Scott Christie, president of Christie Capital Management of Sarasota, Fla., has used instant messaging for years, relying on it to exchange large, sensitive files with hundreds of clients. He started with a consumer-based service and eventually switched to a business-based product.
"When I used consumer-based IM, I had no idea when I was being hacked," Christie said. "How would you know, when there's no way to monitor unusual activity? If you send files electronically and a hacker is sitting outside your firewall, you need to know that your communications are secure. Some people have big, expensive security systems. But I have a four-man shop, so I can't do that."
As businesses grow more dependent on instant messaging to trade files with clients and keep in touch with a growing mobile workforce, they're quickly finding the technology comes with a host of security headaches.
Employees get their IM client from a variety of big-name providers. IT departments have little or no control over these consumer-based services, which can be vulnerable to hacking and incompatible with company networks. Most enterprises have decided it's not worth the time and money to buy more security hardware. Instead, they're adopting business-to-business instant messaging with built-in security protocols and requiring that employees use it for anything work related.
In Christie's case, his company now uses the Secure Instant Messenger (SIM) system provided by Atlanta, Ga.-based Validian Corp. The product manages itself, monitoring suspicious activity, ensuring all messages and files are encrypted, and authenticating messages so the person who receives them knows the sender is not a hacker disguised as someone else.
"For me, it's a big deal to be able to transfer files of any size without having to worry about them being stolen or studied," Christie said. "It's much cheaper being able to transfer secure files through IM. I'm saving hundreds of dollars a month I was spending to FedEx files."
Krysia Jacobs, vice president of technical services for the Chicago Stock Exchange, can't recall any past security breaches that used IM. But like Christie, she decided it was better to be safe than sorry. She looked at two products -- IM Logic and IM Auditor -- and decided on the Auditor system provided by FaceTime of Foster City, Calif. For added security, she also decided to go with the company's IM Guardian program.
"From an IT perspective, we're not worried so much about the content of an IM conversation because it's no different from phone or e-mail conversations," Jacobs said. "The big thing for us is that we don't want someone to be able to take files we don't want out there. We also want to make sure trademarked items can't go back and forth, so this investment made sense to us."
Like SIM, the FaceTime products are designed so IT departments can control how IM is used in their companies, allowing them to enforce user policies and ensure the services employees rely on to conduct business mesh with the rest of the network. Several other vendors have a strong presence in the IM security space, and more are expected in the coming year.
"There are a number of free, non-secure IM systems out there that are not interoperable and leave the door open for a security breach, and there's not much IT departments can do about it," said Andre Maisonneuve, president and CEO of Validian. "IT departments want to be able to take control of the IM environment because of the security and legal concerns. The need to log IM transactions is also important to them."
Maisonneuve believes that as IM becomes more essential for companies to function, business-based systems will become the rule, not the exception. He said IT managers are "not going to get people to remove their personal IM systems, and they're reluctant to get more hardware. Adding another server in the middle won't cut it. So the answer is for them to invest in something they can control."
As that happens and more products flood the market, he said companies won't wait three years to see the return on investment of their security systems.
"They'll have to prove their worth quickly," Maisonneuve said of the vendors.