Why are Enterprises lax About VoIP Security?

There is a general consensus that more investment of time, resources, and money is needed to protect enterprises from VoIP security threats. So why are enterprises so lax in investing resources in improving their defenses?

Our conversations with a few enterprises present the following general theme: 

  • Nothing is broken. Why fix it? 
  • We have firewalls and endpoint security components installed. Why do we need to do more? 
  • We are compliant with NIST and ISO 27001 standards. Why should we look beyond these standards? 

There’s also this optimism bias that’s prevalent in enterprises – the tendency to think that only good things happen – until something bad happens. Then there are those who think that bad things happen to only those who don’t plan and are not observant, among other things. 

Let’s look at ten specific reasons why enterprises often think they don’t need robust cybersecurity: 

Large enterprises 

The insights we gained from our conversations with large enterprises are startling, considering we expect them to have the budget and the skills needed to protect themselves against cyberattacks. Yet they too face the following bottlenecks: 

  1. Lack of priority – most IT teams are already fully occupied and stretched by their routine activities, so they can neither adequately present their security-related activities to the leadership team nor communicate the importance of cybersecurity across the broad spectrum of management in large enterprises. 
  2. Lack of budget – building resilience against cyberattacks needs appropriate budgets, which leadership teams are reluctant to spare, especially since most of them are unaware of the importance of cybersecurity. 
  3. Organization structure – CISOs of large enterprises report to the CIO, the head of the Legal department, the head of the Risk Assessment department, or some other department that does not give enough weight to cybersecurity. Reporting to such departments also denies them direct visibility with the leadership team, which exacerbates the problem. Many CISOs still either don’t have a seat at the leadership team table or present their reports to audit committees, which in turn report to the leadership team. 
  4. Lack of awareness – CEOs typically don’t interact as frequently with CISOs as they do with CFOs and the Legal team, which underscores the lack of awareness of cybersecurity. 
  5. Overconfidence – most leadership teams fall prey to the overconfidence effect, thinking they’ve provided enough budget for cybersecurity and thereby assuming they have all the equipment required for adequate protection. 
  6. Lack of risk models – some large enterprises have yet to identify their risk tolerance levels, and their risk models are not mature enough to determine how much and where to invest to improve their resilience against cyberattacks. 

Small and Medium Enterprises 

When we dug deeper in our conversations with small and medium enterprises, we gained the following insights about their laxity towards cybersecurity: 

  1. Ignorance and apathy – Some are ignorant about cybersecurity, while others just don’t care about it. We guess that their optimism bias is at play here. 
  2. Lack of budget and skills – Some don’t have the budget to think about cybersecurity, while others don’t have the skills to implement a framework for cybersecurity. 
  3. Futility – Some think that they won’t be able to protect their enterprises against cyberattacks, especially since even large enterprises have fallen victim, so they think that it’s futile to even bother investing resources in cybersecurity. 
  4. Bias – Some think only large enterprises are targeted because they read only about these types of enterprises falling victim to attacks in the news. 

The potential threats 

VoIP security risks

All enterprises should treat the following as potential weaknesses in their armor that allow cyber attackers to gain a foothold in their networks. 

  • The exponential rise of the work-from-home culture has also exponentially increased the risk of cyberattacks. 
  • Security Operations Centers have been historically configured to look for abnormalities and threats in scenarios where the majority of the employees work in physical offices with a minimal number of employees working remotely. The COVID-19 pandemic has turned this ratio upside down, and quite a few enterprises now have up to 70% of their employees working remotely, while only 30% work in offices. 
  • Some enterprises have implemented systems for cybersecurity, but they then forgot to invest enough in processes and people, so they don’t have enough resources to monitor the systems. 
  • Cybersecurity-related incidents such as data loss, ransomware attacks, insider threats, phishing, etc., happen mostly because of the involvement of the human component, which is often the weakest link because of a lack of training and awareness among employees. 
  • Insurance companies are now vigilant and monitor the efforts enterprises take to invest in cybersecurity and improve their resilience against threats. Enterprises that cannot demonstrate that they’ve done enough fail to have their insurance claims passed when their networks are breached. 

The financial impact 

The faster enterprises detect cybersecurity-related incidents, the less they are impacted financially. The average financial impact of a cybersecurity-related incident amounts to around $500,000, which might go up to as much as 7.5% of the total traded value for publicly traded enterprises. 

Large enterprises are more capable of surviving cybersecurity-related incidents, while smaller enterprises might never recover from such incidents. 

The human component 

Employees being human add their personal, human biases to the cybersecurity equation. 

Employees performing risk assessments of the enterprise networks bring similar biases to their assessments, which lowers the assessed risk and thereby limits the investment made to prepare against cyberattacks. 

However, at the risk of sounding cliché, there’s a silver lining to every cloud, and we can use our human biases to our advantage. Just as we compensate for risks in our personal lives, such as signing prenuptial agreements even though we think that our marriage might last forever, enterprises can prepare for cybersecurity-related incidents even though they might think that they will never be a target for cyber attackers. 

Conclusion 

While enterprises cannot always prevent cybersecurity-related incidents, preparing for cyberattacks and building resilient cybersecurity mechanisms considerably reduce the risk and impact to them when cyberattacks do happen. 

Investments in cybersecurity-related systems must be considered as part of the cost of running businesses and must be provided with adequate budgets. These necessary investments in people, processes, technology, and governance do help enterprises navigate the dynamic, digital world with confidence. 

The impact of your VoIP systems on your cybersecurity 

Given how closely enmeshed VoIP systems are with the rest of your organization, it’s time to extend the ambit of cybersecurity to your communication systems. 

What can you do to get started? 

Your VoIP security relies greatly on securing your network perimeters. 

We highly recommend that you extend cybersecurity visibility and best practices into VoIP security starting with Session Border Controllers, your perimeter devices.  

Regardless of your security model, make sure to: 

  • Ensure that your VoIP security practices comply with basic data security principles pertaining to encryption, certificate and security strength, certificate age, validity, and more. 
  • Scan your SBCs periodically to uncover any anomalies that could signal attacks and breaches. 
  • Review their configurations periodically. 
  • Update these configurations dynamically based on the latest threat intelligence and your organization’s current topology. 
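The configuration review above is easy to turn into a repeatable check. The following is an added example, not Assertion's code or any SBC vendor's tooling: it audits a small, hypothetical SBC configuration (a plain Python dict with constructed values) against a baseline covering the points listed, namely certificate validity, age and key strength, enabled TLS versions and ciphers, and whether SRTP is enforced for media. The baseline thresholds (2048-bit RSA minimum, 398-day maximum certificate age, 30-day expiry warning) are assumptions chosen for illustration; the two sample configurations, one weak and one hardened, are constructed so the weak one trips every check.

```python
"""Added example (not from the post): an offline audit of an SBC's TLS/SRTP
settings against a simple baseline. The configuration layout is hypothetical;
real SBCs expose these values through their own CLI or management API."""
from datetime import date

# Baseline values are assumptions for illustration, not figures from the post.
MIN_RSA_BITS = 2048
MAX_CERT_AGE_DAYS = 398       # assumption: roughly the public-CA maximum lifetime
EXPIRY_WARN_DAYS = 30
ALLOWED_TLS = {"TLSv1.2", "TLSv1.3"}
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5")


def audit_sbc(cfg: dict, today: date) -> list:
    """Return a list of findings; an empty list means the config meets the baseline."""
    findings = []
    cert = cfg["sip_tls_cert"]
    not_before, not_after = cert["not_before"], cert["not_after"]

    # Validity: the certificate must be inside its validity window today,
    # and we want warning before it lapses and SIP/TLS trunks start failing.
    if today < not_before or today > not_after:
        findings.append("certificate is not currently valid")
    elif (not_after - today).days <= EXPIRY_WARN_DAYS:
        findings.append(f"certificate expires in {(not_after - today).days} days")

    # Age: a very old certificate usually means nobody is rotating it.
    if (today - not_before).days > MAX_CERT_AGE_DAYS:
        findings.append("certificate is older than the allowed maximum age")

    # Strength: self-signed certs cannot be verified by peers; short RSA keys are weak.
    if cert.get("self_signed"):
        findings.append("certificate is self-signed; peers cannot verify the SBC")
    if cert["key_type"] == "RSA" and cert["key_bits"] < MIN_RSA_BITS:
        findings.append(f"RSA key is {cert['key_bits']} bits; minimum is {MIN_RSA_BITS}")

    # Encryption: legacy protocol versions and weak cipher suites on the SIP listener.
    for version in cfg["tls_versions"]:
        if version not in ALLOWED_TLS:
            findings.append(f"legacy protocol enabled: {version}")
    for suite in cfg["ciphers"]:
        if any(marker in suite for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher enabled: {suite}")

    # Media: TLS on signalling is little use if the audio itself can fall back to plain RTP.
    if cfg["srtp_mode"] != "required":
        findings.append(f"SRTP mode is '{cfg['srtp_mode']}'; media may fall back to plain RTP")
    return findings


# Constructed sample configurations; the dates are fixed so the audit is reproducible.
TODAY = date(2024, 6, 1)

WEAK_SBC = {
    "sip_tls_cert": {"not_before": date(2021, 1, 15), "not_after": date(2024, 6, 20),
                     "self_signed": True, "key_type": "RSA", "key_bits": 1024},
    "tls_versions": ["TLSv1.0", "TLSv1.2"],
    "ciphers": ["ECDHE-RSA-AES128-GCM-SHA256", "RC4-SHA"],
    "srtp_mode": "optional",
}

HARDENED_SBC = {
    "sip_tls_cert": {"not_before": date(2024, 3, 1), "not_after": date(2025, 3, 1),
                     "self_signed": False, "key_type": "RSA", "key_bits": 3072},
    "tls_versions": ["TLSv1.2", "TLSv1.3"],
    "ciphers": ["ECDHE-RSA-AES256-GCM-SHA384", "TLS_AES_256_GCM_SHA384"],
    "srtp_mode": "required",
}


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SBC), ("hardened", HARDENED_SBC)):
        print(name, audit_sbc(cfg, TODAY) or ["no findings"])
```

Run on the weak sample the audit reports seven findings (imminent expiry, excessive age, self-signed, 1024-bit RSA, TLSv1.0, RC4, optional SRTP) and none on the hardened one; scheduling a check like this against exported SBC configuration is one way to make the periodic review a routine rather than an afterthought.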

Assertion’s State of SBC Security report has uncovered several security gaps and concerns in SBC security that illustrate just how this laxness towards VoIP cybersecurity plays out in the real world.   

Download the report to discover insights on the State of SBC security, the common security mistakes companies the world over are making, and what you should do to improve your cybersecurity posture.  

If you have any questions on SBC security, why it matters, and details of implementing SBC security best practices to improve your VoIP security posture, please write to us at sales@assertion.cloud