Despite the fact that instant messaging technology is nearly ubiquitous in the enterprise, and has been for some time, according to a new survey nearly 60% of US organisations do not have any security technologies in place to defend against IM threats.
Security giant Symantec Corp. surveyed 400 CIOs on their organisations' IM security policy, and found that 57% of them had no security or availability policies for their IM systems. The survey also found that only 22% of organisations archive their employees' IM messages, a serious oversight that can lead to the leakage of confidential data or other sensitive information.
Nearly all enterprises have developed email archiving, retention and inspection policies, but the survey results suggest few organisations have extended that to their IM systems.
"It starts with visibility. Most IT departments don't have any visibility into the IM deployments in their enterprises," said Andrew Burton, senior product manager at Symantec.
Some industries, most notably financial services and securities trading, have developed regulations that specifically govern the usage of IM clients and require logging and archiving of IM conversations. Other industries are beginning to follow that lead.
"With regulatory compliance, life sciences and health care are starting to see the need for this. Government is coming on board, too," he said. "In terms of governance, we're seeing a broader movement across industries to secure IM in order to comply with audits and IT governance requirements."
The results of the survey are especially surprising considering that the number of IM threats increased by more than 1,600% from 2004 to 2005, according to statistics gathered by Symantec. Last year the vendor recorded a total of 2,400 unique IM threats.
"There's a larger footprint [for IM] now, and the number of users attracts attackers," he said. "Plus, the effectiveness is higher. Once someone is infected, the social engineering aspect of IM increases the likelihood that other people will fall victim to the attack."