Volume 1, Issue 1
April 18, 2006
The Risks of IM in the Workplace
By Carlos Valiente, Jr., CISSP, CISA, CISM
Instant Messaging (IM), that popular collaborative business tool for instant electronic communication, brings with it serious security exposures that organizations need to address in order to avoid potential financial liability and the risk of public embarrassment. Originally created in the late 1980s as Internet Relay Chat (IRC), instant messaging technologies began to evolve in the mid to late ’90s and have rapidly become a highly popular method for communication across global networks. Instant messaging has also become a supplement to, and in some cases a replacement for, e-mail. It allows users to communicate instantaneously with friends, coworkers and business partners. A major anti-virus company reported that the e-mail ’Sasser” worm attack took only 14 minutes to reach 95 percent of its victims; at that speed, consider that instant messaging worms could infect all IM-using computers in under 14 seconds.
Risk # 1: Bypassing of Firewall Restricted Ports
Corporate Web users with the requisite technical capabilities can reconfigure their IM application to route traffic through external proxy servers (many of which are free on the Internet) and can bypass corporate firewalls by using non-restricted ports (e.g., those used for standard Web, SSL or other legitimate business access) for activity initiated from within the internal network.
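The gap described above is that a port-only firewall rule cannot distinguish an IM client or proxy tunnel on port 443 from ordinary HTTPS. The following script, added here as an example and not taken from the article, shows what a defender can do about it: it reads an egress log from a protocol-aware firewall or proxy and flags connections that use a web port but carry something other than HTTP or TLS. The log format, host names, addresses and protocol labels are constructed for this example.

```python
"""Flagging IM traffic tunnelled over ports the firewall leaves open.

Added example; not code from the original article. It assumes an egress
(firewall or proxy) log that records, per outbound connection, the
destination port and the protocol a protocol-aware device actually saw on
the wire. The log format, host names, addresses and protocol labels below
are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Ports an ordinary perimeter rule leaves open for web browsing. A port-only
# rule cannot tell an IM client or proxy tunnel on 443 apart from HTTPS.
WEB_PORTS = {80, 443}

# What a protocol-aware firewall/proxy is expected to observe on those ports.
EXPECTED_ON_WEB_PORTS = {"http", "tls"}

# Constructed log format: one connection per line, key=value fields.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\S+)$"
)


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def check_egress(lines: Iterable[str]) -> List[Finding]:
    """Flag connections that use a web port but do not carry a web protocol.

    Connections on other ports are left to the port-based rule itself; the
    point here is the gap that rule cannot close on its own.
    """
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or unrelated line; skip it
        if rec["dport"] in WEB_PORTS and rec["proto"] not in EXPECTED_ON_WEB_PORTS:
            findings.append(Finding(
                **rec,
                reason=f"{rec['proto']} observed on web port {rec['dport']}",
            ))
    return findings


# Constructed sample log: two legitimate web connections, an IM client and a
# SOCKS-style tunnel both riding port 443, an IM connection on a non-web
# port (which the port rule already covers), and one malformed line.
SAMPLE_LOG = [
    "2006-04-18T09:01:02 src=10.1.2.3 dst=www.example.com dport=443 proto=tls",
    "2006-04-18T09:01:05 src=10.1.2.3 dst=intranet.example.com dport=80 proto=http",
    "2006-04-18T09:02:11 src=10.1.2.7 dst=relay.example.net dport=443 proto=im-chat",
    "2006-04-18T09:02:40 src=10.1.2.9 dst=proxy.example.org dport=443 proto=socks-tunnel",
    "2006-04-18T09:03:00 src=10.1.2.7 dst=chat.example.net dport=5190 proto=im-chat",
    "this line is not in the expected format",
]


if __name__ == "__main__":
    for f in check_egress(SAMPLE_LOG):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport}  {f.reason}")
```

Run against the sample log it reports the two port-443 connections that are not TLS (the IM session and the SOCKS-style tunnel) and ignores the IM session on port 5190, which the existing port rule already blocks. The design point is that the check needs a protocol label observed on the wire; a log that records only ports gives no way to make this distinction.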
A computer industry study projects that IM services will be employed in 70 to 80 percent of enterprises, and that those services will most frequently be self-installed by individual users for interpersonal communications. Users install public, non-standard IM technologies primarily to establish communications with friends, business colleagues, clients, vendors, and loved ones. IM use may also be driven by the desire to use such new functions or features as voice chat (net phone) and web cam (video phone) that have evolved in these technologies. But, regardless of the reason for their use, the widespread use of these technologies on corporate systems represents a growing risk today.
In past studies, assessments of instant messaging capabilities have ranged from those that categorized it as a complete waste of resources and a productivity-lowering waste of time to those that envision it as a critical application for workplace connectivity. While the truth may lie somewhere between these extremes, it is safe to assume that IM has made a significant impact on the way we work, the way we communicate, and the way we collaborate. While concern for the risks posed by IM technologies may lead businesses to consider eliminating public IM services from their corporate networks, consideration must also be given to the personal and business reasons why users continue to use these services.
Risk # 2: Legal and Copyright Liabilities
After several high-profile lawsuits with multi-million dollar settlements that revolved around the contents of corporate communications, companies should be aware that simply by using IM, they are exposing themselves to an additional potential source of legal liability. It is imperative that organizations develop a comprehensive IM content policy that includes:
⇒ A list of ‘instant messaging risks’ to make users aware of the potentially harmful effects of their actions. If you don't want it posted on an Internet bulletin board, then don't hit the send button.
⇒ The policy should expressly state that the IM system is not to be used for the creation or distribution of any offensive comments about race, gender, age, sexual orientation, pornography, religious or political beliefs, national origin or disability. Furthermore, mention that employees should not use IM to discuss competitors, potential acquisitions or mergers, or to give their opinion about another firm.
⇒ If you are going to monitor the content of your employees’ instant messages, you must state this in your IM policy (in most countries/states you are allowed to monitor your employees’ e-mails if your employees are made aware of this).
In addition, IM applications enable the downloading and exchange of files; these files may contain copyrighted materials (e.g., music, video, software), and may even include offensive material that, if shared with clients or other external users, could expose your organization to potential harassment lawsuits and public embarrassment. Sharing copyrighted files or unlicensed software could also result in legal liability. Each organization needs to take the appropriate steps to ensure that its confidential information is safeguarded from external exposure and that its organizational culture supports staff awareness of what it considers acceptable business practices.