As they adopt Voice over Internet Protocol (VoIP) , companies should beware that the technology will draw more attention from hackers, spammers and other threats. Industry experts said investing in VoIP today could be opening the door for trouble tomorrow -- unless users are prepared.
VoIP technology allows users to route voice calls through the Internet. This can reduce costs by eliminating toll charges, among other possible benefits. But ripping out an existing phone system and replacing it with VoIP ties the phone system into the data network, exposing the phones to the same kinds of security risks as the data network. The spamming, phishing and denial-of-service attacks that keep network administrators tossing and turning in bed at night could also affect VoIP phones.
Without a large IT staff and backup systems of larger companies, SMBs might be at even more risk.
VoIP by the numbers
IT research firm Info-Tech Research Group estimates that 50% of small and midsized businesses will adopt VoIP technology within the next three years, up from 23% now. Lower prices, easier implementation and smaller security risks will drive the growth, said George Goodall, a research analyst at Ontario, Canada-based Info-Tech.
"The risks will increase, but the benefits will outweigh the risks," Goodall said. "It's going to get a lot more attention, a lot more development attention and be supported more ubiquitously."
To stave off a new set of threats, a group of VoIP industry leaders this year formed the VoIP Security Alliance. The group intends to help organizations understand and prevent VoIP security risks through research and education. Members include 3Com Corp., Alcatel, Avaya Inc., Columbia University, Ernst & Young and Symantec Corp.
Knowing that security measures historically lag behind IT advances, the group's short-term goal is to develop a dictionary and taxonomy of threats and document security requirements for VoIP networks, according to its Web site.
Because VoIP connects through the Internet, it requires the same safeguards as a data network, like identity management, encryption, patch management, traffic segregation, intrusion detection and antivirus measures, said Jeffery Stutzman, director of threat and vulnerability services for PricewaterhouseCoopers LLP. Chief information officers then have to think about managing the lifecycles of these safeguards, which Stutzman estimated to be two to three years.
Easy does it
Short-staffed SMBs should be aware that they could have trouble fitting the skills of employees dedicated to either the data network or the phone system to a new, converged VoIP system, Stutzman said.
Goodall advises SMBs to implement VoIP in stages, possibly starting with internal company use over a LAN as a way of testing the waters, when a new office branch opens or instead of performing costly repairs. This will help minimize security risks.
"Hedge your risks, install inside the organization first," Goodall said. "Use it for a PBX [private branch exchange] overlay or augmentation. Expand your system, play around a little bit before you go for a full forklift upgrade."
For example, most companies would never notice an e-mail delayed by five seconds because of an overloaded network, but phone conversations delayed by five seconds could spell disaster for business. Businesses can be caught by surprise this way if they move too quickly, Goodall said.
"We learned a lot of lessons from traditional IP, so VoIP will piggyback on that," Goodall said. "The same sort of rigor is going in to VoIP."
Lower costs drives VoIP choice
John Lovejoy, CIO of Santa Clara, Calif.-based industrial laser manufacturer Coherent Inc., has taken a baby-steps approach to implementing VoIP.
His company opened a new 18-person office in Ely, England, earlier this year. The combination of potential cost savings, his views of the future direction of phone technology and the opportunity to test drive a new technology without having to replace legacy systems gave him the perfect opportunity to try it out.
He is also pleased that the trial period gives him a better sense of what to expect if he plans a companywide rollout for all 2,400 employees.
Switching to VoIP can cost a lot in terms of new hardware expenditures, Lovejoy said, so companies shouldn't expect a large savings right out of the gate. Instead, reduced maintenance costs and streamlined systems will lead to savings over time, he said.