IM Use a Big Security Threat

When it comes to security issues in the enterprise, blame the messenger and not the communications channel – at least that’s what a majority of IT security pros say in a new study from Gartner Inc. for managed security-services provider Guardent Inc.

Eighty percent of all network security managers who were surveyed at the Gartner Information Security Conference in Chicago, claim their biggest security threat comes from their own employees. Just as surprising is that 58 percent of those surveyed said the careless use of personal communications by their employees – especially email and instant messaging (IM) – poses the most dangerous security risk to their networks.

On the flip side, just 22 percent point to deliberate insider breaches as their biggest concern.

The Gartner/Guardent survey’s results are very surprising, especially when recent news stories of bugs and breeches of public IM systems are taken into account. While extra precautions can be taken to avoid those technical maladies, though, the human part of the IT equation definitely needs work.

Gartner’s/Guardent’s findings once again emphasize the need for corporations, organizations and governments to not only develop and implement comprehensive security policies, but to enforce them as well. Those policies now must also include IM usage, if they do not already.

In a study by INT Media Research (a division of INT Media Group, which also publishes this Web site), 70 percent of businesses surveyed said they don’t offer their employees guidelines on acceptable use of IM technology.

All of this data should not, however, discourage management from enabling their employees to use IM – preferably an enterprise-strength IM system that exists either from behind a firewall or as part of a ASP-supplied service.

The INT Media Research survey says that of the 47 percent of enterprises allowing or supplying IM access in the workplace, 13 percent take no security precautions whatsoever. Forty-one percent said their IM applications are installed behind a commercial firewall, while 41 percent said a network firewall prevents access to unauthorized free IM services. Just 5 percent said they outsource IM security functions to a third-party firm.

Such an enterprise system can come with interoperability, so that employees can chat with people on the free IM networks.

The use of free IM clients alone on a company’s network, though, is another matter. By using the services, messages sent by employees are essentially “in the clear” on the Internet, meaning that a savvy eavesdropper can “see” the IM session. Also, hackers use the public IM nets to try to entice unsuspecting workers to go to a malicious Web page or click on a link in the IM window. By following hackers’ leads, employees can unknowingly let a worm loose on a company’s network – especially because IM attachments can’t be easily scanned for viruses.

What’s more, employees open themselves up to the growing trend of IM spam by using the public IM nets.

While the question of deliberate intrusions by malicious hackers did not show up in the survey, IT managers nonetheless should take proactive security measures such as internal intrusion detection solutions and regular internal and external vulnerability scanning.

To mitigate the risk of IM vulnerabilities, Gartner recommends:

• Security administrators should stay on top of the spate of alerts in regards to IM.
• Administrators should also attempt to get users to apply patches in a timely manner and to treat IM as a formal communication tool subject to the same usage restrictions as email.

When choosing among competing IM systems, enterprises should heavily weight the security of the code, Gartner added.

Reprinted from Instant Messaging Planet, an internet.com site