Firms must tighten security for instant messaging, says Gartner

Companies need better controls to comply with the law and block malware spread by IM, say analysts

Firms need to quickly improve instant messaging (IM) management and security or they could face serious risks from emerging IM viruses and from breaches of regulations, according to analyst firm Gartner.

A new report from Gartner predicts that firms without proper IM management systems and policies will suffer 80 percent more IM-related security problems than their peers.

The report says that failure to monitor IM conversations between employees and to impose “Chinese walls” to guard communications could lead to breaches of the law, particularly in heavily regulated sectors such as financial services. It also says that failure to encrypt IM conversations makes it easier for sensitive or controversial data to be sent outside the organization. And the report notes that if firms do not have systems to track users’ interactions they will not be able to ensure compliance with acceptable usage policies governing workplace behaviour.

IM viruses transmitted as attached files or hyperlinks within IM messages are highlighted as a growing risk. David Mario Smith of Gartner said the problem was particularly acute where staff use public network IM systems, such as Microsoft's MSN Messenger. "There are benefits in being able to contact partners and customers quickly so a ban on IM use is not beneficial," he said. "But we would recommend firms deploy internal corporate IM systems that then link to external public systems, as they tend to be better at filtering out malware."

He added that firms should deploy dedicated IM security software, incorporate IM guidelines in their email usage policy, and notify users of risks associated with the technology. "IM really is a blind spot for firms at the moment," he added.

Ian Black, managing director of enterprise governance specialist Aungate, welcomed the recommendations. However, he added that firms should choose IM management software that can detect issues in real time. "You need to be able to alert users if they are in breach of corporate policy immediately, otherwise you are simply storing up the problem and can only take action after the event," he said.