Instant messaging (IM) may have started out as a consumer application, but it is now being used by about half of all employees in the UK for business purposes.
The software – which enables staff to send text messages in real time and can also support voice and video calls – is widely seen as offering significant productivity gains, especially for knowledge workers. But instant messaging has developed with little in the way of business-grade security.
Research carried out by Vanson Bourne for Microsoft found that 71 per cent of office workers using IM were using a “consumer” messaging application, such as those from MSN, AOL or Yahoo. This is despite 38 per cent of users knowing that IM poses potential security risks.
“Uncontrolled instant messaging poses a massive security risk,” says Donal Casey, a security consultant at Morse, the IT reseller and integrator. “In many ways, it can be likened to e-mail about eight years ago, when people were using it as a form of communication but only just realising that it could be used to leak information, for hatemail or spam.”
There have already been cases of bullying by instant messaging, but the main concern of IT experts is the way the software could allow viruses and other cybercrime attacks into the company, as well as how it could be used to send out sensitive data.
A basic consumer instant messaging client is designed for ease of use. On a corporate network, the software will work out a way to reach its service through the company firewall: if the network port it normally uses is blocked, it will try to connect to the service’s messaging server through another, often one that is left open for ordinary web traffic.
This “port hopping” means that closing a single port does not keep the client off the Internet. It makes instant messaging traffic harder to secure and monitor than e-mail, which tends to operate over a narrow, well-known range of network ports.
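Port hopping leaves a recognisable trace in firewall logs: the same client is denied on one port to a messaging server and then allowed on a different port to the same server moments later. The following Python script is an added example, not code from the original article or any vendor: it parses a constructed firewall log (the timestamp, client, destination, port and verdict fields, and the server names, are assumptions for illustration) and reports clients that hopped ports within a short window.

```python
"""
Detect "port hopping" in firewall logs: a client that is DENIED on one port
to a destination and then ALLOWED on a different port to the same
destination shortly afterwards.

Added example. The log format, hosts and addresses below are constructed
for illustration and do not come from any real firewall or IM product.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<iso timestamp> <client> <destination> <port> <verdict>"
SAMPLE_LOG = """\
2006-03-01T09:00:01 10.1.2.15 messenger.example.net 1863 DENY
2006-03-01T09:00:02 10.1.2.15 messenger.example.net 80 ALLOW
2006-03-01T09:00:40 10.1.2.15 messenger.example.net 443 ALLOW
2006-03-01T09:05:00 10.1.2.20 im-login.example.org 5190 DENY
2006-03-01T09:30:00 10.1.2.20 im-login.example.org 443 ALLOW
2006-03-01T09:10:00 10.1.2.30 intranet.example.com 80 ALLOW
2006-03-01T09:11:00 10.1.2.30 intranet.example.com 443 ALLOW
"""


def parse_log(text):
    """Parse log lines into (timestamp, client, destination, port, verdict),
    sorted by time so later correlation can assume chronological order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, verdict = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port), verdict))
    events.sort(key=lambda e: e[0])
    return events


def find_port_hops(events, window=timedelta(minutes=5)):
    """Return (client, destination, denied_port, allowed_port) for every
    ALLOW that follows a DENY to the same client/destination pair on a
    different port within `window`.

    The window matters: a DENY followed by an ALLOW half an hour later is
    more likely a user retrying than a client hunting for an open port."""
    denied = defaultdict(list)  # (client, destination) -> [(ts, port), ...]
    hops = []
    for ts, src, dst, port, verdict in events:
        key = (src, dst)
        if verdict == "DENY":
            denied[key].append((ts, port))
        elif verdict == "ALLOW":
            for deny_ts, deny_port in denied[key]:
                if deny_port != port and ts - deny_ts <= window:
                    hops.append((src, dst, deny_port, port))
    return hops


def suspicious_clients(events, window=timedelta(minutes=5)):
    """Distinct clients that hopped ports, for a quick triage list."""
    return sorted({hop[0] for hop in find_port_hops(events, window)})


if __name__ == "__main__":
    for hop in find_port_hops(parse_log(SAMPLE_LOG)):
        print("port hop: client %s -> %s denied on %d, then allowed on %d" % hop)
```

On the constructed sample, the client 10.1.2.15 is flagged twice (denied on 1863, then allowed on 80 and on 443 within a minute), while 10.1.2.20 is not, because its successful connection came 25 minutes after the block and falls outside the five-minute window. In practice the destination field should be the resolved server address or name rather than a raw IP, because consumer IM services rotate across many servers.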
Already, cybercriminals and hackers have exploited the growing popularity of IM by using it to introduce viruses or other malicious software into businesses.
According to the computer security company Sophos, the Hagbard-A worm posed as any one of 400 downloadable applications on internet file sharing websites. Once an unwitting user had downloaded and installed the software, it would then spread itself by sending instant messages to that user’s IM address book.
Other hacks have worked in a similar way to e-mail phishing attacks, with hackers posting false web links to instant messaging sessions. If a user clicked on the link they would either be taken to a forged website that would ask for sensitive personal data, or would download malware directly to their PC.
IM attacks pose a particular problem for IT managers because users trust instant messaging and are much more likely to click on a link if it appears to come from a messaging session with a friend or business contact. But as well as keeping the instant messaging channel open and secure, IT departments also face the challenge of blocking its use to communicate confidential information, and of logging IM traffic for compliance reasons.
A number of options exist to do this. Symantec recently bought IMlogic, a company that provides add-on security for instant messaging sessions. Such software works by scanning web addresses in instant messages, and warning users if they try to download files.
In some cases, companies might opt to install instant messaging with its file-sharing capabilities disabled, and ask employees to turn on the logging functions that most IM software provides. But for businesses that make heavier use of IM, installing a business-grade IM server provides both a higher level of security and efficiency.
Microsoft’s research found that 58 per cent of IM users used the software to send messages to people in the same office, and 71 per cent to people in other offices within the same company. These figures suggest that many of the benefits of instant messaging could be delivered on a private system rather than by sending messages over the public Internet. IT administrators could then open up external traffic on a user-by-user basis.
Dedicated messaging servers such as Jabber and Microsoft’s Live Communications Server capture IM traffic and route it through a central server so that companies can apply monitoring, virus protection and other security measures.
Microsoft’s offering comes with an integrated desktop client that can access both the company messaging server and public IM networks. Symantec and other IM security vendors offer a bolt-on solution that monitors traffic in real time and can provide very specific blocks on activity, such as allowing internal file transfers but blocking those from outside the company.
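The controls described above (scanning links in messages and warning about downloads, disabling or restricting file transfer, logging every session, and allowing internal file transfers while blocking external ones) all reduce to a policy applied at a central choke point. The Python below is an added example, not code from the original article or from any of the products it names: it models a gateway that evaluates each message against such a policy and emits an audit line. The message fields, the corporate domain `example.com`, the risky-extension list and the sample traffic are assumptions constructed for illustration.

```python
"""
Minimal IM gateway policy: inspect each message, allow internal file
transfers but block external ones, warn on links from outside, and write an
audit line for every message.

Added example. The message format, corporate domain, extension list and
sample traffic are constructed assumptions, not any vendor's behaviour.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

INTERNAL_DOMAIN = "example.com"  # assumed corporate IM domain
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Extensions treated as executable content; assumed list for the example.
RISKY_EXTENSIONS = (".exe", ".scr", ".pif", ".bat", ".com", ".vbs")


@dataclass
class Message:
    sender: str                      # e.g. "alice@example.com"
    recipient: str
    text: str = ""
    file_name: Optional[str] = None  # set when the message offers a file transfer


@dataclass
class Verdict:
    action: str                      # "allow", "warn" or "block"
    reasons: List[str] = field(default_factory=list)


def is_internal(address: str) -> bool:
    """True when the address belongs to the company's own IM domain."""
    return address.lower().endswith("@" + INTERNAL_DOMAIN)


def evaluate(msg: Message) -> Verdict:
    """Apply the gateway policy to one message."""
    # File transfers: only permitted when both ends are inside the company,
    # and never for executable content even internally.
    if msg.file_name is not None:
        if not (is_internal(msg.sender) and is_internal(msg.recipient)):
            return Verdict("block", ["external file transfer"])
        if msg.file_name.lower().endswith(RISKY_EXTENSIONS):
            return Verdict("block", ["executable attachment %s" % msg.file_name])

    # Links: the trust users place in IM contacts is what phishing over IM
    # exploits, so links arriving from outside are flagged for a warning.
    urls = URL_RE.findall(msg.text)
    if urls and not is_internal(msg.sender):
        return Verdict("warn", ["link(s) from external sender: " + ", ".join(urls)])

    return Verdict("allow")


def audit_line(msg: Message, verdict: Verdict) -> str:
    """Compliance log entry: who, to whom, what was decided, and why."""
    why = "; ".join(verdict.reasons) or "-"
    return "%s -> %s %s %s" % (msg.sender, msg.recipient, verdict.action, why)


# Constructed sample traffic.
SAMPLE = [
    Message("alice@example.com", "bob@example.com", "spec attached", file_name="spec.doc"),
    Message("alice@example.com", "carol@partner.invalid", "see attached", file_name="spec.doc"),
    Message("mallory@freemail.invalid", "bob@example.com",
            "new photos http://photos.example.invalid/view"),
    Message("bob@example.com", "alice@example.com", "lunch?"),
    Message("alice@example.com", "bob@example.com", "run this", file_name="update.exe"),
]


def run(messages=SAMPLE) -> List[str]:
    """Evaluate every message and return the audit log as a list of lines."""
    return [audit_line(m, evaluate(m)) for m in messages]


if __name__ == "__main__":
    for line in run():
        print(line)
```

The internal transfer of `spec.doc` is allowed, the same file sent to a partner domain is blocked, the link from an outside address triggers a warning rather than a silent drop (the user still decides, but is told the link came from outside), and the executable is blocked even between two internal users. Whether a warning is enough, or external links should be blocked outright, is the kind of decision the closing paragraph leaves to the company's view of risk.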
“Instant messaging could be fine between two companies if the data being exchanged is very insensitive,” says Miles Clements, a project manager at the Information Security Foundation. “But a trader would not be able to use IM to trade with another bank.”
The right solution will depend largely on the value of the data, and the company’s view of risk.