Some experts are even urging Congress to consider VoIP security implications as it starts to revise the Telecommunications Act of 1996. They believe the government may need to impose new standards or requirements for critical infrastructure, especially where it relates to emergency services or national security. "I do know that if there is a significant VoIP security event, there will be a reaction from Congress and the executive branch," says Roger Cressey, a former White House cybersecurity official from 1999 to 2002 and now the president of Good Harbor Consulting.

CIOs who have already begun using VoIP advise those considering it to start focusing on security now. That way, they can avoid the expense and frustration of patching and fixing their systems after the fact. "You’ll be sorry if security is an afterthought with VoIP," says Gary Heller, deputy CIO for the Arizona Healthcare Cost Containment System, the state agency that administers Medicaid. Heller recently helped install VoIP between the agency’s five metro Phoenix offices and its 11 call centers. "We’re comfortable now only because we took the time to do the due diligence and proactive monitoring that can lead to a safe VoIP environment. If we didn’t have all that, I’d be scared." Here’s what a number of early VoIP adopters have done to realize the cost savings of VoIP and to save their companies from a potential disaster.

Full VoIP Ahead

With VoIP, PBXs—the backbone of the traditional phone system—are replaced by IP voice servers that usually run on Microsoft or Linux operating systems. These "call management boxes" deliver VoIP services and log call information—and they are susceptible to virus attacks and hackers. VoIP is even more sensitive than data when it comes to disruption and packet loss. Yet many security measures that are applied to data networks don’t work well for VoIP. For example, traditional firewalls can result in delays or blocked calls, and encryption can cause "latency" and "jitter" (packet slowdowns that can disrupt calls). As a result, security techniques must be specialized for VoIP. And it should go without saying that VoIP equipment should be placed in a secure, locked location.

Despite the perceived gaps in VoIP security, there haven’t been any reports of large-scale cyberattacks or security breaches of VoIP networks. That’s due in part to the fact that vendors and service providers are offering a wider variety of VoIP firewalls, intrusion prevention systems and other protective devices when they install the systems. VoIP adoption also is still in its early phases. According to Osterman Research, only one in 10 U.S. companies has deployed VoIP in the workplace. But that will soon change. By late 2007, the research firm predicts, 45 percent of companies will have some form of VoIP, and adoption is expected to accelerate thereafter as many large organizations will need to replace aging telecommunications infrastructures.