Enterprises Come Up Half-Empty on IM Policies

Despite increasing security threats and rising use among workers, only half of U.S. businesses have an IM policy in place, according to an Internet security company.
Posted March 25, 2005

Dan Muse

Enterprises may be drawing a bead on how to establish policies for Internet and e-mail use, but they appear to be misplaying instant messaging, according to survey results that will be released tomorrow by SurfControl, a Scotts Valley, Calif.-based Internet security company.

The survey asked 7,593 SurfControl customers in the U.S. about their IT management policies governing Internet-based communications. While more than 90 percent of the respondents surveyed said they had an Internet access policy, 49 percent reported that they had no policy concerning the use of IM and peer-to-peer applications.

The lack of an IM policy leaves enterprises open to new security threats, according to Jim Murphy, director of product marketing for SurfControl. ''Instant messaging may be viewed as convenient to end-users, but the business costs are too great to leave IM usage unchecked by security policy,'' he said. ''Without the proper policies and protections in place, numerous IM-borne viruses, worms, spyware applications and blended threats can jeopardize network security and cost companies hundreds of thousands of dollars in clean-up costs.''

Other surveys confirm SurfControl's finding. Osterman Research reports that about 90 percent of organizations had employees using at least one IM application in 2004. And a recent American Management Association study reported that 78 percent of workplace IM users had downloaded free IM software from the Internet, unaware of the potential risks involved.

More troubling, according to SurfControl, is the fact that security vulnerabilities such as buffer overflows, denial-of-service conditions and encryption weaknesses continue to be found and exploited in all of the major IM clients.

Even more important than blocking malware, according to survey respondents, is protecting confidential data. Eighty-three percent ranked it as a major concern. Their concern is justified, according to Murphy, who noted that IM and P2P communications are almost never encrypted or cryptographically signed, making them susceptible to network snooping, modification, hijacking and impersonation attacks, and making nonrepudiation impossible.

''Left ungoverned, instant messaging applications are an easy vehicle for accidental or malicious disclosure of sensitive corporate data, including company financials, personnel records and customer data,'' said Murphy. ''IT managers need to work with HR to ensure that all employees are governed by enforceable rules.''

SurfControl offers the following basic guidelines to help companies minimize IM and P2P threats:

  • Create a well-defined corporate usage policy on the appropriate use of IM and P2P within the organization;
  • Communicate these policies, as well as the consequences for misuse, to employees;
  • Advise users never to follow any link in an unsolicited or suspicious IM communication, reminding them that a simple visit to a Web site can trigger multiple threats; and
  • Implement a filtering tool to identify and block, in real time, both the use of IM applications and popular P2P networks.
