No silver bullet for instant messaging security



A 2006 Osterman Research survey found 93% of North American businesses were using instant messaging (IM). Commercial offerings such as Reuters Messaging Interchange will only increase demand, writes Raj Samani, vice-president of communications at ISSA's UK Chapter.

This popularity is understandable: a study by the Radicati Group found that an organisation with 5,000 people could save $37.5m a year using IM. Much like the fabled Dutch boy plugging the dyke with his finger to save his village from flooding, security departments are faced with trying to plug vulnerabilities in a technology that is fast becoming ubiquitous.

Introducing a new communication channel for business coincidentally also introduces a new delivery channel for malware and spam (or spim - spam over instant messaging). The popularity of IM is not lost on those who propagate such unwanted traffic, with 12% of online fraud initiated via IM, according to Gartner.

Other valid concerns include the threat of data exfiltration; simply implementing a policy and/or controls to prevent attached documents is only half the solution. Mentioning the release date of a product to a 'buddy', for example, may be detrimental to its release onto the market.

Tunnelling alternative services through IM can also be a challenge, because what was expected to be a straight messaging service could now be offering VoIP or file-sharing capabilities, wreaking havoc with network or gateway systems that do not anticipate higher volumes of traffic.

IM presents a number of challenges with the archival or audit of messages for regulatory or investigatory purposes, along with the routing of a potentially unencrypted message over unknown networks. Solutions do exist to help solve these challenges, but at a cost, potentially negating the saving which could have been made using IM.

Sadly, there is no super silver bullet to analyse the risks introduced by IM, or any technology for that matter. Simply following the tried and tested model of identifying and managing risk in a perpetual cycle ensures that the business is not only aware of risks but also manages them to an acceptable level.


This was first published in August 2009

