As 60,000 users of Reuters messaging service found out in April, an instant messaging worm can seriously damage your day. The pernicious Kelvir worm, which spreads by sending copies to everyone on an infected client´s IM contact list, swept through the company so fast that Reuters shut down the service rather than let the worm propagate itself any further.
Only once the company was confident the worm had been removed – some 12 hours later – was normal service resumed.
As well as causing a serious headache for Reuters IT managers, the case has acted as something of a wake up call for the industry.
IM is becoming increasingly popular as a business tool. According to Gartner, IM will surpass email as the preferred method of interpersonal communications by 2006. Even now, more than 85 per cent of businesses use IM according to a recent Radicati Group report. As well as the specifically developed services, like that used by Reuters, employees are downloading any number of different IM clients such as MSN Messenger from Microsoft, AIM from AOL and Yahoo! Messenger – currently the three biggest players in a market.
It´s not hard to see why. Instant messaging is truly interactive, with an immediacy that email lacks. It is an ideal way for two or more people to communicate quickly, and the ability to see if someone is away or busy makes it extremely useful in the fast-paced business world today.
Many organisations are already reaping the business benefits of instant messaging: productivity gains; increased global, real-time communication; and lower phone, travel and collaboration tool costs. It has also proved to be a highly popular form of personal communication – either at home or, rather more surreptitiously, in the office. In many cases people have turned to IM rather than face an email inbox that is clogged with spam. So much so that IM took only two years to get to 50 million users compared to the 16 years email took to reach the same number.
However, in terms of security, IM is where email was five or more years ago, and therefore some of the advantages it offered over email are slowly being eroded. Not only does it provide another channel for ´standard´ viruses and worms to break into the corporate network, there are now threats specifically designed to attack IM clients – as Reuters discovered. In fact, according to IM solutions vendor, IMLogic, there has been a 50 per cent increase, month on month, in reported security incidents since January this year, with more than 30 newly detected IM threats including viruses, worms and spam over IM (spim) malware.
Part of the problem is that IM tools are so easy to download and install, with the result that many organisations find they have an IM communication culture that is completely outside the control of the IT department. Furthermore, files transferred through IM rely totally on desktop rather than server-based anti-virus tools, which don´t provide sufficiently comprehensive security. In terms of spam the advantage that IM offers over email is that users are in a closed group and have to give permission for other senders to join. Nonetheless it doesn´t prevent accounts from being bombarded with requests from unknown senders. Nor does it prevent people from accepting some of the more enticing sounding options!
But still the biggest security issue surrounding IM is one of the very features that makes it so attractive in the first place: conversations and content are not automatically stored and therefore are not traceable or retrievable. As a consequence there is a totally unaudited communication path. While this is largely what puts the ´I´ in ´IM´, it does have serious implications for regulatory or legislative compliance.
Some of the earliest adopters of IM as a business communications tool were brokerage firms, who send buy and sell advice through IM tools. It offers them the rapidity they require – but they face the potential of having to defend trading decisions without having the back-up of a traceable instruction from clients, for example. And even though IM products offer the facility to store a history of conversations, these are generally only held locally and are not secure enough to be used for auditing or compliance purposes. Besides, adding complex archiving facilities runs counter to the initial philosophy that led to IM being adopted in the first place.
One option for companies wishing to boost their IM security is to put in place a central proxy server to act as a gateway for all IM traffic. This takes a similar approach to the type of perimeter email security deployed by most enterprises. Users log in as usual from their own machine but actually reach the outside world by going through another server. This enables audit trails and logging, as well as centrally controlled virus and attachment management. It also monitors information leaving the organisation both for compliance purposes and for protection of confidential corporate information.
In addition there are gateway products emerging that provide further opportunities for making IM more secure. Companies like Bayshore are developing directory tools that can be integrated with LDAP (Lightweight Directory Access Protocol), to create secure paths from private, internal networks, to the public internet. This can also act as a clearing house and point of control for IM content – and hence provides a similar level of perimeter security that protects many corporate email systems.
However, while there are a number of different security measures emerging, there are currently no established tools for protecting IM. The emphasis therefore must be on establishing corporate policies on IM use, and educating the user base to follow them. It may be that IM can only be used for informal conversations rather than core business issues. Certainly the circumstances in which audit trail options are switched on should be established. Basic security rules that are already in place for email should be re-iterated: users should be instructed to check the source of any messages and only open attachments about which they are 100 per cent sure.
Instant messaging has huge potential as a business tool, and can only become more sophisticated. It won´t be long before detailed visuals, and even video conferencing, will be added to IM capability. But for all that to happen, security needs to be taken seriously now, to prevent it being sidelined out of the corporate communications arsenal.