In the past two-to-three years, instant messaging (IM) has triumphed among personal Internet users as well as within companies. There are now few school children not in touch with their friends via ICQ, MSN or AOL Messenger — but also stockbrokers, currency dealers, and IT department are constantly 'chatting' with their most important contacts via Messenger.
According to a Gartner poll, instant messaging is used today in 70% of all companies. According to the Yankee Group, however, only 15-20% of companies operate a solution for IM administration. In the remaining 50%, IM constitutes a huge, rampant infrastructure usage that poses a severe security risk for firms. The same is true for the use of peer-to-peer services, e.g. music exchange services, which have also become pervasive in many organizations, but lack any administrative supervision whatsoever. These peer-to-peer services entail both security and legal risks.
Does my company need instant messaging?
IM is suitable for all areas where quick, immediate contact among a known and manageable group of people is crucial. As with SMS, short messages can be swapped and, for instance, a deal team can finalize and authorize the terms of an offer. Technicians helping a customer on location can send queries back to company headquarters via IM, and obtain immediate answers from customer support specialists, without their queries being buried under an avalanche of e-mails or suffer from constantly engaged
In companies with more complex and clearly defined workflows and processes, where flexible decision making and coordination timed to the minute play a lesser role, it is questionable whether instant messaging is beneficial. Private chat sessions, and the constant distraction from larger tasks by incoming instant messages, can bring about a drop in productivity. A derogatory comment made by IM can be just as much of a legal problem as one made by e-mail so there could also be exposure to potential litigation.
However, what is decisive is not the question of whether your company needs IM, as much as the answer that your company very probably already has IM without your knowledge.
If instant messaging has already taken root in a company and is popular, where's the problem?
Speaking technically, instant messaging tools, similar to peer-to-peer exchanges, function as 'wild', non-standard protocols, which mount on HTTP or HTTPS protocols. They are capable of transferring not just active technologies such as scripts and macros, but also all kinds of data attachments (word files, zip archives, etc.), and thus can transfer all currently known carriers of viruses and worms. Content exchanged via peer-to-peer services also entail a considerable legal risk. A study of Gnutella P2P traffic showed that 47% of requests related to pornography and 97% infringed existing copyright. It is also evident that such content is often infected with viruses. Thus instant messaging and peer-to-peer exchanges pose threats every bit as dangerous as the flow of data into the company from e-mail or Web. In contrast, however, IM data flow cannot be controlled by firewalls, simple Web filters and URL blockers.
Is my company helpless in the face of instant messaging?
No — the use of special IM and P2P filters allows instant messaging to benefit the company while controlling the security risks that it involves. In order to implement a uniform security policy simply and consistently, the IM filter should preferably be part of a comprehensive, integrated Content Security Management Suite. This enables company, group and user specific configuration of the security profile, and its consistent application to the entire data flow and all standard and 'wild' application protocols. A typical 'policy' could, for instance, block all IM clients who send requests to unauthorized, public messaging servers, and permit requests only to the company's own messaging server(s).
It only remains to ask: What are others doing and why do I have to act?
As was also the case with the wave of spam, IM-connected security problems first occurred in the U.S. As a result, for instance, Sarbanes Oxley made mandatory the permanent monitoring and protocolling of instant message traffic in all U.S. financial institutions. In current U.S. tenders for content security solutions, the filtering of instant message data flows is a standard requirement. U.S. companies' were triggered into action by very real breaches of security. Instead of waiting for the wave to break in the U.K. as it did in the U.S., companies should take advantage of the 'early warning system' and have their content filtering systems upgraded now – not least because the cost of improving IT security is more than offset by the ensuing increase in productivity.
About the author:
Dr. Horst Joepen Senior Vice President for Strategic Alliances of CyberGuard Corporation and CEO Webwasher AG - a division of CyberGuard Corporation. Prior to founding WebWasher, Dr. Joepen held several management positions at Siemens, where he led a number of national and European research projects. During his tenure at Siemens, he also spent eight years managing a group for computer aided engineering, development methodology and support. In his most recent role, Dr. Joepen was in charge of innovation as a department manager with Siemens ICP Computer Systems, where he served for several years in the ZVEI/VDMA industry group. Dr. Joepen holds a Dipl. Ing. and Ph.D. degree in Electrical Engineering and Computer Science. As a result of his vast experience, Dr. Joepen has developed strategic relationships within the international IT industry.
About Infosecurity Europe:
CyberGuard is exhibiting at Infosecurity Europe 2005 which is Europe's number one information Security Event. Now in its 10th anniversary year, Infosecurity Europe continues to provide an unrivalled education program, new products and services, over 250 exhibitors and 10,000 visitors from every segment of the industry. Held on the 26th – 28th April 2005 in the Grand Hall, Olympia, this is a must attend event for all IT professionals involved in Information Security. Infosecurity Europe
This was first published in March 2005