Tag Archives: hosted pbx

The Ups and Downs of BYOD

When it comes to the next wave of Unified Communication platforms, to bring, or not to bring…that has become the question.

To bring what you ask? To bring your own device, that is.

Businesses and technology buyers everywhere are asking themselves this right now. With pressure mounting as CEOs and front line sales alike are looking to use their favorite tech toys at work, IT leaders are being forced to ask themselves another question.

Should we or should we not allow our employees to bring and utilize their personal devices for business purposes?

Undoubtedly we have all grown increasingly connected at the hip (pun intended) to our favorite iDevice or Droid product. With this we have also grown increasingly demanding about having the opportunity to utilize these tools for work.

But just because we want to doesn’t mean that we should. This is exactly why we have CIOs and IT leadership in our organizations. If you are responsible for deciding whether or not to allow your UC solutions to run on independently owned devices, here are some things to consider.

BYOD: The Good

  • Integration: Most of the devices are running on the same handful of operating systems, most commonly Apple’s iOS and Google’s Android. For the most part, BYOD integration with UC platforms is built on an application distributed via iTunes or the Google Play store. This means setting up the device to work is usually a few simple settings, including pointing the device at the right server and then entering user credentials. The experience on the personal device will be consistent with the experience on a company-issued device. If the employee should no longer have access, the app running on the device can be rendered useless simply by changing credentials.
  • Cost: Generally with bring your own device, a company is able to put more of the cost requirements on the worker. This also alleviates some of the headaches related to preparing hardware for every new employee or chasing down hardware whenever an employee leaves. (Note: A lot of companies doing BYOD today still have company issued hardware.)
  • Employee Satisfaction: Employees are generally appreciative of the opportunity to use their preferred devices, which is good for morale. As a side effect, employees will often have the newest tools, which would be very hard for a company to keep up with. We have all seen product life cycles become so short that even when you issue your employees the newest thing, it is almost immediately replaced by what comes next. With BYOD the integration with your UC platform isn’t so much device-specific as operating-system-specific, so the company can provide some guidelines to employees interested in using their own device and then let the employee take it from there.

BYOD: The Bad

  • Security: As I mentioned above, security for BYOD and UC isn’t necessarily all bad. The real challenge is that chances are BYOD won’t “only” be used for UC. If that is indeed the case, it is more difficult for a company to manage security when it allows personal devices to be used for work. Generally the company has to set an acceptable use policy that lives on top of the personal device, but it is hard to mandate certain things. Take for instance social media use. Your company may not want workers on Facebook during the workday, but what about an employee checking in from their personal (BYOD) device at lunch? That creates a real grey area. The other consideration may be requiring the use of certain security tools such as anti-virus, or requiring that devices be locked at all times. These can be part of the use policy and part of the expectations set by companies allowing BYOD.
  • Compliance: If your company is governed by any sort of compliance laws, for instance HIPAA, then you have to make sure those rules are followed regardless of who owns the device being used. If the UC platform holds contact information or integrates with CRM or other systems that contain sensitive data, then systems must be in place to make sure that the data is safe and secure.
  • Data Retrieval: This goes along with security, but if an employee leaves or is let go, the data that resides on the personal device will need to be retrieved. This expectation has to be set and agreed upon prior to BYOD deployment. Most UC applications are closely tied to customer records, contact information, sales and financial data and more. The good news for IT departments is that this isn’t really a new challenge. In many organizations that have webmail interfaces, people have been “popping” email to separate accounts where they can access it from a personal device. What does need to happen is that this continues to be better managed, to make sure important and sensitive documents aren’t left out there after the person has parted ways with the organization.
With widely available applications for UC on your own device, BYOD continues to gain momentum. Could a BYOD-friendly UC deployment have a place in your organization? It just may, so long as you plan correctly and set the right expectations with your users up front.

This blog was written by EC3 CEO Daniel Newman and was originally posted on Commercial Integrator. The original article can be found here.

Toll Fraud: A Network and Security Threat

Recently I asked this question as it became a front-of-mind topic of discussion among my peers, colleagues, and clients, and it appears toll fraud is still one of the largest IT security threats many C-level execs haven’t heard of, or don’t pay much attention to.

How did toll fraud become a network security threat?

Allow me to explain. For those unfamiliar, toll fraud and phone hacking are a multi-billion dollar industry, with monetary damages more than double those of credit card fraud.

Do I have your attention now?

Toll fraud can be simply explained as any instance where a subscriber attempts to defraud the telephone company, the telephone company attempts to defraud a subscriber, or a third party attempts to defraud either of them.

Sadly, toll fraud has been a part of the telephone system almost from the beginning.

According to the CFCA survey, the top 5 fraud loss categories reported by operators in 2011 were:

• $4.96 Billion (USD) – Compromised PBX/Voicemail Systems
• $4.32 Billion (USD) – Subscription/Identity Theft
• $3.84 Billion (USD) – International Revenue Share Fraud
• $2.88 Billion (USD) – By-Pass Fraud
• $2.40 Billion (USD) – Credit Card Fraud

So how did toll fraud become a network security issue?

The answer is simple. VoIP!

VoIP is now the most prevalent form of voice communications and, as the acronym suggests, it is Voice OVER IP, meaning the calls terminate over the network. With this in mind, network security professionals must add another service to their list of networked services to protect, requiring them to implement policies and procedures that mitigate breaches and theft of service.

Unfortunately toll fraud is typically a security risk many IT professionals learn about after it is too late.

Network security engineers need to understand network services, protocols, port numbers, etc. However, telephony has become a suite of applications now known as Unified Communications. Simply protecting the edge with firewalls and access lists is not enough. Some common forms of toll fraud include:

SIP scripts – attempt to register as a phone or trunk to your Internet-facing PBX
This is extremely common and can cause major monetary damages. If a script detects open voice service ports on a public IP, it will launch an authentication attack which will then attempt to make repeated calls, usually to a third-world country’s local exchange or call center charging $2 – $4/min per call. In this case the scripts are set to hang up after the largest charge and dial again, continuing the process until your phone carrier detects it, or you get one heck of a surprising phone bill. To fully feel the potential effects of this, multiply the above per-minute charges by the maximum number of calls your phone system can make at once.
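The registration attack described above leaves a very recognisable trace in the PBX's authentication log: many failed REGISTER attempts from one source, usually cycling through extension numbers. The following detector is an added example, not code from the original post or from any PBX vendor. It reads a constructed, simplified log format (a real deployment would adapt parse_line() to its PBX's own security log) and flags any source address that exceeds a failure threshold inside a sliding time window, which is the logic a fail2ban-style blocker or a SIEM rule would apply before blocking the address at the firewall.

```python
"""Detect SIP REGISTER brute-force sources from authentication logs.

Added example. The log format below is a constructed, simplified one,
not any particular PBX's native format; adapt parse_line() to yours.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real traffic). 203.0.113.5 is a scripted
# scanner cycling through extensions; 198.51.100.20 is a real phone that
# mistypes its password once; 192.0.2.77 is a slow scanner that spaces
# its attempts eleven minutes apart to stay under naive thresholds.
SAMPLE_LOG = """\
2012-03-01T02:15:01Z REGISTER from 203.0.113.5 user=100 result=FAIL
2012-03-01T02:15:01Z REGISTER from 203.0.113.5 user=101 result=FAIL
2012-03-01T02:15:02Z REGISTER from 203.0.113.5 user=102 result=FAIL
2012-03-01T02:15:02Z REGISTER from 203.0.113.5 user=103 result=FAIL
2012-03-01T02:15:03Z REGISTER from 203.0.113.5 user=104 result=FAIL
2012-03-01T02:15:03Z REGISTER from 203.0.113.5 user=105 result=FAIL
2012-03-01T02:15:04Z REGISTER from 198.51.100.20 user=2001 result=FAIL
2012-03-01T02:15:09Z REGISTER from 198.51.100.20 user=2001 result=OK
2012-03-01T02:20:00Z REGISTER from 192.0.2.77 user=3001 result=FAIL
2012-03-01T02:31:00Z REGISTER from 192.0.2.77 user=3002 result=FAIL
2012-03-01T02:42:00Z REGISTER from 192.0.2.77 user=3003 result=FAIL
2012-03-01T02:53:00Z REGISTER from 192.0.2.77 user=3004 result=FAIL
2012-03-01T03:04:00Z REGISTER from 192.0.2.77 user=3005 result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) REGISTER from (?P<ip>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Return (timestamp, source_ip, username, succeeded) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["ip"], m["user"], m["result"] == "OK"


def find_brute_force_sources(log_text, max_failures=5, window_minutes=10):
    """Map each offending source IP to (time it crossed the threshold,
    number of distinct usernames it tried).

    A source is flagged once it accumulates max_failures failed REGISTERs
    within a sliding window of window_minutes. A successful registration
    clears that source's counter, so a legitimate phone that fumbles its
    password a few times is not flagged.
    """
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    users_tried = defaultdict(set)  # ip -> usernames seen in failures
    flagged = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, user, ok = parsed
        if ok:
            failures[ip].clear()
            continue
        recent = failures[ip]
        recent.append(ts)
        users_tried[ip].add(user)
        while recent and ts - recent[0] > window:
            recent.popleft()          # drop failures older than the window
        if len(recent) >= max_failures and ip not in flagged:
            flagged[ip] = (ts, len(users_tried[ip]))
    return flagged


if __name__ == "__main__":
    for ip, (when, n) in find_brute_force_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} usernames tried, threshold crossed at {when}")
```

With the default ten-minute window only the fast scanner is reported; the slow scanner at 192.0.2.77 is only caught when the window is widened to an hour, which is the usual trade-off when tuning this kind of rule. Note that a high count of distinct usernames from one address is itself a strong signal, since a real phone only ever registers as its own extension.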

Hacking voice-messaging or voicemail systems – After compromising users’ PIN numbers, the criminal can access the users’ private voicemails, make unauthorized calls from that user’s extension and make international calls through the voicemail platform. Imagine someone having access to your executives’ voicemails. What could they learn, or what damage could they cause?
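The voicemail compromise described above almost always starts with a guessable PIN: the extension number itself, a default left unchanged, or a sequence like 123456. The PIN policy checker below is an added example, not code from the original post or from any voicemail product; the rules (minimum length, no sequences or repeated digits, no extension number, no reuse, a small deny list) are illustrative policy choices that an administrator would enforce when a user sets or changes a mailbox PIN.

```python
"""Voicemail PIN policy check.

Added example. The thresholds and deny list are illustrative policy
choices, not any vendor's defaults.
"""

MIN_LEN = 6

# Constructed deny list of PINs that show up in every leaked-PIN study.
# A real deployment would load a much longer list.
COMMON_PINS = {"123456", "111111", "000000", "123123", "654321", "112233"}


def is_sequence(pin):
    """True for ascending or descending runs such as 123456 or 987654."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})


def is_repeated(pin):
    """True when every digit is the same, e.g. 555555."""
    return len(set(pin)) == 1


def pin_problems(pin, extension=None, previous_pins=()):
    """Return the list of policy violations for a proposed PIN.

    An empty list means the PIN is acceptable. `extension` is the mailbox
    number (a PIN that contains it is trivially guessable); `previous_pins`
    is the mailbox's PIN history, used to block reuse.
    """
    problems = []
    if not pin.isdigit():
        problems.append("digits only")
    if len(pin) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} digits")
    if pin and is_repeated(pin):
        problems.append("single repeated digit")
    if len(pin) >= 2 and pin.isdigit() and is_sequence(pin):
        problems.append("ascending or descending sequence")
    if extension and (pin.startswith(extension) or pin.endswith(extension)):
        problems.append("contains the mailbox extension")
    if pin in previous_pins:
        problems.append("reused previous PIN")
    if pin in COMMON_PINS:
        problems.append("on the common-PIN deny list")
    return problems


if __name__ == "__main__":
    for candidate, ext in (("1234", "1234"), ("123456", "2001"),
                           ("2001987", "2001"), ("4071931", "2001")):
        verdict = pin_problems(candidate, extension=ext) or ["ok"]
        print(f"{candidate:>8}: {', '.join(verdict)}")
```

Enforcing a policy like this at PIN-change time, together with locking a mailbox after a handful of failed attempts, removes most of the easy wins for someone dialling into the voicemail system from outside.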

Compromising soft-phones – This falls into a well-known security vulnerability: capturing wireless traffic and learning a user’s authentication information. Here again the hacker could easily re-create the soft-phone account, eavesdrop on phone calls, and make unauthorized calls on your account as they see fit.

As CTO of a cloud Unified Communications company it is part of my job to plan for the unexpected. This includes the design and implementation of systems to mitigate the large financial losses that can happen when a system is able to make tens of thousands of calls at once. It’s an ongoing challenge and, unlike other types of network security risk, the products and services available to combat or mitigate toll fraud are extremely limited.

Throughout my career I have supported and consulted with many companies who have experienced toll fraud of some kind. By the time their phone company realized the client’s service was compromised and notified the client, there were already substantial financial damages.

So why didn’t these telcos just disable their service?

Depending on the carrier, they may or may not have real-time toll-fraud mitigation techniques in place; maybe they didn’t detect the abuse until the next day, or your system was compromised over the weekend. Sometimes it’s politics in the contracts, not allowing them to take the service down without prior written notice. It can be any number of reasons; the focus here is not telecom policies, it’s understanding the risk and doing what you can to mitigate that risk in the first place.

What is the policy of your telecom provider in the event of excessive toll fraud? If you don’t know, I suggest that you find out by reviewing your contract terms or speaking with a representative of your provider. Better to find out before something happens than when it may be too late.

So what can I do to mitigate toll fraud?

Like all security risks, mitigating toll fraud requires a full understanding of the technology and where you are most exposed.

When designed properly, VoIP can be much more secure than copper-based phone systems and PBXs. Start by consulting your Unified Communications or PBX provider about best practices; align their recommendations with your business objectives and your corporate security policy. Also, work with your security consultant, as they may have a different approach to mitigating toll fraud, especially if you are moving to or considering migrating to Unified Communications.

If you believe you are experiencing toll fraud, disconnect or disable the compromised services until you are sure the threat is mitigated. Call your provider right away, tell them you suspect toll fraud on your account and have them disable services.
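The post's point is that the carrier often notices the abuse a day late, so the customer needs its own early warning. The pattern the attacks above produce in the call detail records (CDRs) is distinctive: a burst of international calls from one extension, typically outside business hours, of roughly equal duration. The monitor below is an added example, not code from the original post or from any PBX or carrier. It scans a constructed CSV-style CDR layout (real CDR formats differ; the column names, the "011" international prefix and the business-hours window are assumptions) and reports which extensions show those patterns, which is the trigger for the "disable the service and call the provider" step just described.

```python
"""Outbound CDR monitor for the toll-fraud patterns described in the post.

Added example. The CDR layout, the international dialing prefix and the
business-hours definition are assumptions; adapt them to your PBX.
"""
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO

# Constructed CDR sample (columns: start,ext,dialed,seconds). Friday
# 2012-03-09: extension 1001 makes a daytime domestic call and one daytime
# international call; extension 1042 fires a burst of international calls
# at 03:00, the signature of a compromised account being dialled by a script.
SAMPLE_CDR = """start,ext,dialed,seconds
2012-03-09T14:02:11,1001,2125550147,184
2012-03-09T10:15:00,1001,+442079460000,240
2012-03-09T03:00:05,1042,01123455550100,61
2012-03-09T03:00:07,1042,01123455550101,59
2012-03-09T03:00:09,1042,01123455550102,62
2012-03-09T03:00:11,1042,01123455550103,58
2012-03-09T03:00:13,1042,01123455550104,60
2012-03-09T03:00:15,1042,01123455550105,61
"""

INTL_PREFIXES = ("011", "+")   # assumption: NANP-style international dialing
BURST_CALLS = 3                # international calls ...
BURST_WINDOW = timedelta(minutes=5)   # ... within this window from one extension


def is_international(dialed):
    """True when the dialed string carries an international prefix."""
    return dialed.startswith(INTL_PREFIXES)


def in_business_hours(ts):
    """Assumed office hours: Monday to Friday, 08:00 to 18:00 local time."""
    return ts.weekday() < 5 and 8 <= ts.hour < 18


def scan_cdr(cdr_text):
    """Return {extension: sorted list of reasons} for extensions whose
    international calling looks like toll fraud.

    Two rules are applied to international calls only: any call placed
    outside business hours, and BURST_CALLS or more calls inside
    BURST_WINDOW from the same extension. Domestic calls are ignored.
    """
    reasons = defaultdict(set)
    recent_intl = defaultdict(deque)   # ext -> timestamps of recent intl calls
    for row in csv.DictReader(StringIO(cdr_text)):
        ts = datetime.strptime(row["start"], "%Y-%m-%dT%H:%M:%S")
        ext, dialed = row["ext"], row["dialed"]
        if not is_international(dialed):
            continue
        if not in_business_hours(ts):
            reasons[ext].add("after-hours international call")
        recent = recent_intl[ext]
        recent.append(ts)
        while recent and ts - recent[0] > BURST_WINDOW:
            recent.popleft()
        if len(recent) >= BURST_CALLS:
            reasons[ext].add("international call burst")
    return {ext: sorted(r) for ext, r in reasons.items()}


if __name__ == "__main__":
    for ext, why in scan_cdr(SAMPLE_CDR).items():
        print(f"extension {ext}: {'; '.join(why)}")
```

Run against a live CDR feed, a hit on either rule is the moment to disable the extension or trunk and call the provider, well before the next day's bill arrives. Extension 1001's single daytime international call produces no alert, which is the point: the rules key on rate and timing rather than on international dialing as such.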

VoIP is here to stay and the benefits of Unified Communications far outweigh the risks. While toll-fraud attacks, like all internet security risks, will continue to happen and will potentially become more sophisticated, there are ways to greatly reduce your risk by partnering with a Cloud Unified Communications company that offers a bundled Unified Communications service, QoS, and secure data services, including a full solution with best-practice toll-fraud mitigation techniques in place.