But solutions providers can not only overcome those worries, they can net additional business in the process.
Security is the "main impediment" to more widespread VoIP deployment, said Dustin Kehoe, senior analyst for Current Analysis. It will eventually be the role of vendors to provide VoIP security, either built-in or through add-on products, but most are still a year or two off, Kehoe said. In the meantime, value-added resellers (VARs), systems integrators (SIs) and managed service providers (MSPs) can step in and fill the need.
The biggest opportunity is in selling VoIP security network monitoring services, Kehoe said.
"It'll drive the market for security specialists," he said. "The hardware can only do so much. You need people to actually look for breaches, just as you would a corporate network."
Dan Holt, CEO of Fort Collins, Colo.-based Heit Consulting, agreed. Heit sells Cisco VoIP systems to banks and credit unions, and always tries to package it with network monitoring, security or other managed services.
"We feel like it's critical," Holt said. "[Customers] do some type of managed services with us, and it still ends up being cheaper than the maintenance they were paying for their old PBX systems."
Heit also provides an extra layer of protection by selling Cisco Self Defending Network, which offers firewall, intrusion prevention system and other features.
"If you have those in place, you're making an enormous impact on the security of your VoIP network," Holt said.
Kehoe outlined two main ways hackers could exploit VoIP security: launching distributed denial-of-service (DDoS) attacks to reduce network and endpoint availability, and potentially more damaging, using the voice server as a back-door entrance to the corporate IT network.
But Phil Hochmuth, senior analyst for the Yankee Group, downplayed concerns over VoIP security. VoIP networks become secure using the same techniques as other networks -- through basic best practices, including network perimeter security and strong password management.
Most serious threats would have to come from inside the network, because hackers need to see the call server or know the IP or MAC address of a phone to launch an attack, Hochmuth said.
"It would be hard to take down a VoIP network from the outside," he said.
Still, customers have the perception that VoIP security is lacking, Holt said.
"It's a hurdle we have to get over, without a doubt," he said.
Heit's customers in the financial sector shied away from VoIP about two years ago, when the FDIC warned about security vulnerabilities. They are slowly becoming more accepting, and most will feel comfortable with VoIP security after talking with Heit's technical and sales staff, Holt said.
"Usually it just takes a bit of education," he said.