
Locking Down IM

Before you embrace instant messaging, be sure to address the risks.
 


August 29, 2005 (Computerworld) -- Instant messaging has fought the battle for business turf and won. The use of IM in the corporate sector has reached mainstream status, and it's a welcome productivity boost.
"Before IM, we had too many salespeople who had to get up and go meet face to face because someone couldn't be reached. And with e-mail, you have a latency issue, so employees would get up and go talk to each other," says Josh Stallings, vice president of strategic initiatives at No Red Tape Mortgage in Sherman Oaks, Calif.
"Now our people are on the phone all day because they can [simultaneously] IM our processing team to get the information they need for our clients," he says.
IM is a real-time text communications technology with which messages can be sent, received and viewed immediately. And it's nearly everywhere, says Paul Ritter, research director for messaging and collaboration at Wainhouse Research, a communications market research firm in Duxbury, Mass. "Our research shows that more than 80% of large companies in the U.S. have some form of IM," he says.
But IM is risky and could cause as much damage as rogue e-mail, says S.V. Purushothaman, program leader of the conferencing and collaboration group at Frost & Sullivan Ltd., a high-tech consultancy in New York. "Today, 10% of global IM messages are spim," or IM spam, says Purushothaman. "It has the same potential as e-mail spam."
Moreover, hackers are finding it easier to break in through IM buddy lists than by other means, he says.

Image Credit: Isabelle Arsenault
While some companies have outlawed IM because of security concerns, many are looking for ways to mitigate risks while enjoying the business benefits. Here are steps you can take to secure IM in your organization.

Manage unauthorized IM clients. This applies to anything that's added to IT assets and infrastructure, says David MacLeod, director of information protection and assurance at The Regence Group, a health insurance carrier in Portland, Ore. "We have a very well-defined, -controlled and -monitored electronic perimeter," he says. "We know what can leave our organization and what can come in. That is clearly the first and most important step when you want to introduce anything new onto the network."


Address risks that arise from change. Simply adding IM to the network, like adding any software, introduces risk. "It's not because it happens to be IM. Anytime we add something new to our environment, there are security and privacy considerations," says MacLeod. "You need to determine whether it has altered the security posture of the organization."

Identify and verify users to curtail unauthorized access. This is what's referred to as authenticating the user. CIO Tim Hudson at Man Financial, the brokerage arm of London-based Man Group PLC, accomplishes this by tying the party's identity and permissions for various types of uses to existing technologies that identify people who have access rights on the network. "If someone has logged onto IM, we know that she or he is that person," says Hudson.

Establish appropriate-use policies. "If you have an IM product you want to use, you need to do due diligence and have proper policies in place," says Frost & Sullivan's Purushothaman. Policies may include rules such as not allowing users to send files via IM, because sending and receiving attachments makes it easy to spread viruses, he says.
Or you may not want different workgroups to IM one another. "We have separate user groups and don't necessarily allow them to IM each other. This ensures that research, sales, and institutional and product client groups are appropriately connected or disconnected," says Hudson. The same technologies that identify users can identify the workgroups they belong to with their individual IM privileges, he says.

Educate employees about IM use and policies. Employees play an important role in IM security. "Educate your users that they shouldn't be sharing passwords and that if they are, they're handing over their identity to their colleague," says Hudson.
At The Regence Group, people management is key to securing IM. "We have clearly articulated our policies around what kinds of information should be shared, what kinds should be protected and what are appropriate mechanisms for sharing information," says MacLeod.

Enforce policies. "We have tools that automatically apprise us when it appears that something against policy has occurred," says MacLeod. "We work with human resources and our leadership team to make sure that the employees involved understand why that's not appropriate and to coach them on how to do that kind of information exchange in a more secure and appropriate manner."
Purushothaman takes a harder line against IM misuse. He suggests issuing one or two warnings and then probation for offending employees.

Monitor risks related to security and privacy legislation. Many companies using IM are subject to multiple privacy and security regulations, such as the Health Insurance Portability and Accountability Act and the Sarbanes-Oxley Act.
The compliance concern is that information that should be secured can be passed on quickly and easily to numerous parties in the public domain, CIOs say.
Therefore, in industries such as financial services, pharmaceuticals and health care, IM conversations must be archived and logged. There also need to be policies to prevent any damaging information from getting out, says Purushothaman.

Manage IM patches. Take the same care with IM patches that you do with any other software. "We evaluate all IM patches to determine if they address something that is at risk for our organization, and if they do, they are prioritized and applied as quickly as appropriate," says MacLeod.

If you send instant messages outside the company, recognize the unique risks associated with that. "If a CIO believes she or he needs to IM outside the company, that introduces an entirely different set of concerns," MacLeod says. "You require a different set of controls, and it should be segregated from the internal messaging capabilities."
Additional authentication measures might be necessary to adequately identify who is sending instant messages from outside the company, Hudson adds.
Geer is a freelance writer in Ashtabula, Ohio. Contact him at geercom@alltel.net.


