VoIP Security: Best Practices

Plenty of businesses make much of VoIP, but you don’t often hear much about security. According to the FSB, small businesses in the UK collectively suffer up to 10,000 cyberattacks per day. The last thing any business wants is to move over to a telephone system that leaves them more vulnerable to attacks.

The problem with VoIP is that it is only as secure as you make it. Depending on your deployment, either your business or your provider would be responsible for the security of your business telephone system.

With that in mind, let’s take a look at some of the VoIP security best practices.

VoIP Security: Best Practices

When you’re using VoIP, voice data is transmitted over a data connection rather than a traditional phone line. Without the right security procedures in place, the data can be intercepted. Security breaches can cripple a business, so it’s important to make sure you follow these security best practices.

  • Use secure user credentials
  • Keep firmware up to date
  • Ensure your network is robust
  • Control unnecessary access to onsite equipment
  • Educate users on cybersecurity
  • Use a provider with accreditations and a good security track record

Use Secure User Credentials

Even the most secure network can be vulnerable if an end user doesn’t take security seriously. It is very important that you have a credential management policy in place. More importantly, you must make sure that your employees pay attention to the policy and follow the conditions that it sets out.

If you don’t have a credential management policy, you need one. If you do, modify it and apply it to VoIP.

A credential management policy is essentially a set of rules that all of your employees should follow regarding passwords. It’s possible that you already have a credential management policy in place for other business processes, such as CRM access. In layman’s terms, this policy will set out conditions such as:

  • How often employees should change their passwords
  • How complex passwords should be (for example, saying all passwords should contain punctuation and numbers)
  • How many times an employee can use the same password

If you have this policy in place, you need to also apply it to VoIP. For example, this policy could state that your employees should change their VoIP portal login details every 30 or 60 days.

If you don’t have a credentials management policy in place, it’s time to create one. According to Shred-it, more than 40% of senior executives and small business owners report that employee negligence or accidental loss was the root cause of their most recent data breach. Such a damning statistic highlights the importance of having policies in place that instruct your staff on how to keep their software and hardware secure.

Keep Firmware Up To Date

We all, hopefully, appreciate the importance of updating our computers, mobile phones, and network hardware if a security update is released. Did you know that your IP phones also need to be updated? According to Michael Fontana, Director of telecommunications company Optionbox, some businesses have never updated their IP phones because they don’t know they need to be updated.

“In many deployments, the VoIP provider can push updates to IP phones without the customer’s involvement. This isn’t always possible, so businesses may need to manually update their devices,” Michael Fontana says. “Because of a lack of education around how IP phones function, businesses may not know their devices need to be updated. This can leave them at risk, as firmware updates often include crucial security patches.”

Regularly check for the latest firmware to ensure your IP phones don’t miss out on important security patches.

Remembering to regularly check for firmware updates probably isn’t at the top of your mind with all the other tasks on your plate. Put an update schedule into place to make sure this isn’t something that gets forgotten, considering how much a breach could cost your business.

Ensure Your Network Is Robust

Previously, your IT network and telephone system would be entirely separate things. You would have different teams looking after them. If you use VoIP, your IT team can look after everything as VoIP will use your IT network. As VoIP uses your network, the security of VoIP depends greatly on how secure your network is.

How secure is your network? If your network isn’t as secure as it could be, that is a big risk. If you’re unsure about how secure your network is, a good starting point is a network audit. A network audit will help you identify and assess possible security vulnerabilities, as well as how effective your firewall and anti-virus software are.

[Infographic: Some tips for network security]

Protecting your network is challenging and doesn’t guarantee your business cannot be affected by hackers. However, the more security you have in place, the harder it is for threat actors looking to attack your company.

In the infographic above, I’ve detailed some tips for securing your network and keeping it protected against hackers.

  • Use a firewall: You should set up firewalls on all your devices, as well as a web application firewall. A firewall is an essential network security feature.
  • Update antivirus: Most computers will have antivirus on them – if not, that’s cause for concern. But antivirus needs to be updated regularly to effectively protect your devices.
  • Keep equipment secure: Where is your network equipment in your office? Is it in a secure place, or is it accessible to all? No matter how much you trust your staff, keep your equipment in a secure place where only the appropriate people can access it.
  • Train your team: Employees are often at fault for security breaches. That’s why educating your team is just as important as keeping your software updated and your hardware secure.
  • Use a VPN: A VPN prevents hackers from being able to see your activities, communications, and browsing history. If you have employees who work outside of the office, a VPN is essential.

Control Unnecessary Access To Onsite Equipment

This all comes back to keeping your network secure. Regardless of how much you trust your employees, you must limit access to your onsite equipment.

Your network equipment should be stored somewhere that is only accessible to your IT department, or whoever is responsible for maintaining your hardware. This is vital to keeping your network uncompromised.

If your network equipment is in a location accessible to many, secure the area with solutions such as an access log or CCTV cameras. Whatever you have to do, you must ensure that your equipment is protected and only accessible to people who actually need access.

Educate Users On Cyber Security

All the security solutions in the world are useless if the people using your VoIP system aren’t educated on cyber security and, more specifically, VoIP security. Educated users are the first line of defence, but on their own they are not enough to keep your VoIP system secure. However, cyber security-aware employees are savvy enough to do their part when it comes to keeping your system secure.

Educating users on keeping VoIP secure is as simple as:

  • Explaining what secure credentials are and why they are so important
  • Demonstrating signs that would suggest abnormal and potentially dangerous activity
  • Instructing on how to deal with phone calls where confidential data will be exchanged

According to several studies, human error tends to be the biggest reason for cyber security breaches. With this in mind, it is important that your staff understand cyber security. Understanding cyber security is paramount to keeping your voice over IP telephone system secure.

Choose A Provider With Accreditations and A Good Track Record

Depending on your VoIP deployment, you may be dependent on your provider to take security seriously. For example, if you have a cloud PBX, you rely on your provider’s security more than you would with an on-premises PBX.

If your voice over IP deployment is dependent on your provider’s security, choosing the right provider is a very important decision. You’ll need to know:

  • What accreditations does the provider have?
  • How has the provider previously responded to security breaches?
  • Does the provider offer call encryption?

If you are choosing a provider based on their accreditations and certifications, here are the most important things to look out for:

  • ISO/IEC 27001: This accreditation is offered to businesses that have demonstrable evidence that they assess security threats and suitably respond to them. If you see a VoIP provider with this accreditation, it means that the company has implemented effective security protocols.
  • SOC 2: If you choose a provider that is SOC 2 compliant, it means the business has practices in place to guarantee customer trust. For example, a SOC 2 compliant business will have rigorous protocols when it comes to security, data integrity and privacy.

As you can probably tell, these certifications will offer you peace of mind that you are working with a company that takes VoIP security seriously. On the other hand, businesses without these accreditations might not. If you need to ensure that your phone system is secure, you must choose a provider with these accreditations.

Furthermore, you must also know how your provider has dealt with security breaches in the past. If the provider hasn’t dealt with security breaches, you need to know how they plan to deal with them in the future.

Lastly, you want to ask your provider about call encryption. Several protocols are used to encrypt VoIP, including TLS and SRTP. Depending on the industry that your business operates in, call encryption might be essential to the way you operate. If that is the case, you need to make sure you choose a provider that offers encrypted calls.
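To check what a provider actually negotiates, you can inspect a call setup message: TLS protects the SIP signalling, while SRTP protects the audio itself. The following is an added example, not part of the original article or any provider's tooling; the SIP messages are constructed samples and the function name `audit_call_setup` is hypothetical.

```python
import re

# Constructed SIP INVITEs with SDP bodies (sample input, not captured traffic).
ENCRYPTED = (
    "INVITE sips:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/TLS pbx.example.com:5061;branch=z9hG4bK776\r\n"
    "Content-Type: application/sdp\r\n\r\n"
    "v=0\r\n"
    "m=audio 49170 RTP/SAVP 0\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED_PLACEHOLDER_KEY\r\n"
)
PLAINTEXT = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP pbx.example.com:5060;branch=z9hG4bK777\r\n"
    "Content-Type: application/sdp\r\n\r\n"
    "v=0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)
# SRTP offered, but the SDES key travels over unencrypted UDP signalling.
KEY_EXPOSED = ENCRYPTED.replace("SIP/2.0/TLS", "SIP/2.0/UDP").replace("sips:", "sip:")

def audit_call_setup(message):
    """Report whether one SIP message shows TLS signalling and SRTP media."""
    head, _, sdp = message.partition("\r\n\r\n")
    # The topmost Via header names the transport used on this hop only.
    via = re.search(r"(?im)^(?:via|v)\s*:\s*SIP/2\.0/(\w+)", head)
    transport = via.group(1).upper() if via else "UNKNOWN"
    signalling_tls = transport in ("TLS", "WSS")
    # Each SDP "m=" line is: media type, port, transport profile, formats.
    profiles = [f[2] for f in (l[2:].split() for l in sdp.splitlines()
                               if l.startswith("m=")) if len(f) >= 3]
    # Secure profiles: RTP/SAVP, RTP/SAVPF and the DTLS-SRTP UDP/TLS/RTP/SAVP(F).
    media_srtp = bool(profiles) and all("SAVP" in p for p in profiles)
    sdes_key = any(l.startswith("a=crypto:") for l in sdp.splitlines())
    findings = []
    if not signalling_tls:
        findings.append(f"signalling sent over {transport}, not TLS")
    if not media_srtp:
        findings.append("media offered as plain RTP, not SRTP")
    if sdes_key and not signalling_tls:
        findings.append("SRTP key (a=crypto) visible in unencrypted signalling")
    return {"signalling_tls": signalling_tls, "media_srtp": media_srtp,
            "findings": findings}

if __name__ == "__main__":
    for name, msg in [("encrypted", ENCRYPTED), ("plaintext", PLAINTEXT),
                      ("key exposed", KEY_EXPOSED)]:
        print(name, audit_call_setup(msg))
```

The third sample shows why the two protocols belong together: SRTP whose key is exchanged in unencrypted signalling can be decrypted by anyone who sees the call setup.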

Jack Mitchell

Jack Mitchell has been the Operations manager at telecoms and MSP Optionbox for more than 4 years. He has played a crucial role in the company, from marketing to helpdesk, and ensures that the IT requirements of over 300 clients are continuously met. With his innate passion for technology and troubleshooting and a particular interest in Apple products, Jack now delivers the most comprehensive tech guides to make your life easier. You can connect with Jack on LinkedIn.
