The business telephone, by its very nature, has become an open conduit to connect people in an immediate and direct manner. The telephone system serves as the voice network for enterprises, and it’s a core element of every organization’s IT infrastructure.
Yet over the last decade, the standard voice network has lost its luster in favor of a new wave of collaboration tools and applications that began with BYOD and have evolved into integrated chat, web, video meetings, and virtual meeting hubs. In effect, the telephone has become a utility, and we expect it to just work.
How many of us hesitate to answer our own cellphones these days, because it’s possibly a spoofed call, robocall, or potential bad actor? That same situation happens across every large organization. But enterprises must continue to use their phones to conduct business through inbound calls, outbound calls, and SMS text messages.
In many ways, the voice network offers a vulnerable open doorway for cybercriminals who count on a human to answer the phone. Yet voice network traffic remains an under-appreciated threat vector, because the great majority of technology and security professionals still do not focus on the voice network as a pathway for cybercriminals.
For this reason, the bad guys have adopted a variety of social engineering techniques to trick employees into giving away protected company data over the phone. Unwanted voice traffic can come in many forms, including robocalls, spoof calls, scam calls, spam calls, spam storms, vishing (voice phishing) attacks, and smishing (SMS phishing) attacks. When such strikes succeed, they can lead to financially crippling blackmail attempts and extortion through ransomware lockdowns, as well as data breaches, data theft, IP theft, identity theft, and damage to the brand reputation.
Vishing attacks on voice networks have only gotten worse
To gain deeper insights into industry awareness about the risks of voice network attacks, we recently conducted a survey of attendees, presenters, and vendors at two high-profile technology industry conferences, RSA and Cisco Live. The survey found that nearly half of organizations (47%) experienced a voice phishing or social engineering attack in the past year.
The biggest source of security risk today stems from employee errors, according to 43% of survey respondents. More than four in five respondents (81%) agreed or strongly agreed that their organizations identified vishing, smishing, social engineering, and robocalls as major security threats. Yet remarkably, more than one-third of respondents to our survey (38%) said their organizations do not collect any data on the amount of inbound, unwanted, and potentially malicious voice traffic hitting their organizations.
In addition, more than one-fourth of survey respondents (26%) were unsure about which tools were used to protect their voice networks, and 9% admitted that their organizations had no solutions in place whatsoever to protect their voice networks.
Survey respondents were clear that cybercriminals are actively leveraging a broad range of tactics to attack organizations through the voice network, and these attacks are often successful. What didn’t come through as clearly was which internal business units should protect the voice network, and which tools or solutions companies can apply to thwart the bad actors.
These kinds of attacks are broadly damaging to enterprise security and society at large. Unwanted voice traffic makes up an average of 9% of all calls to enterprise networks. More than three-fourths of U.S. organizations (77%) have faced vishing attacks, and more than one-third of all vishing attacks (37%) have succeeded. In the aggregate, U.S. enterprises lose some $3.3 billion each year because of breaches of voice networks.
Security awareness training alone does not solve the issue
We see growing recognition that a real problem exists, but there’s little clarity about who must address the problem, or what technical solutions can combat it. Many organizations turn to employee training for a solution, but such training is often incomplete and ineffective.
Security awareness training does not suffice anymore because the cybercriminals change their tactics so often, and the bad guys are much better trained than most employees. In fact, 95% of cybersecurity breaches are caused by human error, according to findings by Cybint Solutions.
Users answering their personal mobile phone or corporate line must be able to trust that the call is legitimate. Technical solutions are now available that are highly effective at removing unwanted voice traffic. These voice traffic filters block known bad calling numbers, and some top-tier products have innovative voice CAPTCHA technologies to automatically quarantine and validate suspicious calls.
We can’t overstate that when business telephones are involved, the issue becomes uniquely human. People continue to prefer the phone for critical support requests, customer service, and meaningful one-to-one business communications. So, beyond training, organizations must protect their people with systems and technologies that eliminate voice network threats.
Roger Northrop, chief technology officer, Mutare