First things first: Know the security differences between POTS (plain old telephone service) and VoIP, particularly cloud VoIP. If you have PSTN service or an on-premises PBX system, then you, the customer, are in charge of its security. A cloud phone system, like OnSIP hosted VoIP, splits the responsibility. Yes, the bulk of it is under the provider’s care, but as a subscriber to that service, you too share responsibility for closing that security loop.
When anything is connected in the cloud, including UCaaS, it requires a shared security model. Unfortunately, there’s no standard out there for shared security, so it comes down to individual service-level agreements between the customer and provider. So how do you go about choosing a VoIP provider in light of this knowledge, and what steps should you take in the workplace(s) once you’re set up?
We know that choosing a business service provider usually focuses on pricing and specific feature needs. However, as with any cloud service, it’s imperative that you prioritize VoIP network security when browsing vendors. Here are some key steps to take:
For enterprise companies, put your expanded resources to work! Review audit reports from potential VoIP providers. Develop a list of questions to ask them, as if you were preparing for an interview. Vendors should be happy to discuss your concerns. If they dodge security questions, happily move on from that bright red flag.
For the more bootstrapped SMB, dive into resources freely available online. Search the company on Trustpilot or other customer review sites. Look up industry reports like Gartner’s annual Magic Quadrant Report. Even check out platforms like Glassdoor to see how employees feel about their workplace: a revolving door isn’t the best sign.
There are the general questions you should ask a potential VoIP provider. And then there are the security questions. Find out if the VoIP service uses encryption. If yes, read on! If no, look elsewhere. VoIP providers like OnSIP offer end-to-end encryption for fully secure voice and video calls. Not all providers do! Unfortunately, many of the cheaper options out there are inexpensive because they don’t have encrypted services or only offer them on a premium plan. Ask about the specific VoIP encryption used (look for these acronyms: TLS or SRTP) and whether it’s part of the core service or an add-on. With clear security terms, you’ll know exactly which elements in the shared responsibility model are under your care and which are the vendor’s responsibility. An example could be firmware and software patches on your VoIP phones: Does the vendor manage those or do you?
Don’t stop when you reach the contract negotiation stage. A crucial step here is nailing down security agreements in writing. Ask everything about the terms; even if you’re a smaller business without much sway, it’s always better to ask and see than to accept what’s given. That interview scenario we mentioned earlier? This is the part where you negotiate the salary you’re worth instead of accepting the first offer.
Once you’ve settled on a VoIP provider and are all set up, here are the top things to track in order to maintain the system security you painstakingly researched and chose:
This should be your first step with any new hardware or software. Factory default passwords and broad permissions are the stuff of hackers’ dreams. Change everything immediately (perhaps using a secure password generator?), and while you’re at it, run through security permissions. There’s absolutely no reason why everyone in your company should have access to every level. Limit access to a need-only basis to protect yourself against security breaches. Maybe your staff writer has terrible password habits or never updates her computer. It takes one good phishing attempt to compromise her credentials, so close off any doors she doesn’t need open to do her job.
VoIP phones aren’t automatically behind your corporate firewall. On the bright side, they do have user- and admin-accessible interfaces to configure those exact security settings. Before you think you couldn’t be bothered, remember this: Nearly every password-protected account and device you own locks itself after a few failed login attempts—VoIP phones don’t. Unfortunately, this makes them particularly susceptible to brute-force attacks if left unconfigured.
Security updates go out regularly for a reason, folks! Software and firmware updates are your friend. But it’s in your best interest to vet those updates before installing willy-nilly. Check the security terms in your contract. If your vendor handles update testing and deployment for your phones, be aware of the update cycle so that you can check in when it’s been a while.
If you had a shudder-filled flashback while reading that header, good—tap into that fear. VoIP fraud is sneaky and can go unnoticed for a long time, leaving you with the kind of phone bill that had you dodging dinnertime in high school. The best way to stop it in its tracks is to keep tabs on your usage and learn the typical highs and lows so that you can spot abnormalities. Hopefully you chose a properly secure VoIP provider so you’re protected from major hacks like this one. But cyber threats constantly evolve, and as we mentioned before, just one human error can leave your system vulnerable.
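One way to do the usage tracking described above, shown as an added example rather than OnSIP's tooling or any provider's API: learn a per-hour baseline from past call records and flag hours that exceed it. The record layout (start time, duration in seconds), the thresholds k and floor, and all sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

def hourly_minutes(records):
    """Sum outbound call minutes per (date, hour) from (start_iso, seconds) records."""
    totals = defaultdict(float)
    for start, seconds in records:
        ts = datetime.fromisoformat(start)
        totals[(ts.date(), ts.hour)] += seconds / 60
    return totals

def build_baseline(history):
    """For each hour of day, return (mean, stddev) of minutes across the history days."""
    totals = hourly_minutes(history)
    days = sorted({d for d, _ in totals})
    baseline = {}
    for hour in range(24):
        # Hours with no calls on a given day count as zero, so quiet nights are learned too.
        samples = [totals.get((d, hour), 0.0) for d in days]
        baseline[hour] = (mean(samples), pstdev(samples))
    return baseline

def flag_anomalies(baseline, today, k=3.0, floor=10.0):
    """Return [(hour, minutes, limit)] where usage exceeds mean + k*stddev + floor.

    floor is a fixed margin in minutes so that one short call in a normally
    silent hour (mean 0, stddev 0) does not raise an alert.
    """
    by_hour = defaultdict(float)
    for (_, hour), minutes in hourly_minutes(today).items():
        by_hour[hour] += minutes
    flagged = []
    for hour, minutes in sorted(by_hour.items()):
        avg, sd = baseline[hour]
        limit = avg + k * sd + floor
        if minutes > limit:
            flagged.append((hour, round(minutes, 1), round(limit, 1)))
    return flagged

# Constructed history: five weekdays, three calls per office hour, silent nights.
HISTORY = [(f"2024-03-{day:02d}T{hour:02d}:15:00", 600 + 60 * (day % 3))
           for day in range(4, 9) for hour in range(9, 17) for _ in range(3)]
# Constructed "today": normal daytime traffic plus twelve 25-minute calls at 02:00.
TODAY = [(f"2024-03-11T{hour:02d}:15:00", 660) for hour in range(9, 17) for _ in range(3)]
TODAY += [(f"2024-03-11T02:{m:02d}:00", 1500) for m in range(0, 60, 5)]

def demo():
    return flag_anomalies(build_baseline(HISTORY), TODAY)

if __name__ == "__main__":
    for hour, minutes, limit in demo():
        print(f"{hour:02d}:00 used {minutes} min, expected at most {limit} min")
```

Feed it the call detail records your provider lets you export, and tune k and floor until normal busy days stop alerting.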
These tips and tricks are a good start to VoIP network security. For a full rundown on keeping your system secure, check out our VoIP security checklist.