
Instant messaging (IM) is one of those applications that is
seen as either the best thing since sliced bread, greatly improving
productivity, or the bane of a manager's life because it is
perceived that staff waste a lot of time using it.
Given these two opposing views, the first thing any company
should do is to ensure they have a comprehensive set of acceptable
use policies (AUPs) covering such things as IM, e-mail and internet
access. They must also ensure that staff are aware of the various
AUPs and sanctions for abuse of an AUP.
Security awareness education is also key. You cannot blame staff
for doing something if they do not know it is wrong or ill-advised,
and you will need to keep on top of maintaining the awareness
message to your staff; it's not a one-shot deal (visit the
ISAF website and the
BCS website for advice).
So what are the security risks of using IM? According to
security researchers, one in 78 links contained in instant messages
connect to malware, so its use is clearly an issue, and while AUPs
and education won't fix this problem, it is the right place to
start.
For companies that want to use IM as a business tool, one route
to take is to install an in-house or enterprise IM server and then
block access to all IM services and accesses at the internet
gateway except those initiated by the in-house server. The in-house
IM server can then be given connections to other external IM
gateways as determined by business need.
The in-house system should be locked down, be up to date with
security patches and run licensed and maintained anti-virus
software. This should be backed up by AV software running on users'
PCs, as well as by restricting any software installs to officially
sanctioned products. A variant of this is to use an externally
hosted IM service. The object in both scenarios is to block all IM
access from the desktop except to the corporate IM service.
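The gateway policy described above (desktops reach IM only through the corporate IM server; only that server reaches approved external gateways) is easy to state but easy to get wrong over time as firewall rules are edited. The following added example, not part of the original article, audits egress firewall log lines against that policy so you can confirm it still holds and see whether desktops are trying to bypass it. The log format, the addresses (in-house IM server `10.0.5.10`, internal network `10.0.0.0/8`, approved gateway `198.51.100.20`) and the port list are all constructed assumptions; 5222/5223 are XMPP's registered client ports, and the set should match whatever IM services the business actually uses.

```python
"""Audit egress firewall log lines against a corporate IM gateway policy.

Policy (from the article): desktops may not reach external IM services
directly; only the in-house IM server may, and only to approved gateways.
All addresses, ports and log lines below are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumed environment values (not from the article).
IM_SERVER = ipaddress.ip_address("10.0.5.10")          # in-house IM server
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")      # corporate LAN
APPROVED_GATEWAYS = {ipaddress.ip_address("198.51.100.20")}  # business-approved external IM gateway
IM_PORTS = {5222, 5223}  # XMPP client ports; extend to match the services in use

# Constructed log line format: "SRC=a.b.c.d DST=e.f.g.h DPT=n ACTION=ACCEPT|DROP"
LOG_RE = re.compile(r"SRC=(\S+) DST=(\S+) DPT=(\d+) ACTION=(\w+)")

# Constructed sample log, one flow per line.
SAMPLE_LOG = [
    "Jan 10 09:01:02 gw kernel: SRC=10.0.20.15 DST=203.0.113.7 DPT=5222 ACTION=DROP",    # desktop blocked, as intended
    "Jan 10 09:01:05 gw kernel: SRC=10.0.5.10 DST=198.51.100.20 DPT=5222 ACTION=ACCEPT",  # server to approved gateway
    "Jan 10 09:01:09 gw kernel: SRC=10.0.20.15 DST=10.0.5.10 DPT=5222 ACTION=ACCEPT",     # desktop to in-house server
    "Jan 10 09:02:11 gw kernel: SRC=10.0.5.10 DST=203.0.113.7 DPT=5222 ACTION=ACCEPT",    # server to unapproved gateway
    "Jan 10 09:02:40 gw kernel: SRC=10.0.20.31 DST=203.0.113.7 DPT=5223 ACTION=ACCEPT",   # desktop bypass let through
    "Jan 10 09:03:00 gw kernel: SRC=10.0.20.31 DST=93.184.216.34 DPT=443 ACTION=ACCEPT",  # ordinary web traffic
]


@dataclass
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    action: str


def parse_line(line: str):
    """Extract a Flow from one log line; return None for lines that do not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return Flow(ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2)),
                int(m.group(3)), m.group(4))


def classify(flow: Flow) -> str:
    """Return 'ok', 'bypass' (desktop reaching an external IM service directly)
    or 'unapproved-gateway' (IM server talking to a gateway not on the list)."""
    if flow.dport not in IM_PORTS or flow.dst in INTERNAL_NET:
        return "ok"  # not an external IM flow, so outside this policy
    if flow.src != IM_SERVER:
        return "bypass"
    if flow.dst not in APPROVED_GATEWAYS:
        return "unapproved-gateway"
    return "ok"


def audit(lines):
    """Split policy violations by what the gateway actually did with them.

    accepted_violations: rule gaps to fix (the policy is not being enforced).
    blocked_attempts: evidence desktops are trying to bypass it (an awareness issue).
    """
    result = {"accepted_violations": [], "blocked_attempts": []}
    for line in lines:
        flow = parse_line(line)
        if flow is None:
            continue
        verdict = classify(flow)
        if verdict == "ok":
            continue
        bucket = "accepted_violations" if flow.action == "ACCEPT" else "blocked_attempts"
        result[bucket].append((verdict, str(flow.src), str(flow.dst), flow.dport))
    return result


if __name__ == "__main__":
    for bucket, findings in audit(SAMPLE_LOG).items():
        print(bucket)
        for finding in findings:
            print("  ", finding)
```

Run it against the constructed sample and it reports two accepted violations (the server reaching an unapproved gateway, and a desktop reaching an external IM port directly) and one blocked bypass attempt. In practice you would feed it the gateway's real log lines and adjust the regular expression to that firewall's format; the classification logic is what carries the policy.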
For SMEs, where the opportunity to run dedicated services or
servers is not generally an option, I would advise that day-to-day
PC use is done using a low-privilege log-on account, not one with
administrator privileges. Couple that with a recent version of a
commercial AV package (i.e., less than 18 months old), keeping the
PC up to date with vendor-issued security patches, the application
of common sense (you get nothing for free, especially from people
you don't know), regular checking of your AV vendor's website for
the latest information (subscribing to a vendor's newsletter is
another option) and keeping to just one IM service, and it should
help with IM security.
Peter Wenham is a committee member of the BCS
Security Forum Strategic Panel and director of
information assurance consultancy Trusted
Management.
Read more expert advice from the Computer Weekly Security Think
Tank.