Most Firms Are Clueless About Instant Messaging Risks
The instant messaging service many of us enjoy via our Internet service providers is a potential security weakness for businesses, but most companies seem blissfully unaware of the danger, experts say.
Instant messaging, which allows two individuals to have a “real-time” conversation by typing messages back and forth over the Internet, presents “hundreds of vulnerabilities,” states Robert Elliott, technical project administrator for eRiskSecurity, based in Burbank, Calif., “and each of them can be devastating.”
These vulnerabilities, says Elliott, may allow an intruder to execute “arbitrary commands, such as formatting your hard drive or controlling your computer [to launch] more insidious denial of service attacks.” Software applications that enable such attacks are freely available on the World Wide Web, he adds.
“A lot of companies have their heads in the sand, thinking that if they cant see a hacker, a hacker cant see them. Thats just not true,” asserts Elliott, whose company performs vulnerability analyses on computer networks.
While instant messaging isnt often regarded as a business tool, it is increasingly taking hold in business settings, “usually without managements knowledge,” says Elliott. This may happen when employees use instant messaging for personal communications. In addition, “a lot of IT pros themselves use it,” Elliott points out. In that case, even if proper firewall protection is in place, “IT staff might go around it or put a hole in your firewall” in order to use instant messaging themselves.
“ITs job should not be to allow instant messaging clients, unless its only internal,” says Elliott. “On a flat networkwhere every machine can be seen by every other machinemost computers are trusted. If a hacker gets hold of one of them, he has them all.”
According to Elliott, Trojans (A Trojan is a virus that, once it gets into a computer, will allow access to that computer from outside sources) and other viruses “are easy to deliver via the instant messaging client.”
Elliott notes that people may tend to trust instant messaging attachments more than they do e-mail, because the instant message is usually from someone they know and trust. Thus a hacker who has gained access to your friends computer can assume your friends cyber-identity and send malicious attachments to you at your business address.
Such risks are naturally of concern to those who issue business insurance, notes Philip Pierson, founder and manager of Swett & Crawfords cyber-insurance facility, e-Sher Underwriting Managers, Irvine, Calif., a wholesale brokerage owned by Aon.
“Studies say the prevalence of instant messaging is moving from personal to business usage,” says Pierson. “Were sure it will be utilized [in business settings] and were sure it will be [a security] issue. Companies must protect themselves, specifically againsta new breed of viruses and worms that target instant messaging applications.”
In response to this risk, Pierson says his company will now start asking potential insureds: “Is instant messaging in the game plan for your company? If so, how are you dealing with security?”