While your telephony solution may not immediately spring to mind when you think about security risks, you could inadvertently be giving hackers the keys to the kingdom.
Modern voice over IP (VoIP) telephony solutions run on the same kinds of networks that your computing systems do. Unfortunately, says Euphoria Telecom chief technology officer Nic Laschinger, they are seldom secured as tightly as your computer systems, and this makes them vulnerable.
“It’s important to realise that if someone can get to your telephony system they can get to your IT systems. A lot of people define their security at the perimeter. For example they deploy a firewall to keep people out. Once someone is inside, however, it’s relatively easy for them to get anywhere else, including to your operational IT systems and data,” he says. “People tend to ignore security on telephony systems as they don’t recognise them as fully-fledged computer systems. This can be a costly omission.”
Operational technology (OT), such as telephony systems and the systems running factories and power plants, is increasingly being recognised by attackers as a weak area.
According to the Fortinet 2022 State of Operational Technology and Cybersecurity Report, 93% of organisations surveyed had an intrusion in the past year, and 61% of those intrusions impacted OT systems. Worse, says Fortinet, it took hours to restore service in ninety percent of those cases.
Weaknesses in voice over IP systems and network or device compromises are increasing, resulting in losses for businesses globally. The 2021 CFCA Global Telecommunications Fraud Loss Survey highlighted that IP PBX hacking resulted in $1,82-billion worth of fraud that year. Spoofing, the most common telephony fraud method, cost businesses some $2,63-billion.
In addition to standard security measures like implementing IPSec (which secures data traffic across networks) and secure authentication, your cloud telephony provider should be implementing additional features and functions that help keep your telephone system secure. Laschinger outlines some of these.
* Ability to block international traffic granularly – While your business may need to make international calls, you likely only need to reach a selected handful of countries. Your telephone system should enable you to block calls to any destination that your teams have no reason to be calling, says Laschinger, rather than blocking by region, or blocking international dialling entirely.
* Ability to set dialling restrictions – Dialling restrictions allow you to block outbound calls from extensions that don’t need to call externally – for example extensions in kitchens or other common areas that only need to be reached by other people inside the business.
* Centrally controlled global contact lists – A centrally managed contact list makes it much easier to spot fraud because you can rapidly identify calls to numbers that are not on your contact list, or are personal calls. Your telephony system should provide a range of reports, which list not just the numbers called but the names of the people called. Spotting abuse is very difficult otherwise, Laschinger notes.
Reports should highlight the top ten most expensive calls, the most dialled numbers, the most dialled destinations and the user making the most calls, to help you spot call traffic that is fraudulent or abusive.
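The controls and reports listed above can be checked against call detail records (CDRs). The following is an added example, not code from the article or from Euphoria Telecom; the record layout, extensions, numbers, costs and policy values are all constructed for illustration.

```python
from collections import Counter

# Constructed policy values (assumptions for this example, not from the article).
ALLOWED_PREFIXES = ("+27", "+44")      # international prefixes the business needs
INTERNAL_ONLY = {"150"}                # e.g. a kitchen extension
CONTACTS = {"+27215550100": "Acme Supplies", "+442055501234": "London office"}

# Constructed call detail records: (extension, dialled number, seconds, cost).
CDRS = [
    ("101", "+27215550100", 300, 4.50),
    ("101", "102", 60, 0.00),                  # internal call
    ("102", "+442055501234", 600, 18.00),
    ("150", "+27215550100", 120, 1.80),        # internal-only extension dialling out
    ("103", "+99955500001", 3600, 410.00),     # destination outside the allowlist
    ("103", "+99955500001", 3500, 398.00),
    ("102", "+27825550199", 900, 13.50),       # allowed prefix, unknown number
]

def is_external(number):
    return number.startswith("+")

def flag_call(cdr):
    """Return the policy reasons a single call should be reviewed."""
    ext, number, _secs, _cost = cdr
    reasons = []
    if not is_external(number):
        return reasons
    if ext in INTERNAL_ONLY:
        reasons.append("restricted-extension")
    if not number.startswith(ALLOWED_PREFIXES):
        reasons.append("blocked-destination")
    if number not in CONTACTS:
        reasons.append("not-in-contacts")
    return reasons

def report(cdrs, n=10):
    """Build the top-N views the article lists, over external calls only."""
    ext_calls = [c for c in cdrs if is_external(c[1])]
    return {
        "most_expensive": sorted(ext_calls, key=lambda c: c[3], reverse=True)[:n],
        "most_dialled": [(num, CONTACTS.get(num, "UNKNOWN"), k) for num, k in
                         Counter(c[1] for c in ext_calls).most_common(n)],
        # Crude destination key: first three characters of the dialled number.
        "top_prefixes": Counter(c[1][:3] for c in ext_calls).most_common(n),
        "top_callers": Counter(c[0] for c in ext_calls).most_common(n),
    }

if __name__ == "__main__":
    print([(c, flag_call(c)) for c in CDRS if flag_call(c)])
    print(report(CDRS, n=3))
```

Attaching contact names to dialled numbers, as the `most_dialled` view does, makes the unknown high-cost destination stand out immediately.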