Skype security: Is it safe for business?

According to data released last month from research firm TeleGeography, Skype, the popular software that allows computer users to make calls over the internet, now accounts for 12 percent of all long-distance calls. The company saw its user base grow to more than 500 million accounts in 2009 and is making a run at a new market this year.

So far, the popular VOIP provider has been primarily used in personal, consumer settings. But in 2009, Skype launched Skype for SIP, a service that lets its peer-to-peer VoIP clients interact with existing IP PBXs and is aimed at small businesses looking to get in on the cost savings of internet telephony. Skype for SIP (also known as Skype for Business) was launched in beta early last year and brought into public beta at the end of 2009.

While many large businesses have used VOIP services for years, those enterprise-class VOIP systems typically used in corporate environments differ from Skype, according to Michael Gough, an information security specialist and president of the Austin, Texas, chapter of ISSA. Gough, owner of the web site, and author of Skype Me! From Single User to Small Enterprise and Beyond, gave us his thoughts on Skype’s benefits and challenges in the business environment.

We know that Skype is making a play for business customers with Skype for SIP. But as it stands now, do you think it is used in many business organizations?
Michael Gough: Predominantly it is still used by individuals, but a lot of small-to-medium-sized businesses utilize Skype to cut costs for things like road warriors. Another common use I’ve seen in business is in outsourcing off-shore resources like help desk or support scenarios where you have a lot of people outside your state and doing off-hour support. Often Skype is an option for some of these companies.

Are there security concerns with Skype that are unique when compared to other VOIP solutions?

In any corporation, if you are going to install software on an end user's computer, you have to do your governance. You have to set the rules that govern what you are going to do or allow with any piece of software. So every enterprise has the challenge of controlling the proliferation of Skype into the environment. If you’re a local administrator, and you’re going to install the product, now, all of a sudden, you have texting and voice conversations that are potentially encrypted and something that the enterprise or company can’t monitor. That is definitely a challenge.

The first thing an administrator should do is say ‘what are my rules about this? Do I have requirements that say I have to capture IM traffic?’ for instance. For example, if you have employees trading stocks, bonds, anything like that, you can’t use an IM solution (which Skype contains) unless it is actually auditable. It has to be recorded. Anything they chat about has to be able to be logged and printed out.