Report: Companies unprepared for IM attacks

Many businesses are ignoring the emerging security threat posed by instant messaging software, a survey shows.

Matt Hines Staff Writer, CNET News.com
Many businesses are leaving themselves vulnerable to the emerging crop of IM-borne attacks because they aren't managing employee use of instant-messaging software, a new report finds.

A report released Wednesday by SurfControl contends that a sizeable number of U.S. businesses have yet to formulate or put into practice any official guidelines for dictating how workers may use IM on their networks. A recent survey conducted by the IT security company found that 90 percent of the 7,500-plus businesses it spoke with have established policies to manage the use of e-mail, but 49 percent have no official rules in place to govern IM and peer-to-peer software usage.

Companies that fail to address the issue are increasingly susceptible to attacks, as a new crop of threats delivered via IM has appeared over the last several months.

"Instant messaging may be viewed as convenient to end users, but the business costs are too great to leave IM usage unchecked by security policy," Jim Murphy, director of product marketing for SurfControl, said in a statement. "Numerous IM-borne viruses, worms, spyware applications and blended threats can all jeopardize network security and cost companies hundreds of thousands of dollars in clean-up costs."

In the past month alone, multiple new variants of existing IM threats have appeared, looking to take advantage of people's ignorance of the method of attack. The vast majority of the threats--in particular, the Bropia worm variants that use Microsoft's MSN Messenger to spread--are hidden in IM messages that appear to have been sent by a known contact. The missives encourage people to click on a Web link or to download an attachment enclosed in an IM, but in reality, the messages hide some form of malicious code.

Since January, antivirus researchers have identified more than a dozen such threats, which typically are Trojan horses rather than flaw-exploiting viruses. That's more than three times the number of similar attacks seen on public IM networks in the same period last year, according to figures from IM security company Akonix Systems.

Respondents to SurfControl's survey ranked confidential data protection as one of their top security goals, with 83 percent of the companies interviewed citing it as a major concern. Murphy said it is ironic that companies claiming to be tightly focused on securing their systems have let IM usage slip through the cracks.

"Left ungoverned, instant-messaging applications are an easy vehicle for accidental or malicious disclosure of sensitive corporate data, including company financials, personnel records and customer data," he said. "Clearly, companies must combine detailed acceptable-use policies with effective technology to manage instant messaging at work."