How to combat voice security issues in collaboration platforms
Internet-based telephony allows employees to communicate with anyone anytime, anywhere. While these modern voice services make workplaces more efficient and flexible, they also open up a potential minefield for voice security issues. In this tip, we examine several potential voice threats generated by modern enterprise collaboration platforms and discuss methods to deal with them.
Challenges for language security in modern collaboration platforms
Ironically, many of today’s voice threats stem from the technologies that make enterprise voice communications accessible from anywhere. While these collaboration systems are undoubtedly convenient, they pose risks that were implausible on traditional closed systems:
1. Compromised BYOD. Desktop and smartphone apps are now the de facto way to make and receive internal and external business calls. In many cases, employees and contractors can use their personal laptops, phones, and tablets to connect to business collaboration platforms. What keeps many cybersecurity professionals up at night is the possibility that a hacker could gain access to the corporate network through a voice collaboration app loaded on an insecure personal device. Because organizations do not own these devices, they cannot adequately manage BYOD operating system and application updates.
2. Tradeoffs in the SaaS platform. SaaS voice applications can impact organizations’ ability to monitor call manager platforms. When a third party takes on the responsibility of building, maintaining, and securing voice and collaboration services, it’s both a blessing and a curse. On the one hand, outsourcing these operations frees the organization from managing servers, network operating systems, and voice/collaboration services. On the other hand, companies need to place tremendous trust in this service provider to properly manage and secure the service.
Additionally, large collaborators are a much larger and potentially more lucrative target for bad actors. As such, these providers are likely to be threatened with zero-day vulnerabilities, DDoS attacks, malware, and social engineering attempts. And because these companies serve a variety of customers, a successful attack on a single vendor can affect many users.
3. The end user lacks judgment. Employees have 24/7 access to business phones, which means hackers have more opportunities to exploit end-user misperceptions. Consider vishing, a language-centric social engineering tactic in which threat actors leave voice messages claiming to be from reliable sources. These messages lower employees’ alertness and tempt them to share personal or business-related information. Vishing has grown in importance in recent years, especially when those messages are delivered after hours, when employees may not be as focused on protecting important information.
IT Strategies to Mitigate Collaboration Voice Threats
Despite the voice security issues organizations face when monitoring collaboration services, there are ways to fight back:
1. Endpoint Management for BYOD. While IT and security administrators have limited visibility and control over personal endpoints, there are ways to mitigate the risks with enterprise-class endpoint management tools. Depending on the platform used, some threat mitigation capabilities may include:
- App data encryption and copy/paste/export protection;
- Enforcement of two-factor or multi-factor authentication (MFA);
- limitation of language/collaboration skills outside of working hours; and
- Functions for remotely deleting applications.
2. Block access to administration and the user profile. Use MFA to tightly restrict and secure administrative access to cloud-based voice and collaboration. This tactic prevents attackers from using a cloud-based exploit or compromise of administrator usernames and passwords to abuse or destroy collaboration configuration services. Collaboration user profiles should also be carefully created to allow only the voice/collaboration services they need to do their job and no more. This limits how much damage a compromised account can potentially cause.
3. Acceptable Use and BYOD Policy. Revise BYOD policies and train employees to understand new language security standards. New policies could include requiring employees to frequently change their voicemail passwords, as well as simplifying the way employees notify security teams of usage anomalies and attempts by unknown users to obtain personal or business information.