By Jack M. Germain E-Commerce Times
06/28/07 4:00 AM PT
Instant messaging applications are easy targets for hackers taking advantage of vulnerabilities. It is critical for businesses to pay attention to their employees' use of instant messaging during work hours, warn security pros.
Failure to safeguard sensitive company data could expose corporate networks to intrusions from a growing variety of attack malware.
"Businesses are becoming exacerbated by IM threats. Despite compliance and content issues, most companies continue allowing workers to use consumer-based IM networks. Such use has steadily grown over the last five years," Maurene Caplan Grey, founder and principal analyst for Grey Consulting, told the E-Commerce Times.
The first part of this two-part series will look at what risks the unbridled use of consumer instant messaging apps can present to an enterprise.
Attacks Growing
A recent monthly Instant Messaging Threat Watch by security firm Akonix tracked 20 malicious code attacks over IM networks during the month of May, bringing the 2007 total to 170 threats.
The number of security threats associated with unmanaged instant messaging during work hours is steadily increasing. Akonix found a 73 percent increase in threats between 2006 and 2007. On average, at least one IM attack occurs per day.
Nearly half (46 percent) of the 171 respondents to a June 2007 Web poll by Akonix admit their primary use of instant messaging at work is for personal communications. Employees can unintentionally exchange infected files, such as vacation pictures and videos, with their friends, potentially spreading worms and viruses across corporate networks.
Same Pattern
Businesses are reacting to the use of IM in the office much as they did in the infancy of e-mail several years ago. People were using e-mail at home, but many workplaces did not provide e-mail accounts. People brought their personal e-mail accounts to the office.
"That caused a boom for spreading the Melissa and the I Love You viruses. That had pretty disastrous impact at work with e-mail. Now the same things are happening with IM," Don Montgomery, vice president of marketing at Akonix, told the E-Commerce Times.
The use of instant messaging in the workplace as a business tool has exploded in the last 18 to 24 months. This is the same pattern businesses displayed with e-mail, he said.
One reason that instant messaging is becoming so prominent on workers' desktop computers is its similarity to other established electronic communication over the Internet.
"IM is another way of communicating along with e-mail, text and voice. But IM is not exclusive like e-mail was thought to be," said Grey.
Similar Security Weakness
In much the same way they first eyed e-mail, many mainstream enterprise managers view instant messaging as being a huge time-waster for workers. However, many bosses tend to tolerate IM because of its popularity.
Some studies show that as many as 90 percent of all organizations use instant messaging. In addition, as much as 60 percent of e-mail users at work also use IM in the office, according to Michael Osterman, president of Osterman Research. He has been tracking the growth of IM in the workplace for the last two years.
"IM starts with a free product to bring informal adoption with no security," Osterman told the E-Commerce Times.
No specific research points to one consumer IM client being more of a corporate threat than others. In part, this is because there is no dominating market share in the IM space, he said.
Security Risks
Instant messaging poses risks to the enterprise on three fronts. One risk category is the easy access for viruses, worms and spyware, Montgomery explained.
A second risk category is exposing the company to liability for inappropriate use. For example, workers can send offensive comments to fellow employees faster than they could by e-mail. Instant message conversations can also disclose sensitive corporate details, much the same as e-mail correspondence.
A third risk category instant messaging poses is the real possibility that the message content will violate regulatory compliance rules. Federal rules now require certain types of business activity to monitor and archive instant message and e-mail communications.
"Corporations are finally starting to wake up to all the security problems associated with IM," added Grey.
IT Responding
As business executives come to terms with IM security issues, some IT departments are starting to react to the unbridled use of consumer IM apps running on corporate networks. About 30 percent of enterprises are blocking its use, Osterman said.
However, blocking consumer IM may not be an effective strategy, he cautioned. Blocking the ports that IM clients use can also block legitimate Internet traffic.
A better approach might be implementing a corporate IM product or installing an IM auditor program to build in control and have IT regulate how employees use instant messaging.
"You can use such tools with rules to prevent file transfers or map workers' IM handles with their corporate e-mail addresses to present a consistent company image. The problems begin with workers using their own personal IM identities at work," explained Osterman.
Enterprise-Level IM
In fact, businesses are now starting to look at corporate-level IM applications, noted Grey. Vendors have been developing enterprise-level IM products for a while. However, adoption has been slow because businesses have to decide to purchase a program instead of continuing to allow use of free IM clients.
Now, vendors are shifting their products to make instant messaging a component in a suite of communications tools rather than a stand-alone purchase. This is beginning to offer better protection options to corporations, according to Grey.
With vendors pushing a new product line, the new generation of messaging products now fits a new category. Unified communications is the term that has become the new buzzword, Grey said.
"Each vendor has its own take off on how to get unified communications. IM is a key element to all offered solutions," she said. "Vendors are now pushing their own products together with tool sets to recreate what workers are already doing."