Does Instant Messaging improve communication or threaten companies’ security?

by Dr. Horst Joepen, Vice President, Secure Computing Corporation
Instant messaging (IM) has triumphed in the past 2-3 years among personal
Internet users as well as within companies. There are now few school children
not in touch with their friends via ICQ, MSN or AOL Messenger, and
stockbrokers, currency dealers, and the IT department are likewise constantly ‘chatting’
with their most important contacts via Messenger software.
According to a recent Gartner poll, instant messaging is used
today in 70 per cent of all companies. According to the Yankee Group, however, only
15-20 per cent of companies operate a solution for IM administration. In the remaining
50 per cent, IM constitutes a huge, rampant infrastructure usage that poses a severe
security risk for firms. The same is true for the use of peer-to-peer services,
e.g. music exchange services, which have also become pervasive in many
organisations, but lack any administrative supervision whatsoever. These
peer-to-peer services entail both security and legal risks.
Does my company need instant messaging?
IM is suitable for all areas where
quick, immediate contact among a known and manageable group of people is
crucial. As with SMS, short messages can be swapped and, for instance, a deal
team can finalise and authorise the terms of an offer. Technicians helping a
customer on location can send queries back to company headquarters via IM, and
obtain immediate answers from customer support specialists, without their
queries being buried under an avalanche of emails or suffering from constantly
engaged phones. Stockbrokers can also instantly swap the latest market rumours
via IM and act upon what they learn.
In companies with more complex and
clearly defined workflows and processes, where flexible decision-making and
coordination timed to the minute play a lesser role, it is questionable whether
instant messaging is beneficial. Private chat sessions, and the constant
distraction from larger tasks by incoming instant messages, can bring about a
drop in productivity. A derogatory comment made by IM can be just as much of a
legal problem as one made by email, so there could also be exposure to potential
litigation.
However, the decisive point is not
whether your company needs IM, but that your
company very probably already has IM without your knowledge.
If instant messaging has already taken root in a company and is popular, where’s the problem?
Technically speaking, instant messaging tools, like
peer-to-peer exchanges, use ‘wild’, non-standard protocols that ride
on top of HTTP or HTTPS. They are capable of transferring not just active
technologies such as scripts and macros but also all kinds of data attachments
(Word files, zip archives, etc.), and thus can transfer all currently known
carriers of viruses and worms. Content exchanged via peer-to-peer services also
entails a considerable legal risk. A study of Gnutella P2P traffic showed that
47 per cent of requests related to pornography and 97 per cent infringed existing copyright. It
is also evident that such content is often infected with viruses. Thus instant
messaging and peer-to-peer exchanges pose threats every bit as dangerous as the
flow of data into the company from email or web. In contrast, however, IM data
flow cannot be controlled by firewalls, simple web filters and URL blockers.
Is my company helpless in the face of instant messaging?
No — the use of special IM and P2P filters allows instant
messaging to benefit the company while controlling the security risks that it
involves. In order to implement a uniform security policy simply and
consistently, the IM filter should preferably be part of a comprehensive,
integrated Content Security Management Suite. This enables company, group and
user specific configuration of the security profile, and its consistent
application to the entire data flow and all standard and ‘wild’ application
protocols. A typical ‘policy’ could, for instance, block all IM clients that send
requests to unauthorised, public messaging servers, and permit requests only to
the company’s own messaging server(s).
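The policy described above, sketched as an added example that is not part of the original article or any Secure Computing product: IM requests are allowed only to approved messaging servers, with a user profile overriding a group profile, which overrides the company default. The hostnames, user and group names, the log format and the 'app=im' classification field are all constructed assumptions.

```python
# Constructed policy; all hostnames, users and groups are placeholders.
POLICY = {
    "company": {"im.corp.example"},
    "groups": {"trading": {"im.corp.example", "im.partner.example"}},
    "users": {"jdoe": set()},          # empty set: IM disabled for this user
}

def allowed_servers(user, group, policy=POLICY):
    """Most specific profile wins: user, then group, then company default."""
    if user in policy["users"]:
        return policy["users"][user]
    if group in policy["groups"]:
        return policy["groups"][group]
    return policy["company"]

def normalise_host(dest):
    """Lower-case, drop the port and any trailing dot so matching is exact."""
    return dest.rsplit(":", 1)[0].rstrip(".").lower()

def decide(record, policy=POLICY):
    """Return 'pass' for non-IM traffic, else 'allow' or 'block'."""
    if record.get("app") != "im":
        return "pass"
    host = normalise_host(record.get("dest", ""))
    # Exact match only: a suffix or substring test would wrongly accept
    # a look-alike such as im.corp.example.other.example.
    ok = host in allowed_servers(record.get("user"), record.get("group"), policy)
    return "allow" if ok else "block"

def parse_line(line):
    """Parse a constructed 'key=value key=value' proxy log line."""
    return dict(field.split("=", 1) for field in line.split())

# Constructed sample log; 'app' is assumed to be set by the filter's
# protocol classifier, since IM rides on the HTTP/HTTPS ports.
SAMPLE_LOG = """\
user=asmith group=sales app=im dest=im.corp.example:443
user=asmith group=sales app=im dest=public-im.example:443
user=bchan group=trading app=im dest=IM.Partner.Example.:443
user=jdoe group=trading app=im dest=im.corp.example:443
user=asmith group=sales app=im dest=im.corp.example.other.example:80
user=asmith group=sales app=web dest=www.example.org:80
""".splitlines()

def evaluate(lines=SAMPLE_LOG):
    """Return one verdict per non-empty log line, in order."""
    return [decide(parse_line(l)) for l in lines if l.strip()]
```

The decision keys on the classified protocol and the destination host rather than the port, because the IM traffic in question shares ports 80 and 443 with ordinary web traffic.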
It only remains to ask:
What are others doing and why do I have to act?
As was also the case with the wave of spam, IM-connected
security problems first occurred in the USA. As a result, for instance, Sarbanes-Oxley
made mandatory the permanent monitoring and logging of instant
message traffic in all US financial institutions. In current US tenders for
content security solutions, the filtering of instant message data flows is a
standard requirement. US companies were triggered into action by very real
breaches of security. Instead of waiting for the wave to break here as it did in
the USA, companies in this country should take advantage of the ‘early warning
system’ and have their content filtering systems upgraded now – not least
because the cost of improving IT security is more than offset by the ensuing
increase in productivity.
About Secure Computing
Secure Computing Corporation will be exhibiting at Infosecurity
Europe 2006, which is Europe's number one information security event. Now in its
11th year, Infosecurity Europe provides an unrivalled education programme, new
products & services, over 300 exhibitors and 10,000 visitors from every segment
of the industry. Held on April 25th – 27th 2006 in the Grand
Hall, Olympia, this is a key event for all IT professionals involved in
Information Security.
www.infosec.co.uk
www.securecomputing.com