
A 2006 Osterman Research survey found 93% of North American
businesses were using instant messaging (IM). Commercial offerings
such as Reuters Messaging Interchange will only increase
demand, writes Raj Samani, vice-president of
communications at ISSA's UK
Chapter.
This popularity is understandable: a study by the Radicati Group
found that an organisation with 5,000 people could save $37.5m a
year using IM. Much like the fabled Dutch boy plugging the dyke
with his finger to save his village from flooding, security
departments are faced with trying to plug vulnerabilities in a
technology that is fast becoming ubiquitous.
Introducing a new communication channel for business
also creates a new delivery channel for malware and
spam (or spim - spam over instant messaging). The popularity of IM
is not lost on those who propagate such unwanted traffic, with 12%
of online fraud initiated via IM, according to Gartner.
Other valid concerns include the threat of data exfiltration;
simply implementing a policy and/or controls to prevent attached
documents is only half the solution. Mentioning the release date of a
product to a 'buddy', for example, may be detrimental to its release
onto the market.
Tunnelling alternative services through IM can also be a
challenge, because what was expected to be a straight messaging
service could now be offering VoIP or file sharing capabilities,
wreaking havoc with network or gateway systems that do not
anticipate higher volumes of traffic.
IM presents a number of challenges with the archival or audit of
messages for regulatory or investigatory purposes along with the
routing of a potentially unencrypted message over unknown networks.
Solutions do exist to help solve these challenges but at a cost,
potentially negating the saving which could have been made using
IM.
Sadly, there is no super silver bullet to analyse the risks
introduced by IM, or any technology for that matter. Simply
following the tried and tested model of identifying and managing
risk in a perpetual cycle ensures that the business is not only
aware of risks but also manages them to an acceptable level.