Is VoIP Putting Your Network at Risk?
VoIP-related threats are evolving faster than you're able to handle, and until you understand the nature of these threats, you won't know what's truly at risk.
For many of you, VoIP is old hat, and when it comes to innovations in communications, you're focusing on other things these days. Even UC may feel very 2013, and now you're more granular, becoming immersed in things like WebRTC, desktop video, BYOD and Big Data--along with anything that produces a tangible ROI for collaboration.
IT's job is getting harder, not easier, and with a near-impossible set of priorities to manage (juggle, really), you hardly ever get the chance to revisit things once they're up and running. This brings me to VoIP, and based on the research done for my latest white paper, I would advocate some second thoughts on that. Whether you deployed VoIP last year or many years ago, you're facing a tougher environment today regarding network security.
The Root of the Problem
No doubt you have rock-solid security to protect your data assets, and for many of you this is mandated for compliance purposes. When it's time for a security audit, the checklist is pretty daunting, and once you get through that, there aren't too many stones left unturned.
More often than not, however, VoIP isn't part of that audit. There are two implications here, and I need to get both of them on the table. First is the fact that VoIP is barely, if at all, part of the security compliance envelope. The technology is too new and not well understood by the audit community in terms of the risks posed by VoIP-enabled security threats. As such, it's not on their general radar, and if VoIP isn't on the audit checklist, the auditors won't likely be looking there.
If this were the only stakeholder group regarding network security, the solution would be easy. However, IT is another key stakeholder--arguably the most important one--and is as much a part of the problem as the solution. To whatever extent IT knows or believes their network is protected from VoIP-enabled security threats, my position is that enterprises are woefully misinformed.
This isn't to say that VoIP cannot be very effectively secured in your network. In many cases, security was not much of a concern when VoIP was initially deployed, and once it becomes hard-baked into your network, you move on to other things. With VoIP becoming a commodity and telephony becoming a smaller line item in your budget, higher priorities take over. If VoIP hasn't led to any notable security breaches yet, you're probably not thinking too much about it as a source of network risk.
A Bigger Picture to Consider: VoIP Isn't Just Telephony
All of the newer, granular factors cited above are far more pertinent to today's needs, and there's only so much time in your day to plug holes in the security dike. Not only does each of these have financial implications for IT, but they pose major security challenges independent of VoIP. These realities may rule the day for IT right now, but a common thread runs through all of them. To varying degrees, they are all touched by VoIP, so if your VoIP security framework is lacking, these higher-order issues will be as well.
Making that connection may not be obvious, especially if you only view VoIP as telephony. At face value, this is certainly true, but that isn't the issue here. Of greater consequence is the fact that VoIP is a form of data, and rides over the same network that is the lifeblood of your business. This is a fundamental shift from legacy systems in which voice never touched your data network--and by extension, telephony was hardly seen as a security threat.
As IP networks become the common fabric for data transport, VoIP is poised to become the weak link in your security chain, especially if it has never been given proper attention this way. For the most part, any form of VoIP security is voluntary, and if the associated threats are not viewed as either imminent or real, getting adequate resources for a solution will be a real challenge.
Network security is a lot like insurance, and to the extent that risks are understood and can be quantified, measures will be taken accordingly. Large-scale VoIP-related security breaches are either uncommon or not reported, and when toll fraud occurs, it's more expedient to treat it as a cost of doing business rather than overhauling your IT security framework.
The Need for a New Conversation
This is usually where the conversation ends with VoIP security, but my research says this is where it should start. If toll fraud were the only VoIP-related threat, I wouldn't be writing this article. Toll fraud will always be a target for small-time operators, but when you think about NSA, WikiLeaks, Stuxnet, or even the recent credit card fraud that hit Target, the major league hackers are after any and all forms of corporate data.
I'm not here to tell you what that milieu looks like, but as I noted earlier, think about the weak link in your security chain. In many cases, it's going to be VoIP, and when you look at the bigger picture, this is what those hackers see. Time and again, the culprit is the IP-PBX, mainly due to lax or nonexistent security practices. A lot of this is basic human error, so employee training is actually a big part of the solution.
Beyond that, though, the network itself needs help, and not just on the technology side: IT needs a more holistic view of VoIP security. For the vast majority of businesses, VoIP-related threats are evolving faster than you're able to handle, and until you understand the nature of these threats, you won't know what's truly at risk.
I explore these issues in greater depth in a white paper titled "VoIP Security--More Than IT Risk." The paper was sponsored by VoIPshield Systems, but the focus is very much on the problem set, as well as on various paths IT can take to address the risks. My research covered the gamut of stakeholders related to VoIP security, and given the consensus found, I believe this speaks to some real issues in our space, and I'm happy to share the findings with No Jitter readers. I'd love to hear your thoughts and move this discussion forward.