Using VoIP internally is as secure as traditional phone lines, as long as the internal IT infrastructure is secure, So that’s relatively straightforward. The calls are being made within an internal system, and external hackers cannot easily intercept the data.
However when calls are made outside the internal infrastructure, they become more vulnerable. The features which make your Ringover phone system so powerful and versatile also make it attractive to potential hackers and exploiters, who particularly appreciate the way your phone system integrates with so many interesting databases — like your CRM, or your product catalogue. This combination of intellectual property and personal data of value to people who want to do bad things with it.
So, it’s vitally important to:
1. Use a VoIP business phone system which has industry-leading security features and inbuilt protections, just like Ringover.
2. Understand the risks and how to use business data and communications assets safely and responsibly at all times.
Who is trying to hack my business phone system and why?
If you do an image search for phone hackers, you’ll probably turn up a load of photos of young guys in hoodies, sitting alone in darkened rooms, while inexplicable reams of bright-green code leap from the screen and illuminate their faces.
The reality is both more mundane and more alarming: Data theft is big business, increasingly carried by highly organised and well-funded teams. They operate at state level in some cases, and in others have connections to global organised crime. Top practitioners are actively headhunted and handsomely rewarded, in the perpetual arms race between the bad guys and the agencies who try to stay one step ahead and protect users.
Much of the bad actors’ work is opportunistic, and so far as potential victims are concerned, completely random. That’s because it’s so easy to do what they do at scale — send a billion phishing emails or brute-force a million passwords, and they only need a tiny proportion of recipients to take the desired action for success.
Creating the automations and content around the backend of the scam takes all the effort and investment, much like the design of a legitimate marketing funnel, and sending it out to another million emails here and there is a marginal additional cost (the emails are doubtless stolen anyway). So if you are the unlucky victim, one small upside is that it’s unlikely to be anything personal.
Hardening your internal procedures
Fortunately, there is much that information security professionals can do to ensure that the security features of VoIP phone systems are protected by intelligent usage and strong protocols on the user side, making VoIP security a shared responsibility and goal at all times.
- Enforce a strong password policy, requiring all users to employ unique, strong passwords at all times, and store them only within an acceptably robust password manager specified by the IT security team. It used to be recommended that passwords were regularly changed, but this often led to compromises in other areas — so it’s more important that passwords are complex and long, and never reused.
- Make sure that remote or off-site users in particular are connecting securely, using VPNs, and encrypting their connections appropriately.
- Manage access intelligently. Within the Ringover dashboard it is the work of a moment to activate new inbound and outbound numbers, for example to permit local presence in a new campaign. But you should review usage and deactivate services no longer required on a regular basis, to save on subscriptions as well as increasing security.
- Manage usage by need: further to the above, consider each user account individually, and enable exactly what is needed and nothing more. If someone has no need to call a particular country, for example, lock it down — you can easily add services if that user’s needs change, and in the meanwhile they cannot be tricked into calling a scammer’s number there.
- Monitor actively. Review your call logs and set alerts to ensure your usage remains within expected parameters. Sales people need to make a load of outbound calls, an administrator maybe fewer… So, something is amiss, if they are suddenly hitting up a series of premium rate mobile lines on the other side of the world.
However well you manage things internally though, the single best thing you can do to protect your VoIP phone system and other cybersecurity protection is to outsource as much as possible — to a respected and established international provider like Ringover.
Consider — if you were installing an alarm system to protect your home, would you build it yourself from bought components, then monitor it round the clock to ensure it worked? Fix it up when better technology becomes available, and take on the personal responsibility for ensuring you were one step ahead of the burglar’s techniques at all times?
Of course not, you’d contact a local alarm firm and get them to instal their gear at your end, then take care of all the monitoring and patching and responding remotely. A monthly subscription would be well worth that peace of mind.
And that’s exactly how it works with a business cloud phone system too. You don’t have to worry about DTLS-SRTP encryption of your data in transit or at rest. You don’t have to worry about compliance with regulations like GDPR (all Ringover customer Information resides in secure EU-based data centres at all times.)
You don’t have to think about how your call gets routed — as a member of RIPE (European IP Network AS201188), Ringover calls are securely passed through the safest and biggest international telephone operators: Orange, SFR, COLT, BICS, etc. And whenever new threats emerge — as they continually do, in the information security environment — you can be confident of patches and solutions being swiftly in place, often before you even become aware of their existence.
Among the many advantages of moving your business communications into Ringover’s transparent per-user-per-month subscription service, is being able to outsource a significant part of the worry, about the technical aspects of security for your business phone systems.
