Many small organisations rely on a private branch exchange (PBX) phone system every day, often unaware that it’s a vital component within their organisation that they need to protect against cyber attacks.
Since our new guidance on securing PBX systems is aimed at the more technical audience, this brief blog summarises why you should care about your PBX, and how you go about protecting it.
What is a PBX system?
A PBX system is a private telephone network that is connected to the internet and is used to manage and route incoming and outgoing telephone calls within an organisation. Most systems offer features not available through regular phone lines, like call forwarding, diverting, voicemail and conference calling.
As with any system that’s connected to the internet, PBX systems, if not configured correctly, can be targeted by cyber criminals, who might route calls to high-rate overseas numbers, or set up scam lines that charge a premium rate.
In addition to this ‘dial-through fraud’ (as it’s known), compromised systems can be used to carry out DoS attacks against another organisation, so it’s important to keep your PBX system secure for everyone’s benefit.
How to protect a PBX system
By following the steps outlined in the guidance, organisations of all sizes can reduce the likelihood of attackers compromising their PBX systems, whether they use a managed service hosted ‘in the cloud’, or a service located within their premises. There are also some general mitigations that should be implemented regardless of the type of PBX used. These include ensuring users understand the importance of using strong passwords to access the system, and the need to protect administrative accounts by setting up two-step verification (also known as ‘multi-factor authentication’).
Read the small print
As the guidance explains, your organisation - as the PBX owner - is responsible for the security and administration of your phone system. You should thoroughly examine any PBX contract (or consult with your legal/financial experts if necessary) before signing, to protect yourself from unintended financial consequences.
For example, you may decide that you need to limit the types of calls staff make, or restrict the ability to forward calls to an off-premise number. If you’re using a managed service, then attacks as a result of misconfiguration are the responsibility of the provider, something to keep in mind if you’re pressured into taking out insurance to defend against attacks that should be covered by your managed service provider. As usual, it pays to read the small print.
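The two controls described above, an outbound call policy that limits the types of calls staff can make, and a review of call records for the dial-through fraud pattern (premium-rate destinations, overseas calls out of hours, bursts of international calls from one extension), can be expressed in a few lines. The following is an added example written for this post; it is not NCSC code and not taken from any PBX product. It assumes a UK dialling plan (numbers starting ‘00’ are international, ‘09’ premium rate), assumes office hours of 08:00 to 18:00 on weekdays, and assumes the PBX can export call detail records (CDRs) as ‘timestamp,extension,dialled number,duration in seconds’. The sample records are constructed from Ofcom drama-reserved and made-up numbers.

```python
"""Outbound call policy and dial-through fraud review over PBX call detail records.

Added example (not NCSC code). Assumptions: UK dialling plan where numbers beginning
"00" are international and "09" are premium rate; office hours 08:00-18:00 Mon-Fri;
CDR export lines of the form "ISO-timestamp,extension,dialled-number,duration-seconds".
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample CDR export (drama-reserved and made-up numbers, not real traffic).
SAMPLE_CDR = """\
2024-03-01T09:12:04,201,02079460000,95
2024-03-01T10:40:31,204,01632960123,310
2024-03-01T14:02:55,204,0033155500001,420
2024-03-02T02:14:09,210,0061155512345,1800
2024-03-02T02:21:44,210,0061155512346,1750
2024-03-02T02:29:17,210,0061155512347,1790
2024-03-02T02:37:02,210,0061155512348,1820
2024-03-02T11:05:10,201,0909879000,60
"""


@dataclass(frozen=True)
class Call:
    when: datetime
    extension: str
    dialled: str
    seconds: int


@dataclass(frozen=True)
class Finding:
    extension: str
    reason: str
    dialled: str = ""


def parse_cdr(text: str) -> list[Call]:
    """Parse the assumed comma-separated CDR format; blank lines are skipped."""
    calls = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ext, number, secs = (field.strip() for field in line.split(","))
        calls.append(Call(datetime.fromisoformat(ts), ext, number, int(secs)))
    return calls


def classify(number: str) -> str:
    """Destination class under the assumed UK dialling plan."""
    if number.startswith("00"):
        return "international"
    if number.startswith("09"):
        return "premium"
    return "domestic"


# Outbound policy modelling "limit the types of calls staff make": premium-rate
# destinations are never permitted; international calls only from allow-listed extensions.
@dataclass(frozen=True)
class OutboundPolicy:
    international_allowed: frozenset[str]


def is_permitted(call: Call, policy: OutboundPolicy) -> bool:
    kind = classify(call.dialled)
    if kind == "premium":
        return False
    if kind == "international":
        return call.extension in policy.international_allowed
    return True


BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)


def out_of_hours(when: datetime) -> bool:
    """Weekend, or outside 08:00-18:00 on a weekday (assumed office hours)."""
    return when.weekday() >= 5 or not (BUSINESS_START <= when.time() < BUSINESS_END)


def find_suspicious(calls: list[Call], burst_threshold: int = 3) -> list[Finding]:
    """Retrospective review of a CDR export for dial-through fraud patterns."""
    findings = []
    intl_per_ext_day = Counter()
    for c in calls:
        kind = classify(c.dialled)
        if kind == "premium":
            findings.append(Finding(c.extension, "premium-rate call", c.dialled))
        elif kind == "international":
            intl_per_ext_day[(c.extension, c.when.date())] += 1
            if out_of_hours(c.when):
                findings.append(Finding(c.extension, "international call out of hours", c.dialled))
    # A burst of international calls from one extension in a day is the classic fraud signature.
    for (ext, day), n in intl_per_ext_day.items():
        if n >= burst_threshold:
            findings.append(Finding(ext, f"{n} international calls on {day}"))
    return findings


if __name__ == "__main__":
    calls = parse_cdr(SAMPLE_CDR)
    policy = OutboundPolicy(international_allowed=frozenset({"204"}))
    for c in calls:
        if not is_permitted(c, policy):
            print(f"would be blocked by policy: ext {c.extension} -> {c.dialled}")
    for f in find_suspicious(calls):
        print(f"suspicious: ext {f.extension}: {f.reason} {f.dialled}".rstrip())
```

Run against the constructed export, the policy would have blocked the five calls from extensions 210 and 201, and the review flags the overnight burst of overseas calls from extension 210 as well as the premium-rate call from 201, while leaving the in-hours international call from the allow-listed extension 204 alone. Whether your provider can enforce such a policy, and who pays when it isn’t in place, is exactly the kind of question to settle in the contract.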
What to do if you think you’ve been compromised?
If you think your PBX system has been compromised, in the first instance you should contact your PBX provider. If you’ve lost money, you should contact your bank, and also report the incident as a crime to Action Fraud, the UK’s reporting centre for cyber crime (unless you’re in Scotland, in which case contact the police by dialling 101). By reporting an incident, you’ll be helping the NCSC and law enforcement to reduce criminal activity.