Instant Messaging Security. Is It Possible?

About 200 million people will use instant-messaging (IM) services this year, according to IDC, and next year over half of them will be business users. Many of them, in turn, will be in financial services, the business sector that has taken to IM more than any other.

It has enjoyed such a meteoric rise in financial services because the convenience and productivity it puts into users' hands, at very little cost, particularly appeals to bankers, traders, and insurers.

"Instant messaging is becoming a more mainstream business tool," says Andrew Brown, CTO of Global Infrastructure Services for Merrill Lynch. "IMlogic gives us enhanced capabilities regarding access control, reporting and management."

However, as corporate adoption of IM peaks this year, many commentators are becoming concerned about the need to secure the informal networks upon which IM depends, both to protect against hackers and to meet regulatory requirements.

The Big Bang in IM security threats
The warning signs are there to be read. For example, in February, Microsoft cut access to its MSN Messenger IM service to halt the exploitation of a security flaw: a vulnerability, which allowed malign attackers to take control of affected systems in all but the latest versions of the messenger clients, was posted on the Internet.

In addition, IMlogic has reported that the incidence of IM security threats increased by 50 percent in the first three months of this year; that more than one hundred of the most common IM viruses had grown by 30 percent in the same period; and that IM spam now accounts for up to seven percent of all traffic. In other words, IM malware has undergone a "big bang".

Financial sector authorities have already responded to the threat. As far back as December 2002, the Securities and Exchange Commission fined five large Wall Street firms $8.25m for failing to archive and supervise their electronic communications.

The industry itself has taken note too. The Financial Services Instant Messaging Association (FIMA) — whose members include Bank of America, Citigroup, Credit Suisse First Boston, Deutsche Bank, JP Morgan Chase, Lehman Brothers, Merrill Lynch, Prudential, and UBS Warburg — exists to pressure vendors into standardising IM platforms in order to promote compatibility and security. Furthermore, the National Association of Securities Dealers (NASD) recently told its 5,300 brokerage firm members to retain IM records for at least three years as proof against future disputes.

Handling IM security in financial organisations
On the other hand, taking responsibility for IM is not always as easy as might be thought. For example, if a firm decides simply to ban IM — in a similar manner to which some banks tried to ban email — then determined employees will readily find ways around bars on the network. Moreover, programming corporate IT systems to scramble any instant messages that are sent is tricky and time consuming, since most IM platforms are proprietary and change fast.

A ban may also not prove effective because IM penetrates the organisation under the radar: it is routinely embedded in office software, for example.

Arguably the more sensible route to take, not least because it has become part and parcel of modern business communications, is to control the use of instant messaging. IMlogic's approach is typical: its product, called IM Manager, archives every IM conversation across a network. IM Manager can track messages, reconstruct exchanges, and monitor for attacks.

In short, like email, IM has become part of the communications landscape. Financial organisations must embrace and secure it, not fear and try to dodge it.

Source: Mark Vernon, Tech Republic, Published: 12 Apr 2005