6.Educate and train users.
When asked what the most common IM vulnerabilities are in companies, John Rittinghouse, senior VP of commercial professional services at SecureInfo and co-author of a book on IM security, points to lack of user awareness and training. "Most of the damage we see is done on the inside when people do dumb things," he says. He cites clicking on a link from a spam message as an example. "Bam, you get a payload or rootkit put on your box. The next thing you know it's propagating on the network or going through all of your contacts, causing a denial of service," he says.
Rittinghouse says security execs need to educate users to be acutely aware of the risks IM can bring and reinforce that it's part of their job to protect the business. Employees also need to understand that IM communications are archived. "One of the things that killed Enron is employees not understanding that IM was part of the record. Some of the IM communications were very embarrassing, very damaging. Sexually explicit things were in there from employees to other employees. It's just ignorance," he says.
Employees should be especially vigilant given the stepped-up regulatory environment where there is no distinction made between e-mail and IM traffic. "A lot of companies only find that out when they get into trouble," says Rittinghouse.
He says that awareness and training programs don't necessarily cost a lot in money, but they do in effort. And some companies haven't been willing to make that effort. "Companies seem to find time not to do it," says Rittinghouse. He says security leaders must become evangelists about issues such as IM security and should be held accountable if they fail to educate their users.
7.Consider implementing an IM security product.
A host of companies offer products that allow companies to control and secure their use of IM. E-mail filtering companies such as Postini are starting to offer IM protection services too. At Amerex, Trudeau says security was actually a side benefit - the primary reason he installed a middleman product (IMlogic) was to log IM conversations. The same was true for Rubinow at Archipelago. "From a regulatory standpoint, we had to have that software in place or prohibit the use of IM," he says.
Thomas Pottanat, CISO at Banco Santander, says his bank doesn't currently allow IM, but that's going to change. "That's one of the mediums people are going to use. People are doing trades from New York in Latin American countries. I'm thinking about it, looking for a solution for how best to handle it," he says, knowing that when the bank allows it, regulations will require him to capture his IM data.
"You cannot tell people: 'Don't use e-mail or other telecommunications', because that's a means of doing business now," says Pottanat. "The world has changed, and everything needs to be done immediately."
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.