Might as well dive in, the water is going to keep rising anyway
- By William Jackson
- Sep 04, 2007
Seems as if it's always something. If it isn't viruses, it's spam, and if it isn't spam, it's phishing. First it was diskettes, then it was e-mail, and now it's instant messaging delivering the malicious code to our enterprises.
Akonix Systems Inc., an IM security vendor, reported recently that it identified 38 new IM attacks in August, double the number it found in July. That brings the total number of new attacks this year to 264.
"It's not a huge number," admitted Don Montgomery, the company's vice president of marketing. Compared to the number of buffer-overflow and denial-of-service attacks that are circulating, it is actually a pretty small number. But it is rising steadily at a time when IM is becoming a more common business tool. And there appears to be little management of IM applications in the workplace, making it likely that some of those attacks will make it into the enterprise.
Montgomery cited estimates that some 75 percent to 80 percent of Internet-connected workers are using IM in the workplace, while only 15 percent to 20 percent of them are sanctioned and managed. That would mean that more than 50 percent of those workers could be exposed to IM threats, putting the entire enterprise at risk.
Are those figures accurate? I don't know, and Montgomery obviously has an interest in painting the threat as darkly as possible. But the numbers do seem plausible. IM appears to be following the traditional trajectory of information technology adoption in the workplace - the trajectory marked by the appearance of the first PCs through e-mail and the Web to today's cell phones that are advancing beyond managers' ability to keep up. First, new technologies are merely toys or novelties; then they are brought from home to the office, where they become a nuisance to the IT department, which rejects them; they infiltrate the workplace anyway and gain grudging acceptance when workers begin relying on them to remain productive; then they become fully managed business tools.
It is not just IM applications that are making their way into the workplace today. There are myriad USB devices and increasingly mobile and powerful handheld devices that offer any number of innovative ways to network and communicate.
"Everyone seems to be focused now on USB sticks and rightfully so," said Nick Cavalancia, vice president of marketing at ScriptLogic Corp. Such devices are tiny, and they can hold not only a lot of data but also malicious code to automate the collection of that data. However, it is Bluetooth that worries Cavalancia. Files could be transferred from a PC to a Bluetooth-enabled phone or other mobile device and then immediately e-mailed to another site.
"Since you're not going through the traditional methods of file transfer, nobody can see what's happening," he said.
Once you've addressed that threat, there will be another one behind it. The key to managing wave after wave of threats is not to ignore, deny or reject them outright. Your efforts to keep them out of the workplace probably would be no more effective than King Canute ordering back the tides. And completely blocking or locking down a technology will have a negative impact on productivity - although that is all right if you feel the risk warrants it.
The best way to deal with any new technology is to recognize it early, study it, and then come up with a policy and a plan for managing it. Anticipate its adoption; allow it to the extent it is useful, with the proper controls; and restrict it where appropriate, putting the proper tools in place to enforce policy.
It is a never-ending job, but you might as well make up your mind to go ahead and get your feet wet now because the tide is going to keep rising.
William Jackson is a Maryland-based freelance writer.