Instant messaging is now one of the highest risks to business users of Microsoft Windows, according to an annual survey by the Sans Institute.
The US-based research body, which brings together security experts from government, suppliers, user organisations and academia, focused on the risks associated with the dramatic rise in instant messaging software in its report published in October 2004.
The Sans Institute warnings are in line with the experience of security experts in the City of London. They have reported that some City professionals are using instant messaging technology to send commercially sensitive information outside the organisation without detection.
City firms are increasingly turning to specialist investigators to root out the practice during sensitive merger and acquisition talks, when the confidentiality of corporate information can mean success or failure in a takeover.
The practice illustrates the risks that unauthorised instant messaging poses to companies: not only employees sending out confidential information, but also breaches of legal and regulatory record-keeping requirements and new routes in for viruses and hackers.
Adrian Palmer, managing director of risk consultancy Kroll Ontrack, said his team is increasingly being asked to investigate cases where companies suspect secrets have been lost through instant messaging software.
"It tends to be information about mergers and acquisitions. People targeting particular companies as acquisition targets do not want it to get out to the market. They want to steal a march on other companies," he said.
It is not just City firms that are at risk. A small technology firm had to call in corporate investigation firm Carratu International earlier this year after it grew concerned that a rival firm had developed products which showed a marked similarity to its own.
"They did not realise how the information was going out. They knew it was not being e-mailed and they knew it was not being saved [to a removable device]," said Carratu's Gavin Hyde-Blake.
Carratu examined the company's PCs and identified which employee was responsible for passing on confidential data using instant messaging software.
But the investigation also revealed that eight of the company's 20 staff had instant messaging software on their machines and were wasting hours every day sending messages to each other.
"They were talking all day rather than doing any work. If you have 20 people in a company and several of them are chatting at the same time, productivity goes down. You are paying for them to socialise," he said.
Carratu's team helped the firm put together an electronic communications policy. All instant messaging use is now banned and frequent checks for instant messaging software on PCs are carried out.
Barring use of messaging
Monitoring instant messaging in large firms requires a technical solution. Simply banning it is not enough. Instant messaging software now comes as standard on most PCs and can be easily downloaded by staff without the company's knowledge.
Face Time, a security firm which specialises in instant messaging, advises firms to set up an authorised messaging service. This way, they can check that incoming messages do not contain viruses, include disclaimers and block the transfer of large files. These measures should be combined with technology to block unauthorised messages. Face Time supplies a device that examines all network traffic and blocks unauthorised messages.
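The traffic-inspection approach described above, as an added illustration for this article rather than FaceTime's or any other vendor's code: connections are classified as instant messaging first by the protocol's plaintext handshake prefix, so a client moved off its default port is still caught, and only then by well-known port; anything that is IM but not destined for the company's authorised server is flagged for blocking. The connection records and the server name im.corp.example are constructed for the example; the signatures and ports are the protocols' documented defaults.

```python
"""Port- and signature-based detection of instant-messaging traffic,
with an allowlist for the company's authorised IM server.

Added illustration for this article; not FaceTime's or any vendor's code.
Connection records below are constructed, not captured traffic."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Default TCP ports of the public IM networks named in the article.
# Well-known defaults; clients can be reconfigured to use other ports.
IM_PORTS = {
    1863: "MSN Messenger (MSNP)",
    5190: "AOL AIM / ICQ (OSCAR)",
    5050: "Yahoo Messenger (YMSG)",
    5222: "Jabber",
}


@dataclass
class Conn:
    src: str        # client host
    dst: str        # server host the client connected to
    dport: int      # destination TCP port
    payload: bytes  # first bytes the client sent on the connection


def sniff_protocol(payload: bytes) -> Optional[str]:
    """Identify an IM protocol from the opening bytes of the client's
    stream, independent of port.  Signatures are the protocols'
    handshake prefixes; HTTP-encapsulated modes are out of scope here."""
    head = payload.lstrip()[:64]
    if head.startswith(b"YMSG"):                      # Yahoo header magic
        return "Yahoo Messenger (YMSG)"
    if head.startswith(b"VER ") and b"MSNP" in head:  # e.g. "VER 1 MSNP9 CVR0"
        return "MSN Messenger (MSNP)"
    # OSCAR FLAP frame: 0x2a marker byte followed by a channel id 1-5.
    if len(head) >= 2 and head[0] == 0x2A and 1 <= head[1] <= 5:
        return "AOL AIM / ICQ (OSCAR)"
    if head.startswith(b"<stream:stream") or (
        head.startswith(b"<?xml") and b"jabber" in payload[:256]
    ):
        return "Jabber"
    return None


def classify(conn: Conn, authorised: Set[str]) -> Optional[Tuple[str, str]]:
    """Return (verdict, protocol) for IM traffic, or None when the
    connection is not instant messaging at all."""
    proto = sniff_protocol(conn.payload) or IM_PORTS.get(conn.dport)
    if proto is None:
        return None
    verdict = "authorised" if conn.dst in authorised else "unauthorised"
    return verdict, proto


def audit(conns: List[Conn], authorised: Set[str]) -> List[Tuple[str, str, str]]:
    """List (src, dst, protocol) for every connection that should be
    blocked: IM traffic to a server outside the authorised set."""
    flagged = []
    for c in conns:
        result = classify(c, authorised)
        if result and result[0] == "unauthorised":
            flagged.append((c.src, c.dst, result[1]))
    return flagged


# Constructed sample: a single corporate Jabber server is the only
# authorised IM destination (hostname is an assumption for the example).
AUTHORISED = {"im.corp.example"}

SAMPLE = [
    Conn("10.0.0.12", "im.corp.example", 5222,
         b"<?xml version='1.0'?><stream:stream to='im.corp.example' "
         b"xmlns='jabber:client'>"),
    Conn("10.0.0.23", "messenger.hotmail.com", 1863, b"VER 1 MSNP9 MSNP8 CVR0\r\n"),
    # Same MSN client handshake, but on a non-default port
    Conn("10.0.0.23", "203.0.113.7", 8080, b"VER 1 MSNP9 CVR0\r\n"),
    Conn("10.0.0.41", "scs.msg.yahoo.com", 5050, b"YMSG" + b"\x00" * 16),
    # Ordinary web browsing on port 80: must not be flagged
    Conn("10.0.0.41", "www.example.com", 80,
         b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Conn("10.0.0.55", "login.oscar.aol.com", 5190,
         b"\x2a\x01\x00\x01\x00\x04\x00\x00\x00\x01"),
]

if __name__ == "__main__":
    for src, dst, proto in audit(SAMPLE, AUTHORISED):
        print(f"BLOCK {src} -> {dst}: unauthorised {proto}")
```

Run as a script it lists the four connections that should be blocked; the Jabber session to the authorised server and the plain HTTP request pass. Signature matching is what makes the allowlist enforceable: a port-only rule is defeated as soon as a user points the client at a different port, which is exactly the behaviour the article describes staff adopting.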
Despite the ready availability of blocking software, many large companies turn a blind eye when their employees download their own instant messaging software.
Ken Charman, director at Face Time, said it is common for even City firms to "sweep it under the carpet".
"When I talk to City institutions they tell me they are not going to start logging instant messaging until the Financial Services Authority requires it. Or they have taken legal advice and they are waiting for a court case to set a legal precedent," he said.
In the wake of high-profile cases involving Microsoft, Enron and Shell, many financial services firms are wary of retaining electronic information that could later come back and bite them.
Rather than retaining more documents, many City firms are reducing their retention periods, said Charman.
"Standard financial record retention should be six years, lawyers recommend. But some companies are bringing down retention policies to six months or 90 days. The message I get is that the cost of the storage is high, and the risk of retaining the information is greater than the risk of destroying it," he said.
Risks of disposing of messages
Stephen Mason, a barrister who specialises in electronic communication, said companies are exposing themselves to huge legal risks.
There are more than 150 laws and regulations in the UK which place a legal obligation on companies to retain commercial information for anything between three and 10 years. Records on pensions have to be kept indefinitely.
This poses a problem when companies are using instant messaging to communicate critical information. Mason uses the example of the Limitation Act 1990, which requires car manufacturers to keep documentation on their models for 10 years after it is discontinued.
"Let's say there is a fault with the steering wheel in a car and someone passes a report around the company by e-mail. That e-mail has to be retained. Instant messaging is no different," he said.
The problem can be particularly serious for financial services companies and other regulated businesses. Mason said it is easy to imagine employees sending stockmarket-sensitive financial information to their buddies around the world in an attempt to manipulate share prices.
"If you permit instant messaging and you fail to record it, you could be breaching industry regulations even if you are not breaking the law," said Mason.
Although no cases have yet been brought against individuals over instant messaging, Norwich Union was sued after an employee defamed another company in an e-mail, and paid out £450,000 in damages plus costs.
A new route for viruses
Instant messaging can also provide new routes for viruses to spread into organisations. Graham Cluley, virus technology expert at Sophos, said a number of viruses over the years have spread by both e-mail and instant messaging.
"I do not think it will ever be as big a problem as e-mail viruses, but I would not be surprised if we saw more viruses using instant messaging in future," he said.
From a common-sense point of view, there are advantages to keeping messages. Should a dispute arise, it is much easier to prove your case if you have a record of the conversation.
The emergence of corporate governance regulations, such as Basel 2, will mean that firms will not be able to duck the problems of instant messaging indefinitely.
Despite the high costs of storage, companies will have no choice but to bite the bullet, said Mason.
"If directors and senior managers want to use the technology they have got to face facts. They have to spend more on security and storage to get what they want - higher profits and reduced operational costs," he said.
Instant messaging options for enterprise users
Reuters provides a corporate instant messaging service for customers of its financial news services. The service currently has 60,000 users worldwide. Reuters plans to link its messaging service to the services run by AOL and MSN.
Microsoft is developing corporate instant messaging services to supplement its consumer-focused services. Its Live Communications Server offers internal messaging. The next version, which will be available in 2005, will allow businesses to communicate securely with external suppliers and customers. Microsoft plans to link the service to consumer-focused messaging services: its own MSN Messenger and similar services provided by AOL and Yahoo. Microsoft includes its business-oriented Windows Messenger software with the Windows XP operating system. The software can be used to send messages within a corporation using Microsoft's Exchange Instant Messaging service. It can also send messages externally using the MSN Messenger service.
Yahoo's instant messaging service is aimed at home users, but is frequently used by staff for business-related communications. It has two million customers in the UK and offers a variety of services including SMS to mobile phones and access to internet radio stations.
AOL's Instant Messenger service is aimed at consumers but, like other services, is widely used by businesses. The service is available with AOL's internet software or customers can download it. AOL also runs the ICQ instant messaging software service. The two services claim to have about 100,000 users. Services offered include video instant messaging and voice over IP.
Public versus enterprise instant messaging systems
End-to-end enterprise systems
Supplier: AOL, IBM, Microsoft, Oracle, Reuters, Sun, Yahoo
Pros: Strong security, control and tracking. IT supports a single client
Cons: Expensive. Firms must convince users to give up tried-and-tested instant messaging clients
Best fit: Large firms. Firms with very strict regulatory requirements.
Public instant messaging add-ons
Supplier: Akonix Systems, Blue Coat Systems, Cerulean Studios, Deviant Technologies, Face Time Communications, Imlogic, Jabber, Symantec, Vayusphere
Pros: Quick set-up. Users can keep existing instant messaging clients. Less expensive
Cons: IT does not have control of clients. Relies on the quality of service of public networks
Best fit: Smaller firms. Firms with less strict regulatory requirements.