Instant messaging is now one of the highest risks to
business users of Microsoft Windows, according to an annual survey
by the Sans Institute.
The US-based research body, which pulls together security experts
from government, suppliers, users and academics, focused on the
risks associated with the dramatic rise in instant messaging
software in its report published in October 2004.
The Sans Institute warnings are in line with the experience of
security experts in the City of London. They have reported that
some City professionals are using instant messaging technology to
send commercially sensitive information outside the organisation
without detection.
City firms are increasingly turning to specialist investigators to
root out the practice during sensitive merger and acquisition
talks, when the confidentiality of corporate information can mean
success or failure in a takeover.
The practice illustrates the risks that unauthorised instant
messaging can pose to companies, not only from employees sending
out confidential information, but by breaching legal and regulatory
requirements and creating new routes for virus infections and
hackers.
Adrian Palmer, managing director of risk consultancy Kroll Ontrack,
said his team is increasingly being asked to investigate cases
where companies suspect secrets have been lost through instant
messaging software.
"It tends to be information about mergers and acquisitions. People
targeting particular companies as acquisition targets do not want
it to get out to the market. They want to steal a march on other
companies," he said.
It is not just City firms that are at risk. A small technology firm
had to call in corporate investigation firm Carratu International
earlier this year after it grew concerned that a rival firm had
developed products which showed a marked similarity to its
own.
"They did not realise how the information was going out. They knew
it was not being e-mailed and they knew it was not being saved [to
a removable device]," said Carratu's Gavin Hyde-Blake.
Carratu examined the company's PCs and identified which employee
was responsible for passing on confidential data using instant
messaging software.
But the investigation also revealed that eight of the company's 20
staff had instant messaging software on their machines and were
wasting hours every day sending messages to each other.
"They were talking all day rather than doing any work. If you have
20 people in a company and several of them are chatting at the same
time, productivity goes down. You are paying for them to
socialise," he said.
Carratu's team was able to help the firm put together an electronic
communications policy. All instant messaging use is now banned and
frequent checks for instant messaging software on PCs are carried
out.
Barring use of messaging
Monitoring instant messaging in large firms requires a technical
solution. Simply banning it is not enough. Instant messaging
software now comes as standard on most PCs and can be easily
downloaded by staff without the company's knowledge.
Face Time, a security firm which specialises in instant messaging,
advises firms to set up an authorised messaging service. This way,
they can check that incoming messages do not contain viruses,
include disclaimers and block the transfer of large files. These
measures should be combined with technology to block unauthorised
messages. Face Time supplies a device that examines all network
traffic and blocks unauthorised messages.
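The gateway approach described above (one authorised messaging service, public clients blocked, large file transfers stopped) can be reduced to a small policy check over the sessions seen at the network edge. The following is an added example, not code from the article or from Face Time or any other supplier named here; the session records, the authorised server name `im.corp.example`, the size limit and the port-to-network mapping are assumptions chosen for illustration. Sessions to the authorised service are allowed and marked for archiving, which is the record-keeping point the article's lawyers make later on.

```python
"""Policy check for instant messaging sessions observed at a network gateway.

Added example (not from the article). Hostnames, ports, the size limit and
the sample sessions below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# Default ports of the public IM networks named in the article (assumed for
# this example; a real gateway must also inspect the protocol, because
# clients can be configured to fall back to other ports such as 80 or 443).
PUBLIC_IM_PORTS = {
    1863: "MSN Messenger",
    5190: "AOL Instant Messenger / ICQ",
    5050: "Yahoo Messenger",
    5222: "Jabber / XMPP",
}

# The firm's own authorised messaging service (hypothetical host name).
AUTHORISED_SERVER = "im.corp.example"
# File transfers larger than this are blocked even on the authorised service.
MAX_TRANSFER_BYTES = 10 * 1024 * 1024


@dataclass(frozen=True)
class Session:
    user: str
    dst_host: str
    dst_port: int
    kind: str            # "chat" or "file"
    size_bytes: int = 0  # payload size, only meaningful for "file"


def classify(session: Session) -> tuple[str, str]:
    """Return (verdict, reason).

    Verdicts: "archive" (authorised IM, allowed and must be retained),
    "block" (unauthorised client or oversized transfer), and
    "pass" (not identified as instant messaging; left to other controls).
    """
    if session.dst_host == AUTHORISED_SERVER:
        if session.kind == "file" and session.size_bytes > MAX_TRANSFER_BYTES:
            return "block", "file transfer exceeds size limit on authorised service"
        return "archive", "authorised messaging service"
    network = PUBLIC_IM_PORTS.get(session.dst_port)
    if network is not None:
        return "block", f"unauthorised public IM client: {network}"
    return "pass", "not identified as instant messaging"


def apply_policy(sessions: list[Session]) -> tuple[list[Session], list[tuple[str, str]]]:
    """Evaluate every session; return (sessions to archive, (user, reason) blocks)."""
    archive: list[Session] = []
    blocked: list[tuple[str, str]] = []
    for s in sessions:
        verdict, reason = classify(s)
        if verdict == "archive":
            archive.append(s)
        elif verdict == "block":
            blocked.append((s.user, reason))
    return archive, blocked


# Constructed sample sessions: hostnames and users are invented.
SAMPLE_SESSIONS = [
    Session("alice", "im.corp.example", 5222, "chat"),
    Session("bob", "msn-gateway.example.net", 1863, "chat"),
    Session("carol", "oscar.example.net", 5190, "file", 2_000_000),
    Session("dave", "im.corp.example", 5222, "file", 50 * 1024 * 1024),
    Session("erin", "www.example.com", 443, "chat"),
]

if __name__ == "__main__":
    archive, blocked = apply_policy(SAMPLE_SESSIONS)
    for s in archive:
        print(f"ARCHIVE {s.user} -> {s.dst_host}:{s.dst_port}")
    for user, reason in blocked:
        print(f"BLOCK   {user}: {reason}")
```

Run as a script it prints one line per decision; the archive list is what would be handed to the retention store, and the block list is what an administrator would review to find staff who have installed their own clients.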
Despite the ready availability of blocking software, many large
companies turn a blind eye when their employees download their own
instant messaging software.
Ken Charman, director at Face Time, said it is common for even City
firms to "sweep it under the carpet".
"When I talk to City institutions they tell me they are not going
to start logging instant messaging until the Financial Services
Authority requires it. Or they have taken legal advice and they are
waiting for a court case to set a legal precedent," he said.
In the wake of high-profile cases involving Microsoft, Enron and
Shell, many financial services firms are wary of retaining
electronic information that could later come back and bite
them.
Rather than retaining more documents, many City firms are reducing
their retention periods, said Charman.
"Standard financial record retention should be six years, lawyers
recommend. But some companies are bringing down retention policies
to six months or 90 days. The message I get is that the cost of the
storage is high, and the risk of retaining the information is
greater than the risk of destroying it," he said.
Risks of disposing of messages
Stephen Mason, a barrister who specialises in electronic
communication, said companies are exposing themselves to huge legal
risks.
There are more than 150 laws and regulations in the UK which place
a legal obligation on companies to retain commercial information
for anything between three and 10 years. Records on pensions have
to be kept indefinitely.
This poses a problem when companies are using instant messaging to
communicate critical information. Mason uses the example of the
Limitation Act 1990, which requires car manufacturers to keep
documentation on their models for 10 years after it is
discontinued.
"Let's say there is a fault with the steering wheel in a car and
someone passes a report around the company by e-mail. That e-mail
has to be retained. Instant messaging is no different," he
said.
The problem can be particularly serious for financial services
companies and other regulated businesses. Mason said it is easy to
imagine employees sending stockmarket-sensitive financial
information to their buddies around the world in an attempt to
manipulate share prices.
"If you permit instant messaging and you fail to record it, you
could be breaching industry regulations even if you are not
breaking the law," said Mason.
Although there have been no cases brought against individuals,
Norwich Union was sued for an employee defaming another company in
an e-mail and paid out £450,000 in damages plus costs.
A new route for viruses
Instant messaging can also provide new routes for viruses to spread
into organisations. Graham Cluley, virus technology expert at
Sophos, said there have been a number of viruses over the years
that have spread by e-mail and instant messaging.
"I do not think it will ever be as big a problem as e-mail viruses,
but I would not be surprised if we saw more viruses using instant
messaging in future," he said.
From a common sense point of view, there are advantages to keeping
messages. Should a dispute arise, it is much easier to prove your
case if you have a record of the conversation.
The emergence of corporate governance regulations, such as Basel 2,
will mean that firms will not be able to duck the problems of
instant messaging indefinitely.
Despite the high costs of storage, companies will have no choice
but to bite the bullet, said Mason.
"If directors and senior managers want to use the technology they
have got to face facts. They have to spend more on security and
storage to get what they want - higher profits and reduced
operational costs," he said.
Instant messaging options for enterprise users
Reuters
Reuters provides a corporate instant messaging service for
customers of its financial news services. The service currently has
60,000 users worldwide. Reuters plans to link its messaging service
to the services run by AOL and MSN.
Microsoft
Microsoft is developing corporate instant messaging services to
supplement its consumer-focused services. Its live communication
server offers internal messaging. The next version, which will be
available in 2005, will allow businesses to communicate securely
with external suppliers and customers. Microsoft plans to link the
service to consumer-focused messaging services, its own MSN
Messenger and similar services provided by AOL and Yahoo.
Microsoft includes its business-oriented Windows Messenger software
with the Windows XP operating system. The software can be used to
send messages within a corporation using Microsoft's Exchange
Instant Messaging service. It can also send messages externally
using the MSN Messenger service.
Yahoo
Yahoo's instant messaging service is aimed at home users, but is
frequently used by staff for business-related communications. It
has two million customers in the UK and offers a variety of
services including SMS to mobile phones and access to internet
radio stations.
AOL
AOL's Instant Messenger service is aimed at consumers but, like
other services, is widely used by businesses. The service is
available with AOL's internet software or customers can download
it. AOL also runs the ICQ instant messaging software service. The
two services claim to have about 100,000 users. Services offered
include video instant messaging and voice over IP.
Public versus enterprise instant messaging systems
End-to-end enterprise systems
Supplier: AOL, IBM, Microsoft, Oracle, Reuters, Sun, Yahoo
Pros: Strong security, control and tracking. IT supports a
single client
Cons: Expensive. Firms must convince users to give up
tried-and-tested instant messaging clients
Best fit: Large firms. Firms with very strict regulatory
requirements.
Public instant messaging add-ons
Supplier: Akonix Systems, Blue Coat Systems, Cerulean Studios,
Deviant Technologies, Face Time Communications, Imlogic, Jabber,
Symantec, Vayusphere
Pros: Quick set-up. Users can keep existing instant messaging
clients. Less expensive
Cons: IT does not have control of clients. Relies on the quality
of service of public networks
Best fit: Smaller firms. Firms with less strict regulatory
requirements.