Survey: Instant messaging poses cyber threat to organizations

According to the results of a new survey conducted by IT security firm Symantec, many organizations are opening themselves up to cyber threats transmitted through instant messaging platforms because they either don't adequately monitor the IM activities of their employees or don't have a policy to govern its use.

Among the findings of the survey, which included responses from 77 corporate IM users, were:

- 61 percent said they used instant messaging to communicate with people outside the company.
- 43 percent reported that they would use IM to share non-work-related content, compared to just 18 percent who said they use email to do so.
- 25 percent of respondents said they "always trust" URLs in their work IM service.
- 29 percent said they would send information via IM that they wouldn't want their boss to know about.
- 58 percent of organizations feel that they're vulnerable to experiencing data loss through instant messaging, but only 19 percent said they had a policy governing IM use and only five percent stored IM logs.

"Most people are doing a great job about locking down email, they understand the principles behind it and to the same degree, they're doing the same things with the web," said Nick Emanuel, senior product manager at

Emanuel said organizations that fail to adequately secure their instant messaging systems are opening themselves to potential malware infections. About two years ago, Emanuel said that one out of every 70 URLs inserted into an IM stream led to a malicious website or contained malware. But, according to another recent analysis by Symantec, that number has now increased to one in every 11.3 URLs.

"That's an exponential growth and it's an area of concern," he said. "And we know that most people will operate and interact with IM very differently from how they will with email."

Emanuel added that one thing he's seen with respect to many recent IM attacks is that they tend to have some elements of "social engineering" in them. For example, a message delivered to a user may have their username or a variation of it embedded within.

"What we have to remember with IM is that unlike email where you can craft an email as long as you want; there are effectively no character bandwidths on email, with IM that's just not the case," he added. "People that are either malware writers or people trying to pass malware through IM tend to be very short and snappy. All they want you to do is click on the link because then you're driven to their website or to the compromised website and they've got a much better chance to download something onto your laptop or device."

Emanuel said he believes that many people fail to realize the dangers of IM communications because there is a lack of information in the marketplace. To fill this security gap between instant messaging and the other cyber security needs of organizations, Symantec is offering its new Instant Messaging solution with support for Microsoft's Lync IM platform.

"To us, the IM market and the security products around it until this offering have not been strong enough in giving customers what they need," Emanuel said. "We've built the service on three key pillars or principles and those are data loss, compliance and security."

For more information about Symantec's new service, visit