As voice-over-IP matures to the point where more businesses see it as a cost-effective and flexible alternative to traditional phone services, CIOs may have to start paying greater attention to the possible security issues, according to IT executives who gathered for a roundtable discussion earlier this week.
Ned Zecevic, vice-president of information systems at Canaccord, told the Avema Corp.-hosted event that his firm switched to VoIP nine years ago and hasn’t looked back. However, the increased reach of such communications technology may open the door for greater risk exposure.
“We have never had any issues on VoIP where we needed to have more security. I think at this point, it’s a very solid system,” he said, adding that part of VoIP’s appeal is the ability to centralize and manage phone services from one location. On the other hand, the geographic reach of VoIP users is spreading as employees work remotely, which may require some double-checking.
“People may want to be able to change settings on the phone from home, but that needs to be secured. That’s the next generation that’s coming,” he said. “In that case, you need to talk more about security and make sure your network is set up to handle it. And you have to make sure if you’re at home and have Wi-Fi on, to make sure it’s hidden, that no one can see those kind of things.”
Most people probably think of voice mail or phone conversations as being less important than e-mail and other confidential files that travel across corporate networks. That’s a mistake, suggested Eric Boehm, a partner in the IT practice at law firm Borden Ladner Gervais LLP. He said that in some cases, the legal liability around what gets discussed via VoIP can be huge.
“There are no particular rules based on privacy laws, but the law does say you have to take reasonable safeguards (to protect personal information). As we have more security breaches in organizations, the standard for what is reasonable is going up,” he said. “There’s considerable liability if you don’t meet that standard.”
Perhaps even more challenging are relatively new areas of legislation such as the Canadian Anti-Spam Law (CASL), which may influence the way VoIP calls are treated. Boehm pointed out that just as CASL tends to consider all e-mail as spam unless the recipient has given clear consent to receive a message, most mobile device management software has some kind of monitoring features to identify possible malware or other threats. That could mean a need for greater transparency towards end users, he said. “Vendors need to be disclosing this kind of stuff,” he said, citing the NSA wiretapping scandal in the U.S. as an example of the potential fallout. “Companies will have to start telling these people what’s happening, and be proactive in updating policies and describing the things that are going on.”
Aldo Fazzalari, sales engineering director at Avaya Canada, urged CIOs to treat voice apps as distinct from data applications and to secure the traffic separately. Session border controllers (SBCs) are a help in this area, he said, as they provide a greater ability to capture, prioritize and analyze voice traffic from a soft client.
“A big part of this is doing a network assessment to make sure your network will support the voice traffic you’re generating. Do you have holes in ports, in your firewalls?” he said. “That strikes at the heart of a change from legacy voice technology to new technology like VoIP.”
For Zecevic, it’s been more than worth the effort. He said VoIP has also brought Canaccord greater disaster recovery and business continuity planning, as well as a way to move beyond the old days of installing small private branch exchanges (PBXes) everywhere.
“The infrastructure is easier to run. You don’t need to have an expert in certain areas anymore,” he said. “You just don’t have a choice, I think. It’s not easy to make ROI initially, but it’s a case of making a strategic approach and a decision to go with VoIP and seeing the benefits over time.”