Instant messaging

Does instant messaging improve communication or threaten companies' security and productivity? Dr Horst Joepen, CEO of Webwasher, answers instantly.

In the last two to three years instant messaging (IM) has triumphed among personal internet users as well as within companies.

There are now few school children not in touch with their friends via ICQ, MSN or AOL Messenger, but stockbrokers, currency dealers, and the IT department are also constantly 'chatting' with their most important contacts via Messenger.

According to a Gartner poll, instant messaging is used today in 70 per cent of all companies. According to the Yankee Group, however, only 15–20 per cent of companies operate a solution for IM administration. In the remaining 50 per cent, IM accounts for a huge share of infrastructure usage and poses a severe security risk for firms.

The same is true for the use of peer-to-peer services such as music exchange, which have also become pervasive in many organizations, but lack any administrative supervision whatsoever. These services entail both security and legal risks.

So do you need IM? IM is suitable for all areas where quick, immediate contact among a known and manageable group of people is crucial. But in companies with more complex and clearly defined workflows and processes, where flexible decision-making and coordination timed to the minute play a lesser role, it is questionable whether instant messaging is beneficial.

Private chat sessions and the constant distraction from larger tasks by incoming instant messages can bring about a drop in productivity. A derogatory comment made via IM can be just as much of a legal problem as one made by email, so there could be exposure to potential litigation.

What is decisive is not the issue of whether your company needs IM but rather that it very probably already has it. So, if instant messaging has already taken root, where’s the problem?

Technically speaking, instant messaging tools, like peer-to-peer exchanges, use 'wild' (non-standard) protocols that ride on top of HTTP or HTTPS.

They are capable of transferring not just active technologies such as scripts and macros but also data attachments and thus can transfer all currently known carriers of viruses and worms.

Content exchanged via peer-to-peer services also entails a considerable legal risk. A study of Gnutella P2P traffic showed that 47 per cent of requests related to pornography and 97 per cent infringed existing copyright.

Such content is often infected with viruses. Thus IM and peer-to-peer exchanges pose threats every bit as dangerous as the flow of data into the company from email or the web. And IM data flow cannot be controlled by firewalls, simple web filters and URL blockers.

What can you do? The use of special IM and P2P filters allows instant messaging to benefit the company while controlling the security risks.

In order to implement a uniform security policy simply and consistently, the IM filter should preferably be part of a comprehensive, integrated content security management suite.

A typical policy could, for instance, block all IM clients that send requests to unauthorized public messaging servers, and permit requests only to the company's own messaging servers.

As with spam, IM-related security problems first occurred in the US, where companies were spurred into action by very real breaches of security.

UK organizations should take advantage of the early warning system and have their content filtering systems upgraded now, not least because the cost of improving IT security is more than offset by the ensuing increase in productivity.

In a nutshell

  • IM poses a severe security risk for firms: it can transfer all currently known carriers of viruses and worms.
  • IM data flow cannot be controlled by firewalls, simple web filters and URL blockers.
  • Special IM and P2P filters allow instant messaging to benefit the company while controlling the security risks.
  • Take advantage of the early warning system and have your content filtering systems upgraded now.

This article first appeared in May 2005 ITNOW.