Why Voice Infrastructure is a Growing Risk for the Public Sector

In the world of Public Sector IT, the security conversation is usually dominated by ransomware, phishing, and hardening the network perimeter. Meanwhile, sitting on every desk and mounted in every classroom is an endpoint that is frequently overlooked: the desk phone. 

Legacy voice systems are no longer just utilities. They are network-connected devices that often run on outdated operating systems. If they aren’t managed with the same rigor as your servers and laptops, they become a backdoor for bad actors and a liability for public safety. As we move through 2026, voice security has officially become a top-tier priority for IT leaders. 

The Manual Patching Gap 

Most legacy, on-premise PBX systems rely on manual firmware updates. For a lean IT team at a school district or a small city, these updates often fall to the bottom of the priority list. 

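When a critical vulnerability is discovered in an older system, it often remains unpatched for months while the team focuses on firefighting other issues. This creates an opening for exploits against a flaw that is already publicly known, which is strictly an "n-day" exposure rather than a true "zero-day".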

In contrast, cloud-native platforms handle security patches automatically in the background. This removes the human error element and ensures your voice stack is hardened against the latest threats. According to the 2026 CISA Cybersecurity Strategic Plan, hardening the terrain through automated vulnerability management is one of the most effective ways to reduce the likelihood of damaging intrusions. 

Compliance: Beyond Data, Into Safety   

For government and education, security is not just about data: it is about physical safety. Federal mandates have fundamentally changed the requirements for voice infrastructure. Failure to comply is not just a technical oversight: it is a legal liability. 

  • Kari’s Law: This law requires that anyone can dial 911 from a multi-line telephone system (MLTS) without needing to dial a prefix like "9" first. As the FCC Kari's Law guidelines specify, the system must also be configured to notify a central location when a 911 call is placed. 
  • RAY BAUM’S Act: This mandate requires "dispatchable location" information to be sent with every 911 call. This means the emergency operator needs to know the specific floor, wing, or room number where the caller is located. The FCC rules for MLTS emphasize that this applies to both fixed and non-fixed devices on and off premises. 

Many legacy systems struggle to meet these requirements, especially in hybrid environments where staff move between buildings or work from home. 

Lateral Movement and Network Risk 

A compromised phone system isn't just a phone problem. Modern attackers use vulnerable IoT devices, including VoIP phones, as a beachhead to move laterally through your network. 

If your voice system is running on an outdated OS, an attacker can use it to gain a foothold. From there, they can scan your network, bypass VLAN protections, and eventually target your most sensitive data. Securing the voice layer is a critical component of a Zero Trust Architecture, which assumes that no device can be trusted regardless of its location or previous verification. 

The "Ghost" of Technical Debt 

Legacy systems often require specialized hardware that is no longer supported by the manufacturer. This "End-of-Life" (EOL) status is a security nightmare. When a vendor stops providing security updates, that system becomes a ticking time bomb. 

As noted in the CISA Hardening Guidance for Communications Infrastructure, organizations must closely monitor for vendor EOL announcements and upgrade as soon as possible to maintain visibility. We often see agencies paying premium maintenance fees for support that doesn't actually include new security patches. This is the "Legacy Tax": you are paying more for a system that is becoming less secure every day. 

Next Steps: Assess Voice Security and E911 Compliance 

Voice risk tends to stay quiet until an audit, an incident, or an emergency call that does not behave the way you expect. The most practical next step is documentation: inventory what is in service, confirm what is end-of-life, and verify that E911 requirements are consistently met across every site and work mode.

Once you have that baseline, prioritization gets easier. You can separate “fix now” gaps from longer-term modernization work, and tie both to clear risk reduction.
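
The baseline described above can be checked mechanically once the inventory exists as data. The following Python script is an added example, not part of the original article or any vendor tool: the CSV column names, the 180-day patch threshold, and the "fix-now" versus "modernize" bucketing are assumptions, and the inventory rows are constructed.

```python
import csv
import io
from datetime import date

# Constructed sample inventory: device names, sites and dates are invented.
SAMPLE_INVENTORY = """\
device_id,site,work_mode,vendor_eol,last_patched,direct_911,notify_target,dispatchable_location
ph-001,City Hall,fixed,2024-06-30,2023-01-15,yes,front-desk,Floor 2 Room 210
ph-002,Lincoln Elementary,fixed,,2025-11-02,no,,Room 14
ph-003,Remote staff,non-fixed,,2026-01-20,yes,security-office,
ph-004,City Hall,fixed,,2026-02-01,yes,front-desk,Floor 1 Lobby
"""

MAX_PATCH_AGE_DAYS = 180  # assumed local policy threshold, not a regulatory figure


def audit_device(row, today):
    """Return a list of (bucket, finding) tuples for one inventory row."""
    findings = []
    eol = row["vendor_eol"].strip()
    if eol and date.fromisoformat(eol) <= today:
        # EOL hardware gets no vendor fixes, so it needs replacement planning.
        findings.append(("modernize", f"vendor end-of-life since {eol}"))
    patched = row["last_patched"].strip()
    if not patched:
        findings.append(("fix-now", "no patch date recorded"))
    elif (today - date.fromisoformat(patched)).days > MAX_PATCH_AGE_DAYS:
        findings.append(("fix-now", f"firmware last patched {patched}"))
    if row["direct_911"].strip().lower() != "yes":
        findings.append(("fix-now", "Kari's Law: 911 not dialable without a prefix"))
    if not row["notify_target"].strip():
        findings.append(("fix-now", "Kari's Law: no 911 notification target"))
    if not row["dispatchable_location"].strip():
        findings.append(("fix-now", "RAY BAUM'S Act: no dispatchable location"))
    return findings


def audit_inventory(csv_text, today):
    """Map device_id -> findings, omitting devices with no gaps."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = audit_device(row, today)
        if findings:
            report[row["device_id"]] = findings
    return report


if __name__ == "__main__":
    for device, findings in audit_inventory(SAMPLE_INVENTORY, date(2026, 3, 1)).items():
        for bucket, finding in findings:
            print(f"{device:8} {bucket:10} {finding}")
```

Passing the audit date in explicitly keeps results reproducible, so the same inventory snapshot can be re-checked later and compared.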
