Spim Follows In Spam's Footprints

Unsolicited commercial instant messages, known to many as spim, are expected to reach 1.2 billion in 2004, up from 400 million last year, according to a report by the Radicati Group, a technology market-research firm. Another research firm, Ferris Research, puts the spim count at 500 million for 2003. The Yankee Group, yet another research firm, estimates that 5 percent to 8 percent of corporate IMs are spim.

Michael Osterman, president of Osterman Research, a messaging research and consulting firm, says spim isn't a severe problem, though it is growing. According to a survey his company just completed, 70 percent of corporate IM users get no spim, 18 percent get 1 or 2 spim messages a week, 4 percent get 3 to 5 a week, and 7 percent get more than five per week.

That's nothing when compared with the billions of E-mail messages sent daily--some 60 percent of which are spam--but they're nonetheless a significant security risk. The Radicati report, issued last week, says 70 percent of spim involves pornography. Moreover, notes Scott Chasin, chief technology officer at E-mail security vendor MX Logic Inc., E-mail worms that hijack a user's IM identity to send spam already have been documented. He compares the security threat posed by spim to the risks that accompany spam.

Enterprise IM systems--such as are offered by Bantu, Jabber, Lotus, Microsoft, and Novell--offer a degree of control absent from E-mail. They are inherently more manageable and secure.

The problem is that IM users are taking matters into their own hands. As research firm IDC observed last year, "An increasing number of employees are circumventing IT and installing public instant-messaging clients. Left unmanaged, public IM puts companies at greater risk of security vulnerabilities, breaches of confidentiality, virus infection, legal liability, and violation of privacy regulations."

According to IMlogic Inc., a maker of enterprise IM infrastructure software, there are more than 50 million enterprise users of the public IM networks maintained by AOL, MSN, and Yahoo--and IT oversight hasn't kept up with user demand. In May 2002, Giga Information Group, now part of Forrester Research, found that 60% or more of midsize and large companies use IM, but 90% had no formal IT support for it.

Messaging-management and content-filtering vendors such as Akonix, FaceTime Communications, IMlogic, Omnipod, and SurfControl have been working to bridge that gap. But the issue remains. "There are more IT departments that have taken a proactive stance with regard to IM, but the broad majority still don't have any IM management policy in place," says Francis Costello, chief marketing officer at IM management vendor Akonix.

IM adoption at petroleum marketing and distribution company Truman Arnold Cos. offers an example of the trend. Due to the business value of instant always-on communication, IM use grew on its own until the company's IT staff reined it in.

"IT noticed it and realized how much of a security hole it was," explains Josh Lawrence, E-commerce support, who adds that while IM spam was a concern, viruses and unauthorized file transfers were more troubling. The company, which uses Yahoo Instant Messenger, chose to implement Akonix's IM management product, L7 Enterprise.

With corporate IM users on the rise--numbers vary, but Osterman estimates there will be 37 million by 2005, up from 24 million by the end of this year--IT departments need to develop and implement IM-management policies and tools before IM spam and related security threats force the issue.

This story courtesy of InformationWeek.