IM Security: A Threat or Just Marketing Hype?

By | June 14, 2006

Adoption of instant messaging (IM) as a mainstream business communications platform is moving at breakneck speed. IDC estimates that one billion IM messages are being sent daily by business users and consumers, and according to the Gartner Group, IM usage will surpass email usage by 2006.

With this explosion in business use of IM, however, comes the all-too-familiar exploitation of the medium by those who seek illicit gain. Hackers, proliferators of malware, spyware, and viruses, spammers, and corporate identity thieves have been quick to exploit the inevitable security gaps created by the skyrocketing popularity of IM. The AOL Adware and AOL Rootkit worms that hit networks last January and October, respectively, are only two recent examples of the havoc that can be wrought on such a popular mode of communication. And the IM security threat is not expected to lose steam any time soon! IM security incidents appear to be keeping pace with the surging adoption of IM. Research conducted by FaceTime Security Labs found a 2,200% increase in IM security incidents between 2004 and 2005.

Do you need protection?

In light of the myriad threats to corporate security, some companies may be tempted to ban IM in their organization altogether. Such a draconian response, however, forgoes the obvious productivity gains IM provides, while frustrating employees (assuming they would go along with such a ban in the first place). And this approach is unnecessarily restrictive because the security risks to IM can be mitigated by the right IM security solution, enabling users to leverage the power of true real-time communication with customers, partners, and colleagues.

Most enterprises are asking if they need basic IM security, an enterprise IM (EIM) solution (i.e. one that provides IM communication “in-house”, as opposed to using an external service provider like AOL or Yahoo), or both. Other companies including those burned by vendor promises in the past – are wondering if the push for IM security is simply a case of vendor hype. After all, in spite of the tremendous growth in IM, IM-borne threats are still dwarfed by email-borne viruses, worms, and spam that have plagued companies for years. In contrast to IM, most companies have already deployed some level of email security.

If IM is being used in your organization, at least some protection is probably warranted in today´s environment of compliance, litigation, and intellectual property “leakage”. But what level of protection is necessary and appropriate? Before this question can be answered, it is critical that companies take a good look at their email security since IM security is pointless if the company´s email network is at risk. Assuming their email network is secure, companies must look next at whether and how IM is being used in their organization.

Are employees using IM for business purposes? Do they need IM in order to do their jobs? If the answer to both is no, IM security may be unnecessary, particularly for companies that do not want to encourage the use of IM (note that there are solutions on the market that enable enterprises to actively block IM usage).

Type of information dictates need for IM security/EIM solution

For those companies whose employees are using IM, is sensitive information being sent and received? Given the level of sensitivity of the data they deal with, healthcare organizations, banks, investment firms, and other financial organizations that utilize IM are perhaps at the greatest risk of corporate information theft-not to mention the legal and public relations risks inherent in the various regulations and statutes that govern these companies´ behavior.

In the U.S., the Securities Exchange Commission (SEC) recognizes IM as a standard form of electronic communications, just like email. In addition to IM security, companies that are publicly traded or simply concerned about compliance should also strongly consider an EIM solution. An EIM solution provides an internal IM system which powers secure employee IM communications, enables monitoring of instant messages for corporate data leakage, enforcement of IM acceptable use policies that support compliance, and archival of IM content, among many other functions.

Industries far-removed from regulatory concerns and/or those industries that do not handle sensitive customer, consumer, or patient information may have little potential exposure to IM malware. Employees at manufacturing enterprises, for example, may not utilize IM to the same degree as those on Wall Street (or at all), and may require no more than a basic IM security solution. Such companies may even be able to get by without any IM security solution, at least in the short term, by accepting more risk. They are also poor candidates for an EIM solution-the business need simply does not justify the expense.

Interestingly, the size of the company or volume of IM messages does not necessarily dictate the need for IM security: a small hedge fund with only few dozen IM users would likely need to deploy a full-fledged IM security and an EIM solution that guards against the theft of intellectual property and other confidential data-an example of which would be the hedge fund´s customer financials-due to their extremely sensitive and proprietary nature.

What do you look for in an IM security solution?

For those companies who may need an IM security or EIM solution (or both), several vendor solutions secure so-called greynets that encompass email, IM, VoIP, Web conferencing, peer-to-peer networks and other communications, and not only protect technology and intellectual property but also support compliance with corporate and regulatory requirements and enforce IM usage policies (much like today´s leading email security solutions). Companies should make sure their solution has message filtering capabilities as well.

Does the solution, like many of today´s email security solutions, support policy filters down to the individual user level–for example blocking attachments and other potentially threatening content? Does the solution automatically scan different types of content and log content that may be needed for review, for example, in a future audit? Needless to say, many businesses will need this level of functionality to safeguard their proprietary data.

In an ideal world, all email and IM security solutions would work seamlessly, supporting and enforcing policies across the entire organization regardless of messaging platform. That day is not yet here – although it is on the horizon. In the meantime, businesses should look to equip their networks with the appropriate type of IM security and EIM platform based on the industries in which they operate, the information handled, and IM usage. While IM security and EIM functionality is a viable option for most businesses, they may not be appropriate for everyone.

Leave a Reply