VoIP security industry: Guilty as charged
Plus, 10 nasty questions to ask your VoIP supplier
The Jericho Forum Outlook
By Paul Simmonds, Network World, 11/05/2007
Simmonds is a member of the management board of the Jericho Forum, an organization pushing for innovation in e-commerce security, and is also chief information security officer for a large, global chemicals corporation. Here, Simmonds speaks out about why the Jericho Forum regards today’s VoIP systems as “guilty” of not meeting a necessary level of security. For anyone discussing this with their vendors, Simmonds has also drawn up a list of “Ten ‘nasty’ questions to ask your VoIP supplier” that is included at the end of this column.
We in the IT security industry are collectively guilty of allowing a fundamentally insecure system such as VoIP to be launched into the market.
We have known for years that “secure out of the box” should be the only acceptable default. Yet VoIP is not only insecure by default, it is almost impossible to make natively secure. What’s worse, VoIP end devices (the phones) are full computers, usually with their own Web browser and an insecure file-transfer protocol for fetching firmware updates.
So just as organizations are coming to grips with managing the vulnerabilities on their PCs, we have just doubled the management nightmare: every phone is now another networked computer that has to be patched and monitored.
The return-on-investment claims made for moving to VoIP rarely stand up to proper scrutiny. The phones cost more than a standard “business” phone and have a shorter replacement cycle. Gartner, in its November 2006 report, says that “IP telephony technology, in many cases, can be more expensive than equivalent TDM-based PBX Systems.”
The promised benefit of toll bypass (routing your voice traffic over your private WAN to take advantage of spare WAN capacity) is undermined by the fact that peak time for voice traffic is also peak time for data traffic on the WAN. Most network managers I know are looking for ways to offload peak traffic from congested, expensive corporate WAN links, not to add huge volumes of latency-sensitive voice traffic to them.
Computer-telephony integration (CTI), the ability to tie your computer to your phone, is another “benefit” on the salesperson’s list, with features such as Click to Call, Find Me/Follow Me and Unified Messaging, but in reality companies rarely take advantage of such options.
Then toss in all the extra Band-Aid solutions you need to add to make it even partially secure, from VoIP firewalls to specialist VoIP security assessments (just run a Google search for “VoIP security solutions”), plus the extra management for firmware upgrades, vulnerability assessment and mitigation, and of course the WAN upgrades, and all of a sudden those incredible savings the salesperson promised magically disappear.
Comments (1)
RE: VoIP security industry: Guilty as charged
By Shawn Merdinger on November 15, 2007, 8:41 am
Nice job with the nasty questions. There are so many more to ask that I humbly suggest the comments section here to include more. Here's number 11 from me: Explain...