No longer simply a chat tool among college students, instant messaging (IM) has started to take corporate environments by storm, both as an opportunity and a risk.

It is a very powerful communications medium, but it is also a security threat that too often circumvents standard email and web safety nets. Converting IM into an invaluable business tool means acknowledging its vulnerabilities and creating a plan for protecting your organization against the IM security risk.

IM-borne viruses and malware are on the rise (increasing by no less than 300 percent in the first three months of this year according to the IMlogic Threat Center) and the likely reason is that hackers and virus writers view IM as a new frontier. The challenge for corporate America is that few executives know the extent to which their staff are using IM and the potential risk this poses. There are five primary avenues for malware and hackers to attack corporate networks through IM.

The first is through viruses and worms which can be attached to IM messages. These attacks are the most commonly reported IM threats, and typically arrive by file transfer or embedded html, bypassing traditional gateway antivirus security. IM attacks might create buffer overflows or boundary condition errors on clients such as AOL, MSN and Yahoo!, creating openings for Trojan horses and spyware.

Next comes identity theft and authentication spoofing. Most consumer IM systems such as AOL, MSN, and Yahoo! allow users to create anonymous IDs that do not map to email addresses. That means a hacker or phisher can create an ID such as janedoe@enron to "spoof" an accepted ID and compromise the identity of a corporate user.

Tunneling is another threat, where IM clients exploit any open port on the firewall, including those used by other applications (such as port 80, the standard port for websites). These "tunnels" are often invisible to security gateways, and expose the network to viruses, identity theft, and other risks.

Instant messaging can also be a channel for information security leaks, allowing users to send out classified or private information. IM might be used to send data via text or file transfer, bypassing the IT department's best forensic monitoring or filtering capabilities.

Instant messaging has also become a channel for spam. Spam over IM (SPIM) is far more disruptive than email spam because it automatically pops up on users' screens and appears from a legitimate user.

SPIM is also used in conjunction with email spam and phishing as a blended threat to attack end-user computers.

With so many potential threats associated with IM, firms could be persuaded to ban it altogether. But it does have a role to play in business and just needs to be properly controlled.

Instant messaging need not be a chief security officer's worst nightmare. Understanding the risks, mapping out a plan and employing best practices for IM's use will eliminate the vulnerabilities and introduce a valuable real-time communications tool to your company.

Jon Sakoda is chief technology officer and vice-president of products for instant messaging vendor IMlogic.