A 2006 Osterman Research survey found 93% of North American businesses were using instant messaging (IM). Commercial offerings such as Reuters Messaging Interchange will only increase demand, writes Raj Samani, vice-president of communications at ISSA's UK Chapter.
This popularity is understandable: a study by the Radicati Group found that an organisation with 5,000 people could save $37.5m a year using IM. Much like the fabled Dutch boy plugging the dyke with his finger to save his village from flooding, security departments are faced with trying to plug vulnerabilities in a technology that is fast becoming ubiquitous.
Introducing a new communication channel for business also, coincidentally, introduces a new delivery channel for malware and spam (or spim - spam over instant messaging). The popularity of IM is not lost on those who propagate such unwanted traffic, with 12% of online fraud initiated via IM, according to Gartner.
Other valid concerns include the threat of data exfiltration; simply implementing a policy and/or controls to prevent attached documents is only half the solution. Mentioning the release date of a product to a 'buddy', for example, may be detrimental to its release onto the market.
Tunnelling alternative services through IM can also be a challenge, because what was expected to be a straight messaging service could now be offering VoIP or file-sharing capabilities, wreaking havoc with network or gateway systems that do not anticipate higher volumes of traffic.
IM presents a number of challenges with the archival or audit of messages for regulatory or investigatory purposes along with the routing of a potentially unencrypted message over unknown networks. Solutions do exist to help solve these challenges but at a cost, potentially negating the saving which could have been made using IM.
Sadly, there is no super silver bullet to analyse the risks introduced by IM, or any technology for that matter. Simply following the tried and tested model of identifying and managing risk in a perpetual cycle ensures that the business is not only aware of risks but also manages them to an acceptable level.
This was first published in August 2009