Beyond The Net
Many companies' instant messaging systems not secure
By Janine Warner
How private are your Instant Messages? The first time I saw two people sitting side by side in cubicles using an Instant Messaging program to chat, I was puzzled. Why would they type messages when they could so easily turn around and talk to each other?
Then I realized it was the only way to have a "private" conversation in an environment where casual comments are easily overheard by all of the people sitting around you. But are all those Instant Messages people are sending around the office really private?
"It's not that hard to eavesdrop when you're using a public IM system," said Jeremy Dies, offerings manager of the Advanced Collaboration Group for IBM's Lotus Notes Group. "That's a risk a consumer may be willing to take, but businesses should know better, and many are taking steps to protect themselves."
Dies has a vested interest in touting the value of secure Instant Messaging. His group sells a sophisticated online collaboration system called Sametime designed to help companies control access and verify who's talking to whom around the company, even when staff members are spread around the globe.
IBM's Lotus group was the first to market when it launched Sametime in January, 1999, but the importance of keeping online conversations truly secret has led to several new software solutions designed to make Instant Messaging more robust and more secure. In a report released earlier this year, Yankee Group, a Boston-based research and consulting firm, recommends that companies shift to secure IM systems, such as Lotus Sametime, Jabber, Hub IM, or Microsoft Exchange.
Without secure systems, Yankee Group found, companies are vulnerable to exposing confidential information. In an especially ugly case last year, CNET reported that messages from the CEO of an Internet company called eFront were posted on websites.
The casual dialogue, stolen from an ICQ log, included disparaging comments about business partners and employees. Clearly the CEO never intended them to be made public and the security breach caused serious problems for the company.
For years, employees in many companies have been downloading free Instant Messaging programs, such as the ones offered by Yahoo!, AOL, and Microsoft, and using similar programs such as IRC and ICQ to carry on everything from "water cooler" conversations to serious work exchanges.
The research firm IDC projects that the number of global corporate IM users will increase more than tenfold over the next three years, from 18.4 million this year to 229.2 million. IBM reported triple-digit growth in sales of its Sametime system last quarter and boasts that at least 60 of the global Fortune 100 are now using its proprietary collaboration system.
If you're still not sure why you'd want Instant Messaging in your business in the first place, especially with all of these security concerns, consider how Ryder, a Miami-based logistics and transportation company, is using the secure IM features in IBM's Sametime system.
"We use it instead of the telephone all the time," said David Baildon, group director of knowledge management for Ryder. "We have people in the U.K., in Mexico, Latin America, Canada, the U.S. Wherever possible we're trying to eliminate the need to make those expensive phone calls.
"Even within the U.S., we use Sametime to get someone's attention to find out if they're available for a phone call. We won't place the call until we find out if the person is available," he said. "That eliminates numerous rounds of telephone tag, which is unproductive and costly."
Baildon said Ryder also uses IM in its call center because it makes it easy for operators to share information without interrupting customers' calls.
Security is important at Ryder, and it is the reason the company invested in the Lotus Sametime system instead of using free programs.
"Let's say it's a highly sensitive shipment," Baildon said. "We don't want anybody to be able to track it or steal it. We have a secure server and everything we do with IM, employee to employee, is done on our intranet, not the Internet."
In March, CERT, a federally funded security center at Carnegie Mellon University, issued a warning to users of IM programs that tens of thousands of computer systems had been infiltrated by crackers who were posting offers of free software, music and pornography on IM boards as a trick to gain access to computer systems.
When a user downloaded the free item, a Trojan Horse or other virus came with it. Just being able to see if someone is available on an IM system through a mechanism that indicates when someone is active can provide valuable information to business competitors.
For example, if I know the ID of my competitor, I may be able to tell if he's staying up all night to finish a proposal on a contract for which we're competing.
Next time you're "chatting" away on IM and thinking you're having a private conversation, think again. In the digital world of communications there are ever more ways to eavesdrop.
First publication, The Miami Herald, Mon, Sept. 9, 2002

