Using VoIP for your telephone needs has lots of benefits. Yet despite these benefits, many companies are stuck using old systems. Why? Security is among the biggest worries for companies thinking about switching to VoIP (it is even a concern for for businesses that have already made the switch) So, is VoIP secure?100% YES. This article explains why VoIP is a secure form of telephony, and how to make sure your VoIP solution is safe and effective.Internet security (and web-based telephony systems) is a concern from a broad perspective. Some people worry that:As shown above, calls pass through terminals that then (through switch boards) are route to the appropriate destination. VoIP is different. VoIP converts audio signals to digital data, and that data is then sent over the Internet. This is why it is a Voice over Internet Protocol.With VoIP, your voice call is sent over the same Internet infrastructure that you use for web browsing and e-mail. For additional information on how these two differ read our blog post: VoIP vs. PSTN.Make sure your VoIP implementation is secure. How can you do this? One way is to engage with a secure Voice over IP service provider such as Nextiva.With Nextiva, you can be sure that your VoIP solution is fully HIPAA compliant.Logs report a number of different things including usage. For example, how many calls are made from a number and the duration and destination of the calls. Also reported by logs is the point source of the user trying to access the VoIP system. It is cause for concern if you have a user located in another country making a large number of calls when, in fact, you have no employees in that country. Logs can also reveal repeated failed attempts to access your VoIP service. A brute-force password attack can show up in a log. Logs are the best way to reveal intrusion attempts and should be watched for evidence of a compromised VoIP system. You might also want to think about setting up automatic alerts. For example, set up an alert for usage above a certain threshold. That way, you will be alerted when a certain number is making excess calls.
Why Does VoIP Security Matter?Business leaders worry about the security of VoIP for the same reason they worry about online data security in lots of different use cases. A U.S. government survey even found that…
- Calls may be recorded without the user’s knowledge
- Call logs can escape into the wild
- VoIP accounts can get hacked, and criminals will run up huge bills that account holders will be forced to pay
- Regulation: Will my VoIP solution be compliant with the latest data protection regulation?
- Service disruptions thanks to a Denial of Service (or DoS) attack
- Concern that the software on VoIP phones will get infected with a virus
VoIP vs. Traditional Phone SystemsFor decades phone calls were made on the public switched telephone network (PSTN). Traditionally, PSTN uses circuits to connect audio signals over analog lines.
How VoIP Impacts PSTNA large chunk of the voice calls made over what you think is the traditional phone network is in fact carried over the Internet, at least part of the way. Pick up a PSTN-connected handset and likely some part of your call will be handled digitally. This is because VoIP often serves as a connecting backbone between networks. That call placed to your bank? It was most likely handled over an extensive, complicated VoIP network, stretching around the world. Your call may start on the PSTN network, but chances are it will switch to VoIP at some point.
PSTN SecurityIs PSTN more secure than VoIP? Not necessarily. Even if the first few miles of your call are carried over an old phone network, that does not mean this first stretch is secure. PSTN relies on analog signals, and there are ways to tap into these signals simply by tapping into the wires carrying the signal. Hacking such a signal requires physical effort and special equipment, but it is still possible. And, unlike VoIP, one of the only ways to mitigate this risk is by securing your building and blocking physical access to equipment. From this perspective, VoIP is no less secure than PSTN. In fact, thanks to encryption, VoIP can help you mitigate risk even more effectively than with PSTN.
Additional PSTN Security RisksOld phone systems brings other risks that are avoidable when using VoIP, such as:
- Old phone systems are seeing less and less development and support
- PBX components can break down with no easy fix
- The risk of PBX breakdown (and your entire voice network going down as a result) can be very costly for your business
How to Secure VoIPThe security of your VoIP system really comes down to implementation. VoIP can be as secure as PSTN, or it can be less secure. How can you make sure your VoIP is more secure? Consider these two important factors: First, be aware of the security protocols your VoIP provider has in place. Some VoIP applications will not put up any security hurdles, thereby leaving your business data vulnerable. Second, make sure to secure your own network. Ensure the secured VoIP system you choose relies on the security of the networks that carry the VoIP traffic. Securing your own network, for example, is therefore key.
VoIP ProvidersEnsuring VoIP security starts with checking out your hosted VoIP provider. As with any hosted service provision, make sure the provider meets security requirements. These requirements vary depending on your industry and specific needs. No matter your circumstances, the best way to begin this investigation is by asking your provider the following questions:
- What accreditations do you have?
- Do you use third party tools or software?
- If so, do you actively ensure those tools are secure as well?
- How do you do that?
AccreditationsOnce you’ve answered these initial questions you’ll need to dive deeper into your own industry standards and regulations. Check whether your provider is compliant with important laws and regulatory bodies such as HIPAA and SOX.
VoIP & HIPAA: Common Questions
- What’s the concern around HIPAA?
- Is VoIP compliant with HIPAA?
- Are you audited and certified for HIPAA compliance?
- Do you have notification rules in place for data breaches?
Other HIPAA considerationsSome VoIP users are unaware that they are required to turn off certain services to enable HIPAA compliance. For example, voicemail transcription is disabled by Nextiva to ensure HIPAA compliance. This is also the case with the emailing of a voicemail as an attachment, and the use of visual voicemail.
End-to-End EncryptionNow that you have ensured that you use a secure provider such as Nextiva, you need to make sure your own internal networks are sufficiently secure to avoid any possible VoIP risks. Unencrypted Internet networks are prone to hacker snooping. By contrast, Internet data that is encrypted is of no use to anyone who manages to record the data transmission. Encryption that runs end-to-end is therefore important. Data should be encrypted on every possible layer.
WiFi EncryptionData sent over your internal office WiFi should be encrypted because WiFi is easily susceptible to snooping. VoIP calls made over unencrypted WiFi can leave key data points exposed to anyone who cares to snoop. Your users should never connect their mobile devices to unsecured WiFi networks because doing so can expose network transmissions – including VoIP data.
User SecurityUser security is also an important factor when it comes to making sure your VoIP traffic stays out of prying hands. A few security tips:
- Enforce strong password rules for your VoIP sessions
- Always make sure default passwords are changed (including default passwords for handsets and user accounts)
- Set rules for all passwords (including character length and requirements for both symbols and capital letters)
- Change passwords every 12 months
- Restrict the use of insecure Wi-Fi networks
- Encourage users to report anomalies (often a hacker will leave a trace, like a deleted voicemail or a voicemail forwarded to an odd destination)
- Don’t store voicemails longer than you need to, as this increases the amount of information a hacker has access to