VoIP security barely a blip on SMBs' radar

By Shamus McGillicuddy, News Writer 24 Jan 2007 | SearchSMB.com

Technology news and tips for midmarket CIOs Digg This!     StumbleUpon     Del.icio.us

Richard Ridolfo, CIO of Simat, Helliesen & Eichner Inc., a New York-based aviation consulting firm, said security concerns affected how he rolled out VoIP.

We prohibit the use of free commercial service because I don't believe the technology is mature yet. Richard Ridolfo CIO, Simat, Helliesen & Eichner Inc.

"We're using company-owned VoIP infrastructure, and we are using it on encrypted, controlled data paths," Ridolfo said. "And we prohibit the use of free commercial service because I don't believe the technology is mature yet."

But when Ridolfo was looking at VoIP offerings, he saw no mention of security in vendors' marketing messages.

"As with anything, the risk [of a security breach] is theoretical risk right now," Ridolfo said. He said today it's much easier to write a virus or steal data off a file-sharing system than it is to build an exploit for VoIP.

"Does that mean someone isn't working on it right now? No," Ridolfo said. "A high-profile attack, such as a single, crucially important phone call, that will be intercepted, whether it is commercial or government. Then you'll see a bunch of those in short succession. Then there will be a big push to introduce security."

In a recent survey by the Computing Technology Industry Association Inc. (CompTIA), an Oakbrook Terrace, Ill.-based provider of vendor-neutral certifications, 50% of 350 SMBs said they trust the security offered by IP telephony vendors. This number was up slightly from 48% last year.

Steven Ostrowski, director of corporate communications at CompTIA, said concerns about security should provide an opportunity for vendors and resellers who can show they have the expertise to protect customers.

Smaller businesses are relying on solution providers or value-added resellers and system integrators to provide guidance. "They're looking to them to make sure their total security solution is in place -- that not just email, but all voice and data communications are secure," he said. "On the one hand it's a challenge for solution providers to address the issue. On the other hand, it might be an opportunity for them to increase their business if they can show they have the expertise and can protect networks."

Voice is just as vulnerable to exploits as data communication, Ostrowski said, "because at the end of the day it's running over an IP network and it's 'packetized' data."

One analyst was surprised by how many SMBs said they felt VoIP was secure.

"I would say that number is extraordinarily high to me," said Gary Chen, an analyst at The Yankee Group, a Boston-based research firm. "Right now there is no VoIP security, because people haven't thought about it."

Chen said the population of VoIP users is still too small to attract the attention of hackers. But it's only a matter of time.

"It's going to come," he said. "When the population is there, hackers will go for it."

More on VoIP VoIP: The migration dilemma Secure VoIP in simple steps

Chen said some VoIP vendors and some third-party security vendors are helping secure VoIP installations, but it's still a new area for most of them. There is little incentive to sell it, since customers aren't demanding it.

"It's going to be a big attack that gets a lot of attention that drives the market forward," he said.

Chen said there are a variety of ways hackers could attack a VoIP phone system. A simple, but effective exploit would be an old-fashioned denial-of-service attack. A hacker could paralyze a company's IP phone system and demand a ransom.

"You could also take over people's accounts and make calls and charge it to someone else," he said. "You can also take over a number and use that in some sort of phishing scam, where people think they're calling and talking to a bank, but they're talking to someone else."

Let us know what you think about the story; email: Shamus McGillicuddy, News Writer

Tags: Information security management for the midmarket,  Risk management for the midmarket,  VoIP and unified messaging for the midmarket,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Information security management for the midmarket Droid does, but will IT support it? Information security program revamp adds outsourcer oversight and more From data breaches to risk management frameworks: Test your knowledge The challenge of managing risk when IT budgets tighten Why cybersecurity awareness is everyone's responsibility Information technology management e-book downloads for midmarket CIOs 10 must-have steps for an effective SMB information security program Your IT security budget: How to get more bang for the buck Using key risk indicators to sell your information security program IT security spending a bright spot in '09, with more growth predicted Risk management for the midmarket Information security program revamp adds outsourcer oversight and more From data breaches to risk management frameworks: Test your knowledge Adopting a beta tool: Risks vs. rewards for a midsized enterprise The challenge of managing risk when IT budgets tighten Why cybersecurity awareness is everyone's responsibility How to decide if changing technology vendors is worth the time, risk A guide to managing the risk assessment process Free risk management tools and resources for the enterprise CIOs taking risk of cutting vendor maintenance contracts to save money 10 must-have steps for an effective SMB information security program VoIP and unified messaging for the midmarket Midmarket data center management guides: Tips and best practices FAQ: What is unified communications, and why would I want it? Mobile unified communications options for the midmarket Fixed-mobile convergence saves firms costly mobile phone charges Unified communications plans should tap CIO CIOs grapple with tying Wi-Fi, VoIP into unified communications plan Unified communications: Savvy business move or security meltdown? Unified communications: Securing access to OCS Unified communications security: How safe is it? CIO Joseph Edward: In-house app ties parishes together

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary