Instant security breach

As corporate workers everywhere have discovered, instant messaging makes communication quick and easy. The problem is, it makes a lot of other things quick and easy, too — such as security breaches. And it’s getting worse.

For example, Time-Warner announced a few weeks ago that the Federal Communications Commission had decided to allow the AOL Instant Messenger to carry streaming video. So now you can do more than send quick notes; you can also send videos instantly, right from your desk, and you can attach files, photos, music, and other types of binary information to regular messages.

If you’re a security manager, you’re probably breaking a sweat just from reading that. Public IM applications are the perfect means of compromising your company’s security because your employees can send out information through a channel that’s usually not well-protected. They can receive binary information,  including worms and viruses, in the same way. Plus, none of this is encrypted, so it’s possible for someone with a sniffer in the right place on the network to read your messages.

The easy answer is simply to ban all instant messaging from your network. But as a productivity tool, IM is probably valued by your company’s managers. Another solution is to train employees not to discuss sensitive subjects using IM. Of course, if an employee is sending company secrets to your competition over IM, such training isn’t going to change anything.

Fortunately, there are other options. One is to use a secure IM application that only communicates with other employees. We’re trying out one such application, the Groove collaboration package, at InfoWorld, but there are plenty more. The biggest downside I’ve seen so far is that most of the enterprise IM applications I’ve played with are clunky. But not so clunky that your employees won’t use them.

Some of the corporate IM applications I’m hearing about promise auditing and recording. If there’s ever a question about what happened during an IM conversation, you can check an archived copy to get the real scoop.

What’s even better is AOL’s talk of a secure, corporate version of its IM software. This package would be very popular (heck, even I use AIM software, despite its security holes) because it’s easy to use and highly intuitive.

So instead of worrying about IM security, provide a (more secure) alternative that your employees will use and set up a way to monitor IM traffic from the outside. You can use most network monitoring software to do this, thereby giving your employees what they want while staying secure.