Some Thoughts on Security

Phone systems have their security issues that go back to companies owning their own PBXs.  In the early 90s our PBX was hacked and we became an international phone system. We paid the costs and some unknown person collected the profits. And the dangers of someone hacking into your voicemail system. Today the dangers are worse. Thanks Internet.

Security issues can be broken down to the following issues:

  • Business continuity. What happens if your PBX dies, your building burns down, terrorism makes your city uninhabitable, or a backhoe operator goes "pops." 
  • Become someone else's phone company. Someone hacking into your system so they can use your PBX to offer cheap international calling to their customers. Or using your PBX to impersonate you or your company.
  • Stealing information. Voicemails and recorded conservations can hold confidential information.
  • Just plain embarrass you. Some people enjoy reprogramming you systems and making new outgoing messages.

Hosted vs Premise Based PBX

Business continuity

    Hosted phone providers promise improved business continuity. If your building burns down, they are still up and running. If their building burns down, they have backup facilities. I will let the hosting providers fight among themselves who offers the best business continuity plans. All I can advise is to get as much information as possibly about their own business continuity plans and if the backup facilities are automatically updated.
    Even if the phone line is cut between their facility and yours, you are covered. Staff can access their phone accounts from any location with a fast Internet connection. Smart phone apps turn your iPhone or Android or BlackBerry into an extension of your phone system. Even a lowly landline phone can pick up your voicemail.
    But if your company has multiple offices you can have multiple PBX's that replicate each other. Or you can put a backup PBX in rented space. Our Cisco system can do this if we buy a second PBX. I remember Avaya enterprises systems having this feature at least 6 years ago. All it takes is money.
    For a smaller budget some phone carriers offer services where calls can be forwarded to backup numbers, often cell phones, if they can't reach your PBX. No access to voicemail but at least you can deal with incoming and outgoing calls.
    So advantage to hosted systems but think what you really want. Just depending on your employee's cell phones might be sufficient.

Hacking

    But what about unauthorized people accessing your system? If the hosted provided does all administration that can cut down on concerns. They will keep the phone system software up to date, as I've mentioned elsewhere the last time our current system's software was updated was 1993 because no one was paying attention. And updated software often includes security fixes.
    But what about protecting user accounts. No hosted provided offered VPN only access to their systems. I'm nervous about any system that allows staff to access their accounts from home with a name and passwords, most staff have awful passwords and tend to write them somewhere easy to find. Even if that staff has no admin rights, their voicemail can be hacked and an exploiter might be able to use that account to exploit a security weakness.
    I prefer a system where people outside of the office can only access the phone system with a dumb phone or through a Virtual Private Network (VPN). I feel that VPN adds a necessary level of security. Staff who don't care about remote access via computers or smart phones don't get VPN access. If someone takes a VoIP phone home it connects via a VPN. If they use their smart phone to get visual voicemail or reprogram their phone, it goes over the VPN. Our Cisco system will provide this security. None of the hosted providers mentioned VPN only remote access to their systems.
    Many premise based resellers will offer to manage your system for you, so like the hosted provider they take care of the software updates and even adds, deletes and moves. So you might even avoid having any staff having admin rights. I prefer administering my own system but some companies might prefer outsourcing all of that work.

Voicemail via email

    One of the big selling points of any modern system is the ability to e-mail voicemail to staff. We decided against this feature, WAV files going across e-mail isn't a good security move. We will have e-mail notifications when voicemail arrives, but users will have to log into the system or use their phones to access voicemail.

The computer interface

    Is the computer interface for the average user a weak point? This didn't occur to me until we were close to selecting a proposal, but do you want a system that depends on running Java in the web browser? I'm not talking about administrators, who we assume will practise safe computer, but the average staffer who doesn't care that much? I am trying to move my office towards not having Java running in the browser. The Avaya One-X console, which is well liked, works in this manner. Are stand alone programs safer overall than browser based access? I do not know the safest approach but this is worth thinking about.

And for G-d's sake, change your default passwords

    Our system was hacked in the early 90s because no one changed the default administrator's password. Make sure that you have a system that requires staff to change from their default passwords. Change all of the administrator passwords. Just do good computer security practices. You know, all of those recommendations to keep your computer data secure that most people don't follow.

What do you think?

    Most phone people know more about phone security than me. Please post a comment or send me an e-mail about best practices or anything I've missed.