IM, Skype, P2P open security holes: Survey

IM, Skype, Web conferencing and other real-time applications are a major concern to IT, but end users seem to shrug off the risks, a new survey has found.

More than half of corporate instant messaging (IM) users ignore security policies, while roughly 40% say it's their right to disregard those policies.

But IM isn't the only application end users are downloading that can wreak havoc.

According to a recent survey released by market research firm NewDiligence and commissioned by security vendor FaceTime Communications, applications such as IM, peer-to-peer (P2P), Skype and other consumer VoIP services, and Web conferencing are affecting the network now more than ever, costing companies up to $130,000 per year to quell security incidents caused by the unsanctioned apps.

The study, which asked 1,100 end users and IT professionals about their use and management of greynets -- real-time communications apps such as IM, P2P, Skype and Web conferencing that are introduced by end users and use evasive techniques to traverse the network – found that employees are downloading and using unsanctioned applications to gain new business productivity advantages, while IT managers confirm that these greynets continue to be a massive danger, which -- if left unmanaged -- can introduce huge risks.

According to FaceTime president and CEO Kailash Ambwani, the difference in end-user and IT perspectives when it comes to greynet poses a myriad of threats to network and information security because they can act as vectors for malware, intellectual property loss, identity theft and compliance risks.

Ambwani admits that greynets such as IM, Skype and Web conferencing tools have legitimate business uses, but he said IT needs visibility and control over those apps.

The survey found that more users are adopting and downloading greynet applications, and there has been little progress in combating the types of threats they introduce. Of those polled, 81% of IT managers said they've experienced greynet-related attacks within the last six months, roughly the same percentage that reported attacks in the previous year's survey. The most common attacks were from spyware and adware, 75%; viruses and worms, 57%; other malware, 22%; and rootkits and keyloggers, 22%.

Moreover, repairing and remedying these attacks costs average-size organizations nearly $130,000 per year, while the largest enterprises spend upward of $350,000 per year in greynet-related damage control.

The survey also found that four in 10 end users feel they have a right to install greynets on their work computers, while more than half of them, 53%, are at work locations where policies governing IM and P2P usage are in place but disregarded.

For more information
Read more about IM-related security concerns.

Check out a story on VoIP security.
Instant messaging is still the dominant greynet in use, according to the survey. Overall, 70% of end-user respondents said they have sent personal IMs from work, while one in four admitted to sending information about company plans, finances or passwords via IM. More than 25% of end users said they use IM in order to have "private, unmonitored communications," 45% of them adding that if they knew their IMs were being monitored, they would pay more attention to company guidelines, and 21% saying that they would pick their words more carefully. Thirty-three percent of end users said they would use IM less often if they knew it was being monitored, and 28% said they would be more cautious about clicking links.

For IT managers, unauthorized use of greynets has boosted the distribution of personal information and intellectual property, the survey found. Twenty-two percent of IT managers said personal information has been sent, while 19% found intellectual property being spread via greynets. Also, about 75% of IT managers said greynet use saps productivity.

Despite the potential for trouble, two-thirds of IT managers recognize that applications such as IM and P2P have business benefits if they're managed correctly. Of the IT managers polled, 20% said IM's benefits outweigh the risks.

Read more on Voice networking and VoIP