Sure, IM is a valuable tool that frequently speeds corporate communications and decision-making. But without the proper safeguards and compliance processes in place, P2P software can poke numerous security holes in a corporate network.
Indeed, more than 2,400 software security threats targeted corporate and consumer instant messaging systems in 2005, according to IMlogic, an instant messaging specialist in Waltham, Mass. (which Symantec acquired in January). The threats ranged from worms and viruses to rogue code that attempted to exploit security holes in P2P software, reports IMlogic.
Eager to combat such threats, many companies now have IT security policies that specifically bar employees from using P2P and IM software. However, such policies are useless without proper enforcement procedures in place.
"Tomorrow's workforce is going to insist on peer-to-peer software," says Jill Cherveny-Keough, director of academic computing at New York Institute of Technology, a college with 12,000 students in Manhattan and Long Island. "Most college students today use IM as frequently as they use their cell phones. As those students move into the workforce, they are going to expect IM much in the way that we all take email and voicemail for granted."
Recent college grads aren't the only users demanding P2P software.
"If I had to guess, I'd say roughly half of all employees in large businesses use IM or P2P software without their companies' approval or knowledge," says Roland Voyages, a former CIO at a major financial services firm in New York.
This estimate may be conservative. During the second half of 2005, 93 percent of corporate users deployed software not sanctioned by their IT department, according to corporate IM software specialist FaceTime Communications of Foster City, Calif. Moreover, 30 percent of corporate users who experienced a virus attack in 2005 said the rogue code was spread through IM.
The weak links
Consumer IM systems -- from America Online, Yahoo! and Microsoft -- are popular targets for spreading viruses. But the P2P risks do not end there. Hackers and rogue programs also spread worms and viruses via such popular P2P file-sharing systems as eDonkey.com and Kazaa.com.
Left unchecked, P2P systems can serve as a digital back door into and out of your enterprise. Several Wall Street traders, for instance, have been fined for sending financial information through IM systems that lack proper record retention and archiving capabilities. In 2003, the New York Stock Exchange updated its record retention requirements, telling member institutions that organizations must have retention policies for all forms of written and electronic communications, including IM.
Still, IT executives should not panic over peer-to-peer risks. Instead, they can evaluate third-party tools that identify rogue IM services, block specific P2P software, or improve the overall security of the P2P software that is allowed to stay.
And, even more good news, some of the tools are free. FaceTime, for instance, offers RTMonitor, a no-cost tool that detects all real-time communications activity within and across corporate networks. RTMonitor generates a detailed report that helps IT executives and network administrators learn who is using IM, P2P and voice over IP (VoIP) applications in the enterprise. Armed with that information, organizations can proactively block specific P2P services that are not approved for corporate use.
The market for network appliances that halt P2P traffic is also growing. FaceTime's Real-Time Guardian network appliance, for instance, blocks spyware, adware and unauthorized P2P use. Similarly, SonicWALL of Sunnyvale, Calif., designs security appliances that block unauthorized use of Skype, the P2P VoIP application that has become wildly popular.
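The detect-then-block workflow described above (first learn which hosts are using which IM or P2P service, then block the services that are not approved) can be sketched in a few lines. The following is an added example, not RTMonitor's, Real-Time Guardian's or any vendor's code: it parses a constructed firewall connection log, attributes each allowed connection to a service by the client's historical default destination port, reports per-host activity, lists the hosts that touch unsanctioned services, and emits generic block rules for those services. The log format, the addresses, the sanctioned-service policy and the rule syntax are assumptions; the port table holds the well-known default ports of those clients, which users can change, so a port match is a first-pass indicator rather than proof of use.

```python
import re
from collections import defaultdict

# Historical default ports of consumer IM and P2P clients (assumption: clients
# left at their defaults; any of these can be reconfigured, so treat a match as
# a lead to investigate, not as proof).
SERVICE_PORTS = {
    5190: "AIM",
    1863: "MSN Messenger",
    5050: "Yahoo! Messenger",
    1214: "Kazaa",
    4662: "eDonkey",
    4672: "eDonkey",
}

# Constructed log in an assumed "ts src:port -> dst:port proto action" format.
# Internal hosts are RFC 1918 addresses, external ones are documentation ranges.
SAMPLE_LOG = """\
2006-03-01 09:12:04 10.1.4.22:51234 -> 192.0.2.10:5190 TCP ALLOW
2006-03-01 09:12:09 10.1.4.22:51240 -> 192.0.2.11:1863 TCP ALLOW
2006-03-01 09:13:41 10.1.7.8:41002 -> 198.51.100.7:5050 TCP ALLOW
2006-03-01 09:14:00 10.1.7.8:41010 -> 198.51.100.9:443 TCP ALLOW
2006-03-01 09:15:17 10.1.9.30:3344 -> 203.0.113.16:4662 TCP ALLOW
2006-03-01 09:15:18 10.1.9.30:3345 -> 203.0.113.16:4672 UDP ALLOW
this line is not a connection record and is skipped
2006-03-01 09:16:02 10.1.4.22:51250 -> 192.0.2.10:5190 TCP DENY
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<proto>TCP|UDP) (?P<action>ALLOW|DENY)$"
)


def parse_line(line):
    """Return a dict for one connection record, or None for lines that do not match."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def parse_log(text):
    """Parse every line, silently dropping non-matching ones."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def activity_report(records):
    """Map each internal host to the sorted IM/P2P services it successfully reached.

    Only ALLOWed connections count: a DENY shows the perimeter already stopped it.
    """
    seen = defaultdict(set)
    for r in records:
        service = SERVICE_PORTS.get(r["dport"])
        if service and r["action"] == "ALLOW":
            seen[r["src"]].add(service)
    return {host: sorted(services) for host, services in seen.items()}


def unsanctioned_hosts(report, allowed):
    """Hosts using at least one service outside the sanctioned set, with those services."""
    result = {}
    for host, services in report.items():
        bad = [s for s in services if s not in allowed]
        if bad:
            result[host] = bad
    return result


def block_rules(services):
    """Generic deny rules (assumed syntax) for every default port of the given services."""
    ports = sorted(p for p, s in SERVICE_PORTS.items() if s in services)
    return [f"deny any -> any port {p}  # {SERVICE_PORTS[p]}" for p in ports]


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    report = activity_report(records)
    offenders = unsanctioned_hosts(report, allowed={"AIM"})
    for host, services in sorted(report.items()):
        print(host, ", ".join(services))
    print("unsanctioned:", offenders)
    for rule in block_rules({s for svcs in offenders.values() for s in svcs}):
        print(rule)
```

Run as-is it prints the per-host inventory, the hosts that reached a non-sanctioned service under the assumed policy that only AIM is approved, and the block rules to feed into whatever perimeter device is in use. The HTTPS connection on port 443 and the already-denied AIM attempt are deliberately left out of the report, which is the behaviour a first-pass triage wants.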
While Skype is reliable and free, using it exposes companies to specific regulatory and security risks. Skype was designed to evade network tracing and auditing attempts, according to SonicWALL, so it frequently does not comply with industry regulations that require businesses to archive their electronic communications.
Meanwhile, many organizations are evaluating or deploying so-called corporate IM systems. These solutions go beyond traditional consumer IM software, and frequently include such capabilities as data archiving.
IBM Corp., for one, develops Lotus Sametime, a popular IM platform that also offers web conferencing capabilities. Unlike basic consumer offerings, Sametime was designed from the ground up for corporate use and therefore includes such capabilities as archiving to appease federal and financial regulators.
Meanwhile, managed service providers such as Postini, San Carlos, Calif., now offer online spam filters and archiving capabilities for customers' existing IM and email systems. Eager adopters include Holland & Knight LLP, one of the world's 15 largest law firms. Holland & Knight embraced Postini's managed services because the firm had grown frustrated with security appliances that required too much time to configure, according to Chad Manaton, a messaging systems manager at the firm.
Other noteworthy IM security vendors include Akonix Systems. The San Diego-based firm's flagship product is L7 Enterprise, an IM gateway that runs on Windows servers and brings management, security and archiving capabilities to enterprise and public IM systems.
Make the effort
Yet despite these P2P security solutions, many organizations still lag behind when it comes to mastering IM security.
"Users are addicted to their preferred IM platforms," warns Ed Golod, president of Revenue Accelerators, a technology consulting firm in New York. "You're not going to get them to abandon IM software from AOL, Microsoft or Yahoo."
Instead, Golod says, give users a carrot: Let them continue to use IM, but be sure to install third-party software that ensures all communications are properly recorded and archived.
"Just like email, instant messages can be used as evidence in a legal case," says Golod. "So it pays to make sure you have IM and P2P software under control in your IT environment."
Consider yourself warned.
RISKY BUSINESS: Pandora's hard drive
If left unchecked, peer-to-peer software can:
Open up back doors into the network, allowing hackers direct access to corporate assets and putting the organization in breach of privacy legislation;
Enable the exchange of copyrighted material, rendering the corporation vulnerable to breach of copyright lawsuits;
Overload network bandwidth with unauthorized file sharing activities;
Allow bundled adware applications to be installed on the network without the user's knowledge.