Instant messaging is no longer just a quick and easy way to keep in touch with family and friends: It is quickly becoming a mainstay in the workplace, creating a new set of problems to worry about for information technology professionals.
International Data Corporation, a technology research firm, estimated that the number of corporate IM users will grow from fewer than 20 million in 2002 to more than 200 million in 2006. In the months and years to come, this transition of IM from home computers to business networks will create huge risks — both financially and legally.
Often businesses are embracing IM as a cost-effective method for internal and external communications, according to Cathy Planchard, director of marketing communications at VIACK Corporation, a provider of secure Web meeting software in Scottsdale, Arizona. “However, downloading an instant message application can create a serious security breach that could spread like an unwanted virus,” Planchard said.
“As more employees download popular IM tools, companies must recognize the immediate threat that these systems can cause to network security. IM can leave a plethora of open, unsecured doors to unauthorized prying eyes, including access to desktops and ultimately into company computers at all levels,” she said.
Policy, Not War
In response, many companies have banned the use of IM. But Planchard said renegade use of IM is virtually unstoppable. “Rather than banning IM in the workplace, migrating to business-class instant messaging systems can solve security problems and allow integration of instant messaging into other applications,” Planchard said.
Joe Licari, director of product management at Sybari Software, a provider of security and content filtering technologies in New York, suggested that IT professionals need to make policy, not war. “Instead of banning IM, embrace it, develop specific policies for IM and use tools to help enforce the policies,” Licari said.
Licari said that in a recent survey, Sybari found that 75 percent of businesses indicated that the threat of viruses and worms through IM was a major concern. This was closely followed at 68 percent by information theft and loss of sensitive data.
Licari predicted that the number of security problems would increase alongside adoption of IM. And the types of threats seem to be changing. “They appear to be more targeted and harmful in nature. In the overall messaging environment, malicious attacks are merging with spam techniques in an attempt to get past filters,” Licari said.
Gartner, a provider of technology research, forecasts that IM will represent 50 percent of all business-to-client communication in 2005. But sanctioned IM has less than a 17 percent corporate penetration rate, according to the researchers at Gartner.
Richard Lord, chief executive officer at The Steadfast Group, a consultancy concentrating on enterprise-wide security in Seattle, said many of the security problems arise because IM tools were not initially designed for business use. “IM was originally used for entertainment — an online toy for teenagers,” Lord said.
Lord noted that all major IM applications are designed to be left active, always running in the background and ready to pop up a window with a message from a friend. Because IM resides on users’ computers and communicates outside the corporate network over the Internet, it is difficult to differentiate IM messages from normal Web traffic.
“This backdoor can be accessed by anyone with a little bit of skill and reason to eavesdrop on the IM messages,” said Lord. “With instructions that are readily available on the Internet, a hacker can break IM codes and capture every IM message generated.”
Another threat posed by IM is the speed with which viruses can travel. “Instead of days for a virus to infect computers around the world via-email, IM can accomplish the same task in a matter of hours,” said Lord. He said that there are a number of initiatives underway to make IM more secure, but most are in the early stages of development.
The major IM consumer services, for example, do not offer the features that corporate IM must have for security purposes — archiving, auditing, authentication, encryption and interoperability. To address these issues, several corporate services have appeared, but these are often expensive and suited best for large organizations. Lord said the simplest policy is to outlaw IM until proper security measures are in place.
Akonix Systems, based in San Diego, is a provider of software that enables businesses to securely use instant messaging. Francis Costello, chief marketing officer at Akonix, said that the biggest security issue is that most corporate instant messaging use is still initiated by employees without the control or sanction of their employers.
Costello said that IM networks, such as those provided by AOL, Yahoo or MSN, put organizations at risk. “IM threats have consistently increased over the last three years, and unfortunately we are unlikely to break that trend, making IM security and control an even more important corporate priority next year,” Costello said.
Chris King, product marketing manager for Blue Coat Systems, said that IM is a conduit for security threats. Blue Coat, based in Sunnyvale, California, makes proxy appliances that provide visibility and control of online communications to prevent inappropriate surfing and viruses brought in through back door channels such as IM.
Blue Coat conducted a study and found that more than 65 percent of office workers surveyed used IM for personal conversation during work hours. Just 27 percent of workers used IM for business purposes only. Nearly 80 percent of respondents admitted to gossiping via IM. Nearly 60 percent did not believe IM could be monitored and one-third of respondents confessed to having made sexual advances over IM.
But King said that security products, such as those provided by Blue Coat, are helping to adequately counter security threats. “IM can be a powerful communication tool that enhances productivity when used efficiently, and the key is to enable organizations to reap the benefits of IM without suffering from the risks,” King said.
Randall Palm, chief technology and information security officer at Computing Technology Industry Association, an industry trade group based in Oakbrook Terrace, Illinois, said that he thinks enough is being done by the industry to counter security threats.
“Antivirus software companies are adequately addressing the issue,” said Palm. But he said that social engineering security threats — in which someone cons a victim through IM or other avenues into volunteering information, typically credit card or banking information — will require a new round of public awareness and education.
Greg Stenstrom, chief executive officer at Stenstrom Scientific, a provider of secure network services in Philadelphia, said that not enough is being done to counter security threats. He predicted that security breaches and loss of information are going to increase exponentially within the next two years and come to a head within three.
“The reason no one has bothered to crack down hard from an organizational perspective is that losses are considered an abstract number by most people,” said Stenstrom. “Right now, revenue dollars and the rush to get the largest market share possible are the driving force of AOL, Yahoo and MSN. Security is not a big concern.”
Adam Turteltaub, corporate relations executive at Los Angeles-based LRN, which provides ethics and compliance education, said that people continue to treat IM as something that is private. “There is not guarantee that a person you’re IMing with doesn’t have someone else watching the screen or isn’t just e-mailing the text of the conversation elsewhere. There’s huge risk for companies and individuals with this,” Turteltaub said.
“Until people start to think of IM differently, the risks will actually increase as fast as IM use increases, if not faster,” said Turteltaub. “I don’t think companies have fully woken up to this risk. IM is a valuable tool to help people talk with each other, but we have to also teach people to think twice before they hit send.”
Dennis Szerszen, vice president of business development at SecureWave, a Luxembourg-based provider of endpoint security services, said IM is capable of sending voice, images and applications, making it an open path for all of the latest attacks.
“Attacks are becoming more sophisticated. IM is an ultimate example of a peer-to-peer application that relies on its access to the network,” said Szerszen. “IM solutions are applications like any other in the enterprise: they need to be tested, verified and deployed as a company standard, not pulled down and implemented by the end users.”