CyberSecurity Institute

A report released Wednesday by SurfControl contends that a sizeable number of U.S. businesses have yet to formulate or put into practice any official guidelines for dictating how workers may use IM on their networks.

A recent survey conducted by the IT security company found that 90 percent of the 7,500-plus businesses it spoke with have established policies to manage the use of e-mail, but 49 percent have no official rules in place to govern IM and peer-to-peer software usage.

Companies that fail to address the issue are increasingly susceptible to attacks, as a new crop of threats delivered via IM has appeared over the last several months.

“Instant messaging may be viewed as convenient to end users, but the business costs are too great to leave IM usage unchecked by security policy,” Jim Murphy, director of product marketing for SurfControl, said in a statement. “Numerous IM-borne viruses, worms, spyware applications and blended threats can all jeopardize network security and cost companies hundreds of thousands of dollars in clean-up costs.”

In the past month alone, multiple new variants of existing IM threats have appeared, looking to take advantage of people’s ignorance of the method of attack. The vast majority of the threats–in particular, the Bropia worm variants that use Microsoft’s MSN Messenger to spread–are hidden in IM messages that appear to have been sent by a known contact. The missives encourage people to click on a Web link or to download an attachment enclosed in an IM, but in reality, the messages hide some form of malicious code.

Since January, antivirus researchers have identified more than a dozen such threats, which typically are Trojan horses rather than flaw-exploiting viruses. That’s more than three times the number of similar attacks seen on public IM networks in the same period last year, according to figures from IM security company Akonix Systems.

Respondents to SurfControl’s survey ranked confidential data protection as one of their top security goals, with 83 percent of the companies interviewed citing it as a major concern.

Murphy said it is ironic that companies claiming to be tightly focused on securing their systems have let IM usage slip through the cracks. “Left ungoverned, instant-messaging applications are an easy vehicle for accidental or malicious disclosure of sensitive corporate data, including company financials, personnel records and customer data,” he said. “Clearly, companies must combine detailed acceptable-use policies with effective technology to manage instant messaging at work.”

http://news.zdnet.com/2100-1009_22-5631658.html

The first year of complying with section 404 of the Sarbanes-Oxley Act has come at a steep cost for many businesses, with greater-than-anticipated personnel, consulting, auditing, and software expenses, according to a survey by Financial Executives International, a professional association of CFOs, treasurers, and financial controllers.

The good news is that the cost of compliance efforts is expected to decrease this year as IT projects undertaken to meeting the financial-reporting requirements of section 404 progress.

Companies like Eastman Kodak, SunTrust Banks, and Toys R Us have reported accounting problems that may preclude their issuing such a statement in their 2004 annual reports.

Uncertainty over auditing procedures for section 404–final guidelines weren’t adopted by the Securities and Exchange Commission until late last year–was cited as a major reason for the variance between estimated and actual costs.

Ninety-four percent of the March survey respondents say the costs of Sarbanes-Oxley compliance exceeded the benefits.

Personnel and external costs are expected to decline by 39% on average through adoption of more-efficient compliance processes and procedures.

http://www.informationweek.com/story/showArticle.jhtml;jsessionid=20JC5RPZDVSV4QSNDBGCKHSCJUMEKJVN?articleID=159904261