subscribe: Daily Newsletter


Human factor the weakest link in VoIP security chain


The contact centre organisation’s first and most important step to maximise security is in the hiring process says Dave Paulding, Interactive Intelligence’s regional sales manager for UK and Africa.

In spite of the negative publicity around voice over IP (VoIP) security issues, the truth is that current safeguards for IP communications are providing a tighter wall of protection for contact centres than ever before in the history of telecommunications.  Industry standards such as Session Initiation Protocol (SIP) offer rigorous criteria for user authentication and message encryption in a VoIP environment.
However, experts agree that no amount of sophisticated technology can ensure secure voice and data interactions without the proper processes and committed personnel to abide by them. Even if the technology is the “most encrypted in the world”, the security of a system is only as good as the policies in place to enforce it, and the staff’s discipline to follow security processes.
While traditional telephony systems were as vulnerable to malicious attacks as VoIP systems, the proliferation of VoIP – as well as some recent high-profile security breaches – has brightened the spotlight on security.  One of the results is that businesses are now far more aware of the human-related vulnerabilities in the security chain.
Employees can put an entire company at risk when they ignore security processes or deliberately circumvent them for personal gain.  One of the most important paths an organisation can take is during the hiring process.  A thorough personal background check on a potential employee is the best defense against potential security violations should the candidate be hired.
Companies also need to ensure that security processes are integrated throughout the business.  Done correctly, an organisation’s workforce can actually strengthen security measures, but if it is not executed across the enterprise, employees can be the security system’s greatest weakness.
While people and processes are critical links in the security chain, there is no doubt that top-class technology is as important.  While the standards themselves provide extremely effective security measures, IT teams must focus systems security on three crucial objectives: fraud prevention, availability of the system, and protection of confidentiality.
As much as possible, the system should be configured to prevent fraud or malicious use.  Should an attack occur, IP servers, data servers, phones and other devices must remain functional to provide the required business continuity and keep the door open to the organisation and employees.  The system should also preserve the confidentiality of any audio or stored data.
In South Africa, the confidentiality of stored data is increasingly becoming an issue.  Regulations require many companies to record and log calls as evidence of the contract between a customer and the company.  Historically, contracts were always written and signed documents, but because many contracts are now made verbally via a call centre, these need to be recorded.
South African companies, particularly large financial institutions are driving the demand for technology to encrypt the voice recording.  Currently, this data is not encrypted, leaving organisations open to employees tampering with the recording – either blanking a part of the call, editing the data (like changing R3 000.00 to R300 000.00), etc.  
Companies should work with vendors who can provide this level of encryption, as well as check how reliably its solution integrates standards, processes and people for a more fail-safe security system.