. For instance, the second authentication might be a one-time code that a user receives via automated text or email upon entering the correct username and password.
Because that second authentication factor can’t be “stolen” like a password, Multi-Factor Authentication can help prevent a wide variety of cybersecurity attacks.
#5. Train Employees to Spot Vishing and Other Cybersecurity Attacks
Best practices in cybersecurity are constantly evolving in response to new threats. Employees need to keep up! This is especially important in a remote work setting, where employees might not have immediate access to the IT team to address security concerns.
Ensure that your cybersecurity training curriculum includes an overview of good password management, along with how to identify potential phishing and vishing attacks. Consider video conferencing to conduct training, so that employees have opportunities to ask questions and interact with the IT team.
#6. Encourage a “No-Trust” Mindset
A “no-trust” mindset sounds like the opposite of what you’d want to foster in your organization, but it’s important for security. Teach employees not to trust unexpected phone calls from people they don’t know, even if the person claims to be part of your organization. Instruct them to hang up and call back from an independently verified phone number--not the one provided by the caller.
After all, vishing scammers have been known to impersonate an organization’s own employees using a spoofed phone number.
#7. Choose the Right VoIP Provider
While your VoIP provider can’t stop your employees from answering vishing calls, it can help protect your organization in other ways. Look for a provider that embraces high standards for maintaining security.
The best VoIP providers also implement additional security options, from managed firewalls and Intrusion Detection and Prevention Systems (IDPS) to Distributed Denial of Service (DDoS) mitigation and Security Information and Event Management (SIEM), to protect their underlying network. Seek a VoIP solution that includes Security Operations Center (SOC) support for event notification and remediation.
Cybersecurity Tips for Remote Workers
Thanks to Covid-19, many organizations now face the additional security vulnerabilities that come with a remote workforce.
Here are a few basic questions/tips to consider within your remote environment to ensure your systems and data remain secure:
- Is your WiFi connection secure?
- Do you have anti-virus software installed and fully updated?
- Is your security software current and set up properly? Check those patches and make sure your privacy tools, browser add-ons, etc. are effective and in place.
- Are you regularly backing up your work?
- Is the connection to your work environment secure?
- Have you installed encryption tools?
Beware of Social Engineering
One tactic being leveraged by cybercriminals is social engineering. This involves manipulating a person or persons in order to access company systems and private information. Social engineering plays into your natural inclination to trust and is the easiest method for setting the stage for a ransomware attack.
4 Types of Social Engineering Scams
- Phishing: This is the leading tactic leveraged by today’s ransomware hackers, typically delivered in the form of an email, chat, web ad, or website designed to impersonate a real system and organization. Often crafted to deliver a sense of urgency and importance, the message within these emails often appears to be from the government or a major corporation and can include logos and branding.
- Baiting: Similar to phishing, baiting involves offering something enticing to an end user in exchange for private data. The “bait” comes in many forms, both digital, such as a music or movie download, and physical, such as a flash drive labeled “State of Virginia - Confidential Salary Analysis, Q4 2020” that is left out in public for an end user to find. Once the bait is taken, malicious software is delivered directly into the victim’s computer.
- Quid Pro Quo: Similar to baiting, quid pro quo involves a request for the exchange of private data, but for a service. For example, an employee might receive a phone call from the hacker posing as a technology expert offering free IT assistance in exchange for login credentials.
- Pretexting: This is when a hacker creates a false sense of trust between themselves and the end user by impersonating a co-worker or a figure of authority within the company in order to gain access to private data. For example, a hacker may send an email or a chat message posing as the head of IT Support who needs private data in order to comply with a corporate audit (that isn’t real).
If you have concerns about any of the basic questions above or are unsure of the validity of emails and credential requests, reach out to your IT department, employer or service provider for support.
VoIP Security during a Crisis
One business aspect that is often overlooked is disaster recovery. Many businesses rely on connectivity to function as normal during an emergency or natural disaster, yet organizations often fail to recognize the dangers of not planning for backup communications when disaster strikes.
Disasters for companies aren’t always as severe as natural disasters like floods or fires. Something as mundane as a software failure, an internet connection failure, or a power outage could bring down VoIP services. With a hosted VoIP service, many organizations are aware that they can use mobile devices when needed outside the organization's walls. SIP trunking, however, requires disaster recovery strategies, and having a wireless backup plan in place is wise.
Companies have two types of disasters they need to be prepared for: disaster strikes the business or a service interruption strikes the communications vendor. It is even possible that the company and the vendor are affected by the same disaster (think earthquake, hurricane, etc.). Preparation is critical, and there must be plans in place in case this occurs.
Disaster and the Business
From a business perspective, what counts as a “disaster” can range from minor problems to major calamities. Any place of business has processes that could cause minor problems like network congestion, software issues, or hardware failure. Larger catastrophes may include complete loss of the internet or a natural disaster. However big or small, they all can bring down your company’s voice system, which hurts your business.
If any of these issues bring down your phone system, it can be up and running from mobile devices or alternate locations in a matter of minutes. Many organizations maintain two internet connections from different ISPs so that each can act as a backup for the other.
Disaster and Your VoIP Provider
Some disasters can be controlled within the business itself. Some catastrophes, though, are up to the vendor to address. The vendor should have a disaster recovery plan in place for themselves and their clients. It is possible that the vendor could be experiencing problems on their end, which is preventing your company from completing calls and conducting business as usual.
SIP trunking services are often delivered via data centers, but many providers do not have redundant infrastructure. However, some VoIP providers have data centers in multiple locations worldwide that can act as backups for one another in case of an emergency. This can also reduce latency for clients by routing calls to the nearest point possible. Be sure to ask any prospective provider about their own security, redundancies, and disaster recovery provisions.
SIP Trunking and Disaster Recovery Plans
SIP trunking is gaining popularity because of its enhanced flexibility. SIP is well suited to handle disasters and recover quickly. Being IP-based, SIP trunks are far more flexible than any traditionally “fixed” communication solutions or circuits. Users can work with their vendors to program SIP lines how they want.
Suppose a specific user is out of the office or the entire office is out of commission. In that case, the lines can roll over to backup sites, alternate phones, or even mobile devices within the company’s network (or at a predetermined backup facility). It can be set up before a catastrophic event occurs.
SIP trunks complement existing lines because they allow companies to choose whether they use an IP connection as their primary solution and ISDN as a backup or the other way around. Hosted communication solutions can dramatically reduce the costs associated with hardware and software maintenance and can back up important contact data to the cloud.
The enhanced resilience that comes with using SIP is evident. For any event or reason, calls can easily be programmed to be forwarded to other destinations nearly instantaneously, with no forwarding costs or middle man to deal with. Some ISDN services can take up to 48 hours, with multiple people in the middle handling the change. In both forms of communication (SIP or Hosted), numbers can be deflected individually, which is extremely important for a call center where many different numbers are being utilized.
The Basics of a Disaster Recovery Plan
A simple recovery plan to implement would be to order a small group of SIP trunks to cover your most used or critical phone numbers for routing in the case of a disaster. You can simply forward those trunks back to your T1 or PRI in minutes. If or when your PRI goes down, just turn off the forwarding and you will have no interruption in service. Calls will still be conducted, although at a temporarily reduced capacity. If the outage turns into an extended one, you can add trunks quickly as needed.
Some SIP trunk providers can provision additional trunks almost instantly. Because the trunks live in the cloud, calls can be answered anywhere, using the disaster recovery plan that was put in place long before you needed it. Stress is limited, costs are saved, and workday productivity is maintained.
Investing in a SIP trunk allows businesses to run optimally every day but be prepared for a disaster if it were to occur (with minimal service disruption). SIP technology allows organizations to have a backup communication system if the primary strategy fails. SIP trunks can transform a business, support growth, boost productivity, cut costs, and have a disaster recovery plan in place.
STIR/SHAKEN Call Authentication Reduces Risk and Promotes Trust
Americans received more than 4.2 billion robocalls in July 2021, according to a recent national survey. The calls are more than just a nuisance: approximately 42% of them were scams. To combat these unwanted calls, the FCC has mandated a new industry standard: Secure Telephony Identity Revisited (STIR) and Signature-based Handling of Asserted Information using toKENs (SHAKEN).
The STIR/SHAKEN framework ensures that caller identities are more accurately authenticated and verified. As each phone call passes all the segments of our complex communication network, STIR/SHAKEN allows the communication provider to digitally validate the call “handoff,” so that it can verify that the caller’s identity actually matches the number showing on the caller ID.
This prevents call spoofing, a popular technique that scammers use to imitate legitimate callers. This means not only more confidence for consumers, but also better security for businesses. Although STIR/SHAKEN will not completely eliminate robocalls and unwanted calls, it promises to dramatically reduce the number of scam calls that consumers receive every day.
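The digital validation of the call handoff described above is carried in a PASSporT token (RFC 8225) with the SHAKEN extension (RFC 8588): the originating provider signs the caller's number, the called number, a timestamp and an attestation level (A for a fully known customer, B for partial, C for a gateway) with an ES256 key, and the terminating provider checks the signature, rejects stale tokens and compares the signed origin with the caller ID it is about to display. The Go program below is an added illustration of that exchange, not this page's or any carrier's code. It assumes the verifier already holds the signer's public key (the real flow fetches the certificate from the `x5u` URL and validates its chain); the key, telephone numbers, `origid` and `x5u` URL are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Claims is the SHAKEN PASSporT payload (RFC 8225 with the RFC 8588 extension).
// Attest is A (full), B (partial) or C (gateway); OrigID identifies the origin.
type Claims struct {
	Attest string `json:"attest"`
	Dest   struct{ TN []string `json:"tn"` } `json:"dest"`
	Iat    int64 `json:"iat"`
	Orig   struct{ TN string `json:"tn"` } `json:"orig"`
	OrigID string `json:"origid"`
}
var enc = base64.RawURLEncoding

// NewProviderKey generates an originating provider's ES256 (P-256) signing key.
func NewProviderKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignPassport builds the compact-form token for one call. x5u is the URL where
// the signer publishes its certificate; the one used in main is a placeholder.
func SignPassport(key *ecdsa.PrivateKey, x5u, origTN, destTN, attest, origID string, iat time.Time) (string, error) {
	header := map[string]any{"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": x5u}
	claims := map[string]any{
		"attest": attest,
		"dest":   map[string][]string{"tn": {destTN}},
		"iat":    iat.Unix(),
		"orig":   map[string]string{"tn": origTN},
		"origid": origID,
	}
	// encoding/json writes map keys in sorted order, the canonical form RFC 8225 signs.
	h, _ := json.Marshal(header)
	c, _ := json.Marshal(claims)
	input := enc.EncodeToString(h) + "." + enc.EncodeToString(c)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signature: raw R || S, 32 bytes each
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + enc.EncodeToString(sig), nil
}

// VerifyPassport is the terminating provider's check: header, signature, freshness,
// and that the signed originating number matches the presented caller ID.
// pub stands in for the certificate that would be fetched from x5u.
func VerifyPassport(token string, pub *ecdsa.PublicKey, callerID string, now time.Time, maxAge time.Duration) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hb, err1 := enc.DecodeString(parts[0])
	cb, err2 := enc.DecodeString(parts[1])
	sig, err3 := enc.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil || len(sig) != 64 {
		return nil, errors.New("bad encoding")
	}
	var hdr struct{ Alg, Ppt, Typ string } // encoding/json matches keys case-insensitively
	if json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "ES256" || hdr.Ppt != "shaken" || hdr.Typ != "passport" {
		return nil, errors.New("unexpected header")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, errors.New("signature invalid")
	}
	var c Claims
	if err := json.Unmarshal(cb, &c); err != nil {
		return nil, err
	}
	if age := now.Sub(time.Unix(c.Iat, 0)); age > maxAge || age < -maxAge {
		return nil, errors.New("token too old or from the future (replay?)")
	}
	if c.Orig.TN != callerID {
		return nil, fmt.Errorf("caller ID %s does not match signed origin %s", callerID, c.Orig.TN)
	}
	return &c, nil
}

func main() {
	key, _ := NewProviderKey()
	tok, _ := SignPassport(key, "https://cert.provider.example/shaken.pem", "12025550123", "12125551234", "A", "call-001", time.Now())
	_, err := VerifyPassport(tok, &key.PublicKey, "12025559999", time.Now(), time.Minute) // spoofed caller ID
	fmt.Println(tok, "\n->", err)
}
```

The caller-ID comparison is the step that defeats spoofing: a scammer can set any number in the SIP `From` header, but cannot produce a valid signature over it with a certificate the terminating provider trusts. The returned `Attest` level is what the terminating provider uses to decide how much confidence to show the subscriber.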
9 Must-Have VoIP Security Features
Every business has unique security needs, but everyone should choose a VoIP provider that can deliver these security tests and features.
#1. Pen Test: A simulated attack that attempts to gain access to a network or application; often required for compliance such as PCI.
#2. Risk Assessment: The practice of evaluating an organization or IT environment’s current security posture with suggested recommendations for improvement. These are often performed in reference to a specific security standard or compliance regulations.
#3. Managed SIEM: A real-time, managed solution for Security Information & Event Management, designed to provide a holistic view of a customer’s environment and correlate various data sources to identify threats.
#4. DDoS mitigation: A solution designed to block Distributed Denial of Service attacks from taking down a network or online application; especially relevant for businesses that conduct business online.
#5. Access Control: A technique to regulate who or what can use resources or applications on a network. This includes Single Sign-On and Identity Access Management.
#6. Perimeter Security: A broad approach to fortify the boundaries of a network; may include firewalls, Virtual Private Networks, intrusion detection, and intrusion prevention.
#7. Endpoint Protection: A unified solution to protect desktops, laptops, and mobile devices with features like anti-virus, anti-spyware, and personal firewall.
#8. Incident Response: An organized, forensic approach to investigate and remediate a security breach. This can be on-demand or via a monthly retainer.
#9. Compliance with STIR/SHAKEN regulations: These new regulations protect against call spoofing and related cyberattacks. Look for a provider that has already achieved compliance.
To best review your business needs and goals, consult with an agnostic technology advisor or consultant to gain a deeper overview of the range of solutions and providers available to you. In addition to assisting you with procurement, the consultant can also handle ongoing support.