All you have to worry about is your internal side, of the security jigsaw puzzle:
Always the weakest link...
While you can protect yourself through your choice of VoIP phone system, the safest business phone system available would theoretically be one that had no human operators involved in it at all...
But while Ringover’s powerful IVR and messaging features amplify and enhance the presence of human operators to unexpected levels, you do still need both inbound and outbound callers to be able to use the phone sometimes!
And as always, it’s those humans who are the most vulnerable to being tricked and deceived.
Therefore, as well as installing a VoIP business phone system with industrial grade security features, it’s essential that all users receive regular awareness training in its safest use, and that this is underpinned by robust internal procedures.
Those international hacker networks don’t only employ some of the world’s most advanced information security people, they have a lot of less technically specialised people on the payroll as well, whose job it is to work on the human side. Trawling through publicly available information, and combining different snippets of data together, to create a matching set of credentials which unlocks access to precious private accounts.
Regular data protection training in-house should include:
- Awareness of over-sharing in social media quizzes and similar: “your pet’s name followed by the name of the first street you ever lived in, is your gullible fool name!” Just don’t do it! All these kinds of questions are typically used to recover access to accounts in password resets, and should never be casually commented on in the public domain.
- How to secure personal devices appropriately, if they are used for business communications. Ringover’s range of apps is great for enabling BYOD working and supporting users to collaborate from anywhere via their favourite tools, but with this versatility comes some user responsibility, in managing those endpoints securely.
- Awareness of how to handle casual requests for information, about themselves, the business, or their customers. It is illegal to disclose personal information to a third party without a specific reason for doing so under relevant data protection law — so, no, you can’t confirm your boyfriend’s registered birthday so as to help someone plan a surprise treat.
- Understanding of how to verify requests for information, and confirm that enquirers are who they say they are.
This final point can be actively tested and mystery shopped, and this is a good way to put theory into practise and identify remediation training needs.
For example, a caller says they are from the IT department and need to check your password, or your bank phones to confirm details of a recent transaction — how does the recipient respond?
They should be aware that no one will EVER ask them to share a password by phone or any other way, and that if someone says they are from your bank or other trusted third party, the only way to verify this is to call them back on a publicly available number. If a patient phones to request results of a sensitive health screening, then they should be asked to provide proof of identity via pre-established security questions (preferably ones they haven’t shared in a Facebook quiz), before the result is disclosed.
It’s exactly these awkward, personal situations, where people are at their most vulnerable to manipulation and coercion, as they have to indicate a lack of trust to the caller. It’s much easier to go along with what they say about who they are, not to break the established rapport, and wind up breaking a customer’s confidentiality — or blowing their employer’s carefully constructed security protocols wide open — by accidentally giving a bad actor the last piece of info they need to compromise their recovery email settings.
Work from anywhere, and secure from anywhere
As different parts of the world unevenly emerge from restrictions on where we can work and travel, it’s particularly important to bear in mind the impact that also has on security awareness and behaviour.
For example, it’s only natural for everyone’s guard to be lowered when they are working from home unexpectedly, because home is a place identified with safety. It feels like the most secure place you know…
But perhaps you don’t even realise that you have walked too far down the garden while on a call, and your personal mobile has defaulted over to the Wi-Fi at the pub over the road, which is completely unsecured with no password at all. Suddenly, the advice you followed from your office IT guide to secure your own router and Wi-Fi connection is completely invalid, and despite the Ringover end of the call being securely routed via encrypted servers, the last few yards of the connection via your own handset is wide open to the world.
Another thing to bear in mind, is that sadly, bad actors are opportunists.
Situations like a global health crisis are a gold mine for them, and in 2020 Covid-related scams proliferated: Click this link to see who you’ve been exposed to as a risky contact, enter your date of birth here to book your vaccination. High-speed PCR testing for travel? Enter your bank details now (a tiny proportion of the millions who got that SMS had just booked emergency travel for compassionate reasons, and were distracted enough to assume that message had come straight from their airline).
Continual vigilance is the only solution.
The safest VoIP phone system: A shared commitment
Ensuring we move forward into the new reality with robust and secure business communications will require responsibility to be shared, between the cloud phone provider, the business and its information security systems, and ultimately — every end user.
This will make certain we can continue to work safely and flexibly, wherever the new normal takes us, and on any approved device. Effective cybersecurity depends on every link in the chain being maintained in an aware and intelligent way, and we all have a part to play.