Using Instant Messaging Safely

Instant Messaging (IM) is a form of electronic communication enabling ad hoc collaboration through sending and receiving messages almost instantaneously across a network connection. This can be via mobile communication devices or via Internet connected computers. Since the introduction of popular messaging tools such as ICQ and MSN Messenger, more and more people are enjoying the convenience and ease provided by real-time messaging in their day-to-day life.

IM is not only popular with home users, but is increasingly common in the workplace. IM has found a place in business, for services such as communicating with customers and partners, offering customer support, receiving real-time alerts, as well as management and project coordination.

Though IM is an effective and easy means of network-based communication, it presents a number of security risks if proper security measures are not enforced. Public IM is rapidly becoming an alternative channel for spreading viruses and other malicious codes. By default, common public IM services usually lack native encryption to protect the information being transmitted.

Tips for Instant Messaging End-users

The following tips are designed for end-users using IM as regular communication tool.

DO'S
Before opening a file received via IM, verify with the sender and scan the file with anti-virus software. Keep your IM software (and other system components) up-to-date with the latest patches, enable personal firewall protection, and install anti-virus software with the latest virus signatures. Enable all notifications when incoming messages/calls/files are received to ensure nothing happens in the background without your knowledge. Disable all network services provided by the IM service. Disable sharing of resources and disable remote activation of microphones and video cameras when using IM service.
DON'TS
Don't set your IM client to automatically accept file transfers. If you do, you place yourself at very high risk of automatically accepting virus-infected files unknowingly. Don't click on URL links from un-trusted / unknown contacts in IM. Don't send personal or sensitive information over IM networks without encryption. Don't disclose contact lists used for batch submissions.

Tips for Instant Messaging Enterprise Users

If an organisation decides to use an IM system, the following set of security controls should be considered and implemented:

• Implement an enterprise IM (EIM) solution instead of using public IM clients. Organisations should explore the possibility of deploying their own enterprise IM architecture within the network environment, and integrate their IM system with the existing authentication mechanisms.

• Develop an IM Usage Policy and clearly disseminate to all users of IM. The IM usage policy should be technology and product neutral.

• Implement IM hygiene solutions which are a collection of services that allow organisations to enforce IM usage policies by monitoring usage, managing IM traffic and filtering content to block unwanted messages, computer viruses and offensive material, as well as logging all IM messages for audit purposes.

• Ensure all external IM traffic goes through a specific gateway.