This is a question that we examined fifteen years ago. And the article was recently named as one of the top VoIP pieces of all time. After reviewing the piece, we found that it's just as relevant now as it was in April of 2003. Here's the original intro:
Voice over IP (VoIP) is no longer tomorrow's technology. High-speed networks that support quality-of-service (QoS) technology have come a long way in mitigating performance and availability issues.
But what about security? If your network is robust enough, securing VoIP is manageable. But if you're contemplating Internet telephony, you're entering dangerous territory.
Internally, voice running over your data lines is essentially no more or less secure than any other application in your IP infrastructure. And, in some respects, it's at least as secure as traditional telephony. VoIP is here, now, and growing. When we examine VoIP in the context of well-known issues of IP data and traditional telephone security, implementation remains a security challenge--but not necessarily a nightmare. Download paper...
Thanks to Marjorie at RingCentral for reminding me that this paper existed. Looking forward to your collective comments on this subject.