Consider Security When Implementing Voice Over IP At Your Institution
If your institution is considering a move to “Voice over Internet Protocol” (VoIP) phone systems, you’ve already been doing some research on the subject. While VoIP is on its way to becoming the default technology choice for many financial institutions’ voice services, maintaining call quality and ensuring security still present many challenges. While other businesses can easily move their phone systems over to this cost-saving technology, financial institutions must realize there’s a great deal of work that must be done before implementing VoIP.
Maintaining a balance of service and security is important, said Juan Deaton, Cellular Systems Engineer at the Idaho National Lab's Next Generation Wireless Test Bed. “The emphasis for financial institutions needs to be on security, then quality of service, because VoIP introduces a great many new vulnerabilities to your network.” Deaton added that the increased vulnerabilities open institutions to possible “man-in-the-middle attacks,” where hackers would be able to eavesdrop on customer calls and capture account information.
Both the National Institute of Standards and Technology and the FDIC have issued information regarding VoIP technology and the security implications that should be considered prior to implementation. Institutions need to research the regulations regarding VoIP and any record retention rules. Keep in mind these may be different from regular phone systems.
Financial institutions contemplating the use of VoIP technology should consider the following best practices:
Ensure that the institution has examined and can acceptably manage and mitigate the risks to information, systems operations and continuity of essential operations when implementing VoIP systems.
Assess the level of concern about security and privacy. If warranted and practical, do not use “softphone” systems, which implement VoIP using an ordinary PC with a headset and special software.
Carefully review statutory requirements for privacy and record retention with competent legal advisors.
Develop appropriate network architecture.
Use VoIP-ready firewalls and other appropriate protection mechanisms. Financial institutions should enable, use and routinely test security features included in VoIP systems.
Properly implement physical controls in a VoIP environment.
Evaluate costs for additional backup systems that may be required to ensure continued operation during power outages.
Consider the need to integrate mobile telephone units with the VoIP system. If the need exists, consider using products implementing WiFi Protected Access (WPA), rather than Wired Equivalent Privacy (WEP).
Give special consideration to emergency service communications. Automatic location services are not always as available with VoIP as they are with phone calls made through the PSTN. (From “Guidance on the Security Risk of VoIP,” issued by the FDIC.)
Nine best practices cited by NIST were included in the same FDIC document. NIST noted that “the integration of voice and data in a single network, establishing a secure VoIP and data network is a complex process that requires greater effort than that required for data-only networks.” Click here to read NIST's Nine Best Practices.