Instant Messaging (IM) may be used by workers for both business and personal purposes. But this may expose employers to greater security and privacy risk, and may also give rise to legal liability.
Technology vendors have released IM products for corporate use that authenticate, encrypt, audit, log and monitor IM communications. These new corporate enterprise products help financial institutions use IM technology in a more secure environment and assist in compliance with applicable laws and regulations.
This article identifies the risks in instant messaging and ways to mitigate them using a risk management programme.
What is Instant Messaging?
Instant messaging originated as a free software download for consumers in 1996. The technology provides the ability to chat on-line, as well as to share files. Public IM was not originally developed for commercial use and lacks standard security features.
Instant messaging has become a popular communication channel because the software is free, easy to install and easy to use. Even if software downloads are not permitted in a work environment, public IM can still be reached through a Web browser such as Microsoft’s Internet Explorer, which sends messages over ordinary Web (HTTP) connections.
Employees restricted by slow home dial-up connections may take advantage of faster networks at work to access public IM and share and download files.
The lack of built-in security, the ability to transfer files and the built-in “buddy list” of recipients create an environment in which viruses and worms can spread quickly. The threat is greater on a workplace network because public IM does not travel through a central corporate server where traditional anti-virus protection is located. IM virus protection should therefore combine network, desktop and laptop solutions so that both IM delivery models are covered: server broker, where the IM server only introduces the two parties and messages or files then flow directly between their computers, and server proxy, where all traffic passes through the vendor’s server. Since effective virus protection specifically for IM is still being developed, senior management will need a comprehensive anti-virus program to detect the many blended threats that currently exist with the technology.
Public IM transmits information unencrypted, so it should never be used for sensitive or confidential information. The traffic crosses the Internet in the clear and can be read by anyone able to observe it on the path, including the IM vendor. In addition, direct file-sharing exposes the user’s Internet protocol (IP) address to the other party and increases the risk that unauthorized parties could gain access to the computer.
Messages received over public IM are not authenticated. There is no way to verify that a message really originated from the sender with whom the recipient believes he or she is communicating during the session. Chat sessions can be hijacked and users can be impersonated.
Firewalls should be configured to block incoming and outgoing public IM traffic. Because browser-based IM runs over the same ports as ordinary Web traffic, port-based rules alone are not enough; the IM vendors’ service hosts should be blocked as well. Senior management should also consider blocking known Web sites that broadcast nuisance material. Both measures can be difficult to manage because Internet names and addresses change over time, and some of the blocked activity may need to be allowed for legitimate business purposes.
Intrusion Detection Systems (IDS)
An institution’s information security program should address preventing, detecting and responding to threats. Institutions should consider the use of IDS to detect the unauthorized use of IM. Network intrusion detection sensors placed where the institution’s traffic leaves for the Internet can recognize IM protocols and log or alert on them, and host-based sensors can do the same on individual computers.
Mitigating risks associated with Instant Messaging
The numerous vulnerabilities inherent in IM dictate that senior management perform a risk assessment on the business benefit of allowing the use of public IM on financial institution networks. Financial institutions should consider the following practices regarding IM as part of an effective information security program:
- Establish a policy to restrict public IM usage and require employees to sign an acknowledgement of receipt of the policy.
- Consider implementing an intrusion detection system to identify IM traffic. Assess the need for other IM security products.
- Create rules to block IM delivery and file-sharing.
- Consider blocking specific IM vendors.
- Ensure a strong virus protection program.
- Ensure a strong patch (software update) management program.
- Include the vulnerabilities of public IM in information security awareness training.
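The firewall, IDS and blocking steps above describe detecting IM traffic without showing what the detection logic looks like. The following is an added example (not code from the original article or from any vendor product it mentions) that scans outbound connection logs for IM and implements both checks a practitioner would want: a match on the well-known native client ports of the public IM networks, and a match on the IM vendors’ host names, which is what catches browser-based IM carried over port 80 or 443. The key=value log format, the sample log lines and the host watchlist are constructed for the example and are assumptions; real deployments would adapt the parser to their firewall or proxy format and maintain the watchlist from current vendor information.

```python
"""Flag instant-messaging connections in an outbound connection log.

Two complementary detections over a simple key=value log format
(constructed for this example):
  1. destination port is a well-known native IM client port, and
  2. destination host is on an IM service watchlist, which also catches
     IM tunnelled over HTTP/HTTPS where port matching alone is blind.
"""
import re
from collections import Counter

# Well-known native client ports of the public IM networks of the period.
# The same table doubles as the firewall's egress block list.
IM_PORTS = {
    5190: "AIM/ICQ (OSCAR)",
    1863: "MSN Messenger (MSNP)",
    5050: "Yahoo! Messenger",
    5222: "XMPP/Jabber",
    6667: "IRC",
}

# Assumed watchlist of IM service domains (illustrative entries; maintain
# from vendor documentation, since these names change over time).
IM_DOMAINS = (
    "oscar.aol.com",
    "messenger.hotmail.com",
    "webmessenger.msn.com",
    "messenger.yahoo.com",
    "talk.google.com",
)

FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample log: one outbound connection per line.
SAMPLE_LOG = """\
ts=2007-11-01T09:12:03 src=10.1.4.22 dst=64.12.24.1 dport=5190 host=login.oscar.aol.com proto=tcp
ts=2007-11-01T09:12:09 src=10.1.4.22 dst=207.46.110.37 dport=1863 host=messenger.hotmail.com proto=tcp
ts=2007-11-01T09:13:44 src=10.1.4.57 dst=64.4.35.10 dport=80 host=webmessenger.msn.com proto=tcp
ts=2007-11-01T09:14:02 src=10.1.4.57 dst=93.184.216.34 dport=443 host=www.example.com proto=tcp
ts=2007-11-01T09:15:30 src=10.1.4.90 dst=192.0.2.25 dport=25 host=mail.example.com proto=tcp
ts=2007-11-01T09:16:11 src=10.1.4.90 dst=198.51.100.7 dport=5222 host=chat.example.net proto=tcp
"""


def parse_line(line):
    """Parse one key=value log line into a dict; dport becomes an int."""
    fields = dict(FIELD_RE.findall(line))
    if "dport" in fields:
        fields["dport"] = int(fields["dport"])
    return fields


def host_matches(host, domains=IM_DOMAINS):
    """True if host equals a watchlist domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def classify(record):
    """Return the reasons a connection looks like IM (empty list if none)."""
    reasons = []
    port = record.get("dport")
    if port in IM_PORTS:
        reasons.append(f"port {port} ({IM_PORTS[port]})")
    host = record.get("host")
    if host and host_matches(host):
        reasons.append(f"host {host} on IM watchlist")
    return reasons


def scan(log_text):
    """Return [(record, reasons)] for every flagged connection in the log."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        record = parse_line(line)
        reasons = classify(record)
        if reasons:
            findings.append((record, reasons))
    return findings


def offenders(findings):
    """Count flagged connections per internal source address."""
    return Counter(record["src"] for record, _ in findings)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for record, reasons in hits:
        print(f"{record['ts']} {record['src']} -> {record['host']}: " + "; ".join(reasons))
    print("per-host totals:", dict(offenders(hits)))
```

Note that the third sample connection is flagged only by the host check: it runs on port 80, so a port-only rule (or a port-only IDS signature) would have missed it. The last connection is the opposite case, an unknown host on the XMPP port, which is why a flagged connection should feed an investigation rather than an automatic block, since an institution may run its own sanctioned XMPP server.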
The risks associated with the use of IM include revealing confidential information over an unsecured delivery channel, spreading viruses and worms, and exposing the network to backdoor Trojans: hidden programs that perform a specific function on a system once a user has been tricked into running them. IM is also exposed to denial-of-service attacks and session hijacking, and downloading copyrighted files over it can create legal liability.
Financial institutions are required to design and implement a comprehensive written information security program. The security program should include appropriate controls and training to address the risks posed by the use of public IM.
Guidance issued by the Financial Services Authority (FSA) on instant messaging use in relation to the Markets in Financial Instruments Directive (MiFID) came into effect on 1 November 2007.
In its Policy Statement on telephone recording (recording of voice conversations and electronic communications), the FSA explicitly includes instant messaging, but also leaves the definition open to any subsequent forms of electronic communication:
The term electronic communication has a wide application. It includes facsimile, email, Bloomberg mail, video conferencing, SMS, business to business devices, chat and instant messaging. But it is not limited to these as it captures any electronic communications involving receiving client orders and the agreeing and arranging transactions.
The guidance also specifies that firms, including banks, stockbrokers, investment management firms (in general) and insurance companies, are required to record telephone lines used for the receipt of client orders and for the negotiation, agreement and arrangement of transactions across financial markets. Firms are also required to retain electronic communications related to these same activities (including fax, e-mail, chat and instant messaging).
There are IM solutions that are free and available on the Internet. However, as reported in the Actica report: “many of the free variants have no capability to record communications and those that do, commonly provide no way for system administrators to mandate recording/archiving of conversations. Although business processes can be used with these free and Internet-based solutions to record and archive communications, the assurances for these solutions are low.”
There are two legitimate responses to the guidance:
- Allow secured and managed IM to be used in the organization with appropriate usage policies and technological safeguards, or
- (less plausibly) block all unsanctioned public IM and file-sharing networks.