If you can’t beat them, tell them to play by the rules.
Instant messaging (IM) has evolved into one of the fastest growing communication tools in the enterprise and IT managers have now learned to accept rather than resist it, by setting policies on acceptable and responsible IM usage, according to one IT security analyst.
According to research firm IDC, enterprise IM business will grow from US$319 million in 2005 to US$736 million in 2009. With more than 28 million business users worldwide sending nearly one billion IM messages each day in 2005, security and compliance issues are getting increased attention from the IM perspective.
While enterprise-level IM applications have generally become more secure, with built-in auditing, logging, recording and security features, most companies still have to deal with employees downloading public IM applications such as AOL, MSN and Yahoo and posing a considerable threat to IT security, said Ross Armstrong, research analyst at Info-Tech Research in London, Ont.
And it’s not just the threat of worms and viruses that is worrying IT managers when end users download public IM software, but regulatory compliance as well, he added.
Regulations in the U.S. and Canada require organizations to keep a record of electronic communications including e-mail and IM. “It becomes an administrative and logistical nightmare especially if there are unknown and unsanctioned IM installations (by employees), putting the organizations at risk of non-compliance because these communications are not being recorded as IT doesn’t know they are occurring,” said Armstrong.
Armstrong compared IM to the use of telephone or e-mail in the corporate environment, where restricting employees’ usage of these communication tools to official business was not realistic. “As an IT manager, you have to accept that it will occasionally be used for personal reasons and as long as they aren’t excessive (and do not) put the organization at risk, then it’s permissible to a certain degree,” he said.
IM usage policies, Armstrong said, should be incorporated into the whole organizational policy structure, including security and acceptable-use policies. Most enterprise-level IM offerings allow organizations to impose such policies for both security and compliance purposes, he said.
Symantec Corp. recently launched IM Manager 8.0, server-based IM security and management software. IM Manager has three main features, namely: management, security and compliance, according to Jon Sakoda, senior director of product management at Symantec Canada.
The management function of the new Symantec offering allows organizations to set policies on IM usage, prescribing who can use IM and how it’s going to be used, Sakoda said.
IM Manager also has the capability to filter traffic going through the IM application to prevent worms, viruses and other malicious code from entering the network, as well as to block confidential information or intellectual property from leaking out, the Symantec executive explained.
Sakoda said Symantec has been working with major public IM provider AOL to “understand how the clients work” and enable Symantec’s software to interpret the protocols associated with proprietary public IM clients.
“These (public IMs) are non-standard, proprietary, closed systems so the traditional infrastructure that’s in place, like VPN and firewall, are not able to really understand what the IM protocol looks like,” said Sakoda.
According to Symantec’s recent Internet Security Threat report, over 2,400 unique IM and peer-to-peer threats were detected in 2005, increasing to about 1,700 per cent from the previous year.
Info-Tech’s Armstrong said he has not seen a declining trend in the number of IM-related worms and viruses. “The number and level of severity of IM threat will probably one day rival the number of threats that travel via e-mail,” he said.
Another feature of IM Manager 8.0 is the capability to archive, search, retrieve, audit and supervise IM conversations, enabling firms to comply with regulatory requirements of electronic record retention, said Sakoda.
“There’s a tool for making sure that you can pull out the conversations that you need to satisfy your [regulatory] requirements,” he said. IM Manager 8.0 is slated for North American release this month.