
Instant Messaging (or IM) has a growing corporate following. The ability to carry on a live chat with others appeals to many corporate users. In many companies IM is used for contact between project team members, between customers and vendors on a project, and between employees and their families. Even if not officially sanctioned by corporate management or the IT department, many departments or sub-groups are using Instant Messaging. It is easily downloaded for free and works in many corporate network environments without any special request to the IT department. Because IM was developed for the consumer market, there are few security features in the free products. The use of free, consumer-grade IM products in a corporate environment exposes the company network to several security risks.
What are the risks of using Instant Messaging in a corporate environment? One risk is that, like email, IM programs can carry viruses. A virus can be sent through a chat session to a machine inside a corporate network. While many companies run virus scanning directly on their email server, IM chat messages do not travel through the email server. As with email viruses, IM viruses can be sent from an infected computer without the sender's direct knowledge. Because the employee is chatting with someone he knows, he may accept or open a file sent to him via the IM program. A good, updated anti-virus program is the only line of defense at that point.
Another risk of using IM in a corporate environment is that the chat messages are not secure. Chat messages can be intercepted and, as they are transmitted in plain text, can be read by the person intercepting them. Some IM products also offer the option to log the chat sessions. The message text from the chat is written to a text file on the logging computer's hard drive. If the computer is accessed by either another user inside the company or by someone outside the company, these persons could potentially read the stored chat logs. The primary problem with intercepted messages or stored chat logs is that corporate employees may be discussing sensitive information using IM. Private conversations regarding project status, pricing, customers, vendor bidding, and other employees may not be private at all.
In March of 2001, stored chat logs from the CEO of a company were posted to the Internet. The chat logs included conversations regarding the company's partner companies and discussions about employees. The publishing of these "private" conversations caused turmoil within the ranks and with the company's partners. About a week after the publishing of these logs, several top-level management personnel resigned. Partners began to publicly distance themselves from the company, which has since gone out of business.
Are there solutions to the risks of IM? A primary solution, if Instant Messaging is in use, is to assume that all conversations are public. That, in combination with a good, regularly updated anti-virus program, will protect a company from most IM problems. If a company does not want IM products in use (because of a highly sensitive industry or sensitive data), IT departments can consider blocking common IM traffic ports. Although that does not completely prohibit IM use, it will block the bulk of IM products from communicating outside the corporate network. Another solution is enterprise-grade IM products. Several IM products designed for use in corporate environments are becoming available in the market. These products are not free like the consumer-grade products, but they offer more security and encryption features. The best protection is awareness of the risks of IM usage. Consider whether IM usage is advantageous to your organization and implement protections based on whether you allow IM or block it.
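The port-blocking approach above is easiest to judge once you can see which internal hosts are actually reaching the consumer IM services. The following is an added example, not code from the original article: it parses constructed firewall log lines, flags connections to a set of well-known IM service ports, tallies them per internal host, and emits the matching egress block rules. The log format is constructed, and the port list, the iptables chain name and the log prefix are assumptions drawn from common early-2000s clients rather than from the article. A port match has the limit the article notes: a client that tunnels over port 80 or 443 will not appear in these results.

```python
"""Spot consumer IM traffic in egress logs and emit matching block rules.

Added example, not part of the original FrogTalk article. The log format
below is constructed, and the port list is an assumption drawn from widely
used early-2000s IM clients rather than from the article.
"""
import re
from collections import Counter

# Assumed mapping of well-known IM service ports to a label. Adjust it to
# the products actually seen on your network; it is not from the article.
IM_PORTS = {
    5190: "AIM/ICQ (OSCAR)",
    1863: "MSN Messenger",
    5050: "Yahoo Messenger",
    5222: "XMPP/Jabber",
    6667: "IRC",
}

# Constructed sample lines in a simple "ALLOW proto src -> dst" firewall format.
# The last line is deliberately malformed to show that parsing skips it.
SAMPLE_LOG = """\
2002-10-03 09:14:22 ALLOW TCP 10.1.4.23:51234 -> 64.12.24.10:5190
2002-10-03 09:14:25 ALLOW TCP 10.1.4.23:51235 -> 207.46.110.40:1863
2002-10-03 09:15:01 ALLOW TCP 10.1.7.9:40012 -> 216.136.172.223:5050
2002-10-03 09:15:07 ALLOW TCP 10.1.7.9:40013 -> 172.16.0.5:25
2002-10-03 09:16:30 ALLOW TCP 10.1.4.23:51240 -> 64.12.24.10:5190
2002-10-03 09:17:12 ALLOW TCP 10.1.9.14:33001 -> 66.35.250.150:443
garbage line that should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_im_connections(log_text, ports=IM_PORTS):
    """Return every parsed record whose destination port is a known IM port.

    Only the destination port is inspected, so IM clients that fall back to
    port 80 or 443 are not detected by this check.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["dport"] in ports:
            rec["service"] = ports[rec["dport"]]
            hits.append(rec)
    return hits


def hosts_by_im_use(hits):
    """Count IM connections per internal source address."""
    return Counter(h["src"] for h in hits)


def egress_block_rules(ports=IM_PORTS, chain="FORWARD"):
    """Produce iptables rules that log, then reject, outbound traffic to the IM ports.

    The chain name and log prefix are assumptions; fit them to the perimeter in use.
    """
    rules = []
    for port in sorted(ports):
        rules.append(f'iptables -A {chain} -p tcp --dport {port} -j LOG --log-prefix "IM-BLOCK "')
        rules.append(f"iptables -A {chain} -p tcp --dport {port} -j REJECT --reject-with tcp-reset")
    return rules


if __name__ == "__main__":
    hits = find_im_connections(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['src']} -> {h['dst']}:{h['dport']} ({h['service']})")
    print("Per-host totals:", dict(hosts_by_im_use(hits)))
    print("\n".join(egress_block_rules()))
```

Running the block against the sample log reports four IM connections from two internal hosts and leaves the SMTP and HTTPS lines alone; the generated rules log each rejected attempt so that the same review can be repeated after the block is in place.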
This article originally appeared in the October 2002 issue of FrogTalk.