What is SIP Trunking?
SIP (Session Initiation Protocol) Trunking is a digital way of making and receiving phone calls and other communications over an internet connection. The term trunking refers to the method of consolidating multiple communication channels into one singular connection. SIP Trunks provide VoIP (Voice over Internet Protocol) connectivity between on-premise phone systems to the PSTN, which allows for the efficient use of resources and connection to the telephone network.
Working with a trusted SIP provider like Fuse 2 ensures your VoIP infrastructure is built with security at its core, not as an afterthought.
What happens if I’m not SIP Trunk compliant?
SIP trunk compliance entails adhering to the regulations, standards, and legal requirements that govern the use of SIP trunks. The purpose of these regulations is to guarantee that the SIP trunking services are safe and secure. Following these regulations isn’t just a legal requirement; it’s a very important part of your SIP provider’s operational integrity. Failure to comply with Ofcom and GDPR can lead to severe consequences. Businesses may face serious legal consequences if providers fail to adhere to the mandatory E911 or PCI DSS requirements.
So what does this mean for you, the customer. Well, if your provider fails to comply with the outlined regulations, standards and legal requirements your business can experience data theft, latency, jitter or full seizure of services. Not to worry though, no legal action will be taken against your business if your SIP provider is not compliant – this will all fall back on them! This blog details the actions your SIP provider should be taking to ensure that your communications are compliant and to ensure continuity of secure and high quality communications.
Enterprise VOIP CIO
1. Call Authentication & Identity Protection
It’s estimated that 24.9% of all global calls are identified as scam attempts, taking personal and financial information with the majority being call spoofing. Call spoofing is when a caller purposely falsifies the information transmitted to your caller ID to hide their identity. Attackers usually use neighbour spoofing, which can present well recognised numbers (either local or business) to the receiver of the call and in-turn trick them into answering.
Choosing a provider that pro-actively monitors this activity is important, here’s how they can do it:
- Providers must conduct a thorough background check on customers purchasing numbers in locations not native to their billing address. CLI validation (Caller Identification) helps avoid spoofing by ensuring that the phone number calling you is real and can be trusted.
- Your provider is also responsible for monitoring their outbound traffic and also who is using their SIP services. A provider who can not pro-actively monitor their own network is at risk of enabling spoof calls. If this happens and is flagged, your services could be seized due to the closure of your provider.
- It is important to research into providers that follow Ofcom’s General Condition C6 regulations. These providers are more credible and ensure that scammers cannot spoof numbers.
2. Emergency Services Compliance
Ofcom’s General Condition 4 requires VoIP services to support access to 999/112 emergency services; however, some VoIP systems don’t allow calls to the emergency services. If users can’t get in proper contact with the emergency services because of their VoIP system, it may have a significant impact on their response time, which is critical in an emergency. Furthermore, failure to provide reliable access to emergency services can have serious legal consequences, which can lead to fines or service bans.
When onboarding with a SIP provider, it is crucial to check that they are compliant with the emergency services law. To ensure compliancy and avoid these risks, if not already doing so, switch to a provider that supports location-aware emergency routing and ensure that your SIP trunks are correctly configured. When onboarding with a new provider also check that they are capturing your emergency address. This is a clear indication that they are adhering to industry regulations.
3. Data Protection & GDPR
Under UK GDPR, both SIP metadata and call recordings are classified as personal data because both can identify someone directly (either by name or number) or indirectly (through IP addresses or other identifiers). Since these forms of data can hold personal information, mishandling them can lead to ICO investigations, as this would be a breach of data protection. The consequences for serious breaches in data can be enforcement notices or large monetary penalties. For you, the customer, GDPR compliance is one that can affect you the most! A security breach within your communications can be crippling, especially if your team receives sensitive information over the phone. Not only can you be targeted, this can then be taken one step further by targeting your customers.
Here are some methods that your provider should be taking to be more compliant:
- Transport Layer Security (TLS) and Secure Real-Time Protocol (SRTP) protocols. These extra layers of network security make stolen data unreadable and therefore useless to the perpetrators.
- A Data Protection Agreement (DPA) helps prevent data breaches by clearly outlining the responsibilities of both data controllers and processors when managing personal information.
- Call Logging consent provides evidence and helps avoid any legal trouble, and it also demonstrates respect for the person’s privacy and their right to control their personal information.
- Transparency of Data Storage. It is essential that in your onboarding your provider is transparent about where your call data will be stored. This is a key step in enhancing your digital privacy and also guarantees that should the worst happen, your provider can identify the root cause and knows how to stop the problem escalating.
4. Robocall & Spam Call Mitigation
Fraudsters can send spam and scam calls by using SIP trunks and masking their real caller ID. Ofcom makes Calling Line Identification (CLI) mandatory by emphasising that phone companies need to mitigate the spoofing of real UK numbers. IP address abuse is a growing problem in the realm of cybersecurity, and if your provider’s IP address is involved with spamming or scamming, it can be blacklisted from other networks.
A method to prevent this it’s best to use a provider with outbound traffic filtering. This is because they can closely examine call volume for unusual patterns and establish usage thresholds. A good pre-requisite question to ask is if your provider has alerts for unusual traffic, and if there is any rate limiting to maintain stability and security.
