Symantec says enterprises failing to secure instant messaging

Results of a recent Symantec survey suggest that nearly three out of every five organizations have not secured their instant messaging applications.

Instant messaging technology has long been nearly ubiquitous in the enterprise, yet according to a new survey nearly 60% of US organisations do not have any security technologies in place to defend against IM threats.

Security giant Symantec Corp. surveyed 400 CIOs on their organisations' IM security policy, and found that 57% of them had no security or availability policies for their IM systems. The survey also found that only 22% of organisations archive their employees' IM messages, a serious oversight that can lead to the leakage of confidential data or other sensitive information.

Nearly all enterprises have developed email archiving, retention and inspection policies, but the survey results suggest few organisations have extended that to their IM systems.

"It starts with visibility. Most IT departments don't have any visibility into the IM deployments in their enterprises," said Andrew Burton, senior product manager at Symantec.


Burton said IM security is an issue, but enterprises should also address IM usage policies, data leakage and risk management. "These three areas have been addressed in email security," he said, "but most organisations haven't viewed them as something they need to address with IM."


Some industries, most notably financial services and securities trading, have developed regulations that specifically govern the usage of IM clients and require logging and archiving of IM conversations. Other industries are beginning to follow that lead, Burton said, but slowly, for the most part.


"With regulatory compliance, life sciences and health care are starting to see the need for this. Government is coming on board, too," he said. "In terms of governance, we're seeing a broader movement across industries to secure IM in order to comply with audits and IT governance requirements."


The results of the survey are especially surprising considering that the number of IM threats increased by more than 1,600% from 2004 to 2005, according to statistics gathered by Symantec. Last year the vendor recorded a total of 2,400 unique IM threats.


Burton attributed the increase to several factors, but noted that IM attacks often are more effective than email attacks, given the ease with which threats can spread through a user's contact list.


"There's a larger footprint [for IM] now, and the number of users attracts attackers," he said. "Plus, the effectiveness is higher. Once someone is infected, the social engineering aspect of IM increases the likelihood that other people will fall victim to the attack."

