This article has been provided to OUT-LAW.COM by Dr. Horst
Joepen, SVP Strategic Alliances, CyberGuard Corporation
According to a recent Gartner poll, instant messaging is used
today in 70% of all companies. According to the Yankee Group,
however, only 15-20% of companies operate a solution for IM
administration. In the remaining 50%, IM is a large, uncontrolled part
of the infrastructure and poses a severe security risk for
firms. The same is true for the use of peer-to-peer
(P2P) services, e.g. music exchange services, which have also
become pervasive in many organisations, but lack any administrative
supervision whatsoever. These P2P services entail both security and
legal risks.
Does my company need instant messaging?
IM is suitable for all areas where quick, immediate contact
among a known and manageable group of people is crucial. As with
SMS, short messages can be swapped and, for instance, a deal team
can finalise and authorise the terms of an offer. Technicians
helping a customer on location can send queries back to company
headquarters via IM, and obtain immediate answers from customer
support specialists, without their queries being buried under an
avalanche of emails or lost to constantly engaged phones.
Stockbrokers can also instantly swap the latest market rumours via
IM and act upon what they learn.
In companies with more complex and clearly defined workflows and
processes, where flexible decision-making and coordination timed to
the minute play a lesser role, it is questionable whether instant
messaging is beneficial. Private chat sessions, and the constant
distraction from larger tasks by incoming instant messages, can
bring about a drop in productivity. A derogatory comment made
by IM can be just as much of a legal problem as one made by email
so there could also be exposure to potential litigation.
However, the decisive question is not whether your company needs IM,
but rather the fact that your company very probably already has IM
without your knowledge.
If instant messaging has already taken root in a company and is
popular, where’s the problem?
Technically speaking, instant messaging tools, like P2P exchanges,
use ‘wild’, non-standard protocols that are tunnelled over HTTP or
HTTPS, so they look like ordinary web traffic. They are capable of
transferring not just active technologies such as scripts and
macros but also all kinds of data attachments (word files, zip
archives, etc.), and thus can transfer all currently known carriers
of viruses and worms. Content exchanged via peer-to-peer services
also entails a considerable legal risk. A study of Gnutella P2P
traffic showed that 47% of requests related to pornography and 97%
infringed existing copyright. It is also evident that such content
is often infected with viruses. Thus instant messaging and P2P
exchanges pose threats every bit as dangerous as the flow of data
into the company from email or web. Unlike email and web traffic,
however, IM data flow cannot be controlled by conventional firewalls,
simple web filters or URL blockers.
Is my company helpless in the face of instant messaging?
No – the use of special IM and P2P filters allows instant
messaging to benefit the company while controlling the security
risks that it involves. In order to implement a uniform security
policy simply and consistently, the IM filter should preferably be
part of a comprehensive, integrated Content Security Management
Suite. This enables company, group and user specific configuration
of the security profile, and its consistent application to the
entire data flow and all standard and ‘wild’ application protocols.
A typical ‘policy’ could, for instance, block all IM clients that
send requests to unauthorised, public messaging servers, and permit
requests only to the company’s own messaging server(s).
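As an added illustration (not the article's or CyberGuard's code), a small Python policy check that contrasts a port-based firewall rule with the destination-aware, group-specific IM/P2P policy just described. All hostnames, users, groups, client signatures and log lines are constructed for the example.

```python
# Added example (not from the article or any vendor product): a toy
# policy engine contrasting a port-based firewall rule with a
# destination-aware IM/P2P policy.  Hostnames, users, groups, client
# signatures and log lines below are all constructed for illustration.
import re
from collections import namedtuple

# Constructed proxy log: time user group method host:port user-agent
PROXY_LOG = """\
10:01 alice trading CONNECT im.corp.example:443 CorpIM/2.1
10:02 bob trading CONNECT chat.public-im.example:443 PublicIM/7.0
10:03 carol support GET gw.public-im.example:80 PublicIM/7.0
10:04 dave support GET www.example.org:80 Mozilla/5.0
10:05 erin sales CONNECT peers.music-share.example:443 ShareClient/1.4
"""

# Policy: IM only to the company's own messaging server(s), per group;
# a group without an entry has no IM entitlement at all.
COMPANY_IM_SERVERS = {"trading": {"im.corp.example"}, "support": {"im.corp.example"}}
IM_AGENT = re.compile(r"^(CorpIM|PublicIM)/")   # constructed IM client signatures
P2P_AGENT = re.compile(r"^ShareClient/")        # constructed P2P client signature
LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+):(\d+) (\S+)$")
Entry = namedtuple("Entry", "time user group method host port agent")

def parse(line):
    """Parse one constructed proxy log line into an Entry."""
    m = LINE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    *head, port, agent = m.groups()
    return Entry(*head, int(port), agent)

def port_firewall(e):
    """Naive rule: permit web ports, block the rest. It never sees tunnelled IM."""
    return "allow" if e.port in (80, 443) else "block"

def im_policy(e):
    """Application-aware rule: classify by client, then check the destination."""
    if P2P_AGENT.match(e.agent):
        return "block", "P2P client"
    if IM_AGENT.match(e.agent):
        if e.host in COMPANY_IM_SERVERS.get(e.group, set()):
            return "allow", "IM to company messaging server"
        return "block", f"IM to {e.host} not permitted for group {e.group}"
    return "allow", "ordinary web traffic"

def audit(log=PROXY_LOG):
    """Return one (user, firewall verdict, policy verdict, reason) per log line."""
    return [(e.user, port_firewall(e), *im_policy(e)) for e in map(parse, log.splitlines())]
```

Every line passes the port-based rule, because all of the traffic rides on 80/443; only the application-aware policy separates sanctioned IM from public-server IM and P2P.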
It only remains to ask: What are others doing and why do I have
to act?
As was also the case with the wave of spam, IM-connected
security problems first occurred in the USA. As a result, for
instance, Sarbanes-Oxley made mandatory the permanent monitoring
and logging of instant message traffic in all US financial
institutions. In current US tenders for content security solutions,
the filtering of instant message data flows is a standard
requirement. US companies were triggered into action by very real
breaches of security. Instead of waiting for the wave to break here
as it did in the USA, companies in this country should take
advantage of the ‘early warning system’ and have their content
filtering systems upgraded now – not least because the cost of
improving IT security is more than offset by the ensuing increase
in productivity.