This will ensure that they are ahead of the curve with detecting abnormalities in call traffic and can mitigate the issue before it gets out of hand! Providers who can implement spend limits and time of day routing are essential when it comes to fraud mitigation. This means that upon liaising with your team, they can define what times of the day you will not be using the phone and how many calls you expect to make in a day.
When these limits are breached this will flag to your provider and your system will be blocked instantly until resolved or confirmed by a member of staff that it was not fraudulent.
5. Network Security
SIP trunks can be vulnerable to toll fraud, DDoS and brute-force attacks. A data breach may result in serious short-term and long-term financial costs, including the costs of remediation and the costs of cybersecurity experts repairing and storing data, to reduced sales and loss in investor confidence. Businesses may also experience fines for failing to comply with data protection laws on top of all other costs. Aside from financial losses, there are also reputational impacts after a data breach that may be difficult to repair.
Some methods your provider should use to prevent data breaches are:
- Session Border Controller: SBCs act as a security gatekeeper and ensure that voice and video data is protected against threats like DDoS.
- IP White Listing: A crucial security measure that prevents access to specific IP addresses. This guarantees that only authorised users can connect to your system.
- Strong passwords: Malicious attackers have a much harder time trying to gain access to accounts and systems when there are strong passwords that are changed regularly.
- Fail2ban: This actively prevents brute-force attacks by examining system logs and dynamically blocking malicious IP addresses.
- Real-time monitoring: This allows for instant detection of suspicious patterns and allows for immediate responses before threats cause damage.
6. Configuration & PBX Integration
An incorrect trunk or PBX setup can result in a variety of communications problems, including failed calls, audio problems and even security risks. These can significantly raise costs because of increased troubleshooting time, higher call volumes to support and potential service disruptions. Furthermore, an incorrect configuration of a PBX and its SIP trunks can lead to types of outages, interrupting inbound and outbound calls. This can also lead to non-compliance with CLI or emergency calls.
To minimise failed calls and disruptions, it’s best to follow your PBX vendor’s and provider’s recommendations for security and maintenance. This typically means the usual, keeping on top of updates, strong passwords, and watching out for unusual patterns.
Besides in-house protocols which you can implement, your provider should confidently be able to provide proof of the below steps to ensure your configuration is air-tight!:
- Codec Compatible: Affects call quality and bandwidth usage by compressing data to optimise quality during transmission.
- The correct NAT and Port Configurations: Help ensure a strong network performance and connectivity.
- SIP Registration and Security: Protects your business from fraud and eavesdropping, while also maintaining call quality and minimal disruptions.
7. Monitoring, Logs & Audit Trails
Without event logs, it can be hard to prove compliance or to investigate issues that identify the source of a problem. Logging documents provides all of the necessary evidence for accountability and decision-making. Keeping logs are also effective in SLA management because they provide records required to examine and improve service performance against agreed-upon service levels.
Securely storing your SIP logs, CDRs, error codes, and any configuration changes is vital for legal compliance. It’s best to ensure that there is a robust logging system which guarantees secure and centralised log management. A further important feature a provider should have, is to have alerts for call failures and abuse to ensure quality and safety. Your provider should have a dashboard and log viewer that provide crucial insight into the performance and health of applications and infrastructure.
8. Choosing a UK-Compliant SIP Provider
Not all SIP providers in the UK will meet the legal and security standards. Working with a non-compliant provider will leave your business legally vulnerable and at operational risk.
Before selecting your provider, it’s important to ensure that they
- Are Ofcom-registered
- Support emergency call routing with location info
- Store data in the UK/EEA
- Hold ISO 27001 or Cyber Essentials certification
- Offer 999 support
- Have robust data measures
- Have published SLAs
Do you really need sip trunk for 3cx
9. Internal Training & Operational Alignment
Your tech system will only be as strong as the team that runs it. The staff running your system must have a high level of expertise to ensure its success. To ensure that your workplace is compliant, your organisation must train staff to ensure successful maintenance of the system. To ensure that tasks are carried out the same way by everyone, Standard Operating Procedures (SOPs) must be documented and followed by the organisation.
While it is important for you to have a designated in-house technical lead, it is also important to remember that your provider should be the ones responsible for all high level technical issues. They are the experts in this field so, if they are putting too much responsibility on your staff it’s time to make the switch! Your staff should not be in charge of managing SIP compliance, nor should you be expected to have a deep knowledge of VoIP configuration.
10. Continuous Review & Regulatory Monitoring
Ofcom, the ICO, and industry best practices are always evolving to keep up with the rapidly changing media and communications landscape. Failure to keep up with these changes to regulations and software updates can drastically increase the likelihood of non-compliance and security vulnerabilities.
There are a few important measures that can be implemented to ensure that the workplace is compliant. For instance, scheduling internal audits to assess your organisation’s adherence to policies and procedures quarterly. When doing these reviews, it’s important to:
- Review SIP configuration and compliance.
- Ensure that ICO and Ofcom updates are tracked and actioned.
- Ensure that your provider’s SLAs and qualities still meet your needs.