How Phone Conferencing Security Works

By: Dave Roos
In today's global business market, conference calls are a necessity in keeping operations running smoothly.
© Photographer: Tomasz Trojanowski | Agency: Dreamstime

Phone conferencing is key to doing business in a global economy: It brings together associates from around the world for real-time exchanges of important information.

In business, information is gold. According to the American Society for Industrial Security, as much as 75 percent of the market value of the average American company is made up of "intellectual property assets" like patented product designs, source codes and confidential client data [source: Asis International].­


Since business executives often use phone conferences to discuss sensitive, valuable information, it's crucial that they invest in phone conferencing security. Without the proper security, disgruntled former employees and savvy hackers can eavesdrop on private phone conferences and sell the privileged information to the highest bidder. A secure phone conferencing setup will have protocols and safeguards in place for controlling access to conference information during and after the call.

In this HowStuffWorks article, we'll explain how to set up a secure phone conference that'll keep your business associates informed and corporate thieves at bay.


Setting up Secure Phone Conferences

Former Vice President Al Gore (above) would need more security for his conference calls -- it's necessary to encrypt them.
Tim Sloan/AFP/Getty Images

The fundamental security consideration when setting up a phone conference is access control. Since phone conferences are "invitation only" events, a certain level of access control is built into the invitation process itself.

To invite someone to participate in a phone conference, you need to send him or her a dial-in number and an access code for that individual call. No one can enter the phone conference without this information.­


It's not uncommon for a company to use the same dial-in number and access code for more than one phone conference. Also, if everyone in the phone conference uses the same access code, then the code tells you nothing about the individual who possesses it. The company CEO has the same access code as a spy from the competition.

To tighten access control, it's smart to assign each invitee a PIN (personal identification number) that's tied to their personal information in the phone conferencing system. This way, when the person logs into the phone conference with their PIN, the moderator knows exactly who has joined the call.

Most phone-conference systems allow the moderator to do a "roll call" of all the people participating in the phone conference. The moderator can do this either by pressing a special number command on his telephone keypad or through a Web interface. None of the other participants in the phone conference will hear the roll call other than the moderator.

Another handy security feature of most phone conferencing services is the ability to lock a conference, blocking any new guests from entering, even if they were invited.

Most phone-conference services also offer the option of using a live operator to assist with the call. For an added layer of security, the operator can greet new callers and ask for their PIN and personal information to see if it checks out with the invitee list. The operator can also introduce each new participant to the group as they enter the call.

For an even higher level of access control, a moderator can choose to dial out to his guests rather than have them dial into a central number. This way, the only people that can participate in the call are those who are contacted by the moderator himself.

For phone conferences that demand the highest levels of security -- like government or military calls -- simple access control won't cut it. Hackers don't have to be logged into the conference to eavesdrop on the conversation elsewhere on the network. To prevent uninvited guests from listening in, it's necessary to encrypt the call.

To do this, all the call participants must have an encryption box installed somewhere between their phone and the PSTN (public switched telephone network) [source: Snapshield]. The boxes use special encryption keys to establish a secure connection between the two phones. Without the right key, no one can listen in on the conversation.

Now let's go over some phone conferencing security tips.


Phone Conferencing Security Tips

Change access codes frequently, and only give them out to trusted sources.
© Photographer: Oleksandr Kalyna | Agency: Dreamstime

Along with the security measures discussed in the previous section, there are even more things you can do to achieve a high level of phone conference security.

  • Change access codes regularly. For highest security levels, use new access codes for each conference.
  • Consider a two-stage entry process, where participants are first brought into a virtual "lounge" area and then welcomed into the conference. This allows the moderator to see who plans to attend and to block uninvited guests.
  • Don't allow the conference to begin until the moderator logs in.
  • Activate sound alerts to notify the moderator when someone enters or leaves the conference.
  • Use a Web interface that shows exactly who is logged into the call, when they arrive and when they leave.
  • Consider using dial-out conferencing for smaller phone conferences that require high security.
  • At the call's end, disconnect all lines to make sure everyone leaves the conference.

[sources: allconferencing and indosoft]


Despite all these technical precautions, phone conference security often comes down to a matter of trust. According to a study by the American Society for Industrial Security, current employees with direct access to confidential information are the leading perpetrators of information theft, followed by computer hackers [source: ASIS International].

PINs and access codes should only be distributed to trusted sources. And even then, they should be changed and rotated out regularly. There have been several high-profile cases of former employees using their old access codes to log into corporate phone conferences long after they had been fired. This type of unauthorized access can easily be prevented by frequently swapping out old access codes and PINs.

Now let's talk about securing information after phone conferences.­


Securing Information after Phone Conferences

The reporters shown above hold their microphones to a speaker to record a conference call with Guantanamo Bay detainees. Reporters often record conference calls to refer back to for research purposes.
Brendan Smialowski/AFP/Getty Images

Securing information after a phone conference is as important as securing data during the call itself. Most phone conferencing services allow you to record the call. This can be activated by keypad commands or through a Web interface.­

Phone conference recordings are useful for several reasons. If someone couldn't attend the live conference, they can listen to the recording. Corporations can record earnings calls and stockholder reports as proof of compliance with federal disclosure laws. Reporters can even use conference calls to conduct interviews that can be recorded for research purposes.


There are a couple of different delivery methods for phone conference recordings. Some phone conference services allow you to keep your recording on their system for a certain amount of time, perhaps 120 days. Anyone with the original access code or PIN can dial into the system, enter their codes and listen to the conference recording.

Other phone conferencing services can mail hard copies or e-mail digital copies of the conference recording directly to the moderator and other participants. Digital copies typically arrive as a WAV or MP3 audio file. For an extra fee, it's also possible to receive a written transcription of the phone conference.

As with phone conference security in general, the key to securing information after a phone conference is access control. By keeping a recording on the phone conferencing system, it's still protected by access codes and individual PINs. Once a digital recording or hard copy of the phone conference is distributed, it's harder to control who has access to it.

For highly sensitive phone conferences, it's also recommended that all notes and preparatory materials for the meeting be shredded once the conference is over [source: allconferencing].

The future of phone conferencing is Voice over IP telephony (VoIP). VoIP is cheaper than conventional phone conferencing for both large and organizations, but it presents a host of new security concerns.

Conventional phone conferencing transmits data over phone lines using the Public Switched Telephone Network (PSTN). To intercept that data, someone would have to have physical access to the phone line or the company's Private Branch Exchange (PBX), a telephone exchange that serves only one business [source: National Institute of Standards and Technology].

With VoIP, voice data travels in packets over the Internet, passing through dozens of insecure routers along the way [source: National Institute of Standards and Technology]. For this reason, VoIP data needs to be encrypted like any other sensitive data on the Web (passwords, credit card numbers, etc.) and filtered by special firewalls. The challenge with securing IP phone conferences is to not slow down the transfer of packets so much that it affects the quality of the call.

For more information about phone conferencing security and related topics, check out the links on the next page.