Instant messaging: Corporate policies for IM security issues

While the business benefits of using IM often outweigh the risks, locking down instant messaging in the workplace is still essential to enterprise security.

Twitter may be all the rage when it comes to social exchanges, but instant messaging (IM) is still the preferred communication channel for working in collaboration with colleagues and partners in different locations. Many users feel the use of IM leads to more effective and efficient workplace communications and increased productivity.

IM has three big advantages over Twitter when it comes to corporate environments: Employees can see when colleagues come online (presence awareness), they can transfer files and conversations don't have a potentially limitless audience. This last point is very important, given that the Press Complaints Commission has ruled that material published on Twitter should be considered public and can be republished by anyone.

Many enterprises are struggling to get the use of social networking under control, but IM is often poorly supervised, even though it introduces various risks to enterprise networks. Threats include IM-borne viruses and worms, spam over IM (SPIM), malware and phishing attacks, accidental or deliberate data leakage, inappropriate use and regulatory non-compliance.

The purpose of most IM attacks is to trick the victim into installing a malicious program or following a malicious link. IM-based attacks need some form of user interaction in order to launch, so attackers use social engineering to entice users into breaking security procedures or ignoring common sense.

These attacks usually exploit people's innate curiosity or natural desire to help. They can also appeal to vanity or authority, or to other triggers such as greed, fear, anger, moral duty, reciprocation and integrity: the same triggers that legitimate marketing campaigns rely on.

Last year, variants of IM-Worm.Win32.Zeroll appeared to be capable of infecting users via several different IM clients simultaneously. Once installed, the malware would send itself to the addresses in the contact list of any IM client it found, transmitting messages in 13 different languages. It also contacted a remote command-and-control centre for further instructions using different IRC channels, depending on the country and the instant messaging clients located on the computer. In order to prevent the Win32/Slenfbot.AKD worm from spreading, Microsoft had to temporarily suspend active links in Live Messenger in November 2010 because "the volume of attacks was too significant to let it continue without any remediation,” it said.

If your enterprise is going to use IM, a robust instant messaging corporate policy is essential, backed up by user awareness training. As with any policy, it is important to keep an eye on the needs of the business as well as security when developing restrictions concerning IM usage.

The best approach is one that accounts for employees conducting legitimate business-related communication, while also ensuring any legal and regulatory objectives are met. You can certainly base your IM security policy on your email policy, as acceptable usage will be very similar.

However, not every employee will need access based on business needs, and there will be additional areas that need addressing, such as naming conventions for accounts so employees can't impersonate other staff members, the tone of presence messages, and how file transfers are initiated. Of paramount importance of course is clearly stating what type or classification of information can be communicated via IM.

Your policy should include the company's right to monitor IM usage. Technically, however, it is difficult to enforce your policies without an IM firewall or server that sits in the message path. If you host your own enterprise IM server in-house, you can enforce your IM policies through traffic analysis and reporting, message keyword searches and message archiving. You can also encrypt IM traffic and authenticate users, configure content and URL filters, and allow the controlled use of many collaboration features, such as integrated live voice, video and data. One caveat: server-side keyword searching, content filtering and archiving only work if the server can read the messages, so the encryption you get in this setup is between client and server, not true end-to-end encryption; genuinely end-to-end encrypted IM is invisible to these controls.

For many Windows-based enterprises, Microsoft's Office Live Communications Server is an obvious choice when considering an IM server; there are other options, such as the open source Openfire server, which uses the XMPP (Jabber) protocol. Smaller organisations may want to consider a cloud service instead. A big advantage of the cloud approach is that employees are not restricted to a particular IM client, making it easier to communicate with clients who may not be using Windows Messenger.

Opting for a cloud service means there is no need to install additional hardware or software. All IM messages sent to or from your network are routed through the cloud service, where they are scanned for viruses, worms and malicious URLs. Messages are also matched against your content control and acceptable IM use policies: messages that are malicious or suspicious, or violate policies, are automatically blocked. Also, all messages are logged and can be sent to your existing archiving solution to satisfy legal discovery requirements and other relevant regulations. This type of service makes enterprise-grade control of IM accessible to organisations of all sizes.
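Whether the controls live on an in-house IM server or in a cloud service, the mechanics are the same: every message passes through a policy engine that inspects it, blocks or allows it, and archives the result. The following is an added example of such an engine in Python, written for this page; it is not code from the article or from any vendor's product. It applies the kinds of rules described above (URL allow-listing, blocking of executable file transfers, detection of classification markers, and a fan-out check for the worm-style mass messaging described earlier) and archives each message with its verdict. The allowed hosts, classification markers, the `[file-transfer: ...]` marker format and the sample traffic are all constructed assumptions for the example.

```python
"""Toy IM policy gateway: URL/content filtering, file-transfer control,
fan-out (worm-style mass messaging) detection and archiving.

Added illustration, not from the article. All hosts, markers, message
formats and sample traffic below are constructed for the example.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from urllib.parse import urlparse

# Policy settings (assumed values; tune to your own acceptable-use policy).
ALLOWED_URL_HOSTS = {"intranet.example.com", "docs.example.com"}
BLOCKED_TRANSFER_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
CLASSIFICATION_MARKERS = ("confidential", "internal only", "restricted")
FANOUT_THRESHOLD = 5          # identical text to this many distinct contacts ...
FANOUT_WINDOW_SECONDS = 60    # ... within this window looks like a worm

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Constructed representation of a file-transfer offer inside the message stream.
TRANSFER_RE = re.compile(r"\[file-transfer:\s*([^\]]+)\]", re.IGNORECASE)


@dataclass
class Message:
    ts: int           # seconds (the sample uses small integers for readability)
    sender: str
    recipient: str
    body: str


class IMPolicyFilter:
    def __init__(self):
        self.archive = []                   # every message, with verdict, for discovery
        self._recent = defaultdict(deque)   # (sender, normalised text) -> deque of (ts, recipient)

    def evaluate(self, msg):
        """Return (verdict, reasons); verdict is 'allow' or 'block'."""
        reasons = []

        # 1. URL filter: only allow-listed hosts pass (phishing and malware links).
        for url in URL_RE.findall(msg.body):
            host = (urlparse(url).hostname or "").lower()
            if host not in ALLOWED_URL_HOSTS:
                reasons.append(f"url-not-allowlisted:{host}")

        # 2. File-transfer control: refuse executable-type files however they are named.
        for m in TRANSFER_RE.finditer(msg.body):
            name = m.group(1).strip().lower()
            if any(name.endswith(ext) for ext in BLOCKED_TRANSFER_EXTENSIONS):
                reasons.append(f"blocked-file-type:{name}")

        # 3. Content control: classified information must not go over IM.
        lowered = msg.body.lower()
        for marker in CLASSIFICATION_MARKERS:
            if marker in lowered:
                reasons.append(f"classified-content:{marker}")

        # 4. Fan-out: the same text from one sender to many contacts in a short window.
        #    Note the first THRESHOLD-1 copies have already been delivered by the time
        #    this fires; treat it as an alert to quarantine the sender, not just a block.
        if self._fanout_exceeded(msg):
            reasons.append("mass-message-fanout")

        verdict = "block" if reasons else "allow"
        self.archive.append({"ts": msg.ts, "from": msg.sender, "to": msg.recipient,
                             "verdict": verdict, "reasons": reasons, "body": msg.body})
        return verdict, reasons

    def _fanout_exceeded(self, msg):
        key = (msg.sender, " ".join(msg.body.lower().split()))
        window = self._recent[key]
        window.append((msg.ts, msg.recipient))
        while window and msg.ts - window[0][0] > FANOUT_WINDOW_SECONDS:
            window.popleft()
        return len({rcpt for _, rcpt in window}) >= FANOUT_THRESHOLD


# Constructed sample traffic.
SAMPLE_TRAFFIC = [
    Message(0, "alice", "bob", "Draft is on https://intranet.example.com/docs/q3 - have a look"),
    Message(5, "alice", "bob", "CONFIDENTIAL: the merger price is 4.2m, do not forward"),
    Message(10, "carol", "bob", "[file-transfer: photo_funny.jpg.scr] lol check this out"),
] + [
    # Worm-style burst: an innocuous-looking archive offered to six contacts in six seconds.
    Message(20 + i, "dave", f"contact{i}", "[file-transfer: holiday_photos.zip] is this you??")
    for i in range(6)
]


def run_sample():
    """Push the constructed traffic through the filter; returns a list of (verdict, reasons)."""
    gateway = IMPolicyFilter()
    return [gateway.evaluate(m) for m in SAMPLE_TRAFFIC]


if __name__ == "__main__":
    for msg, (verdict, reasons) in zip(SAMPLE_TRAFFIC, run_sample()):
        print(f"{verdict:5} {msg.sender}->{msg.recipient}: {reasons or 'ok'}")
```

Running it shows the first message allowed, the classified message and the disguised `.scr` transfer blocked outright, and the archive burst from dave allowed four times before the fan-out rule trips on the fifth distinct recipient. The `.zip` offer is a deliberate choice: it passes the static file-type rule, so only the behavioural check catches the propagation pattern, which is the kind of case the page's "suspicious" category is meant to cover.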

The business benefits of instant messaging more than offset the potential IM security issues, as long as its use is controlled and monitored. Banning IM completely means you lose out on a great collaboration tool. It is a great way to connect home-based and remote workers to create a team community, with documents being easily shared. It's no longer the latest technology, but it still demands careful management in order to be a productive tool and not a hacker's weapon.

About the author:
Michael Cobb, CISSP-ISSAP, CLAS is a renowned security author with more than 15 years of experience in the IT industry. He is the founder and managing director of Cobweb Applications, a consultancy that provides data security services delivering ISO 27001 solutions. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Cobb serves as a contributing expert for application and platform security topics, and has been a featured guest instructor for several Security School lessons.
