*Don't allow access to your phone's or server's web configuration pages from the Internet.
*If you run your own server and allow phones to use it from your WAN/Internet, then lock this down as much as possible - perhaps only allow access to your PBX from the Internet via a VPN.
Avoid using NAT where possible. However, some NAT gateways provide an adequate SIP ALG (e.g. Technicolor TG582), and some devices provide NAT that works with the new call server (e.g. FireBrick 2500/2700 and many simple NAT routers). If NAT works, then well done, but if not, we cannot guarantee that we will be able to make it work. See: [[VoIP NAT]]