Is Anyone Paying Attention to IM Security?

Carl Weinschenk



That was our reaction when we read this piece. We spend a lot of time splitting hairs and dealing with shades of gray: What is network access control (NAC)? Is it best to outsource or keep security in-house? Is it absolutely necessary to go with Wi-Fi Protected Access (WPA), or will Wired Equivalent Privacy (WEP) do the trick?


Those are important issues, but they can be a bit tedious. The piece is different, in that its point is stark and unequivocal: Instant messaging is on its way to becoming as ubiquitous as corporate e-mail, but only a fraction of companies are showing any inclination to secure it.


That's a big deal. The story is based on a Burton Group report that says only 10 percent of organizations have formal IM policies, and only half of that percentage secure the application. Think of it: Users make no distinction among the platforms they use to convey information. Consequently, blizzards of sensitive data are flying through cyberspace, with little outside of dumb luck keeping it out of the hands of the bad guys.


This posting at the LibrarianInBlack describes the tension between IT departments and those who want full access to IM. Later, the writer provides four common-sense steps for the safe use of the platform: keep the program, operating system, antivirus, firewall and antispyware software up to date; turn off file sharing; disallow automatic downloads; and be very careful in opening attachments or following links -- to the point of sending an IM or e-mail message to the putative sender to make sure that everything is legit.


The librarian's security tips are fairly generic. This ebiz posting covers much the same ground. The writer does, however, offer more IM-specific suggestions. For instance, enterprises should treat all IMs as untrusted, use separate passwords for IM, host IM in-house and map it to the corporate directory, which will make it easier to switch platforms.


A very good survey of the problem can be found at E-Commerce Times. It begins by quoting Akonix findings that there were 20 IM-based malicious code attacks in May. This brought the 2007 total to 170, an increase of 73 percent over last year. A big problem is that IM is second nature to employees and they bring it into the enterprise. This means that IT has a big problem -- even in companies that haven't officially sanctioned the application. In addition to malware, IMs can contain objectionable and even illegal material and may violate regulatory guidelines.


If anyone needed any further motivation, this SC Magazine report should do it. Gartner said this week that by the end of 2011, IM will be the "de facto" conveyance for voice, video and text chat. It will be the favorite method for real-time communications for 95 percent of workers by 2013. The company compares the projected growth of IM to that of e-mail in the 1990s.


The bottom line is that an IT executive shouldn't need an advanced degree from the academy to figure out what to do: Secure IM.

Jun 29, 2007 8:20 AM Sarah Houghton-Jan says:
I am the author of the Librarian In Black blog, and also an IT manager in a library. One of the reasons my IM suggestions were more "generic," as you called them, was because I'm not talking about enterprise IM (staff-to-staff). Libraries use IM as a way to communicate with the public too, which is what I was writing about. If you're using programs like Trillian or Meebo to aggregate multiple IM accounts so you can talk with the public (with them using their IM service of choice), you can't inherently treat all IMs as unsafe or host IM in-house. Staff-to-Staff and Public-to-Staff IM solutions are very, very different. While IM security needs to be addressed, it also needs to be addressed the way we did it with email. You can't shut it down, or tell employees only to use the IM program you like for in-house communication. It won't work, especially if you're having to talk with the public via IM, which most smart companies are doing.
