Cyber Security Institute

§ Current Worries

Top 3 Worries

  • Regulations
  • Old Firewall Configurations
  • Security Awareness

§ Listening

For the best information

  • The underground
  • Audible
  • Executive Excellence
  • Music (to keep me sane)

§ Watching

For early warnings

  • 150 Security Websites
  • AP Newsfeeds
  • Vendors

Thursday, July 13, 2006

Symantec says enterprises failing to secure instant messaging

Cupertino, Calif.-based security giant Symantec Corp. surveyed 400 CIOs on their organizations’ IM security policy, and found that 57% of them had no security or availability policies for their IM systems. The survey also found that only 22% of organizations archive their employees’ IM messages, a serious oversight that can lead to the leakage of confidential data or other sensitive information.  The results of the survey are especially surprising considering that the number of IM threats increased by more than 1,600% from 2004 to 2005, according to statistics gathered by Symantec. Last year the vendor recorded a total of 2,400 unique IM threats.

Despite the fact that instant messaging technology is nearly ubiquitous in the enterprise, and has been for some time, according to a new survey nearly 60% of organizations do not have any security technologies in place to defend against IM threats.  Nearly all enterprises have developed email archiving, retention and inspection policies, but the survey results suggest few organizations have extended that to their IM systems.  It starts with visibility. Most IT departments don’t have any visibility into the IM deployments in their enterprises,” said Andrew Burton, senior product manager at Symantec.  Burton said IM security is an issue, but enterprises should also address IM usage policies, data leakage and risk management. “These three areas have been addressed in email security,” he said, “but most organizations haven’t viewed them as something they need to address with IM.”

Some industries, most notably financial services and securities trading, have developed regulations that specifically govern the usage of IM clients and require logging and archiving of IM conversations. Other industries are beginning to follow that lead, Burton said, but slowly, for the most part.  “With regulatory compliance, life sciences and health care are starting to see the need for this. Government is coming on board, too,” he said. “In terms of governance, we’re seeing a broader movement across industries to secure IM in order to comply with audits and IT governance requirements.”

Burton attributed the increase to several factors, but noted that IM attacks often are more effective than email attacks, given the ease with which threats can spread through a user’s contact list.

“There’s a larger footprint [for IM] now, and the number of users attracts attackers,” he said. “Plus, the effectiveness is higher. Once someone is infected, the social engineering aspect of IM increasing the likelihood that other people will fall victim to the attack.”,289142,sid14_gci1199145,00.html

Posted on 07/13