Employees using instant messaging could be opening up gaping holes in their companies' network security.

Viruses aimed directly at instant messaging (IM) software, along with a lack of security for IM freeware, are creating big problems, according to Eric Chien, chief researcher for Symantec Security Response.

To make matters worse, many, if not most, IT administrators have no policy on instant messaging, and many don't even know how many end users have it installed on their desktops and laptops. That means there are potential problems and security lapses that administrators aren't even aware of.

''At conferences, when we ask if people are using instant messaging, everyone raises their hands,'' says Chien. ''But when we ask who has a policy about it, maybe 50 percent raise their hands... It's a problem.''

Not so long ago, email surpassed the telephone as the key form of communication in the workplace. People could send and receive emails without interrupting their workflow. They could contact several colleagues with one message. They could open a message and read it when they had a free moment instead of when the phone was ringing.

But today, instant messaging is nipping at the heels of email for the top rung on the communication ladder. Messages travel back and forth in real time, letting colleagues or business partners hold a conversation rather than trade messages. Buddy lists let coworkers see when you're online and available. Away messages keep bothersome interruptions at bay.

All of that has made instant messaging popular. And that popularity has made it dangerous.

''Instant messaging has become so popular that we're getting the classic issues that we've had with email,'' says Chien. ''IM can attach and transfer files, so viruses and worms can attach themselves. There are worms that will send themselves to everyone on your buddy list.''

In fact, between 2002 and 2003 there was a 400 percent increase in IM malware, according to Symantec's figures. Since 2002, 25 instant messaging worms have been released into the wild, with about 20 of them coming out last year alone. At least five or six have hit the wild so far this year, reports Chien.

''It's a continuing threat,'' says Steve Sundermeier, a vice president for Medina, Ohio-based Central Command. ''Virus writers are always looking for a new vector for infection... As companies secure their email gateways, virus writers will be looking for alternative or additional ways to get their viruses inside.''

However, with relatively few viruses and worms so far targeting instant messaging software, Chien and Sundermeier agree that the biggest security threat comes from unencrypted messages traveling across free, public IM services.

''What people should be the most worried about is that the IM traffic with the popular free clients is unencrypted today,'' says Chien. ''If you use free messaging, people can sniff the traffic and read your messages. It's something hackers do all the time.''

Chien explains that even if an employee is using IM to send a message to a coworker down the hall or in the next cubicle, the message travels outside the building and through the provider's servers, where it could easily be intercepted.

''Even if you're talking to the guy in the cube next to you, your message may go halfway around the world before it gets to the guy in the cube next door,'' says Chien. ''Sensitive business matters are exposed to the general Internet for people to potentially sniff and view.''
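The sniffing risk Chien describes is easy to see on the wire. The following is an added example, not code from the article or from Symantec: it walks a handful of constructed TCP segments (standing in for a packet capture) and flags traffic to the common instant-messaging ports whose payload reads as plain text, which is exactly what a passive observer on any hop between the two cubicles would be able to read. The port-to-client mapping (5190 for AIM/OSCAR, 1863 for MSN Messenger, 5050 for Yahoo Messenger) reflects those clients' well-known default ports and is an assumption here, as are the sample payloads, which are constructed for illustration rather than faithful protocol traces.

```python
"""Flag plaintext instant-messaging traffic in a set of captured TCP segments.

Added example, not from the original article. Assumptions:
- IM_PORTS holds the well-known default ports of the free clients of the era;
  real deployments may use other ports, so treat this as a starting heuristic.
- The segments in SAMPLE are constructed inline to stand in for a capture.
"""
from dataclasses import dataclass
from typing import List, Optional
import string

# Assumed default ports for the popular free IM clients.
IM_PORTS = {5190: "AIM/OSCAR", 1863: "MSN Messenger", 5050: "Yahoo Messenger"}
PRINTABLE = set(bytes(string.printable, "ascii"))


@dataclass
class Segment:
    src: str
    dst: str
    dport: int
    payload: bytes


def printable_ratio(payload: bytes) -> float:
    """Fraction of payload bytes that are printable ASCII (0.0 for empty)."""
    if not payload:
        return 0.0
    return sum(b in PRINTABLE for b in payload) / len(payload)


def classify(seg: Segment, threshold: float = 0.9) -> Optional[dict]:
    """Return a finding for a segment to a known IM port, else None.

    The finding records whether the payload looks like readable text; a high
    printable ratio means a sniffer on the path can read the conversation.
    """
    proto = IM_PORTS.get(seg.dport)
    if proto is None:
        return None
    ratio = printable_ratio(seg.payload)
    readable = ratio >= threshold
    return {
        "protocol": proto,
        "src": seg.src,
        "dst": seg.dst,
        "plaintext": readable,
        # Show what an eavesdropper would see; keep it short for a report.
        "sample": seg.payload[:60].decode("ascii", "replace") if readable else "",
    }


def audit(segments: List[Segment]) -> List[dict]:
    """Run classify() over every segment and keep only IM findings."""
    return [f for f in (classify(s) for s in segments) if f is not None]


# Constructed sample traffic: two cube-mates chatting through a public IM
# server, one binary-framed IM login, and one HTTPS segment for contrast.
SAMPLE = [
    Segment("10.0.1.15", "203.0.113.8", 1863,
            b"MSG alice@example.com\r\n\r\nQ3 revenue is down 12%, board meets Friday"),
    Segment("10.0.1.22", "203.0.113.9", 5190,
            b"\x2a\x02\x00\x01\x00\x0b\x00\x01\x00\x03\x00\x04"),
    Segment("10.0.1.15", "198.51.100.4", 443,
            b"\x16\x03\x01\x00\x95\x01\x00\x00\x91\x03\x01"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        state = "PLAINTEXT" if finding["plaintext"] else "binary/unknown"
        print(f"{finding['src']} -> {finding['dst']} {finding['protocol']}: {state}")
        if finding["sample"]:
            print("   ", finding["sample"])
```

Running it reports the MSN Messenger segment as plaintext and prints the business figures verbatim, while the HTTPS segment on port 443 is ignored and the binary-framed AIM segment is flagged as IM traffic but not as readable text. In a real network the same check would be driven from a capture library or an IDS rule rather than an inline list, and the port table would need to be extended for clients that tunnel over other ports.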

Central Command's Sundermeier says the best thing IT administrators can do is create a corporate policy governing IM usage. He suggests that users not be allowed to use any freeware. Instead, the company should buy instant messaging software designed for internal communications, so that messages don't needlessly travel through a remote server, and should make sure the software it chooses supports encryption.

Chien also recommends that IM not be used for sensitive information at all. Users should be reminded to follow the same safe computing practices with instant messaging as with email: never open an executable received over IM, and treat any file transfer with suspicion.