IM at Work, Part 1: Idle Chatter, Serious Risk

Consumer-grade instant messaging applications such as Yahoo Messenger, AOL Instant Messenger (AIM) and Windows Live Messenger can become significant security holes when used by workers on corporate networks.

Instant messaging applications are easy targets for hackers taking advantage of vulnerabilities. It is critical for businesses to pay attention to their employees’ use of instant messaging during work hours, warn security pros.

Failure to safeguard sensitive company data could expose corporate networks to intrusions from an growing variety of attack malware.

“Businesses are becoming exacerbated by IM threats. Despite compliance and content issues, most companies continue allowing workers to use consumer-based IM networks. Such use has steadily grown over the last five years,” Maurene Caplan Grey, founder and principal analyst for Grey Consulting, told the E-Commerce Times.

The first part of this two-part series will look at what risks the unbridled use of consumer instant messaging apps can present to an enterprise.

Attacks Growing

A recent monthly Instant Messaging Threat Watch by security firm Akonix tracked 20 malicious code attacks over IM networks during the month of May, bringing the 2007 total to 170 threats.

The number of security threats associated with unmanaged instant messaging during work hours is steadily increasing. Akonix found a 73 percent increase in threats between 2006 and 2007. On average, at least one IM attack occurs per day.

Nearly half (46 percent) of the 171 respondents to a June 2007 Web poll by Akonix admit their primary use of instant messaging at work is for personal communications. Employees can unintentionally exchange infected files, such as vacation pictures and videos, with their friends, potentially spreading worms and viruses across corporate networks.

Same Pattern

Businesses are reacting to the use of IM in the office much as they did in the infancy of e-mail several years ago. People were using e-mail at home, but many workplaces did not provide e-mail accounts. People brought their personal e-mail accounts to the office.

“That caused a boom for spreading the Melissa and the I Love You viruses. That had pretty disastrous impact at work with e-mail. Now the same things are happening with IM,” Don Montgomery, vice president of marketing at Akonix, told the E-Commerce Times.

The use of instant messaging in the workplace as a business tool has exploded in the last 18 to 24 months. This is the same pattern businesses displayed with e-mail, he said.

One reason that instant messaging is becoming so prominent on workers’ desktop computers is its similarity to other established electronic communication over the Internet.

“IM is another way of communicating along with e-mail, text and voice. But IM is not exclusive like e-mail was thought to be,” said Grey.

Similar Security Weakness

In much the same way they first eyed e-mail, many mainstream enterprise managers view instant messaging as being a huge time-waster for workers. However, many bosses tend to tolerate IM because of its popularity.

Some studies show that as many as 90 percent of all organizations use instant messaging. In addition, as much as 60 percent of e-mail users at work also use IM in the office, according to Michael Osterman, president of Osterman Research. He has been tracking the growth of IM in the workplace for the last two years.

“IM starts with a free product to bring informal adoption with no security,” Osterman told the E-Commerce Times.

No specific research points to one consumer IM client being more of a corporate threat than others. In part, this is because there is no dominating market share in the IM space, he said.

Security Risks

Instant messaging poses risks to enterprise on three fronts. One risk category is the easy access for viruses, worms and spyware, Montgomery explained.

A second risk category is exposing the company to liability for inappropriate use. For example, workers can send offensive comments to fellow employees with speed faster than e-mail. Instant message conversations can also disclose sensitive corporate details, much the same as e-mail correspondence.

A third risk category instant messaging poses is the real possibility that the message content will violate regulatory compliance rules. Federal rules now require certain types of business activity to monitor and archive instant message and e-mail communications.

“Corporations are finally starting to wake up to all the security problems associated with IM,” added Grey.

IT Responding

As business executives come to terms with IM security issues, some IT departments are starting to react to the unbridled used of consumer IM apps running on corporate networks. About 30 percent of enterprises are blocking its use, Osterman said.

However, blocking consumer IM may not be an effective strategy, he cautioned. Blocking the ports that IM clients use can also block legitimate Internet traffic as well.

A better approach might be implementing a corporate IM product or installing an IM auditor program to build in control and have IT regulate how employees use instant messaging.

“You can use such tools with rules to prevent file transfers or map workers’ IM handles with their corporate e-mail addresses to present a consistent company image. The problems begin with workers using their own personal IM identities at work,” explained Osterman.

Enterprise-Level IM

In fact, businesses are now starting to look at corporate-level IM applications, noted Grey. Vendors have been developing enterprise-level IM products for a while. However, their adoptions are slow because businesses have to decide to purchase a program instead of continuing to allow use of free IM clients.

Now, vendors are shifting their products to make instant messaging a component in a suite of communications tools rather than a stand-alone purchase. This is beginning to offer better protection options to corporations, according to Grey.

With vendors pushing a new product line, the new generation of messaging products now fits a new category. Unified communications is the term that has now become the new buzz work, Grey said.

“Each vendor has its own take off on how to get unified communications. IM is a key element to all offered solutions,” she said. “Vendors are now pushing their own products together with tool sets to recreate what workers are already doing.”

IM at Work, Part 2: Tools for Locking Down

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Related Stories
More by Jack M. Germain
More in Security

E-Commerce Times Channels