More and more companies are embracing the benefits of instant messaging as a corporate
application. But many are leaving such applications uncontrolled and vulnerable, and the
potential for attack is sending shivers down the spines of network administrators.
Email still takes priority over instant messaging (IM) when it comes to corporate security,
according to a recent poll of 100 organizations conducted by Akonix Systems, Inc., a San
Diego-based provider of IM security software. The survey shows that only 11 percent have IM
hygiene solutions in place, compared to 73 percent that take care of email. Additionally,
almost 50 percent of respondents say deploying an IM hygiene solution never crossed their
minds.
Industry observers say this gap between the security applied to email and that applied to IM
is particularly alarming since 47 percent of respondents indicate that the people in charge
of email also are responsible for securing instant messaging.
Globally, IM use is on the rise with nearly 12 billion instant messages being sent every
day, according to IDC, an industry analyst firm based in Framingham, Mass. IM use isn’t the
only thing on the rise, however. Attacks on instant messaging are going up, as well.
Akonix tracked 62 IM-based attacks last November, and saw a 226 percent increase over the
previous month, according to Don Montgomery, vice president of marketing for Akonix.
The primary reason organizations are not focused on IM security, despite the increase in
attacks, is that there hasn’t been a major IM virus outbreak yet, according to Osterman.
While email systems have been pounded by malware attacks, the viruses and worms hitting
instant messaging haven’t made as much of a splash yet since the damage has been low, so
far.
And many network administrators think the protections they already have in place will
safeguard IM, as well.
”There’s a perception that a lot of investments made in firewalls and perimeter security
will protect [networks] from viruses,” Osterman says. ”They would be wrong, though,
because instant messaging uses unique protocols and a firewall won’t be able to scan instant
messaging for content or for malicious URLs or for the file transfer for viruses.”
Osterman adds that firewalls work by shutting down ports. But public IM clients, like Yahoo,
AOL and MSN, which many employees use in lieu of a corporate standard, are port seeking.
”You can shut down one port and the public IM clients will find another,” he explains.
IT administrators at Kforce Professional Staffing, based in Tampa, Fla., aren’t going to let
that happen. The professional staffing firm has taken prescriptive steps to ensure that its
approximately 1,400 employees, who are situated around the U.S., are protected.
”We didn’t want to hinder productivity since… we believe [instant messaging] will be a
good tool for employees, especially if someone in one office wants to discuss a job with
someone in another office. It’s real time,” says Jon Portz, network security lead at
KForce. ”We had anti-virus software in place… but it can’t stop a direct attack on a
buddy list on AIM, which is quite vulnerable to buddy list hijacking.”
Administrators at Kforce decided to bring in an instant messaging security and management
system to handle ”uncontrolled use of IM, whatever the client”. Portz adds that they also
wanted to prevent ”information leakage”, and have the ability to track and log employees’
IM sessions.
The enterprise instant messaging security market is burgeoning. Other providers include
FaceTime Communications, IMLogic, which was recently acquired by Symantec Corp., Postini,
Inc. and ScanSafe, Inc.
Since moving to Akonix, which Portz says provided granularity of control and customization
features, KForce has standardized on MSN and AIM clients until it moves to an internal IM
solution.
Akonix gives Portz the ability to create reports on usage and do keyword searches if he
wants to check on employees discussing a particular subject. ”Compliance is gaining concern
here,” he notes. ”Our HR and legal departments have given us directives to treat IM as
email.”
Company administrators are looking at integrating Akonix with their Legato mail archive
system, which would give them the ability to archive all instant messages as if they were
email and attach the conversations to a specific user, Portz notes.
”If something questionable comes across Akonix, I get an email,” Portz says. Since Kforce
doesn’t allow use of the extended attributes of IM — raw chats only — an employee will
receive a notification that they have violated company policy if they try to do something
like an audio/visual session, for example.
”We also get an alert from Akonix if anything outside of the policy boundaries, like file
transfers, occurs,” he adds. ”Executives used to be very afraid of IM. Trying to lock it
all down and turn it all off is harder than you think… Having an instant messaging
security management system in place gives a heck of a lot more peace of mind.”
Osterman says it’s a given that there will be a big outage caused by instant messaging.
”Its not a matter of if, but when.”
He estimates the cost of implementing an IM security system at about $10 per user. ”We
point out to companies,” he notes, ”that they’re spending more on coffee every year for
their employees than to protect themselves from outside threats.”