Instant Messaging: Balancing Security with Real World Business Needs

Does this sound familiar? Your company's inside sales team has come to rely on instant messaging (IM) as its main avenue of communication with business partners, field offices and even significant clients. The rank and file workers love its real-time capabilities, but as an MIS professional, you're losing sleep over the security risks. Your inclination is to cut access to instant messaging across the board, but you fear an outcry if you take it away. When you suggest it in a conversation with the sales director, she has a fit.

What's the solution to this nagging problem? What are the real risks of technologies such as instant messaging, versus their benefits to your company? Can an entrepreneurial organization operating in the hand-to-hand combat environment of modern business afford to simply dismiss such powerful communications tools out of hand?

More than any other security management issue I've encountered in my 26 years in this industry, the instant messaging issue calls all of these questions into play. In many ways, instant messaging draws attention to a core issue affecting enterprise level security. Can the good old days of centralized MIS control over all aspects of security be reconciled with employee needs in the modern, Internet-connected company?

It's an issue that I've grappled with in my own job - both as a security professional and as a businessperson. At what point does network security change from being reasonable and smart to being Draconian and counterproductive?

In the case of instant messaging, I use it, and many of my colleagues use it. Because it really is quick and interactive, you're able to converse with the person at the other end. You don't get the stilted flow of an e-mail exchange. This makes it a very powerful tool for advancing business communications. Plus, you can talk to several people at once, without the formality of a conference call.

Despite the fact that instant messaging programs like those offered by AOL, Yahoo and Microsoft were really designed for personal chat, business use has taken off with a vengeance. By giving employees an always-on, always-open line for dialogue with customers and each other, businesses gain a significant advantage over their competitors. Forrester Research recently reported that in a poll of 50 Fortune 1000 companies, 36 percent had employees that used instant messaging to keep in touch. That number is predicted to rise to 46 percent by year's end. In fact, Forrester estimates that there are already more instant messages traveling on the Web than e-mail. Even with the unresolved interoperability issues between the different messaging programs, the proof is in the pudding - instant messaging is a runaway hit in the workplace.

The Security Risks

So, why would an MIS department want to cut off access to a tool that's as popular among top executives as it is among entry-level employees? I'll be honest: instant messaging isn't exactly the safest thing in the world. Since IM security issues cannot be fully mitigated without shutting such programs down, the natural tendency is to simply prohibit use of IM-type programs and avoid all risk of a security breach.

As for the specific concerns, there are several. For starters, the code behind messaging programs, as they're written now, is less than ideal from a security standpoint. The code simply isn't written tightly enough for use on a large network. This makes it susceptible to forced failure and stack overflow.

More significantly, instant messaging opens the door to Trojan horses and worms. Field employees using instant messaging to send files to local hosts may be increasing corporate exposure to viruses. In addition, instant messaging uses the Internet and thus requires a company to open ports in its firewall, increasing the risk of attack.

These threats, however, aren't what I would call major risks. In fact, they're remote considering there are measures you can take to make things safer (more on this later). In my mind, the real concern for MIS folks should be that messages are sent without regard to encryption. Information carried on instant messaging systems is open to snooping. Key information about that sensitive acquisition plan that your company president just shared via IM with the field office is completely open to outside eavesdropping.

In many ways, instant messaging is like talking to a colleague in the hallway: you're not as careful about what you say. E-mail is more like a formal meeting. A lot more thought goes into the message, attachments, etc. With IM-type software, there's a totally different etiquette and style. The casualness of this form of communication, coupled with the lack of content security during conversation sessions, is in itself the biggest risk. It's very easy for someone to hijack these sessions as they move through cyberspace.

People just aren't security conscious when using instant messaging. By comparison, many people have come to understand that e-mail is a formal communications tool that is digitally stored, archived and even reviewed by an employer. The ease and casualness of the IM process encourage an equally casual attitude toward the security of message content. It's downright sloppy at times.

Minimize the Risks

The easiest and most effective way for the MIS department to minimize the risks posed by instant messaging is to better communicate standard security strategies to employees. Remember that IM-type programs are a very efficient and effective way to do business. They don't need to be turned off; people just need to be more careful about what they say. MIS pros should make employees aware of the fact that using instant messaging is a little like talking about business in a crowded restaurant. Usually, nobody is listening in on your conversation, but you can never be completely sure. That doesn't mean you can't talk business; you just have to be a little more discreet.

As an aside, keep in mind that given the dramatic rise in instant messaging use among businesses (coupled with vendor efforts to facilitate interoperability between different messaging programs), instant messaging is sure to improve over time. Complementing this improvement, MIS departments can look forward to the improvement of anti-virus software designed to work with instant messaging programs.

Keeping up with the latest patches and updates will be just as essential with IM software as it is with Outlook and other tools that use the Internet.

Still, you don't have to sit and wait for the software to catch up with the security issue. There are several specific measures that MIS professionals can take to preserve employee access to instant messaging, while minimizing exposure to security breaches. For instance:

Design Your Security for Insecurity. What commonly happens is that MIS departments erect a monolithic security system centered on one big firewall. This is usually followed by simply turning everything off at the firewall level, until a very strong case can be made for restoring specific tools or capabilities. Companies would be much better served, however, if they identified important resources that really need to be secure, as opposed to those that don't need as much security.

By safeguarding specific areas of the network using internal firewalls and tighter intrusion detection policies, for instance, companies can fully protect some areas (e.g., human resources, payroll and finance), while loosening control over other areas. Such a structure enables one to set up protocols appropriate to different departments, instead of one giant, across-the-board protocol completely out of line with the business needs of the different groups. By blocking instant messaging only at human resources' inner firewall, for instance, the MIS department can continue to allow folks handling supply chain management to use the tool with their business partners. Also, don't forget that a good security design assumes that a hacker may already be inside the company and thus puts measures in place to detect such internal threats.

Devote More Resources and Effort to Training. Spending some extra money training MIS staff will help them better understand how security tools and hackers work. This knowledge will empower the MIS folks to understand the trade-offs associated with security measures and, perhaps, look at alternatives to hard-line measures. Since security solutions are never as simple as just turning them on or off, you need to make sure smart decisions are made up front. It's important to realize that, generally, security is seen as overhead and bringing on additional staff may be a hard sell.

Additional money for training, however, is far less difficult to obtain. Finally, don't assign security to the most paranoid person on your staff. Try to put someone in charge of this function who understands the real world IT needs of employees and the organization itself.

Invest in Intrusion Detection. Intrusion detection is expensive so you may not want to put it everywhere on your network, but a firewall alone isn't enough. Shelling out money for the latest intrusion detection options isn't a lot of fun, but not doing so is, as the old saying goes, "penny wise, but pound foolish."

Learning to Live with Some Risk

I've managed MIS departments and, believe me, I understand the kind of pressures they face and the temptation to be heavy handed in order to create airtight security. As companies grapple with issues, such as instant messaging, however, they must ask this question: What do I have to do to create a secure network that also allows access to the kind of resources that help the company compete and make money?

Look, if nobody uses instant messaging, then turn it off. But, don't make it too hard to turn it back on and don't decree that there shall be no IM under any circumstances.

MIS departments are going to have to move away - at least a little bit - from the old idea of having one universal policy for the entire network. Protecting high security resource areas independently from other network areas is one affordable option. Better educating employees can help, too. What doesn't help is simply saying "no" to employees who are making the company more profitable.

In real life, employees commonly find ways around security policies so that they can do their jobs; MIS just doesn't know about it. And that is the bigger risk!

Tools such as instant messaging are here to stay and can even give your organization a competitive advantage. In the future, as instant messaging becomes ubiquitous, it will become a business necessity. Burying one's head in the sand and pretending IM doesn't exist is just plain shortsighted.

The solution isn't overreacting; it's smart reacting.

Surviving the Virus: Inoculation Doesn't Mean You Don't Need an Antidote by Chris Gray

E-mail has been embraced as a business-critical communications tool because it offers companies a cost-effective medium for quickly and conveniently communicating with employees, existing and prospective customers, suppliers and business partners globally. However, since it's readily accessible and has an extensive reach, e-mail has also become a major conduit for, and victim of, thousands of computer viruses that are engineered and distributed regularly by hackers. To date, companies have implemented a variety of solutions, such as firewalls and anti-virus software, to help detect, diagnose, inoculate and protect mission-critical information and applications from being infected. But, none of these solutions are failsafe.

There are a variety of solutions on the market that often block or limit the spread of virus infections before they cause any damage. However, these solutions cannot prevent these infections entirely, because new viruses are constantly being introduced or modified and are not always immediately recognizable. In addition, of all the hardships endured because of viruses - from corporate-wide e-mail systems being down to the inability to access and distribute business information for days - the most devastating is the deletion or irrevocable destruction of documents, files and databases. As a result, it is important to not only have a prevention process in place at all times, but also have a containment and recovery plan in case a virus attack is successful.

Why Protect E-mail?

Today, e-mail is increasingly being used internally and externally to communicate business strategies and activities and to facilitate transactions with suppliers and customers. In fact, Ferris Research, an analyst firm focused on technologies that help people communicate, recently estimated there was a 50 percent growth in corporate e-mail messages last year and anticipates that it will increase 30 percent to 50 percent next year. However, unlike other communications tools, such as letters and faxes, not all companies have policies in place for retaining, filing and readily accessing this critical information. Consequently, if a virus wipes out important e-mail files, a company could permanently lose information that is vital to its success. So, what option do you have when a virus infiltrates the firewall, goes unrecognized by your anti-virus software and proceeds to destroy, or make unavailable, your business-critical e-mail files?

First, the company can rely solely on backup tapes to restore the e-mail system to a profile captured before the virus attack. This procedure addresses the driving issue of getting the e-mail system up and running. However, it is detrimental to the organization because it does not discriminate between legitimate business and virus-infected e-mail. All messages received after the date of the backup tape are effectively destroyed by the restore procedure. Additionally, this restore procedure may take considerable time and consume precious IT resources.

The second option is for the company to implement a centrally-controlled storage system that routinely makes backup tapes of the e-mail server archives, which can be searched when necessary. However, to find an e-mail this system requires administrators to reload a series of backup tapes on a duplicate messaging system and initiate a search. This is a clumsy, expensive and time-consuming process that doesn't eliminate the burden on IT administrators. For example, The Washington Times reported on May 4, 2000, that to obtain the information for the federal inquiry, the White House would need to search over 4,900 backup tapes. The White House is compelled to keep this many backup tapes to provide a historical record of business communications made via e-mail. Unfortunately, this second option doesn't prevent e-mail downtime following a virus attack.

The third option is implementing a message-center archive for the existing e-mail or messaging system, including secure access capabilities to rapidly retrieve any message or attachment. This system would automatically extend the current message store into an enterprise message center. When a new e-mail virus goes undetected by existing anti-virus software, the virus-infected e-mail can be selectively expunged, instead of restoring from an old backup tape. To expunge a virus, the IT administrator first develops a unique profile of the infected messages. That may include a key word or phrase appearing in the message body or attachment, an originating address, a creation date or other unique e-mail property. The message center then executes a search to identify and delete all messages that match the profile. Importantly, this leaves all the other legitimate business e-mails and attachments in place within the message center. The e-mail service stays up and operational throughout the corrective action, as well.
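To make the difference between the first and third options concrete, the following Python script is an added example (not code from the article and not OTG Software's product). It models a message store as a list of records, implements a full roll-back to a backup tape and a profile-based selective expunge, and counts how much legitimate mail each approach discards. All messages, addresses, dates and the attachment name in the profile are constructed sample values; the `ExpungeProfile` class and its fields are this example's own design, not an API from any named product.

```python
"""Selective expunge of infected messages versus a full restore from backup.

Added example; every message, sender and date below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class Message:
    msg_id: str
    sender: str
    subject: str
    body: str
    attachments: tuple[str, ...]  # attachment file names
    received: datetime


@dataclass
class ExpungeProfile:
    """Unique profile of the infected mail. Every criterion that is set must
    hold (logical AND); criteria left as None are ignored."""
    subject_contains: Optional[str] = None
    body_contains: Optional[str] = None
    attachment_name: Optional[str] = None
    sender: Optional[str] = None
    received_after: Optional[datetime] = None
    received_before: Optional[datetime] = None

    def is_empty(self) -> bool:
        return all(v is None for v in vars(self).values())

    def matches(self, m: Message) -> bool:
        if self.subject_contains is not None and self.subject_contains.lower() not in m.subject.lower():
            return False
        if self.body_contains is not None and self.body_contains.lower() not in m.body.lower():
            return False
        if self.attachment_name is not None and not any(
                a.lower() == self.attachment_name.lower() for a in m.attachments):
            return False
        if self.sender is not None and m.sender.lower() != self.sender.lower():
            return False
        if self.received_after is not None and m.received < self.received_after:
            return False
        if self.received_before is not None and m.received > self.received_before:
            return False
        return True


def restore_from_backup(store: list[Message], backup_time: datetime) -> list[Message]:
    """Option one: roll the store back to the tape. Everything that arrived
    after the tape was cut is lost, infected or not."""
    return [m for m in store if m.received <= backup_time]


def expunge(store: list[Message], profile: ExpungeProfile) -> tuple[list[Message], list[Message]]:
    """Option three: remove only the messages matching the profile.
    Returns (kept, removed) without mutating the input, so a dry run is
    simply inspecting `removed` before committing."""
    if profile.is_empty():
        raise ValueError("refusing to expunge with an empty profile: it would match every message")
    kept = [m for m in store if not profile.matches(m)]
    removed = [m for m in store if profile.matches(m)]
    return kept, removed


def legitimate_mail_lost(original: list[Message], recovered: list[Message],
                         profile: ExpungeProfile) -> list[Message]:
    """Legitimate (non-matching) messages that a recovery step discarded."""
    recovered_ids = {m.msg_id for m in recovered}
    return [m for m in original if not profile.matches(m) and m.msg_id not in recovered_ids]


# Constructed sample store: the backup tape was cut on 1 May; infected mail
# (subject "Please review" with a report.vbs attachment) arrived on 3 May.
BACKUP_TAKEN = datetime(2000, 5, 1, 0, 0)
SAMPLE_STORE = [
    Message("m1", "partner@example.com", "Q2 forecast", "Numbers attached.", ("forecast.xls",), datetime(2000, 4, 28, 9, 15)),
    Message("m2", "alice@example.org", "Weekly status", "All on track.", (), datetime(2000, 4, 30, 17, 5)),
    Message("m3", "counsel@example.com", "Contract draft", "Redlines attached.", ("contract.doc",), datetime(2000, 5, 2, 11, 40)),
    Message("m4", "unknown@example.net", "Please review", "See attached.", ("report.vbs",), datetime(2000, 5, 3, 8, 2)),
    Message("m5", "someone@example.net", "Please review", "See attached.", ("report.vbs",), datetime(2000, 5, 3, 8, 3)),
    Message("m6", "bob@example.org", "Please review the minutes", "Minutes from Monday.", ("minutes.doc",), datetime(2000, 5, 4, 14, 20)),
]
INFECTED_PROFILE = ExpungeProfile(subject_contains="please review", attachment_name="report.vbs")


def compare_recovery_options(store: list[Message] = SAMPLE_STORE,
                             backup_time: datetime = BACKUP_TAKEN,
                             profile: ExpungeProfile = INFECTED_PROFILE) -> dict[str, int]:
    restored = restore_from_backup(store, backup_time)
    kept, removed = expunge(store, profile)
    return {
        "restore_kept": len(restored),
        "restore_lost_legit": len(legitimate_mail_lost(store, restored, profile)),
        "expunge_kept": len(kept),
        "expunge_removed": len(removed),
        "expunge_lost_legit": len(legitimate_mail_lost(store, kept, profile)),
    }


if __name__ == "__main__":
    for name, value in compare_recovery_options().items():
        print(f"{name}: {value}")
```

Two design points matter in practice. First, the profile combines criteria with AND: a subject-only profile would also delete m6, a legitimate message that merely shares the phrase, so the administrator should run the profile as a search and review the `removed` list before deleting anything. Second, `expunge` refuses an empty profile outright, because an all-None profile would match the whole store.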

Other functions can significantly augment the business value of a message center, and may include:

• Superior e-mail server management by providing automatic capture capabilities, integrated support for low-cost mass storage and content-based classification rules. This reduces message store saturation and increases message availability by transforming an organization's temporary cache of messages on a server into an enterprise document management system.

• Fast and efficient access to the historical body of e-mail messages and attachments through full-text indexing and cataloging for employees, as well as for authorized managers and administrators.

• Reduced costs associated with being able to recover messages or documents from an e-mail archive quicker and more efficiently. Creative Networks Inc. estimated in its February 1999 report titled, "E-mail Archive and Retrieval: A Hidden Enigma, A Hidden Cost," that large companies spend an average of $193 per user, per year, to retrieve messages from the archive. An e-mail message solution should help companies reduce this expense.

• Record management that adheres to an organization's formal e-mail policies and enables the company to comply with SEC, federal, state and local e-mail management requirements and regulations.

• Protection of business communications to ensure e-mail records are tamper-proof throughout their life cycle, and prevention of abuse by monitoring compliance with corporate policy.

"Implementing an e-mail archival and retrieval solution is essential for turning a message store into a corporate asset," says Kym Gentry, Director of Marketing at Creative Networks Inc. "This will enable companies to lower the total cost of ownership for their messaging system, reduce the risk associated with losing information and increase the productivity of their employees."

Today, there are numerous ways to block or limit the spread of virus infections before they cause any damage. However, none of these solutions are effective 100 percent of the time because new viruses are constantly being introduced and old viruses are modified and not always immediately recognizable. Consequently, the ability to rapidly recover business-critical information, from an individual e-mail mailbox on the granular level to an entire database on the enterprise level, is an essential strategic weapon in the battle against computer viruses.

Chris Gray is Vice President of E-Mail Products for OTG Software (Bethesda, Md.). He can be reached at cgray@otg.com.

Charles Biggs is Vice President of Systems Engineering and Vice President of Product Marketing at Netguard Inc. (Carrollton, Texas). He can be reached at cbiggs@netguard.com.