Does Instant Messaging Improve Communication Or Threaten Security?
by Dr. Horst Joepen - SVP Strategic Alliances CyberGuard Corporation - Monday, 3 October 2005.
Instant messaging (IM) has triumphed in the past 2-3 years among personal Internet users as well as within companies. There are now few school children not in touch with their friends via ICQ, MSN or AOL Messenger — but also stockbrokers, currency dealers, and the IT department are constantly ‘chatting’” with their most important contacts via Messenger software.

According to a recent Gartner poll, instant messaging is used today in 70% of all companies. According to the Yankee Group, however, only 15-20% of companies operate a solution for IM administration. In the remaining 50%, IM constitutes a huge, rampant infrastructure usage that poses a severe security risk for firms. The same is true for the use of peer-to-peer services, e.g. music exchange services, which have also become pervasive in many organisations, but lack any administrative supervision whatsoever. These Peer to Peer services entail both security and legal risks.

Does my company need instant messaging?

IM is suitable for all areas where quick, immediate contact among a known and manageable group of people is crucial. As with SMS, short messages can be swapped and, for instance, a deal team can finalise and authorise the terms of an offer. Technicians helping a customer on location can send queries back to company headquarters via IM, and obtain immediate answers from customer support specialists, without their queries being buried under an avalanche of emails or suffer from constantly engaged phones. Stockbrokers can also instantly swap the latest market rumours via IM and act upon what they learn.

In companies with more complex and clearly defined workflows and processes, where flexible decision-making and coordination timed to the minute play a lesser role, it is questionable whether instant messaging is beneficial. Private chat sessions, and the constant distraction from larger tasks by incoming instant messages, can bring about a drop in productivity. A derogatory comment made by IM can be just as much of a legal problem as one made by email so there could also be exposure to potential litigation.

However, what is decisive is not the question of whether your company needs IM, as much as the answer that your company very probably already has IM without your knowledge.

If instant messaging has already taken root in a company and is popular, where’s the problem?

Speaking technically, instant messaging tools, similar to peer-to-peer exchanges, function as ‘wild’, non-standard protocols, which mount on HTTP or HTTPS protocols. They are capable of transferring not just active technologies such as scripts and macros but also all kinds of data attachments (word files, zip archives, etc), and thus can transfer all currently known carriers of viruses and worms. Content exchanged via peer-to-peer services also entail a considerable legal risk. A study of Gnutella P2P traffic showed that 47% of requests related to pornography and 97% infringed existing copyright. It is also evident that such content is often infected with viruses. Thus instant messaging and peer-to-peer exchanges pose threats every bit as dangerous as the flow of data into the company from email or web. In contrast, however, IM data flow cannot be controlled by firewalls, simple web filters and URL blockers.

Is my company helpless in the face of instant messaging?


Harnessing artificial intelligence to build an army of virtual analysts

PatternEx, a startup that gathered a team of AI researcher from MIT CSAIL as well as security and distributed systems experts, is poised to shake up things in the user and entity behavior analytics market.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Mon, Feb 8th