VoIP and the Perception of Risk
Is Voice over IP much less secure and much less robust than good old-fashioned POTS? Let me try to answer the question with a back-to-front thought experiment. One way to manage a risk is to 'share' it. In other words, you pay a premium to an insurance company so that when something goes wrong, the cost falls on the insurer and not on your business. With more and more corporations switching to IP-based telephony to cut costs, if their risks are higher, then an economically rational market should respond with an increase in premiums for those policies that cover the relevant risks. A relevant risk would be lost sales because communication outages deny customers the chance to place orders. That there has been no notable increase in premiums suggests that the switch to VoIP does not lead to a measurable increase in risk.
With that in mind, it is interesting to see that one technology firm has decided to make a pitch about the dangers of VoIP directly to the insurance companies. In their report, Emerson Development says:
"The VoIP Industry is attempting to manage the risks generated by VoIP; however their approach is inadequate... Internet phone service (sic) will suffer the same critical cyber-security risks as every other Internet system, and therefore will become a likely attack vector for hackers, cyber-criminals, foreign governments and terrorists... This is significant to the Insurance Industry because a growing range of insured user sectors depend upon VoIP..."
I will stop short of endorsing the report because its tone does sometimes stray over the boundary from alarming to alarmist. For example, I get the point that anybody might set up a DNS server without needing the illustration that it could be a "drug user who needs money". But the very existence of the report is a useful reminder that managing risk also includes managing the perception of risk. Even if fears are unfounded, they can have an economic impact. That impact might be measured in terms of insurance premiums. It might also be measured in terms of lower numbers of sales, especially to risk-averse customers.
As the industry moves towards an all-IP world, security and robustness are not just critical in themselves, but critical because providers need to allay the fears of their customers and other stakeholders. The exaggeration of risk by parties outside a business can hurt the bottom line just as the bottom line can be hurt when management underestimates risk. Risk management has both an outward-facing and an inward-facing role, and businesses need to effectively link the two. And the best demonstration of that can be found regularly on the news - just ask BP's outgoing CEO, Tony Hayward...
Posted 07-28-2010 9:29 AM by Eric Priezkalns