Enterprises Unprepared To Manage Instant Messaging Threats, Says Survey

Half of organizations have no IM policies despite numerous enterprise security risks

Although the majority of U.S. enterprises have embraced formal policies for managing Internet and e-mail use in the workplace, nearly half of them have no such policy for instant messaging (IM), according to a survey released by SurfControl plc.

The study surveyed 7,593 of the company's customers concerning IT management policies governing Internet-based communications at work. While more than 90 percent of the respondents said they had an Internet access policy, nearly half (49 percent) reported that they had no policy concerning the use of IM and peer-to-peer applications within the organization. SurfControl experts warn that this can render an organization vulnerable to a host of emerging security threats that can be delivered via instant messages.

"Instant messaging may be viewed as convenient to end-users, but the business costs are too great to leave IM usage unchecked by security policy," said Jim Murphy, director of product marketing for SurfControl. "Without the proper policies and protections in place, instant messaging can become an instant message for IT managers. Numerous IM-borne viruses, worms, spyware applications and blended threats can all jeopardize network security and cost companies hundreds of thousands of dollars in clean up costs."

Internet messaging has proliferated due to the widespread availability of public IM applications via the Web and their ease of use. Osterman Research reports that about 90 percent of organizations had employees using at least one form of IM application in 2004. A growing number of American workers have embraced IM as a faster and more reliable way of communicating with co-workers and customers. However, very few organizations officially sanction IM usage. A recent American Management Association study found 78 percent of workplace IM users had downloaded free IM software from the Internet, unaware of the threats posed by such downloads. Most troubling is the fact that serious security vulnerabilities such as buffer overflows, denial of service attacks and encryption weaknesses continue to be found -- and exploited -- in all of the popular instant messaging clients.

Survey respondents also ranked confidential data protection as one of their top security concerns, with 83 percent of respondents ranking it as a "major concern." Murphy noted this irony, stating that IM and P2P communications and data transfer are often sensitive in nature. Unfortunately, they are almost never encrypted or cryptographically signed, making them susceptible to network snooping, modification, hijacking, and impersonation attacks, and making non-repudiation impossible.

"Left ungoverned, instant messaging applications are an easy vehicle for accidental or malicious disclosure of sensitive corporate data, including company financials, personnel records and customer data. Clearly, companies must combine detailed acceptable use policies with effective technology to manage instant messaging at work," said Murphy. "IT managers need to work with HR professionals to ensure that all employees are governed by enforceable rules, so they can minimize risk to the organization and assure network resources are properly used."

SurfControl offers the following guidelines to help companies safeguard against IM and P2P threats:
  1. Create a well-defined corporate usage policy on the appropriate use of IM and P2P within the organization.
  2. Communicate these policies to employees to assure proper use of these resources as well as consequences for misuse.
  3. Advise users to never follow any link in an unsolicited or suspicious IM communication. The simple visit to a Web site could trigger multiple IT threats.
  4. Implement a filtering tool that is able to identify and block in realtime both the use of instant messaging applications (AOL/ICQ, MSN and Yahoo!) as well as the most popular P2P networks (Gnutella, FastTrack, and WinMX).
For more information on creating and deploying an effective acceptable use policy, read "Protecting the Enterprise from Instant Messaging and Peer-to-Peer Threats".