While text has taken over as the main form of communication in the business environment, instant messaging (IM) is still used. The convenience of IM for the midsize market is plain to see: ease of use, fast response, and exchange of ideas and commentary – an especially useful tool for telecommuters or companies with multiple locations. However, the drawbacks must be weighed against these conveniences, and any potential security issues must also be resolved.
In today’s highly competitive workplace, where most employees wear several hats and do more than one person’s job, time is of the essence. One way to help lighten the burden is to use IM. But most of the time, end users install IM programs themselves without the system administrator’s knowledge or permission. This is not recommended.
IM allows files to be shared, which creates security risks because sharing is done ad hoc between end users. This means that admins have no control over the files being shared. In addition to file sharing, IM opens several holes in system security. The program opens a hole in the firewall or uses an already-opened port in the firewall and announces the IP address of the originating client, which acts as a beacon to malware and hackers. Admins can stop IM from traversing the Internet by shutting off specific ports; however, certain IM applications can act as rogue apps that scan all ports to find an open one to use.
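One way an admin could spot the port-hunting behavior described above is to look in firewall logs for a client that is denied on several ports to one server and then allowed on another. This is an added example, not part of the original post; the log format, addresses and the `find_port_hoppers` name are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample firewall log (not from the original post).
# Assumed line format: time action src_ip dst_ip dst_port
SAMPLE_LOG = """\
09:00:01 DENY 10.0.0.15 203.0.113.7 5190
09:00:02 DENY 10.0.0.15 203.0.113.7 5222
09:00:03 DENY 10.0.0.15 203.0.113.7 1863
09:00:04 DENY 10.0.0.15 203.0.113.7 21
09:00:05 ALLOW 10.0.0.15 203.0.113.7 443
09:00:09 ALLOW 10.0.0.22 198.51.100.4 443
09:01:10 DENY 10.0.0.31 198.51.100.9 25
09:01:12 ALLOW 10.0.0.31 198.51.100.4 80
"""

def find_port_hoppers(log_text, min_denied_ports=3):
    """Flag clients denied on several distinct ports to one server
    that then got through to the same server on a different port."""
    denied = defaultdict(set)   # (client, server) -> ports blocked so far
    reported = set()            # pairs already flagged, to avoid duplicates
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # skip malformed lines rather than guessing
        _time, action, src, dst, port = parts
        pair, port = (src, dst), int(port)
        if action == "DENY":
            denied[pair].add(port)
        elif action == "ALLOW" and pair not in reported:
            tried = denied[pair] - {port}
            if len(tried) >= min_denied_ports:
                findings.append({
                    "client": src,
                    "server": dst,
                    "denied_ports": sorted(tried),
                    "allowed_port": port,
                })
                reported.add(pair)
    return findings

if __name__ == "__main__":
    for f in find_port_hoppers(SAMPLE_LOG):
        print(f)
```

A hit is a lead for the admin to follow up with the user of that workstation; the threshold needs tuning against normal traffic on the network in question.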
When someone sends an IM to another person within the same company, the IM does not stay within the company. Unless you have a server such as Office Communications Server 2007, your IMs will always leave the technology borders of your company and travel to a third-party server before they return to the intended recipient. This allows anyone with the correct software to intercept the IM and read it using a man-in-the-middle type attack.
Another problem with IM in its current form is the lack of support for encryption. IM programs do not natively support encryption of text within IMs between users. Some third-party programs do add an encryption plug-in. Companies such as Trillian work with multiple chat networks and can encrypt IM messages that the client sends to the server. While this does not help with file sharing problems, it will provide confidentiality in one direction. To protect file exchange, clients need a virus scanner.
Because most people leave IM open on their desktop so that they can receive IMs in real time, the hole will remain open until that particular instance of IM is closed – which doesn’t happen often because most users tend to leave IM open all day. Broadcasting your IP address is one of the easiest ways for an attack to happen – it’s similar to opening a door and inviting everyone in, both good and bad.
While IM is fast and easy, it is not without risks. Text content can be compromised. Attached files, if not properly scanned, can be corrupt and infect a network or the host. And finally, if you need secure IM (which is crucial if your company permits IM), then you must have your own IM server.
Will you reconsider IM in your business now?
This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don’t necessarily represent IBM’s positions, strategies or opinions.