Companies take IM threats seriously

It is also among the companies saying it now takes threats to IM as seriously as those targeting email and web applications.

Special report: Messaging (in)security: About this special report: Based on the results of exclusive readership research, SearchSecurity.com took a closer look in December at the top messaging security challenges facing today's businesses. This original, multi-media series explores hot-button security issues like evolving threats, the increasing reliance on mobile devices, remote email access and instant messaging, and the technologies designed to secure it all.   Special report menu: Day 1: Messaging insecurity fuels data leakage fears: The proliferation of messaging technology means more opportunity for malware to take root and sensitive data to be lifted.   Day 2: IT pros look for ways to lock down IM: To control growing IM threats, administrators are trying to limit which programs can be used or ban the technology altogether. But that's not always possible. Day 3: Messaging Security podcast: Burton Group analyst Diana Kelley discusses the latest threats to messaging security and where the solutions are. Inside the numbers: A closer look

Small businesses such as Wesabe, which has six workers, as well as those with thousands of workers, such as Richmond, Va.-based Media General Inc., are deploying IM-specific software and appliances designed to keep malware and phishers out, while letting trusted clients and friends in.

With their sales and creative teams reluctant to give up IM for the sake of security, the companies are using IM security tools to implement "no attachment" policies and to block the installation of unauthorised chat clients. Akonix, Facetime and Symantec are among those with the most popular--and some users said, the most effective--IM security products.

The threats to virtually all IM clients, including AIM, Jabber, and Skype, are mounting, according to the SANS Institute's 2006 Top-20 list of internet security attack targets. The SANS report recommends establishing acceptable use policies for IM and considering the deployment of "products specifically designed for instant messaging security."

Those products can add to a security team's workload, however. The IM security software become "yet another silo of security policies to manage and alerts to monitor," said Trent Henry, an analyst at the Burton Group.

That's one why many organisations first try to use their web filtering appliances, such as those from WebSense, SurfControl, Secure Computing, or Blue Coat, to handle IM, Henry said.

But the Web filters "don't have an adequate degree of granularity to fully block IM," Henry said.

Wesabe's staff is distributed across Berkeley, San Francisco and Seattle. And because they need to keep in touch as if they were in the same room, the company uses IM for group chats and presence awareness. "It's replaced email for us," said Marc Hedlund, who heads the company's engineering group.

It is also easy with only six employees, to get everyone using a single IM system, Hedlund said.

Wesabe uses the Web-based business chat tool Campfire, from Chicago, Ill.-based 37signals, for IM. Campfire chats are logged and searchable. Authorised group members can see who's online and available and what conversations are taking place at any time. Wesabe staff can also share files through Campfire.

But Wesabe also chose Campfire for its security features, Hedlund said.

Campfire's paid versions can secure chats via SSL. A Wesabe employee must have SSL enabled on his Web browser to join a Campfire chat, said Hedlund.

Chat participants must also be invited into Campfire discussions, which can be password protected.

At Media General, which has 7,500 employees and owns newspapers and TV stations throughout the Southeast, weaning staff off their favorite IM clients seemed unrealistic to Mike Miller, the company's head of IT security.

The president of Media General's new Interactive division was an IM supporter and he didn't want to be cut off from clients outside the company, Miller said.

By 2003, Media General deployed IM Manager, now owned by Symantec. The software logs conversations and blocks attachments. It also integrates well with other antivirus applications, Miller said.

Miller uses IM Manager to limit access to only 300 people who he says have a business need. Workers in the Interactive division, salespeople, and meteorologists who use Yahoo Messenger and Jabber to receive alerts from the National Weather Service are authorised to use IM through the Symantec software, he said.

Since then, there have been few complaints about not being able to send attachments through IM.

"We tell them to use email for that," Miller said.