Just when you thought you had e-mail all sewn up and your networks were safe, someone mutters those dreaded words, Instant Messaging (IM). Whether you like it or not, IM is here to stay and most probably already widely used within your organisation. Banning its use wont help unless you have the means to enforce it, so tackling the issues it can raise is the most pragmatic solution.
On the plus side, IM has a lot of benefits. One of the biggest ones is that it’s real-time – you know if someone is sitting at their desk and might be able to answer a question instantly, and it’s quicker than ringing someone up and going through the pleasantries when all you want is a yes or no answer. In this respect it could be considered to be a tool that increases productivity and is less of an overhead to the business than e-mail.
Another benefit to IM is that it can help remote workers seem less isolated, one of the biggest complaints from users that spend most of their time away from the office. By spending a few minutes each day chatting to friends, they still know the latest gossip, can be included on spontaneous evenings out or even join in with an office joke.
It may seem like this is a decrease in productivity, but it’s faster than gossiping besides the coffee machine or during a cigarette break, and anything that increases good will and helps to retain employees has to be positive.
Although many organisations prohibit the use of IM, employees frequently download programs without the knowledge or permission of the IT department. And unless the PCs themselves are locked down, there is very little that can be done to stop it. One of the big concerns is that users can download and execute malicious programs that have bypassed the corporate anti-virus scanners. So far IM has been used to download trojans and backdoor programs and even attack platforms for launching distributed denial of service attacks. Hackers sometimes use social engineering techniques to encourage IM users to download with the promise of music files or anti-virus protection.
Although the propagation of viruses and worms is not yet as prevalent using IM as it is via e-mail, if IM becomes as popular it will only be a matter of time before this channel becomes a major medium in which viruses spread. Just like other popular platforms, all of the main Instant Messaging systems – be it ICQ, AIM or MSN Messenger – have known vulnerabilities that highlight their insecurities. These include identity theft, insecure file sharing and transfers and, of course, the downloading of malicious software programs.
In fact, hackers often use a combination of these vulnerabilities to hijack IM identities and send messages to a buddy list with a link to a malicious Web page. In some instances, buddies end up unwittingly downloading Internet dialers that switch their dial-up account to premium porn numbers. With buddies like that – who needs enemies?
Even though security breaches are a major issue with IM, the platform is still relatively new and it has not yet become a popular medium with hackers and virus writers. A far greater risk at the moment to organisations is its legal exposure, should employees make libelous or offensive remarks or send attachments via IM.
IM tends to be used even more casually than e-mail and the dangers of careless words have been well documented in the past. Complaints against a company may include libel for sexist or racist comments and breach of confidence or confidentiality. The potential costs of such actions are far greater than that of the havoc caused by viruses and damages can run into hundreds of thousands of pounds for individual companies. In addition, for some organisations in heavily regulated industries, the uncontrolled use of IM contravenes many of the legislations they must comply with.
However, it’s amazing how employees can clean up their act once they think someone is actually monitoring their output. The way round all of the problems with IM is to introduce the same policies and procedures that protect e-mail systems, along with the necessary technology to enforce them. This includes content filtering, anti-virus controls and regular patching. Many of the security vendors that have provided similar solutions for e-mail are now in the processes of extending their technology to include IM.
Used correctly and carefully, regulated IM can provide real business benefits. Some companies are even using it to support their customers, although be careful of the login names users choose – CyberPunk might not provide the image you are looking to portray to customers. The secret to success, as with all messaging solutions, is to make sure you have laid out the ground rules to staff and implemented the technology that not only proves your behaving responsibly, but encourages your users to do the same.