Best practice for IM security

Corporate IT Forum members collectively believe that the triangle of trust around security is policy, enforcement and education. Obviously, individual organisations must decide how far they want to go with each of these, depending on the nature of the risk and its potential impact on the business

IT organisations must recognise that instant messaging (IM) is no more or less secure than any internet-facing application. It is really just one of the issues to consider when developing a comprehensive solution that will protect organisations from all types of Web2.0/internet threats, writes Peter Firstbrook, research director at Gartner.

The web and the internet are the most common sources of malware infections, so IT teams must have malware filtering in the internet gateway regardless of whether they allow IM or not. As malware attacks can also be directed at vulnerabilities in the IM software itself IT organisations must constrain IM client choices and ensure that IM clients are patched and maintained.

IM file attachments can be risky. Best practice is to block IM attachments and force them through a secure file transfer solution or email, where there is typically more malware filtering, file type and content controls. Also, user education is a good idea to dissuade users from the notion that the 'buddy list' makes IM more trustworthy than email.

In addition to malware protection, organisations should have the ability to select which IM networks can be used and who can use them. Like any communications channel IM can be used to distribute private, secret or unacceptable content. If the organisation uses data-loss prevention (DLP) on other channels to enforce corporate or regulatory compliance they should extend those tools to cover IM.

Unlike e-mail, archiving of IM is not mandated for most industries (US financial organisations being a notable exception). It is best practice not to archive IM and in cases where archiving is necessary, it should be archived in the same place as e-mail for easy discovery.

A combination of a good secure web gateway and network firewalls should address the IM security needs of most organisations.

Read more expert advice from the Computer Weekly Security Think Tank >>

Read more on IT risk management