Symantec says enterprises failing to secure instant messaging

Despite the fact that instant messaging technology is nearly ubiquitous in the enterprise, and has been for some time, according to a new survey nearly 60% of US organisations do not have any security technologies in place to defend against IM threats.

Download this free guide

From forensic cyber to encryption: InfoSec17

Security technologist Bruce Schneier’s insights and warnings around the regulation of IoT security and forensic cyber psychologist Mary Aiken’s comments around the tensions between encryption and state security were the top highlights of the keynote presentations at Infosecurity Europe 2017 in London.

Start Download

• Corporate E-mail Address:

  You forgot to provide an Email Address.

  This email address doesn’t appear to be valid.

  This email address is already registered. Please login.

  You have exceeded the maximum character limit.

  Please provide a Corporate E-mail Address.

By submitting my Email address I confirm that I have read and accepted the Terms of Use and Declaration of Consent.

By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.

You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

Security giant Symantec Corp. surveyed 400 CIOs on their organisations' IM security policy, and found that 57% of them had no security or availability policies for their IM systems. The survey also found that only 22% of organisations archive their employees' IM messages, a serious oversight that can lead to the leakage of confidential data or other sensitive information.

Nearly all enterprises have developed email archiving, retention and inspection policies, but the survey results suggest few organisations have extended that to their IM systems.

"It starts with visibility. Most IT departments don't have any visibility into the IM deployments in their enterprises," said Andrew Burton, senior product manager at Symantec.

More on secure instant messaging IM too critical a business app to ban Report: IM, P2P threats on the rise IM threats grow, response lags Symantec to purchase IMlogic

Burton said IM security is an issue, but enterprises should also address IM usage policies, data leakage and risk management. "These three areas have been addressed in email security," he said, "but most organisations haven't viewed them as something they need to address with IM."

Some industries, most notably financial services and securities trading, have developed regulations that specifically govern the usage of IM clients and require logging and archiving of IM conversations. Other industries are beginning to follow that lead, Burton said, but slowly, for the most part.

"With regulatory compliance, life sciences and health care are starting to see the need for this. Government is coming on board, too," he said. "In terms of governance, we're seeing a broader movement across industries to secure IM in order to comply with audits and IT governance requirements."

The results of the survey are especially surprising considering that the number of IM threats increased by more than 1,600% from 2004 to 2005, according to statistics gathered by Symantec. Last year the vendor recorded a total of 2,400 unique IM threats.

Burton attributed the increase to several factors, but noted that IM attacks often are more effective than email attacks, given the ease with which threats can spread through a user's contact list.

"There's a larger footprint [for IM] now, and the number of users attracts attackers," he said. "Plus, the effectiveness is higher. Once someone is infected, the social engineering aspect of IM increasing the likelihood that other people will fall victim to the attack."