Just in case you failed to notice, the ubiquity of instant messaging (IM) among home users is making an impact in the corporate environment as well. The analyst firm IDC projects that roughly half of the 506 million IM users in 2006 will be corporate users.

This rapid adoption of corporate IM is changing the nature of communications at work. Corporate users find the interactive nature of IM communication particularly useful for open collaborative discussions. Yet, with all its benefits, IM offers a unique challenge to the corporate security manager. Initial attempts by corporate security departments to ban or limit its use have been met with user pushback. For many organizations, IM is now a low cost productivity and collaborative tool that is integral to the work environment. The reality is that corporate IM is here to stay and security managers must learn to deal with its implications.

Why Is Instant Messaging a Security Priority?

Why does the use of IM in the corporate environment pose such security challenges? There are a few noteworthy reasons. First, today’s extended IM functionality opens the enterprise to a wide variety of threats. Unlike the purely text-based IM transmissions of five years ago, IM users today may link audio, video and file attachments to message transmissions. As such, IM may be exploited as a means for launching and propagating malicious attacks such as worms or trojans. Many perpetrated attacks in the recent past have taken advantage of e-mail as a means of launching malicious code. Infection is often initiated when the user clicks on an attachment or embedded URL. With IM’s extended capability for attachments as well as embedding URLs, hackers can exploit IM in a similar fashion.

Second, corporate IT organizations are still playing catch up with regard to secure IM policies. Many security teams have been slow in responding to this proliferation of IM. The use of IM has thus far been unregulated in many organizations and hence poorly managed. Often, users may be running older versions of IM clients that could be vulnerable to exploits. In some cases, there is no patch management policy is in place for IM since it’s not an “official” corporate application. Users are often uneducated with regard to the risks associated with IM. Besides the risks of malicious code attachments, unintiated users may treat IM as a secure communication medium when in fact IM communication is primarily unencrypted and can be read off the wire.