Internet-based telephony lets employees communicate with anyone at any time, anywhere. While these modern voice services make workplaces more efficient and flexible, they also open a potential minefield of voice security issues. In this tip, we'll explore several potential voice threats generated by modern enterprise collaboration platforms and discuss methods to address them.
Voice security challenges in modern collaboration platforms
Ironically, many of today's voice threats stem from the technologies that make enterprise collaboration voice accessible from everywhere. While these collaboration systems are no doubt convenient, they create risks that were not plausible on traditional closed systems:
1. Compromised BYOD. Desktop and smartphone apps are now the de facto method of making and receiving internal and external business calls. In many cases, employees and contractors can use their personal laptops, phones and tablets to connect to business collaboration platforms. What keeps many cybersecurity professionals up at night is the potential that a hacker could access the corporate network through a voice collaboration app loaded on an unsecure personal device. Because organizations don't own these devices, they can't adequately manage BYOD OS and application updates.
2. SaaS platform compromises. SaaS voice applications can hamstring the ability of companies to oversee call manager platforms. Having a third party handle the responsibility of building, maintaining and securing voice and collaboration services is both a blessing and a curse. On one hand, outsourcing these operations frees up the organization from managing servers, network operating systems and voice/collaboration services. On the other, it requires companies to place a tremendous trust in that service provider to properly manage and secure the service.
Additionally, large collaboration providers are a much bigger and potentially more lucrative target for bad actors. Thus, these providers are likely to be threatened with zero-day vulnerabilities, DDoS attacks, malware and social engineering attempts. And because these companies serve a multitude of customers, a successful attack on a single provider has the potential to affect many users.
3. End user lapses in judgment. Business phones are accessible by employees around the clock, which means there are more opportunities for hackers to exploit end-users' lapses in judgment. Consider vishing, a voice-centric social engineering tactic where threat actors leave voice messages purporting to be from reliable sources. These messages lower employees' guard and trick them into sharing personal or business-related information. Vishing has become more prominent over the past few years, especially when these messages are delivered after working hours when employees may not be as focused on protecting important information.
IT strategies to mitigate collaboration voice threats
Despite the voice security issues organizations face when overseeing collaboration services, there are ways to fight back:
1. Endpoint management for BYOD. While IT and security administrators have limited visibility and control over personal endpoints, there are ways to mitigate the risks using enterprise-grade endpoint management tools. Depending on the platform used, some threat risk mitigation features may include:
- App data encryption and copy/paste/export protections;
- Enforcement of two-factor or multi-factor authentication (MFA);
- Restricting voice/collaboration capabilities during non-working hours; and
- Application remote wiping capabilities.
2. Lock down administration and user profile access. Use MFA to strictly limit and secure cloud-based voice and collaboration administrative access. This tactic keeps bad actors from using a cloud-based exploit or administrator username/password compromise to abuse or destroy collaboration configuration services. User collaboration profiles should also be carefully constructed to only allow the voice/collaboration services they require for their work and nothing more. This limits how much damage a compromised account can potentially cause.
3. Usage and BYOD policy. Rework BYOD policies and train employees so they understand the new voice security standards. New policies could include requiring employees to frequently change their voicemail passwords as well as simplifying how employees flag security teams about usage anomalies and attempts from unknown users to obtain personal or business information.
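The mitigations listed above (MFA on administrative access, profiles limited to what a role requires, MFA and after-hours restrictions on BYOD) can be checked against an account export. The following is an added example, not code from any collaboration vendor; the export fields, role names and capability names are assumptions, and the sample accounts are constructed.

```python
from dataclasses import dataclass

# Assumed role baselines: the voice/collaboration services each role needs, nothing more.
ROLE_BASELINE = {
    "agent": {"internal_call", "external_call", "voicemail"},
    "contractor": {"internal_call", "voicemail"},
    "admin": {"internal_call", "external_call", "voicemail", "admin_console"},
}

@dataclass
class Account:                      # hypothetical shape of one exported profile
    user: str
    role: str
    mfa: bool
    capabilities: set
    byod: bool = False
    after_hours_calling: bool = False

def audit(accounts, baseline=ROLE_BASELINE):
    """Return (user, finding, detail) tuples for profiles that break the policy."""
    findings = []
    for a in accounts:
        allowed = baseline.get(a.role)
        if allowed is None:         # a role with no baseline cannot be judged
            findings.append((a.user, "unknown-role", a.role))
            continue
        if "admin_console" in a.capabilities and not a.mfa:
            findings.append((a.user, "admin-without-mfa", "admin_console"))
        extra = sorted(a.capabilities - allowed)
        if extra:                   # services beyond what the role requires
            findings.append((a.user, "excess-capability", ",".join(extra)))
        if a.byod and not a.mfa:
            findings.append((a.user, "byod-without-mfa", ""))
        if a.byod and a.after_hours_calling:
            findings.append((a.user, "byod-after-hours", ""))
    return findings

# Constructed sample export.
SAMPLE = [
    Account("alice", "admin", True, set(ROLE_BASELINE["admin"])),
    Account("bob", "admin", False, set(ROLE_BASELINE["admin"])),
    Account("carol", "contractor", True,
            {"internal_call", "voicemail", "external_call", "call_recording_export"},
            byod=True, after_hours_calling=True),
    Account("dave", "agent", False, set(ROLE_BASELINE["agent"]), byod=True),
    Account("eve", "temp", True, {"internal_call"}),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```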