Recent research from Gartner shows that more than 100 million people in the United States are using instant messaging (IM) technologies in one way or another. Additionally, about 70 percent of IM use takes place at the office. Taken together, these statistics spell trouble for many enterprises, said David Hahn, senior product manager of instant messenger service in North America for MessageLabs, a provider of e-mail and IM security solutions.
“Over 80 percent of businesses in North America have IM use in play—in other words, they have some form of IM being used behind their corporate firewalls,” Hahn said. “Only 25 percent of those are using enterprise or secure IM solutions. There’s a significant number of that 100 million that make up those insecure clients.”
Several IM offerings are on the market today, with varying levels of sophistication and security. They also differ in the technical platforms they run on. As a result, there is no surefire way to prevent inappropriate IM use at work. “Corporations who have decided to say no to IM’ing in the organization are having problems,” Hahn said. “You prevent the download of an .exe when installing that client’s desktops by restricting the user’s access rights and so forth. But with the new versions, they’re being passed through the firewall because they look like HTML traffic. There’s this new evolution around IM, and that introduces a whole new level of risk.”
Additionally, most companies are actually very interested in using IM as a communications technology because of its functionality. “IM use in an organization is no longer just social chit-chat, talking to my brother or my wife,” he said. “It really has become a critical business communication tool. Some of the analysts I’ve spoken with say it’s going to be bigger than e-mail because of its real-time nature and because of the presence detection—you can actually know if someone’s at the other end or not.”
However, security still presents a big challenge for IM technology. SPIM, or spam through IM, is very difficult to prevent on an insecure, public IM system because it just pops up without any action on the part of the user. Also, malware can spread much faster through IM than through e-mail, because messages with infected attachments or links to Web sites with malicious code can propagate almost instantly through users’ buddy lists. “Malware authors think this is the land of opportunity because all these systems are unmanaged,” Hahn explained. “They’re not scanned, they’re not properly filtered, so why not send someone a social engineering message with a link they’ll click on that spawns a Web page that contains malware?”
Another issue lies with the users themselves. If they’re using a public system, they can access all their company-related contacts long after they’ve left their employer, and pass along sensitive information or disparaging comments about the organization to various former professional associates, Hahn said. “As their familiarity with the organization grows, they’ll start chatting with colleagues, partners, vendors and so forth. The organization has not sanctioned and is not aware a lot of the time of how the IM is being used. It’s a potential risk not just from a security perspective, but also from management, confidentiality and best practices perspectives.”