Is Anyone Paying Attention to IM Security?




That was our reaction when we read this Silicon.com piece. We spend a lot of time splitting hairs and dealing with shades of gray: What is network access control (NAC)? Is it best to outsource or keep security in-house? Is it absolutely necessary to go with Wi-Fi Protected Access (WPA), or will Wired Equivalent Privacy (WEP) do the trick?


Those are important issues, but they can be a bit tedious. The Silicon.com piece is different, in that its point is stark and unequivocal: Instant messaging is on its way to becoming as ubiquitous as corporate e-mail, but only a fraction of companies are showing any inclination to secure it.


That's a big deal. The story is based on a Burton Group report which says that only 10 percent of organizations have formal IM policies, and only half of that percentage secure the application. Think of it: Users make no distinction among the platforms they use to convey information. Consequently, blizzards of sensitive data are flying through cyberspace, with little outside of dumb luck keeping it out of the hands of the bad guys.


This posting at the LibrarianInBlack describes the tension between IT departments and those who want full access to IM. Later, the writer provides four common-sense steps for the safe use of the platform: keep the program, operating system, antivirus, firewall and antispyware software up to date; turn off file sharing; disallow automatic downloads; and be very careful in opening attachments or following links -- to the point of sending an IM or e-mail message to the putative sender to make sure that everything is legit.


The librarian's security tips are fairly generic. This ebiz posting covers much the same ground. The writer does, however, offer more IM-specific suggestions. For instance, enterprises should treat all IMs as untrusted, use separate passwords for IM, host IM in-house and map it to the corporate directory, which will make it easier to switch platforms.


A very good survey of the problem can be found at E-Commerce Times. It begins by quoting Akonix findings that there were 20 IM-based malicious code attacks in May. This brought the 2007 total to 170, an increase of 73 percent over last year. A big problem is that IM is second nature to employees and they bring it into the enterprise. This means that IT has a big problem -- even in companies that haven't officially sanctioned the application. In addition to malware, IMs can contain objectionable and even illegal material and may violate regulatory guidelines.


If anyone needed any further motivation, this SC Magazine report should do it. Gartner said this week that by the end of 2011, IM will be the "de facto" conveyance for voice, video and text chat. It will be the favorite method for real-time communications for 95 percent of workers by 2013. The company compares the projected growth of IM to that of e-mail in the 1990s.


The bottom line is that an IT executive shouldn't need an advanced degree from the academy to figure out what to do: Secure IM.