Instant messaging - communication revolution or security disaster?

Johannesburg, 23 Jun 2009

Instant messaging, known as IM, has changed the communications landscape dramatically over the last decade or so. Since the evolution of IM as we knew it in the mid 1990s, this social communication tool has grown phenomenally, and is now being incorporated into the day-to-day business operations of many enterprises. But while it may be a convenient and cost-effective method of communication, it also poses major security threats to corporate networks.

Says Amy Thomas, Fortinet Product Manager at Zycko, an official distributor of Fortinet Solutions: “Because of the nature of IM, it is able to bypass existing security processes, gaining access to the network without passing through security gateways. This creates loopholes that enable viruses and worms onto the network, for example through file transfers, which are not blocked by traditional anti-virus software. Other flaws such as buffer overflows can and have been used to spread viruses, worms and denial of service attacks. IM also poses problems to productivity levels, as employees could spend hours a day chatting to friends and family about personal things, and not using this as a business tool.”

Another problem, says Tinus van Rensburg, System Engineer, Sub-Saharan Africa at Fortinet, is that people can create anonymous identities on IM clients. “You can create any identity you like on IM, and there is no way of checking the authenticity of these IDs. For example, I can set myself up as BillGates1 on an IM client, and nobody will have any way of knowing that I am not in fact Bill Gates. This is known as authentication spoofing, and it creates risk, as IDs and nicknames can be used maliciously, by scammers, paedophiles and other undesirables.”

IM services have the ability to exploit any open port on a firewall, including those used for other applications. This phenomenon, known as firewall tunnelling, creates risk for the network, as it bypasses traditional points and security solutions. Some IM clients also use peer-to-peer connections, basically leaving a backdoor into the network wide open and subjecting it to all manner of threat and risk.

“IM services also pose a threat to confidential corporate data. Content can be sent and received via IM completely unmonitored, without anyone's knowledge, as file sharing in this manner is untraceable by the IT department,” Van Rensburg adds. “There is also no form of content filtering or archiving with IM, and therefore a corporation may not discover that it has a data leak until it is way too late. Even if content is not maliciously distributed this way, file sharing via IM does not leave an audit trail, and this has legal and compliance repercussions.”

Spam is also growing via IM, and is known as spim. These unsolicited interruptions are intrusive, as they pop up on the user's computer screen, and may be sexually offensive, violent, or unpleasant, creating legal risk issues as much of the content distributed via spim is illegal or against company policy.

However, despite the numerous security threats involved, IM is steadily growing in popularity in the workplace and as a business tool. Not only is it a low cost method of real-time communication, it is also easy to use and eliminates the response time required by e-mail. This also enables more natural 'conversations' to occur between people, as response can be practically instantaneous, and an individual can see at a glance whether the other person is online and available, eliminating the often irritating process of playing voicemail tag.

IM can also be used to greatly improve customer service. Many organisations have embraced this idea, and offer live chat options on Web sites, where clients can ask questions and get queries resolved instantly online, without having to pick up the telephone or wait a long time for response via e-mail.

“Within the company itself, IM has numerous uses. Through presence management, presence detection, buddy lists or whatever you want to call it, an individual can see at a glance who is available, and instantly locate the right person to handle urgent queries,” says Thomas. “This way, customer queries can be routed to the person most likely to solve them, shortening time to resolution and leading to greatly increased customer satisfaction.”

Deciding whether or not to allow IM within an organisation must take into account the pros and cons of the technology. While it is immensely useful for keeping businesses connected to customers, partners, suppliers and employees, it can also expose the corporate network to a wide variety of threats and attacks, as well as lead to decreased employee productivity.

Organisations need to ensure that security solutions cater for application-level protocols, and should also standardise on an IM client across the organisation, create policies for IM and make sure everybody in the organisation knows about them and adheres to them. In addition, it is also prudent to ensure that all users are aware of the potential risks of using IM.

IM has the potential to be an immensely powerful business tool, and should not be ruled out by companies. Yes, there are threats involved, just as with any other technology, but if organisations play it smart and ensure security protocols are in place to handle the risks, businesses may just be able to harness this instrument to create that ever important competitive edge.

Zycko

Zycko is an international distributor focusing on three key areas - networking, VOIP and security. Zycko is 100% channel focused, selling its solutions through a channel of resellers, systems integrators and service providers.

Networking: Zycko's networking division is an independent supplier of third-party/OEM GBICs (GBIC and SFPs), router cables and router memory. The company also distributes original Cisco equipment and refurbished products for internal infrastructures, and maintenance and/or spares holding; which offer significant cost savings to resellers and their clients. Zycko also sources 3COM, Nortel, Juniper networking products, to mention a few.

Zycko's Smartpac Repair Centre offers in-house repairs on all networking equipment, including Cisco, 3COM and Nortel. We repair both end-of-life and new equipment and operate a no-fix/no-fee service. All repairs are carried out to component level with a turnaround time of two weeks.

VOIP: Zycko is also the official distributor of Polycom's range of IP SIP-based handsets, conference phones as well as the Kirk IP DECT solutions and the Spectralink Wireless solutions.

Security: Zycko is the official distributor of Fortinet's secure gateway offering, which includes anti-virus, firewall, IPS, VPN, Web filtering and anti-spam technology - all in one box.

For further information, visit http://www.zycko.co.za.

Editorial contacts

Pat McClelland
Evolution PR
(011) 462 0628
Amy Thomas
Zycko: Fortinet
(011) 706 9202
amy.thomas@zycko.co.za