A new Burton Group study called "Instant Messaging Security: It's Not Just Idle Chatter," slated for release June 5, said corporate use of IM is on the verge of explosive growth. But IT administrators are still grappling with how to manage what has become a ubiquitous business tool.
IM messages between businesses grew by roughly 25% from 2005 to 2006, from 1.4 billion to 1.9 billion, according to The Radicati Group Inc., a research company in Palo Alto, Calif. That number is projected to skyrocket in the next two years, according to Radicati, jumping to 4.3 billion IM messages by 2008.
Despite the steep increase in IM use, few corporations have usage policies in place, said Diana Kelley, a lead security analyst at Burton Group, a research and consulting firm based in Midvale, Utah. The reason that IT managers have not paid much attention to the consumer-turned-business tool is because they are not quite sure how many employees are using it or what types of corporate and customer information are being transmitted on it, she said.
Whether IT shops are managing a Windows or open source platform, Kelley said, the problem is the same: how to control instant messaging applications that are proliferating in enterprises. "The use of IM has been fairly organic in organizations, particularly in those companies that haven't really made a decision about whether employees should use it or not," Kelley said.
The first step for companies is to have a formal policy addressing IM specifically -- even if it is an outright ban, she said. For companies interested in enforcing a ban on the communications tool, there are products available that block unapproved applications, like IM, for their employees.
For others that want to allow IM while having some control over its use and security, a policy should be written to reflect who can use it, for what purposes and for what kinds of data, Kelley said.
The policy should also include whether file attachments are allowed. Worms and viruses, such as Bropia, Kelvir and MyDoom, have been launched specifically to breach IM tools.
Another consideration that relates to compliance is how to archive conversations and for how long. And finally, companies must decide how the policy will be enforced, Kelley said.
Securing IM can be part of a larger network or messaging initiative, Kelley said. Other steps to safeguard IM can include:
- Authentication: Multi-factor identity authentication should be provided.
- Access control: User information can be linked to directory stores like Active Directory to enforce user policies.
- Content control and keyword filtering: By using content filters and setting up keywords or other content blocks, IT shops can keep important data from leaving the network. An example of prohibited data might be Social Security numbers.
- Malware and URL filtering: In addition to content-based policy checks, many systems can check for malware signatures, like IM-specific worms, and prevent spam from getting through.
- Encryption: IM is not often encrypted, but policies that enforce encryption for certain data can be in place, with encryption happening gateway to gateway, server to server or client to client.
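As an added illustration (not code from the article or from Burton Group), here is a minimal gateway-side filter in Python that applies the content, attachment and archiving controls listed above to constructed sample messages; the SSN issuance rules used to reduce false positives and the blocked file extensions are assumed policy choices, not something the study specifies.

```python
import os
import re

# Constructed sample IM traffic (not from the article). Each record is
# (sender, recipient, text, attachment filename or None).
SAMPLE_MESSAGES = [
    ("alice", "bob", "lunch at noon?", None),
    ("alice", "vendor@example.com", "customer SSN is 219-09-9999, please update", None),
    ("bob", "alice", "case 666-12-3456 is a ticket id, not an SSN", None),
    ("carol", "bob", "see attached", "invoice.exe"),
    ("carol", "bob", "quarterly numbers", "q2.xlsx"),
]

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# Assumed policy: file types the gateway refuses to relay.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".com"}


def is_valid_ssn(area, group, serial):
    """SSA never issues area 000, 666 or 900-999, group 00 or serial 0000.
    Rejecting those keeps ticket numbers and similar ids out of the alerts."""
    if area in (0, 666) or area >= 900:
        return False
    return group != 0 and serial != 0


def find_ssns(text):
    """Return the SSN-shaped tokens in text that pass the issuance rules."""
    return [m.group(0) for m in SSN_RE.finditer(text)
            if is_valid_ssn(int(m.group(1)), int(m.group(2)), int(m.group(3)))]


def classify(sender, recipient, text, attachment):
    """Apply the gateway policy to one message and return (verdict, reason).
    The reason masks the SSN so the audit log itself does not leak it."""
    ssns = find_ssns(text)
    if ssns:
        return "block", f"SSN ***-**-{ssns[0][-4:]} in message to {recipient}"
    if attachment is not None:
        ext = os.path.splitext(attachment)[1].lower()
        if ext in BLOCKED_EXTENSIONS:
            return "block", f"executable attachment {attachment} from {sender}"
        return "archive", f"file transfer {attachment} retained for compliance"
    return "allow", ""


def scan(messages):
    """Run every message through the policy; verdicts come back in input order."""
    return [classify(*msg) for msg in messages]


if __name__ == "__main__":
    for msg, (verdict, reason) in zip(SAMPLE_MESSAGES, scan(SAMPLE_MESSAGES)):
        print(f"{verdict:8} {msg[0]} -> {msg[1]}: {reason}")
```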
The bottom line is that without an IM-specific policy in place, companies put themselves at risk, Kelley said. "Real business is being conducted over instant messaging. Organizations that use instant messaging for business must protect and control this critical communication channel," she said.