As IT administrators increasingly move to adopt enterprise-level instant
messaging software, industry players say their first thought should be
about how to make it secure.
Francis deSouza, CEO of IMlogic, an instant messaging company based in
Waltham, Mass., says there are two trends rolling through the IM industry
these days. One is the corporate adoption of a single, enterprise-level
IM package that would replace all of the instant messaging software that
end users have downloaded onto their machines over the years. The second
trend, deSouza says, is that the skyrocketing threat to instant messaging
software has IT administrators thinking about security.
And deSouza, along with other industry observers, says security should be
their first consideration. Actual implementation should be second.
“We’re in the midst of a pretty massive enterprise adoption wave for
instant messaging,” says deSouza. “IT departments have embraced it and
they’re doing some very big rollouts… It’s hit the radar in terms of
being a mainstream valuable business tool. Almost every large company
right now is in the midst of a rollout or is planning a rollout.”
Back in 2001 and 2002, instant messaging was being used in corporations.
But IT had nothing to do with it. End users, in love with the real-time
communication, were downloading various programs and running wild with
it. IT administrators simply were left out of the loop.
The first concerns came from the business side with managers and
executives worried about lost productivity — since most communication
was about weekend plans and gossiping about the boss. Then managers
started to become concerned that sensitive information could be shooting
out beyond corporate walls.
Now, business and IT managers are in the thick of it.
As it turns out, instant messaging is a hot tool — not just for
gossiping and chit chat. It’s actually a legitimate business tool,
keeping colleagues in touch with each other, passing information back and
forth faster than email can manage, and helping remote workers feel like
part of the team. But just as IM shows its business side, hackers have
discovered it, as well.
“We’re seeing more than a 2,700 percent increase over last year of
reported incidents of IM viruses,” says deSouza. “It’s absolutely lower
than email [viruses] today, but it’s following a very specific
trajectory. We know from our email experience how this plays out and with
IM, we’re on a very similar path.”
And deSouza says there is a lot to be learned from the way companies
deployed email years ago. Security wasn’t the first concern back then,
and it caused problems. We need to learn from that mistake, he adds.
“If you’re deploying a messaging structure, you need to deploy security
at the same time,” says deSouza. “When you’re planning your IM rollout,
plan from Day Zero to have a security infrastructure. It also will help
put into place policies around archiving and system management.”
Ken Dunham, a senior engineer at Verisign-iDefense Intelligence based in
Reston, Va., says any organization rolling out an enterprise-level IM
implementation, or even considering it, needs to identify security as
its top priority.
“You can’t just implement these things. You need to have a strategic
plan and it needs to fit into your larger plan for security,” says
Dunham. “We’re going to see a lot more of these little IM worms pop up.
Organizations are getting hit by IM worms every day. They have to have
policies where they can understand how to deal with them, how to quickly
shut them down and respond to them. If you don’t have that in place,
you’ll need it very soon. It’s critical.”
MJ Shoer, president of Jenaly Technology Group Inc., a Portsmouth,
N.H.-based outsourced IT firm covering small- to mid-sized businesses in
New England, says he’s glad that IT execs are starting to think about
standardizing on one IM platform — and making it a secure one.
“We’re not fans of multiple IM clients,” says Shoer. “It’s just more
exposure. One of the things about IM clients is the real-time connection
out to the public net. You could argue that you’re opening up a hole of
some sort. It’s not a huge hole and it’s not a major risk, but we
discourage multiple holes. If they have to have instant messaging, we try
to work with them to define one client that they’ll only use.”