The Security Risks Associated With Instant Messaging In The Workplace
Instant messaging (IM) is an increasingly popular form of text-based communication, allowing written messages to be passed between two or more people over the internet, and offering a range of other ways to share data, such as voice calls, video calls and file transfers.
As services such as MSN Messenger, Yahoo! Messenger and Skype are free, they have become popular with many businesses as a way to collaborate on projects and keep in touch with remote employees. But in the corporate workspace, IM can pose a number of serious risks, including time-wasting and threats to security, many of which can be avoided with the introduction of an acceptable use policy.
For example, it is wise to prohibit the sharing of personal opinions by IM as conversations can be saved and made public, just like emails. This danger was highlighted by financial training software provider eFront, which suffered serious damage to its reputation when the CEO's IM conversations were made public and revealed personal comments about shareholders and partners.
IM also carries all the same threats as emails when it comes to phishing scams, which seek to elicit personal information, and viruses, which can be hidden in transferred files. An acceptable use policy could simply prohibit the practice of sharing files and links, but many businesses prefer to advise all users to avoid clicking on any unsolicited links, to only accept file transfers from trusted sources and to avoid giving away personal information via IM at any time.
For staff intent on stealing or spreading confidential information, IM offers a means to transfer information by text or file transfer without the use of a browser or email that would leave a more obvious trace. With typical upload speeds currently in the region of 296 kb per second, it is possible that a user could transfer up to 8 gigabytes of information in a single working day.
Sensitive company information can even be spread unintentionally via IM, as illustrated in a survey from security firm Akonix, which revealed that 16% of employees have accidentally sent or received business information that was meant for someone else. To help avoid this, your acceptable use policy should require that business and social chats are kept separate. This could mean either having a separate IM ID for work, or sorting contacts clearly into business and social groups to reduce the risk of hitting send to the wrong person.
Of course, an acceptable use policy is only effective if it is understood and adhered to by all employees, so however you decide to regulate IM usage, it is important that this is fully communicated to staff and that behaviour is monitored to ensure that misuse is detected.
If you are concerned that an employee may be sharing information inappropriately via IM, it is wise to engage the assistance of a computer forensic analyst, who will be able to recover evidence from the suspect's computer without corrupting it, thus preserving its admissibility in court or at an employment tribunal.