According to the Radicati Group, a market research firm, the number of worldwide instant message (IM) accounts will increase from 944 million in 2006 to over 1.4 billion in 2010. IM’s success as a communications tool is clear.
One huge value of IM is the way it allows business users to talk to each other in real time without incurring huge long distance bills. For SMBs, IM lets employees talk to customers and partners almost instantaneously, providing excellent customer service for a very low cost. A small company can communicate like a big company does, anywhere in the world.
But is IM inherently secure? No. Like any other application, it requires security policies and procedures as well as the purchase of software if your employees are going to use it without fear of exposing the company to viruses, or inadvertently providing passwords or critical internal information to an unknown data prowler.
The threats from IM are somewhat more focused for the SMB space, says Carmi Levy, a senior research analyst with Info-Tech Research Group, based in London, Ont. A typical SMB does not have an established IT presence specifically for security, nor the dedicated resources, tools or budget required to deal with it. “You won’t see messaging-related security as a budgetary line item for IT,” says Levy, so SMBs are at greater risk to IM-related security exposure, simply because the processes and the tools and the checks and balances that would usually be in place in a more methodical IT environment are not there.
IM has always been, and still is, introduced into company computer systems under the radar, especially at SMBs. Someone decides to download AOL Instant Messenger, or another one of the freely available consumer clients, on his or her PC. Why? Because no one stops them.
“Once they’ve installed it and are using it, there’s nobody watching,” says Levy. “These things become vectors for infection. It opens up ports through the firewall, it pokes holes through the firewall, it undermines pre-existing network defences. And SMBs are less likely to have the resources to fix whatever breaks when the inevitable infection or attack happens.”
Lee Weiner, senior product manager at Symantec, which earlier this year purchased IMlogic, an IM-security and monitoring software vendor, says organizations in general are looking at putting in messaging protocols across their business that apply to all messaging forms, including IM and e-mail.
This is the best approach to fighting the threats from Trojans, viruses and spyware that can come through IM, say both Weiner and Levy.
But they must recognize that the hacker community knows IM networks are relatively un-secure and is increasingly targeting them. And it doesn’t stop there.
“The payload of the threat usually contains code to further propagate the threat through the IM channel, so if you’re infected, for example, it would then use your IM client to spread the threat to all your buddies,” Weiner explains. “It would send a message to all of them with some malicious code in it saying, ‘Hey, click on this link,’ and your buddy would because he thinks it’s from you and trusts the source. So the success rate of these is fairly high because of the social engineering aspects that it uses.”
In terms of IM security software, SMBs have typically had two choices. They could buy a point solution to deal with the problem directly, such as Symantec’s IM Manager and similar programs from Akonix Systems or FaceTime Communications, or they could buy a suite.
David Knight, vice-president of messaging solutions at WebEx Communications, says his company has come up with an alternative to these choices.
In partnership with AOL, WebEx offers AIMpro Business Edition. It’s well-suited for SMBs because it’s delivered as a monthly service on-demand, meaning there are no servers to buy or software to install — just a regular fee.
‘Before this came out businesses really only had two choices,” Knight says. “We think we’ve provided the best of both worlds. We have the cost-effectiveness of a consumer solution with the security of a traditional enterprise IM package.”
It remains to be seen, but whatever method SMBs choose, Carmi says they must look at their messaging security strategy as a whole. And above all, they shouldn’t give up. They should take control of their employee policies — and the software — so their data stays safe, while employees reap the benefits of IM.
IM is a victim of its early success, says Levy. “The knee-jerk reaction is to ban it outright, but with IM, if the tool itself is corporately sanctioned, is architecturally secure and if the organization introduces it alongside a well-documented and distributed policy and framework, then there’s no reason IM canít be as much an enhancer of productivity as, say, e-mail.”
Contact the editor