Firms Develop Policies, Technologies to Curb IM Security Dangers

Recent news headlines have chronicled instant messaging worms and viruses authored by malicious thieves intent on stealing identities. That’s only half the story.

There is another side to the IM vulnerability threat: internal theft. Internal theft not only compromises privacy assurances, but also puts intellectual property at risk. Both of these consequences could severely impact a company’s reputation or its competitive stance.

One recent case was Yahoo’s suit against MForma and a group of former Yahoo employees. Yahoo alleged theft of its trade secrets. The lawsuit relies heavily on archived IM conversations in which the ex-employees discussed their plans.

The risk of internal theft via IM is growing, according to security researchers and legal advisors. It’s not difficult to see why, with the Radicati Group reporting that 85 percent of businesses are using IM, but only one quarter have a clearly defined policy on its use in the workplace.

“Greater than 90 percent of IM usage is still occurring over consumer services like AOL, MSN and Yahoo. This grassroots adoption has created a pipe between the corporate network and the outside world. With any pipe, there are threats in both directions,” Jon Sakoda, senior director of product management for the enterprise messaging group at Symantec, told TechNewsWorld.

The Outbound Threat

Much ado has been made about the inbound threat — and Symantec said that threat is still significant. It’s the outbound threat, though, that the firm predicts could emerge as a greater risk in the months ahead if businesses do not implement IM policies regarding how employees use and archive electronic messages.

“IM is downloaded by consumers, so it is difficult for IT administrators, compliance officers, or anyone else who is worried about data leakage or confidential information leaving an organization to monitor,” Sakoda said. “There are a lot of lessons to be learned from e-mail with regard to setting policies.”

Sakoda is referring to educating employees on the approved use of IM in the workplace and letting them know IM usage, like e-mail usage, is monitored. The message is clear: Even though you installed a rogue consumer IM product you are still using corporate assets, and corporate policies apply.

The Gravity of IM

When crafting policy in and around IM, organizations should start by recognizing the gravity of the topic, said Ed Moyle, a manager with CTG’s Information Security Practice. IM should be approached with the understanding that it’s a full-fledged communications tool.

Just like any communications tool, IM technology can be dangerous if used inappropriately. Moyle points to the public embarrassment of eFront in relation to its CEO’s ICQ logs that revealed the struggles of coping with a corporate shakeout in 2001.

The logs were stolen from a PC used by eFront CEO Sam Jain. The public display of his explosive discussions about business partners, employees and others were a nightmare for Jain and the company.

“IM technology used in an inappropriate way can have a direct and negative impact to the firm. And it goes without saying that IM can also be a vector for the same threats as other communication channels: loss of intellectual property, inappropriate discourse, malware and loss of employee efficiency,” Moyle told TechNewsWorld.

IM: A Different Animal

Some enterprises have chosen to extend corporate “acceptable use of electronic communications” policy to cover IM as well as e-mail. Others have elected to prohibit IM technology altogether. Still others have elected to create new IM-centric policies.

IM is a somewhat different animal from e-mail. Sure, it’s all digital communications, but those digital communications don’t travel through cyberspace the same way. E-mail goes through the corporate server. Consumer IM applications do not.

“The very nature of IM is that once you sign off, there is no record of it unless you choose to archive it. Otherwise, it can’t be retrieved. It is much less secure than e-mail, because it doesn’t create its own record,” Stephen Feingold, a partner with the law firm of Pitney Hardin, told TechNewsWorld. “We recommend that clients do not allow IM access at work.”

Acceptable Use

When IM is a part of the corporate communications strategy, though, Feingold reverts back to the acceptable usage policy for IM. Similar to e-mail policies, he said acceptable use policies directly provide for the company’s right to monitor IM usage, especially when there is suspicion that the employee is sending out trade secrets or other proprietary information.

As with any policy decision, analysts said it is important for companies to keep an eye on the needs of the business when selecting the contents of an IM usage policy. The best approach is one that accounts for employees conducting legitimate business-related communication while ensuring that any legal and regulatory objectives are met and productivity remains high.

“This may sound like a hedge, but it’s true — firms have different needs. If a firm has a regulatory requirement to archive communications into and out of the firm, allowing unrestricted access to a public IM infrastructure is probably inappropriate,” Moyle said.

Enforcing the Policy

Regardless of the specific approach selected, analysts said it is important to realize that technical enforcement of that policy can difficult to implement.

One approach Moyle is seeing more often is the use of an officially sanctioned internal IM infrastructure that allows IM communications while retaining some measure of control over how the technology is used. “By hosting the entire infrastructure within the firm, they can archive, filter and monitor the traffic as fits the needs of their business,” he said.

There are also products from companies like Akonix and Symantec that can assist corporations with technical enforcement. Symantec’s IM Manager is designed to control and secure public enterprise IM networks while ensuring compliance with regulatory and corporate governance policies.

No Longer Below the Radar

Symantec acquired the technology when it bought IMlogic in January. It manages, secures, logs and archives all IM traffic with certified support for public and enterprise IM networks, including AOL, MSN, Yahoo, ICQ, IBM Lotus Instant Messaging, Microsoft Office Live Communications Server, Jabber and others. Its integration with the IMlogic Threat Center provides real-time antivirus and anti-spam prevention for corporate IM usage.

“The IM Manager allows companies to scan IM traffic for certain keywords, keep records of conversations and also put disclaimers in the conversation that pop up to notify the user that the messages are being monitored,” Sakoda said. “This works with the policy and puts IM usage on the corporate radar screen. Employees can no longer communicate below the radar.”

With the Radicati Group predicting corporate IM usage will grow in the coming years — worldwide IM revenue is expected to grow from $142 million in 2005 to $365 million by 2009 — analysts said the time to implement IM policies and technologies to monitor enforcement is now.