
Keep your IM-using employees on a need-to-know basis

As long as people have competed against others, whether commercially, militarily or athletically, their organizations have possessed information or practices that need to be kept secret.

Naturally, competitors have always wanted to learn those secrets, and history is filled with stories of spies, patents, secret codes and inadvertent disclosure of confidential information. Everyone knows that Coca-Cola guards the secret formula for their elixir; most American football fans are aware of the New England Patriots' recent transgression of videotaping an opponent's signals and everybody knows that “loose lips sink ships.”

Information technology departments always find themselves reacting to an innovation in hacking, breakthrough in spyware or another way for the big-mouthed employee to tell the company's secrets to others. One by one, security professionals address the vulnerability and close down the holes, while somewhere, someone is figuring out how to find the next one.

Over the past 10 to 15 years, email has been the biggest conduit for confidential information leaving organizations. Sometimes the leaks are deliberate and malicious; more often they are simple negligence. Certainly, thousands if not millions of emails have been sent carrying data, information or intellectual property that was never supposed to travel outside the "four walls." In response, email filtering products emerged that scan message content for keywords, regular expressions, number sequences and other patterns, and use the result to decide whether the message may be sent.

Still, people will find a way around or through new security measures. Once email was effectively “locked down,” it didn't take long for employees to find a very simple alternative: instant messaging.

Emergence of IM in a workplace
The top consumer IM networks – AOL Instant Messenger, Windows Live Messenger and Yahoo Messenger – all provide free use of their client software and networks after a quick, simple download. With an internet connection at work, it is a simple matter for an employee to install the client and use the IM network to communicate, send and receive files, play games, open up webcam sessions and even make telephone calls, all free of charge and all outside the control of the IT department.  

The use of consumer IM in the workplace has exploded over the past few years. Instant messaging is a valuable, productivity-enhancing communications medium. The business benefits of instant communication and the ability to see presence (who is online, who is busy and who is offline) are indisputable. However, with those benefits comes a set of new risks and liabilities.  

There are four major categories of risk to corporations where consumer IM is in use:
Security risks – IM networks are conduits for hackers' attacks, socially engineered messages leading to websites that download malware and propagation of infected files.
Compliance risks – Business communication over IM is bound by the same regulations and laws governing email and other electronic communications. Organizations must archive relevant IM chats and monitor to make sure that illegal conversations (e.g. insider stock tips; health care privacy breaches, etc.) are not occurring.
Inappropriate use liabilities – Corporations face potential hostile work environment, sexual harassment or threat-of-violence liabilities when employees use company computers and LANs to transmit inappropriate content. In a 2007 Akonix survey, 31 percent of respondents said they had personally experienced harassment over IM in the workplace. Extrapolated to the more than 100 million people the author estimates use IM at work, that would mean tens of millions of employees with a potential hostile-workplace complaint.
Leakage of confidential information – IM presents employees with a new and effective means of transmitting information. The risk of losing confidential data or proprietary trade secrets through the actions of a malicious or negligent employee is huge, and the impacts are potentially devastating.

Information leakage through instant messaging
There are two ways in which employees can transmit confidential information through instant messaging: (1) typing messages in the chat window (e.g. “Hey, I hear the FDA approval is coming next week”), or (2) sending file attachments.

Employees who deliberately and knowingly use IM to transmit confidential information are often quite resourceful. There are cases in the financial services industry where employees “buried” messages within seemingly innocuous chats.

Most employees are not so resourceful; they simply assume, mistakenly, that their use of public IM networks cannot or will not be monitored by their companies. A significant amount of confidential information leakage occurs through nothing more than passing along good news about upcoming product releases or new regulatory approvals. Whether the intent is innocent or not, employees are not permitted to divulge insider information, and when they do, both they and the employer may share liability and negative consequences.

Another category of information leakage through IM is the transmission of private data such as Social Security numbers or credit card numbers. Because IM is instant and informal, and because of the mistaken belief that a conversation exists only until the chat window is closed, people in business commonly share information about themselves or their customers over it. Consumer IM networks of this generation transmit text messages in the clear, so anyone positioned on the network path who is intent on finding confidential information can intercept them.

The file transfer utility in public IM clients creates another major risk for corporations. Most email systems limit the size of attachments, and many people have discovered that it is just as easy to click the paper clip icon in the messenger window and send the large file that way. An employee bent on moving large amounts of confidential information out of an organization's four walls can easily send spreadsheets, documents and PDFs to a recipient outside the company, bypassing the email filters entirely.

Getting control of IM information leakage
The solution to the problem of information leakage through IM should be a very familiar one to IT and security professionals: Take the same steps we all took to get control of email over the past few years.  
The starting point must be a sound policy for appropriate use of IM in the workplace. The IM policy should probably look a lot like the email policy, and in fact, by changing the word “email” to the phrase “electronic messaging,” and adding a definition of it to include instant messaging, one can have a single, unified policy for the use of all email, IM and other communications applications.

IM policy generally should include rules for what IM clients may be used, what types of communications are forbidden and a standard disclaimer noting that using company-owned computers and networks to gain access to an IM client, even a free public consumer IM network, means that the employee is subject to the company's monitoring. Policies must be written, consistent across employee roles and should be communicated and reinforced on at least an annual basis. For companies and organizations subject to tight regulation of electronic communication, the corporate policy should also educate employees on the legal and regulatory requirements that govern the use of IM in the workplace. People who are responsible for drafting and creating policies should always consult legal counsel.

The second component to gaining control of IM in the workplace is the technical aspect of monitoring usage and enforcing policy. The two pieces – human and technology – must both be addressed in order to create and enforce policy and maximize the benefit of using IM while minimizing the risk.

In order to manage and control the use of IM, IT departments must purchase and implement purpose-specific products. Blocking by port or server address on firewalls, routers or gateways is unreliable, because the consumer clients fall back to HTTP and HTTPS on ports 80 and 443 when their native ports are closed, and the protocols and server addresses change frequently. In addition, using any product not licensed by the IM networks to intercept their traffic on a corporate network breaches the license agreements the company and its employees accept when installing AOL Instant Messenger, Windows Live Messenger or Yahoo Messenger. Organizations are therefore advised to evaluate and select one of the devices certified and licensed by AOL, Microsoft and Yahoo to manage IM use.

IM management gateways and appliances perform the functions necessary to gain control of IM for the purpose of managing information leakage, as well as most or all of the functions needed to manage the other risks inherent in corporate IM use, including security, compliance and filtering for inappropriate use. Importantly, these products also provide content filtering to identify confidential, illegal or inappropriate words or phrases. Administrators can configure them to search for specific keywords or phrases (e.g. "stock tip"), for regular expressions, and for numeric patterns that may signal a message containing private information, such as a nine-digit sequence formatted like a Social Security number or a 16-digit card number. Raw numeric patterns also match order numbers, ticket numbers and phone numbers, so a useful filter validates each candidate (for example with the Luhn checksum for card numbers) before it blocks the message or raises an alert.
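The following is an added illustration of the content-filtering logic described above, written for this article and not code from Akonix or any IM gateway product. It scans chat turns for policy phrases, for Social Security numbers that pass the SSA's structural rules, and for card numbers that pass the Luhn check, and it redacts the matched numbers in its own findings so that the filter's log does not become a second copy of the leak. The keyword list and the sample transcript are constructed for the example.

```python
"""Content filter for IM chat text: keyword rules plus validated SSN and card patterns."""
import re
from dataclasses import dataclass

# Hypothetical policy phrases standing in for an organization's rule set.
KEYWORDS = ["stock tip", "FDA approval", "confidential"]


def _phrase_pattern(phrase: str) -> str:
    """Match a phrase as whole words, tolerating any run of whitespace between them."""
    return r"\s+".join(re.escape(tok) for tok in phrase.split())


KEYWORD_RE = re.compile(
    r"\b(?:" + "|".join(_phrase_pattern(k) for k in KEYWORDS) + r")\b", re.IGNORECASE
)
# US SSN in the conventional AAA-GG-SSSS layout; plausibility is checked separately.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, optionally separated by single spaces or hyphens; Luhn-checked afterwards.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject layouts the SSA never issues: area 000/666/9xx, group 00, serial 0000."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def redact(value: str) -> str:
    """Keep only the last four characters so the filter's own log cannot leak the data."""
    return "*" * (len(value) - 4) + value[-4:]


@dataclass(frozen=True)
class Finding:
    rule: str      # "keyword", "ssn" or "card"
    evidence: str  # matched phrase, or redacted number


def scan_message(text: str) -> list:
    """Return the policy findings for one chat message."""
    findings = []
    for m in KEYWORD_RE.finditer(text):
        findings.append(Finding("keyword", m.group(0)))
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append(Finding("ssn", redact(m.group(0))))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):  # drops ticket/order numbers that merely look like cards
            findings.append(Finding("card", redact(digits)))
    return findings


def scan_chat(chat):
    """Return (sender, finding) pairs for a list of (sender, text) turns."""
    return [(sender, f) for sender, text in chat for f in scan_message(text)]


# Constructed sample transcript, not taken from any real conversation.
SAMPLE_CHAT = [
    ("alice", "did you see the game last night?"),
    ("bob", "Hey, I hear the FDA approval is coming next week"),
    ("alice", "here's a stock  tip: buy before the announcement"),
    ("bob", "card on file is 4111 1111 1111 1111, exp 09/09"),
    ("alice", "my ticket number is 4111 1111 1111 1112"),
    ("bob", "customer SSN 123-45-6789; the old record shows 000-12-3456"),
]

if __name__ == "__main__":
    for sender, f in scan_chat(SAMPLE_CHAT):
        print(f"{sender}: {f.rule} -> {f.evidence}")
```

Run against the sample transcript, the filter flags the two policy phrases, the Luhn-valid card number and the structurally valid SSN, and ignores the Luhn-invalid ticket number and the 000-area SSN. In a gateway deployment the same scan would run on the decrypted or cleartext message before it is forwarded, with the action (block, quarantine, alert) chosen per rule.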

The ability to set and enforce policy and protect the organization from information leakage is put into the hands of the administrators, while the ability to safely and appropriately use IM for business benefit remains in the hands of the employees who have embraced this powerful yet simple communications medium.

- Don Montgomery is vice president of marketing at Akonix.
