IM Security Risks Spark Workplace Monitoring Debate
With more and more U.S. workers using instant messaging in the office, security experts are debating whether IT managers should be monitoring the instant communications.
No matter how many firewalls and intrusion detection systems a company has set up, if an employee is sending out critical information over instant messenger, they might as well be screaming it from the rooftops. Unsecured IM lines are one of the hottest new targets for hackers looking for critical corporate information to steal, according to security watchers. And they also provide an easy communication avenue for any employees bent on leaking information to a competitor.
"When I'm talking to customers now, they have big concerns about instant messaging," says Chris Pick, vice president of product strategy at PentaSafe Security Technologies, Inc., a security software firm based in Houston. "Instant messaging offers a lot of productivity advantages from a business standpoint, but now they carry a lot of risks with them. It's a hot topic right now."
And Dan Jude, president of Security Software Systems, Inc., based in Sugar Grove, Ill., says the best way for a company to protect itself and its critical business and financial information is to monitor the instant messages coming in and going out of its offices.
"What's important is to make sure your employees are not abusing instant messaging," says Jude, whose company develops and sells monitoring software. "Studies show that 70% to 80% of security breaches come from within the company. If employees can communicate inappropriate information without checks and balances, you're leaving yourself open to problems."
Jude points out that there are a number of reasons to monitor instant messages. He says that some brokerage firms monitor messages to make sure that brokers are not promising stock gains or guaranteeing earnings. He says companies also might want to monitor to make sure that an employee isn't IMing coworkers off-color jokes that could be taken as sexual harassment. And of course, he says, it's important to make sure employees are not sending out information that is critical to the business.
Security Software Systems sells two IM monitoring products. One sends a warning to a security administrator when an employee breaks policy and then automatically shuts down the instant messaging application.
The other product calls up a policy warning box when the user logs onto IM and calls for a digital signature from the user, attesting that the user understands the company's policy. And if a violation of the policy occurs, the software will take a screen capture of the violating message and store it away.
Impact On Corporate Culture
But PentaSafe's Pick says a lot of IT managers are hesitant to go with the new companies that have sprung up recently offering IM monitoring devices. He says a lot of managers are looking for monitoring systems that will fit in with their other enterprise-level monitoring systems.
And Pick also says some managers are thinking twice about monitoring their employees' every word.
"Do I police everything people say?" asks Pick. "How does that affect corporate culture? We need to protect privacy and confidentiality but how do you weigh that with having a healthy corporate culture? Controls tend to demoralize people somewhat."
Securing instant messaging can be a tough project since the technology comes with few, if any, security capabilities built in.
Mike Rasmussen, director of research and information security at Giga Information Group, a Boston-based analyst firm, says instant messenger software -- whether it's from Yahoo or AOL or Microsoft -- has been lax when it comes to any kind of security. If a user is sending a credit card number or critical company information over instant messengers, it's not secured.
But Rasmussen says makers of instant messenger software are working to make their transmissions more secure, preparing to add encryption capabilities, along with virus scanners. He says improvements should be coming as soon as six months from now.
August 22, 2002