Mitigate IM risks with security awareness and access control

Instant messaging (IM) is one of those applications that is seen as either the best thing since sliced bread, greatly improving productivity, or the bane of a manager's life because it is perceived that staff waste a lot of time using it.

Given these two opposing views, the first thing any company should do is to ensure they have a comprehensive set of acceptable use policies (AUPs) covering such things as IM, e-mail and internet access. They must also ensure that staff are aware of the various AUPs and sanctions for abuse of an AUP.

Security awareness education is also key. You cannot blame staff for doing something if they do not know it is wrong or ill advised, and you will need to keep on top of maintaining the awareness message to your staff; it is not a one-shot deal (visit the ISAF website and the BCS website for advice).

So what are the security risks of using IM? According to security researchers, one in 78 links contained in instant messages connects to malware, so its use is clearly an issue, and while AUPs and education won't fix this problem on their own, they are the right place to start.

For companies that want to use IM as a business tool, one route to take is to install an in-house or enterprise IM server and then block all IM services and connections at the internet gateway except those initiated by the in-house server. The in-house IM server can then be given connections to other external IM gateways as determined by business need.

The in-house system should be locked down, kept up to date with security patches and run licensed and maintained anti-virus software. This should be backed up by AV software running on users' PCs, as well as by restricting any software installs to officially sanctioned products. A variant of this is to use an externally hosted IM service. The object in both scenarios is to block all IM access from the desktop except to the corporate IM service.
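The gateway rule described above (desktops reach only the corporate IM server; only that server reaches external IM gateways) can be audited against gateway logs. The following is an added example, not code from the article or from any product it mentions; the addresses, the log line format and the list of IM ports are all assumptions made up for the illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values for the example; substitute your own address plan.
DESKTOP_NET = ipaddress.ip_network("10.1.0.0/16")      # user PCs
IM_SERVER = ipaddress.ip_address("10.2.0.5")           # corporate IM server
IM_SERVER_PORT = 5222                                  # port desktops use to reach it (assumed XMPP)
# Destination ports the gateway treats as IM traffic (assumed list:
# 5222/5223 XMPP, 5190 AIM/ICQ, 1863 MSNP, 5050 Yahoo Messenger).
IM_PORTS = {5222, 5223, 5190, 1863, 5050}


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def parse_flow(line):
    # Simplified gateway log line: "src=A dst=B dport=N" key=value fields.
    fields = dict(tok.split("=", 1) for tok in line.split())
    return Flow(ipaddress.ip_address(fields["src"]),
                ipaddress.ip_address(fields["dst"]),
                int(fields["dport"]))


def violates_policy(flow):
    """Return a description of the violation, or None if the flow is allowed."""
    if flow.dport not in IM_PORTS:
        return None  # not IM traffic; outside the scope of this check
    if flow.src == IM_SERVER:
        return None  # only the corporate server may talk to external IM gateways
    if flow.src in DESKTOP_NET and flow.dst == IM_SERVER and flow.dport == IM_SERVER_PORT:
        return None  # desktop talking to the corporate IM server: the sanctioned path
    return f"{flow.src} -> {flow.dst}:{flow.dport} bypasses the corporate IM server"


def find_violations(lines):
    flows = (parse_flow(l) for l in lines if l.strip())
    return [v for v in map(violates_policy, flows) if v]


# Constructed sample log: one sanctioned desktop flow, two direct desktop-to-internet
# IM flows (violations), one server-initiated gateway flow and one unrelated HTTPS flow.
SAMPLE_LOG = """\
src=10.1.4.20 dst=10.2.0.5 dport=5222
src=10.1.4.20 dst=203.0.113.7 dport=1863
src=10.2.0.5 dst=203.0.113.7 dport=1863
src=10.1.9.3 dst=198.51.100.9 dport=443
src=10.1.9.3 dst=198.51.100.9 dport=5190
"""
```

Running `find_violations(SAMPLE_LOG.splitlines())` flags the two desktop flows that go straight to external IM hosts, which is exactly the traffic the gateway block is meant to stop.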

For SMEs, where running dedicated services or servers is not generally an option, I would advise that day-to-day PC use is done using a low-privilege log-on account, not one with administrator privileges. Coupled with that, use a recent version of a commercial AV package (ie, less than 18 months old), keep the PC up to date with vendor-issued security patches, apply common sense (you get nothing for free, especially from people you don't know), check your AV vendor's website regularly for the latest information (subscribing to a vendor's newsletter is another option) and keep to just one IM service. Together these should help with IM security.

Peter Wenham is a committee member of the BCS Security Forum Strategic Panel and director of information assurance consultancy Trusted Management.

Read more expert advice from the Computer Weekly Security Think Tank >>

This was last published in August 2009
