Minimize Security Threats from IM

It’s no secret that instant messaging (IM) is wildly popular. It’s faster than e-mail, and so discreet that two people in the same business meeting can use it to communicate across the room virtually undetected. To top it off, it’s easy to get: many public IM software packages, such as Google Talk and MSN Messenger, are offered as free downloads. But IM carries the same security risks as e-mail — it can fall prey to worms, viruses, Trojans, and “spim” — unwanted spam sent via IM instead of e-mail. It can be intercepted by competitors, allowing trade secrets or confidential client information to fall into the wrong hands. And all of these risks can create the same types of security problems for your business — including regulatory and e-discovery non-compliance risks — that e-mail can.

Chances are, you already know what type of e-mail system your office uses, have established guidelines for its use, and are vigorously protecting it with firewalls, anti-virus software, and the like. But are you aware whether public IM systems are being used in your office? “It’s one of those stealth technologies, where people just install it, and it’s not blocked by an organization’s gateway,” notes Richi Jennings, an analyst with San Francisco-based Ferris Research. “You could ask many companies, ‘do you use IM?’ and they would say no, but they actually do.”

Here are some tips from the experts on ways to minimize your risk:

Develop an office-wide IM policy. Put together a written policy for your employees, and take the time to educate them about it. While it’s best to shut down any public IM systems in use in your workplace, companies need to decide such things as whether to allow employees to use public systems for personal use only, such as messaging family members. “You have to make a decision and stick with it,” says Rob Koplowitz, principal analyst for information and knowledge management for Cambridge, Mass.-based Forrester Research.

Choose an office-wide internal IM tool. Invest in a secure product, such as IBM’s Lotus Sametime, that features encryption, limited access, and top-class anti-virus software for internal business use. Don’t use consumer-based products, such as Google Talk or Yahoo, experts warn.

Limit access. Joel Dubin, an independent security consultant and author, recommends configuring buddy lists to include only known parties, and limiting internal access to those employees who must communicate in real time.

Oversee screen names. Because IM is a very casual form of communication, some employees use offbeat, irreverent, or even racy screen names that might not fit the corporate image, notes Jennings. “It’s important to not only control who uses it, but to control the screen names employees choose,” he says.

Monitor use. As with e-mail, experts recommend monitoring use to detect any internal improper use or external efforts to sabotage the system. Some solutions, such as FaceTime’s, will warn employees in real time that they are violating acceptable use policies.

For businesses wanting to bundle their corporate IM service with other technologies, there are “a number of anchor points,” notes Koplowitz. “If you have an on-premise e-mail system, you may look to [link IM in with] e-mail,” he says. “But you can also link IM with telephony, or with some other business vendor.” Companies that offer full-service packages that include IM include FaceTime, whose Unified Security Gateway covers URL filtering, public IM, VoIP and P2P, and can work with the unified communications suites offered by IBM Lotus Sametime and Microsoft’s Office Communications Server, according to Frank Cabri, FaceTime’s vice president of product management. These types of integrated solutions are likely to become more common at the enterprise level, and to trickle down to small and mid-size business-scale products as well, says Koplowitz.

Whatever option you choose, experts advise that you take IM security as seriously as e-mail security. The risks are real.

Can Instant Messaging Work for Business?

Fifty percent of employees use consumer instant messaging (IM) programs such as AOL’s Instant Messenger or Yahoo Messenger on company computers, according to a 2006 survey of 416 primarily small and midsize businesses by the American Management Association and The ePolicy Institute. These consumer IM clients often slide quietly onto company networks because employees use the same programs to chat with friends and co-workers when they’re off the clock, too. But consumer IM programs also enable something that many companies won’t even risk these days when it comes to e-mail: unfettered, unmonitored and unencrypted communication over the public Internet. What’s worse is that only 47 percent of employers are aware of the IM programs running on their systems, according to the AMA study.

“IM is nothing more than turbo charged e-mail — and all the IM risks that exist are the same as with e-mail,” says Nancy Flynn, executive director of The ePolicy Institute and author of several books including Instant Messaging Rules: A Business Guide to Managing Policies, Security, and Legal Issues for Safe IM Communication. IM poses some of the same risks to a business as e-mail, from allowing employees to disseminate confidential company information to exposing company computers and networks to a virus, worm, or Trojan horse that quickly spreads. And with those risks comes the potential for a firm to be subject to the same legal liabilities for employee conduct over IM. So the question becomes: should companies allow employees to use free consumer programs, or should they install enterprise IM that comes with more security features? Here’s how to decide whether a business should go with business IM:

Does your company need to conduct business via IM? Employees might not even have a legitimate business reason to be IMing the outside world, in which case a company could forgo allowing IM programs altogether. But if employees need to IM each other, vendors, or clients to conduct business, then a company needs to use secure IM, says Richi Jennings, lead e-mail security analyst for Ferris Research, a San Francisco-based research firm. “If they are going to use a consumer-based service, IMs should still be encrypted,” he says. “And there is no substitute for having good antivirus, spyware, and malware control in place.” Enterprise IM programs also can assign company-branded, professional screen names to employees.

Does your company need to archive IMs? Regulators in the financial services arena, for instance, have made it clear that they don’t make a distinction between e-mail and IM when it comes to retention requirements. “When employees engage in IM chat via public IM tools, your electronic business records are not being retained,” Flynn notes. “It’s essential for all businesses–no matter what your size or industry–to retain your records if you’re in a regulated field.” For many companies, complying with regulations like Sarbanes-Oxley means logging and archiving IM sessions between employees and clients–or anyone. IM management tools or enterprise IM products can offer a built-in logging and archiving feature for legal or regulatory compliance. Free consumer IM programs, on the other hand, do allow users to choose to save individual chat sessions, but they don’t include enterprise-wide records management or archiving features.

Does your company need to secure IM? If IM is being used on company time, experts say the answer is always “Yes.” But there are different approaches to boosting IM security. IBM Lotus Sametime, Novell GroupWise Messenger, and Microsoft Live Communications Server (LCS) are among the enterprise IM programs that offer an entire IM infrastructure installed on a company’s internal servers to enable archiving or defenses against threats like malware or IM spam (a.k.a. spim). Enterprise IM programs can be integrated with a user’s e-mail program or allow Web conferencing as well. For instance, Microsoft LCS can allow employees to IM people who use public IM programs but it still encrypts and logs messages. IBM Lotus Sametime even encrypts users’ buddy lists. IM management or gateway products — such as Akonix, Akeni, FaceTime, or Symantec’s IMLogic — can also add layers of security to existing IM products like Google Talk, Yahoo Messenger or MSN Messenger by archiving messages, scanning for viruses or blocking messages containing restricted phrases to prevent that data from leaving a business’s network.

Depending on the level of security, management and additional features offered, enterprise IM can range from $5,000 for FaceTime’s RTG500 gateway product, to about $500 for Microsoft LCS for five users, to $10 to $40 per user for Akeni or IMLogic. AOL’s new AIM Pro powered by WebEx, which encrypts IMs and allows users to securely share documents or conduct conference calls, is free. No matter what the size of a business, experts say there are affordable solutions for adding the security needed if employees are going to be IMing on the clock. “It only takes one employee to accidentally transmit the company’s client list or employees’ social security numbers, for example,” Flynn says. “If you decide to allow IM, you have to decide if you’re going to install an enterprise grade system or use freebies with IM gateway management technology to give your company the ability to monitor, filter, purge, and retain IM chat just like you do e-mails.”
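The archive-scan-block behaviour of the IM gateways described above can be sketched in a few lines. This is an added example written for this page, not code from Akonix, FaceTime, IMLogic or any other product named here; the restricted phrases, the external-domain list, the SSN pattern and the message addresses are all constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed policy for this illustration: phrases that must not leave over IM.
RESTRICTED_PHRASES = ("client list", "project codename falcon")
# Loose U.S. Social Security number shape: 3-2-4 digits separated by - or space.
SSN_RE = re.compile(r"\b\d{3}[- ]\d{2}[- ]\d{4}\b")
# Constructed list of consumer IM / webmail domains treated as "outside the network".
EXTERNAL_DOMAINS = ("gmail.com", "yahoo.com", "hotmail.com")


@dataclass
class Gateway:
    """Sits between the IM client and the public network and keeps an archive."""
    archive: list = field(default_factory=list)

    def inspect(self, sender: str, recipient: str, text: str) -> str:
        """Return 'allow', 'warn' or 'block' for one message and archive it."""
        lowered = text.lower()
        hits = [p for p in RESTRICTED_PHRASES if p in lowered]
        if SSN_RE.search(text):
            hits.append("ssn")
        external = recipient.rsplit("@", 1)[-1].lower() in EXTERNAL_DOMAINS
        if hits and external:
            verdict = "block"   # sensitive content would leave the network
        elif hits:
            verdict = "warn"    # stays internal, but tell the user it breaks policy
        else:
            verdict = "allow"
        # Every message is retained, as enterprise archiving requires, with the
        # SSN digits masked so the archive itself does not become the leak.
        self.archive.append({
            "from": sender, "to": recipient, "verdict": verdict,
            "hits": hits, "text": SSN_RE.sub("***-**-****", text),
        })
        return verdict


if __name__ == "__main__":
    gw = Gateway()
    print(gw.inspect("alice@corp.example", "pal@gmail.com", "sending the client list now"))
    print(gw.inspect("alice@corp.example", "bob@corp.example", "his SSN is 123-45-6789"))
    print(gw.archive)
```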

How to Avoid Scammers, Spammers and the Rest of the Bad E-guys

The first e-mail message was sent sometime in the early 1970s by Ray Tomlinson, an English computer engineer working for the Defense Department’s Advanced Research Projects Agency. Nobody remembers what it said: possibly “testing” or “QWERTY.” Tomlinson wasn’t thinking about history; he was just trying to create a quick, informal way for a closed universe of research scientists to communicate with one another. Ease of use was the point, not security. Defense scientists 30 years ago, after all, did not have to worry about armies of malicious nerds with laptops and cable modems. The openness of e-mail, though, the thing that makes it so revolutionary, is also what makes it so vulnerable to viruses, worms, ID theft, denial-of-service attacks, and a host of other threats.

Scammers are constantly cooking up new ways to use your e-mail system against you. Phishing attacks, for instance. Your employees or customers get an official-looking e-mail saying there is a problem with, say, their credit card account. Would they please click on the link below, then type in their account or Social Security number? MessageLabs, a security firm that tracks phishing attacks, says the number of phishing e-mails grew to 4.5 million in November 2004 from 337,050 that January.

Then there’s spam. The Radicati Group estimates that 45% of all e-mail is spam; other experts think it may be as much as 80%. According to Ferris Research, an e-mail and communications consulting firm, the worldwide cost in lost productivity and resources devoted to fighting spam will be $50 billion in 2005, more than a third of that coming from U.S. companies.

It’s not all bad news, though. Anti-spam laws have started to show some teeth. In April, Jeremy Jaynes, who was reportedly sending out 10 million junk e-mails a day, was convicted of felony charges in Virginia and sentenced to nine years in prison. Couldn’t have happened to a nicer guy.
As you may have noticed, though, spam, viruses, and the rest haven’t gone away. You still have to protect yourself. Which defense is best for you is a function of how big your business is and how much control you want over your security. Many fixes can help not only with keeping your system safe but also with archiving messages and making sure your system complies with your policies and the law. One solution may not be enough. “You cannot expect to buy a single layer of security protection and sleep at night,” says Sara Radicati, of the Radicati Group. Your choices fall into three main categories.

Managed Services

Letting somebody else do it is an attractive option if you have a modest (or nonexistent) IT staff. The tradeoff is loss of control: you’re trusting an outsider with a key part of your business. Managed providers offer a range of security services that include spam filtering, virus protection, encryption, mail monitoring for compliance with regulations or company policy, and even archiving. Fees are typically per user, per month or year, and the price generally drops the more licenses you buy. Most vendors offer 30-day free trials.

Postini’s Perimeter Manager Small Business Edition (starts at $25 per user per year) includes protection from spam, phishing, and viruses. It also provides defense against directory harvest attacks, in which cyber miscreants try to get your employees’ e-mail addresses by bombarding your server with messages sent to every possible address–jfried@inc.com, johnfried@inc.com, etc.–and seeing which ones bounce back. Perimeter Manager handles only inbound e-mail, however. If you need to keep tabs on internal or outbound mail, too, you can upgrade to Postini’s enterprise edition (starts at $33 per user).

SingleFin’s Global Gateway Service includes e-mail, Web, and instant messaging content filtering, as well as archiving ($12 a month, or free for businesses with fewer than 10 users). A light version of the suite, which simply marks spam and forwards it along to you and also filters viruses out, is free for any number of users. MessageLabs offers anti-virus, anti-spam, content, and policy control services. Pricing is based on company size. A business with 250 to 499 employees, for instance, pays a monthly $3.83 per feature per user. Other big players worth checking out in managed services are Frontbridge, Symantec, and McAfee.

Appliances

Not refrigerators or microwave ovens. These are security hardware systems–literally boxes that contain e-mail watchdog and filtering systems. They are the fastest-growing segment of the security industry, according to the Radicati Group. They are generally easy to install and customize and they leave your own tech people in charge. Appliances are, however, not cheap. IronPort’s C-series comes in four sizes, depending on the number of people in your business. The midline C10 (around $9,000) is designed for companies with up to 1,000 employees and features anti-spam and virus protection, as well as content filtering for policy enforcement and monitoring. CipherTrust’s IronMail appliance (starts at $5,995 for the S-10 model, which is designed for companies with 100 or fewer users) has strong compliance tools. Other companies that make security hardware include Borderware, Barracuda Networks, Mirapoint, and Aladdin.

Software

Security software is plentiful and comparatively cheap. Most security experts, though, say this stuff is most effective when used in combination with an appliance or a managed service. They also warn that, given the constant evolution of viruses and other threats, you (or your IT staff) may be constantly managing patches and updates.

WebRoot’s Spy Sweeper Enterprise ($300 for a one-year subscription with 10 licenses) and PepiMK Software’s SpyBot Search & Destroy (free) will keep your business computers clean of spyware programs, which can steal your data or even turn your computers into spam-generating “zombies.” Symantec’s Norton AntiSpam 2005 ($320 for a 10-user pack) will clean your computer of junk mail; Computer Associates’ Server Protection Suite ($1,055 for five users) offers a range of security tools, including anti-virus, anti-spam, and spyware protection; Clearswift’s MIMEsweeper ($2,628 for 100 licenses) series has a variety of monitoring software solutions; Sophos’ PureMessage Small Business Edition ($2,850 for 100 users) offers protection from viruses and spam; TrendMicro’s NeatSuite for Small and Medium Businesses ($59.34 per user for 25 to 100 users) has anti-virus, anti-spam, and content security.
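The directory harvest attacks mentioned above under managed services (guessing addresses like jfried and johnfried and watching which ones bounce) leave a recognizable trace on the receiving mail server: one client producing a burst of “unknown recipient” rejections for many distinct addresses. The following detector is an added example of mine, not Postini’s or any vendor’s code; the log line format, the client addresses and the sample lines are constructed for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log line shape for this illustration (Postfix-like, not a real format):
# "<ISO time> client=<ip> rcpt=<address> status=<accepted|unknown_user>"
LINE_RE = re.compile(r"^(\S+) client=(\S+) rcpt=(\S+) status=(\w+)$")

# Constructed sample: one client guessing addresses at example.com, one normal sender.
SAMPLE_LOG = """\
2005-03-01T10:00:01 client=203.0.113.7 rcpt=jfried@example.com status=unknown_user
2005-03-01T10:00:02 client=203.0.113.7 rcpt=johnfried@example.com status=unknown_user
2005-03-01T10:00:02 client=203.0.113.7 rcpt=john.fried@example.com status=unknown_user
2005-03-01T10:00:03 client=203.0.113.7 rcpt=jfried@example.com status=unknown_user
2005-03-01T10:00:04 client=203.0.113.7 rcpt=jf@example.com status=unknown_user
2005-03-01T10:00:05 client=203.0.113.7 rcpt=fried@example.com status=unknown_user
2005-03-01T10:00:06 client=203.0.113.7 rcpt=friedj@example.com status=unknown_user
2005-03-01T10:01:00 client=198.51.100.5 rcpt=sales@example.com status=accepted
2005-03-01T10:01:30 client=198.51.100.5 rcpt=salse@example.com status=unknown_user
2005-03-01T10:20:00 client=198.51.100.5 rcpt=info@example.com status=accepted
"""

def parse(log_text):
    """Yield (time, client_ip, recipient, status); lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)

def find_harvesters(log_text, window_seconds=60, threshold=5):
    """Return {client_ip: peak} for clients that hit `threshold` distinct rejected
    recipients inside any `window_seconds` span. Counting distinct addresses keeps a
    legitimate server that retries one mistyped address from being flagged."""
    rejects = defaultdict(list)  # client_ip -> [(time, recipient), ...]
    for when, ip, rcpt, status in parse(log_text):
        if status == "unknown_user":
            rejects[ip].append((when, rcpt))
    flagged = {}
    for ip, events in rejects.items():
        events.sort()
        peak = start = 0
        for end in range(len(events)):
            # advance the window start until the span fits in window_seconds
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, len({rcpt for _, rcpt in events[start:end + 1]}))
        if peak >= threshold:
            flagged[ip] = peak
    return flagged
```

Tune `window_seconds` and `threshold` to the server’s normal rejection rate; a single retried typo never reaches the threshold because only distinct addresses count.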