In Depth

How 2 Luv IM!

Seven steps to keeping your employees' instant messaging secure.

By Todd Datz


In today's business environment where speed thrills, that makes IM a winner. But, as with e-mail, IM channels are vulnerable to malware, and CISOs and IT leaders need to be cognizant of the risks. The problem, according to some, is that security is often an afterthought when it comes to IM in the workplace. When asked about the state of IM security in companies, Kailash Ambwani, CEO and president of IM security company Facetime, says, "It's nonexistent mostly. The good news is that they're aware they need to do something about it; a year and a half ago, that awareness didn't exist."

The security risks are real. The predominant IM networks in use in companies are insecure public networks: AOL, Yahoo and MSN, to name a few. Employees can download those clients easily and at no cost. Malware is propagating rapidly: IMlogic's Threat Center reports that in 2005 there was a 1,693 percent increase in reported incidents of new threats, 2,403 unique IM and peer-to-peer threats, and that 90 percent of IM-related attacks included worm propagation. It also notes a dramatic increase in the sophistication of attacks. In addition to those risks, IM also offers employees an all-too-easy method of sending intellectual property outside the borders of your company, accidentally or intentionally.

So there's the bad, but here's the good: Take the steps below and you can sleep a little more peacefully at night. But look lively. If you haven't already done steps 1 and 2 at the very least, you're way behind.

1. Find out how much IM is going on inside your company.

Before making decisions about IM security, it's good to know what's crossing the wires every day. Who's using IM? What public networks are they using? How much traffic is there? What are people using it for: Games? File transfer? Arguing the merits of a flat tax or debating the latest steroid scandal? You may be able to determine much of this using standard network tools, or you might choose to dive into an IM-specific security tool to get a handle on IM activity.

2. Determine your posture toward IM.

The first question to ask: Should we allow it or block it? The easiest thing to do, of course, would be to say, I don't want to deal with this headache, let's just ban it. For starters, Don Montgomery, VP of marketing and customer support at IM security company Akonix, says that trying to block it from a technology standpoint is darn near impossible. "Once the public clients, which are free, are installed, they are port-seeking clients. So you can identify a protocol and try to shut down the port it uses at the firewall, but all of these clients use multiple ports, and they seek the next open one," says Montgomery. An IMlogic report titled "Understanding the IM Security Threat," notes that any attempt to secure IM "using purely network-layer tools and techniques such as combinations of port, IP and URL blocking is bound to be partial at best."
