Voice over IP (VoIP) provides businesses with lower cost calling, more powerful and robust private branch exchange functionality, and the ability to add numerous value-added services to basic calling. Tools and techniques exist for using VoIP to enhance enterprise security, including call recording, voice biometrics, and voice analytics.
Call recording is the most basic VoIP service to support enterprise security. Businesses with regulatory compliance needs (such as financial, legal, and health care) record all calls made on company phones, including mobile devices. Vendors in this space sometimes refer to call recording as voice documentation because it provides a complete electronic record of what is said between parties during phone calls. In legal disputes, call recording can provide evidence that best practices and proper procedures are followed.
Voice biometrics provide a layer of security to authenticate individuals. Avaya, NICE Systems, and others provide solutions that are used for basic authentication during call center transactions, securing applications and transactions, and mobile applications. Using voice also provides the ability to replace personal identification numbers, passwords, and challenge questions with a faster method of authentication, saving time for customers and businesses while providing better security. Financial institutions such as Barclays, Banco Santander Mexico, and U.S. Bank all use voice biometrics to provide secure customer authentication.
Businesses and organizations can use voice biometrics to provide authentication to field service personnel interacting with a dispatch center and other daily communications where there is potential for a third party to gain access to internal business processes through social engineering. An attacker will call into an organization posing as a company employee and use a series of techniques to build trust and gather information on a target. Voice biometrics can be used to provide an automated gatekeeper function to screen inbound and in-house calls for bad actors.
In combination with call recording and voice biometrics, voice analytics can provide in-depth defense against social engineering attacks. Traditionally, voice analytics has been used as a big data–style application to monitor call center performance, gauge the success of new products, and provide competitive intelligence through the ability to look for key words and phrases. Existing processes can be tuned to look for social engineering attacks phishing for passwords and other sensitive information as a part of the nightly and weekly analytics batch runs.
Once an attack instance has been identified, the attacker’s voice biometric information can be identified and used to search through the archive of daily calls for other instances to build a picture of the type of information being sought and what departments are being targeted. The voiceprint then can be incorporated into blacklist processes to flag and block calls from an identified attacker. Other information can be gleaned from the characteristics of the calls themselves, including length of call, time of day calls are made, and the IP address of origin if it’s VoIP from end to end.
Until recently, call recording and voice biometrics have only been available as dedicated solutions. Cloud-based services are now making recording and biometrics both more available and more affordable than expensive solutions tailored to large call centers with a substantial number of calls per hour. Voice analytics is becoming an option for cloud-based call center offerings, but the effectiveness of the technology as a security measure is dependent upon being able to process through all calls within the business. If limited to the call center, voice analytics will not catch attackers calling to internal extensions while posing as employees.
Voice technology being rolled out this year will enable real-time machine actions to be triggered on key words or phrases, speeding up the process of identifying an attack. A request for a password during a phone call could send an immediate text or e-mail message or bring in the IT security desk to monitor the call as it takes place.
None of these solutions are magic bullets to prevent security breaches. Instead, view them as potential components of a holistic security plan. Determined attackers will figure out ways around security schemes, so the objective within a larger enterprise security plan is to provide as many barriers to entry as possible to deter break-in attempts.
Contact MCC’s Telecom Division today to learn more about VoIP and how it can benefit your organization!