Friday | 5 December, 2008
CIO
How 2 Luv IM!
As with e-mail, IM channels are vulnerable to malware, and CIOs and security execs need to be cognizant of the risks. The problem is that security is often an afterthought when it comes to IM in the workplace.
Todd Datz 03 May, 2006 14:10:45

Seven steps to keeping your employees' instant messaging secure.

Instant messaging is a phenomenon that infiltrated corporate Australia like bedbugs in a backpacker hostel. It burrowed its way into companies a few users at a time, became fruitful and multiplied, and today has become a popular tool for employees to carry on business and, yes, exchange the occasional message with buddies scheduling that night's cocktail hour.

Yet IM can introduce some nasty by-products to a company's security posture. The wildfire-like growth of the technology has led to a spike in the number of Internet bloodletters who have found a new and vulnerable target for their attacks. And the speed with which an IM worm can propagate leaves a typical e-mail attack looking like a funeral procession down Main Street. "The fastest-ever e-mail threat took about 10 hours to hit 500,000 sites. On IM, it takes about five to seven minutes," says Francis deSouza, CEO and president of IMlogic, an IM security company acquired by Symantec early this year. According to antivirus vendor Sophos, the second-ever virus aimed at the Macintosh operating system propagates itself to other computers via iChat. Fear not, CIOs: You can defend your company against the IM nasties. This story takes a look at how popular IM has become, why banning it may be wishful thinking and what steps you can take to secure your IM networks. (Hint: Sticking your head in the sand and denying there's a problem isn't one of them.)

Market researcher Radicati Group says IM is being used in 85 percent of enterprises; that the number of IM messages being sent each day will increase from 11.4 billion in 2004 to more than 45.8 billion in 2008; and that the number of IM users will grow from 320 million to 592 million in 2008. And IM isn't just for 12-year-old kiddies talking about crushes, Brangelina and the latest episode of Big Brother. Responsibly used, IM can make workers more productive.

"From a general, philosophical standpoint, we try to keep our headcount lower to have lower operational costs and to be more efficient. We try to give people all the reasonable tools they need to expedite their jobs; one is IM," says Steve Rubinow, CTO of NYSE Group, an electronic stock market. Brian Trudeau, CIO at Amerex Energy, supports IM because some of the company's brokers rely on it. "It's kind of been an organic growth through the industry. One person starts it, now some traders won't talk to you unless you have an IM handle. It's instant gratification, not like e-mail, for which you have to wait. The nice thing about it is the ability to transmit information instantly," he says.

In today's business environment where speed thrills, that makes IM a winner. But, as with e-mail, IM channels are vulnerable to malware, and CIOs and security execs need to be cognizant of the risks. The problem is that security is often an afterthought when it comes to IM in the workplace.

The security risks are real. The predominant IM networks in use in companies are insecure public networks. Employees can download those clients easily and at no cost. Malware is propagating rapidly - IMlogic's Threat Centre reports that in 2005 there was a 1693 percent increase in reported incidents of new threats, 2403 unique IM and peer-to-peer threats, and that 90 percent of IM-related attacks included worm propagation. It also notes a dramatic increase in the sophistication of attacks. In addition to those risks, IM also offers employees an all-too-easy method of sending intellectual property outside the borders of your company, accidentally or intentionally.

So there's the bad, but here's the good: Take the steps below and you can sleep a little more peacefully at night. But look lively. If you haven't already done steps 1 and 2 at the very least, you're way behind.

1. Find out how much IM is going on inside your company.

Before making decisions about IM security, it's good to know what's crossing the wires every day. Who's using IM? What public networks are they using? How much traffic is there? What are people using it for - Games? File transfer? Arguing the merits of a flat tax or debating the latest steroid scandal? You may be able to determine much of this using standard network tools, or you might choose to dive into an IM-specific security tool to get a handle on IM activity.
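One way to answer the "who, which networks, how much traffic" questions from a firewall or flow export, shown as an added example that is not part of the original article. The log layout, the sample flows and the port-to-network mapping (default client ports of the public IM networks) are assumptions made for illustration.

```python
from collections import defaultdict

# Default server ports of public IM networks (assumption added here, not from
# the article). Clients that fall back to ports 80/443 are NOT counted, so
# treat the totals as a lower bound on real IM usage.
IM_PORTS = {
    5190: "AIM/ICQ (OSCAR)",
    1863: "MSN Messenger",
    5050: "Yahoo! Messenger",
    5222: "XMPP/Jabber",
}

# Constructed sample export, one flow per line: src_ip dst_ip dst_port bytes
SAMPLE_FLOWS = """\
10.1.4.21 192.0.2.10 5190 18400
10.1.4.21 192.0.2.10 5190 2200
10.1.4.37 198.51.100.7 1863 950
10.1.4.37 203.0.113.5 443 120000
10.1.9.8 198.51.100.44 5050 4100
10.1.9.8 192.0.2.10 5190 300
garbage line
10.1.4.50 203.0.113.9 80 5000
"""

def inventory_im(flow_text):
    """Return (per-network stats, networks seen per host, unparsable lines)."""
    networks = defaultdict(lambda: {"hosts": set(), "flows": 0, "bytes": 0})
    hosts = defaultdict(set)
    skipped = 0
    for line in flow_text.splitlines():
        parts = line.split()
        try:
            src, port, nbytes = parts[0], int(parts[2]), int(parts[3])
        except (IndexError, ValueError):
            skipped += 1          # malformed record: count it, keep going
            continue
        name = IM_PORTS.get(port)
        if name is None:
            continue              # not a known IM port
        stats = networks[name]
        stats["hosts"].add(src)
        stats["flows"] += 1
        stats["bytes"] += nbytes
        hosts[src].add(name)
    return dict(networks), dict(hosts), skipped

if __name__ == "__main__":
    nets, per_host, bad = inventory_im(SAMPLE_FLOWS)
    for name, s in sorted(nets.items(), key=lambda kv: -kv[1]["bytes"]):
        print(f"{name}: {len(s['hosts'])} hosts, {s['flows']} flows, {s['bytes']} bytes")
    print(f"hosts on more than one network: {[h for h, n in per_host.items() if len(n) > 1]}")
    print(f"unparsable lines: {bad}")
```
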
