VoIP could provoke 'electronic Pearl Harbour'

Companies' rush to embrace voice-over-IP services could leave them open to a major attack, according to security experts

The head of information security for the Royal Mail has warned that voice-over-IP (VoIP) applications will expose companies to hackers and malicious code if not implemented correctly.

Speaking at the annual Business Continuity Expo in London's Docklands, David Lacey, director of information security for the Royal Mail Group, said that he expects a widespread IT security incident to occur in the next two years, possibly as a result of companies hastily moving to VoIP without carrying out the necessary due diligence.

"An electronic Pearl Harbour-type event will happen in 2006 or 2007. I do stand by that. New technologies such as VoIP risk driving a horse and cart through the security in our networks," he said.

Lacey, one of the founders of the Jericho Forum security user group, said that VoIP represented a particular threat to enterprise network security as companies may rush to take advantage of cheap telephony services without thinking about the security aspects. "If VoIP is implemented in a very fast way, that will be a pretty major threat," he said.

In a survey released last month from the Computing Technology Industry Association (CompTIA), VoIP was named as the application capable of offering the greatest productivity gains by 34 percent of respondents.

Voice systems do not have the same security heritage as data networks, which could make VoIP a fundamentally insecure part of a company's network infrastructure, added Lacey. By using the same network for all their voice and data traffic, companies also risk "putting all their eggs in one basket", he said.

A recent report from consultancy BearingPoint, Making the Leap to the Next Generation, claimed that "the global networks of many financial services firms and other enterprises are 'networks of networks' cobbled together through mergers and acquisitions. The result is often inefficiency, high cost, inadequate disaster recovery and an inability to deliver new bandwidth-intensive applications."

Lacey made his comments while chairing a debate on the most pressing risks to IT at the BC Expo.

David McCaskill, section manager for Global Security Solutions at pharmaceutical giant Procter & Gamble, also participating in the debate, agreed with Lacey's prediction of a major IT security incident in the near future. "I think the risk is real. The US East Coast blackout was a wake-up call for people who didn't believe that a disaster involving critical infrastructure could come out of the blue," he said. "Systems are becoming so complex that no human being can fully understand the potential problems."

But Jamie Watters, business continuity manager for Barclaycard, who was also on the panel, disagreed that a major IT catastrophe was looming. He claimed that it was much more likely that a cumulative series of small events would prove to be more serious over time. "I think lots of little incidents are potentially more damaging. That is what has happened in the past. A series of small things acting together is probably what is going to kill me in the long run rather than one big incident."