NASCIO: Keep IM on enterprise

NASCIO IM Brief

Organizations that use instant messaging applications should block consumer IMs, according to a report issued by the National Association of State Chief Information Officers.

NASCIO released the report this month identifying potential IM security holes within state governments. While the document, “TLK2UL8R: The Privacy Implications of Instant and Text Messaging Technologies in State Government," indicates that IM can improve office communications, the authors say instant messages face the same issues as e-mail: privacy of users' personal information; viruses; and electronic records management.

Among the group's recommendations were blocking consumer services for IM, providing guidelines for enterprise uses and findings ways to archive IM conversations. NASCIO also suggested:

• Keeping IM services within the firewall

• Implementing an intrusion detection system to track unauthorized use

• Installing a proxy server

• Filtering content for sensitive key words

• Encrypting IM messages

• Security awareness

• Blocking file transfers and specific contractor IM products

• Controlling who uses IM within the state and to whom they send IM

• Activating an automatic logoff to prevent access by unauthorized individuals, and

• Installing anti-virus and anti-spyware applications.

The way for people to communicate real-time with others via online text messages is rapidly growing in popularity. Last year, the Pew Internet & American Life Project concluded that 21 percent of IM users use the technology while at work. Gartner Group predicts IM will surpass e-mail by the end of this year as the primary way people communicate electronically.

"States should look to how their [acceptable use policies] address email and Internet use by state employees and update them to address IM use as well," according to the report.

State employees can use instant messaging to talk to contractors or colleagues. Federal agencies such as the Defense Department, the National Institute of Standards and Technology and FEMA already use IM.

But IM can interrupt productivity, security and privacy, some experts say. According to Pew, about one-third of instant messaging users in the workplace employ the technology to talk to family and friends, while 40 percent use it to communicate with co-workers.

IM is not immune to malicious code and spam. Symantec estimates that IM security threats double every six months. And instant messaging users in departments such as state tax agencies can expose private information, such as the income of acquaintances, to other friends online.

And storing instant message conversations may give rise to privacy issues.

"State law may or may not require that the archiving party provide the other party with notice that the conversation is being archived," NASCIO's report states. "Given the immediacy of IM and the potential for a consumer to perceive IM communications as informal, a consumer could have IM discussions archived without his or her knowledge or consent and later divulged to others without authorization."

Paul Proctor, vice president of the risk and privacy practice at Gartner, agreed with almost all of the report’s conclusions regarding security and privacy implications. He also commended the document’s citation of security best practices.

"Each organization has to make its own decision, based on acceptable risk, whether to allow communications but they should use security policy and awareness to prevent employees from sending sensitive data," Proctor said. "The enterprise IM systems are much safer and their usage is controlled by definition."

He also rattled off a few horror stories from private industry.

"There have been a couple of Fortune 100s who had their networks shut down for brief periods because they were infected with the Kelvir or the Bropia worms," Proctor said. And a large software company found that intellectual property was transmitting, in clear text, across a public IM server, he said.

The report briefly mentions that government text message-enabled phones carry the same benefits and concerns as IM. Stolen or lost phones also can compromise stored sensitive information.