Because IM clients reside on users' desktops and communicate with the outside world over HTTP, it is difficult to distinguish IM messages from everyday Web traffic. Yet IM clients are basically interpretation programs, like Microsoft Word, that can execute all manner of attachments, thus creating a backdoor into the corporate network, said Fred Cohen, a principal analyst with the Burton Group.
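To make the "hard to distinguish from Web traffic" problem concrete, here is an added example (not code from the article or from any vendor it quotes) that scans proxy log lines for the consumer IM services named later in the piece. The log format, the sample lines and the indicator list (IM ports 5190, 1863 and 5050, and the oscar.aol.com, messenger.hotmail.com and msg.yahoo.com hostnames) are assumptions for illustration, not facts the article states. The point it demonstrates is the limit the article describes: a CONNECT to a known IM port or a known IM host is easy to flag, but an IM client that relays plain HTTP through an unremarkable hostname looks like ordinary browsing and is not caught by this filter.

```python
import re
from dataclasses import dataclass

# Constructed sample proxy log (Squid-style, made up for this example):
# timestamp client_ip method url status bytes
SAMPLE_LOG = """\
1085232000.101 10.1.2.3 GET http://www.example.com/index.html 200 5120
1085232001.220 10.1.2.3 CONNECT login.oscar.aol.com:5190 200 4411
1085232002.330 10.1.2.4 CONNECT messenger.hotmail.com:1863 200 3980
1085232003.440 10.1.2.5 GET http://shttp.msg.yahoo.com/notify/ 200 640
1085232004.550 10.1.2.6 POST http://gateway.messenger.hotmail.com/gateway/gateway.dll?Action=open 200 1212
1085232005.660 10.1.2.7 CONNECT www.example.com:443 200 9001
1085232006.770 10.1.2.8 GET http://www.example.com/file.exe 200 200000
"""

# Assumed indicators (illustrative, not from the article): native ports and
# hostname fragments of the consumer IM services the article names.
IM_PORTS = {5190: "AIM/OSCAR", 1863: "MSN Messenger", 5050: "Yahoo! Messenger"}
IM_HOST_PATTERNS = [
    (re.compile(r"(^|\.)oscar\.aol\.com$"), "AIM"),
    (re.compile(r"(^|\.)messenger\.hotmail\.com$"), "MSN Messenger"),
    (re.compile(r"(^|\.)msg\.yahoo\.com$"), "Yahoo! Messenger"),
]

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+) (\d+)$")


@dataclass
class Hit:
    client: str
    host: str
    port: int
    reason: str


def split_target(method, url):
    """Return (host, port) for a CONNECT target or an absolute URL."""
    if method == "CONNECT":
        host, _, port = url.rpartition(":")
        return host.lower(), int(port)
    m = re.match(r"^(https?)://([^/:]+)(?::(\d+))?", url)
    if not m:
        return None, None
    scheme, host, port = m.groups()
    return host.lower(), int(port) if port else (443 if scheme == "https" else 80)


def classify(line):
    """Flag a log line as IM traffic by destination port or hostname; None otherwise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    _, client, method, url, _, _ = m.groups()
    host, port = split_target(method, url)
    if host is None:
        return None
    # Easy case: the proxy was asked to tunnel straight to a native IM port.
    if method == "CONNECT" and port in IM_PORTS:
        return Hit(client, host, port, f"CONNECT to {IM_PORTS[port]} port {port}")
    # Harder case: IM carried over plain HTTP; only a recognisable hostname gives it away.
    for pat, name in IM_HOST_PATTERNS:
        if pat.search(host):
            return Hit(client, host, port, f"{name} host over HTTP port {port}")
    # Anything else (including IM relayed through an unknown host) blends in as Web traffic.
    return None


def find_im_sessions(log_text):
    return [h for h in (classify(l) for l in log_text.splitlines()) if h]


if __name__ == "__main__":
    for hit in find_im_sessions(SAMPLE_LOG):
        print(f"{hit.client} -> {hit.host}:{hit.port}  ({hit.reason})")
```

Run against the constructed log, the filter reports four of the seven lines; the HTTPS CONNECT to www.example.com and the executable download are indistinguishable from ordinary browsing, which is exactly why a port-and-hostname filter alone is not a policy enforcement mechanism.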
"Companies that don't have a proper policy in place and the technological safeguards to support that policy have big (security) holes," he said.
According to a recent Websense/Harris Interactive poll of employee Web use, 17% of employees admit to using IM and 37% of those users also admit to downloading and opening attachments via IM, yet 64% of companies do not officially sanction its use.
While 17% may not seem like much of a threat, the actual number of users is probably much higher since most employees are not likely to admit they use it, said Francis deSouza, founder and CEO of IM Logic, which makes IM tracking and management software.
deSouza has seen research indicating IM usage is common in up to 84% of companies. Some 20 million employees are estimated to be IM users, he said, yet the commercial IM products, such as Lotus Sametime, account for only a few million seats.
"That tells you ... most of these companies have their users on AOL, MSN or Yahoo!," he said.
As Web-based and browser-based attacks that require no opened attachment to launch also increase (such as the recent Sasser virus and Web pages that need only be visited to release a viral payload), IM becomes even more of a threat to corporate networks, said Richard Kagan, vice president of marketing for Fortinet, a hardware firewall maker.
"It's incredibly common for links to be embedded in IM," he said. "Much more so than attachments; 'Here, check this out' and bang, you're done."