IM boom in financial services: Can it be secured?

Just as e-mail pushed its way into standard business communications, instant messaging (IM) has already become a staple in most financial services organizations. Like e-mail, it also has serious implications for security and compliance issues. Mark Vernon describes the threat environment and offers some tips for handling IM in financial services IT.

Stay up to date with the latest IT news and information affecting the world of finance with TechRepublic's free Financial Services IT newsletter, delivered each Wednesday. Automatically sign up today!

Nearly 200 million individuals will send instant messages (IM) this year, according to IDC, and next year over half of them will be business users. Many of them, in turn, will be in financial services, the business sector that has taken to IM more than any other.

It has enjoyed such a meteoric rise in financial services because the convenience and productivity it puts into users' hands, at very little cost, particularly appeals to bankers, traders, and insurers.

"Instant messaging is becoming a more mainstream business tool," says Andrew Brown, CTO of Global Infrastructure Services for Merrill Lynch. "IMlogic gives us enhanced capabilities regarding access control, reporting and management."

However, as corporate adoption of IM peaks this year, many commentators are becoming concerned about the need to secure the informal networks upon which IM depends, both to protect against hackers and to meet regulatory requirements.

The Big Bang in IM security threats

The warning signs are there to be read. For example, in February, Microsoft cut access to its MSN Messenger IM service to halt the exploitation of a security flaw: a vulnerability, which allowed malign attackers to take control of affected systems in all but the latest versions of the messenger clients, was posted on the Internet.

In addition, IMlogic has reported that the incidence of IM security threats increased by 50 percent in the first three months of this year; that more than one hundred of the most common IM viruses had grown by 30 percent in the same period; and that IM spam now accounts for up to seven percent of all traffic. In other words, IM malware has undergone a "big bang".

Financial sector authorities have already responded to the threat. As far back as December 2002, the Securities and Exchange Commission fined five large Wall Street firms $8.25 million for failing to archive and supervise their electronic communications.

The industry itself has taken note too. The Financial Services Instant Messaging Association (FIMA)—whose members include Bank of America, Citigroup, Credit Suisse First Boston, Deutsche Bank, J.P. Morgan Chase, Lehman Brothers, Merrill Lynch, Prudential, and UBS Warburg—exists to pressure vendors into standardizing IM platforms in order to promote compatibility and security. Furthermore, the National Association of Securities Dealers (NASD) recently told its 5,300 brokerage firm members to retain IM records for at least three years as proof against future disputes.

Handling IM security in financial organizations

On the other hand, taking responsibility for IM is not always as easy as might be thought. For example, if a firm decides simply to ban IM—in a similar manner to which some banks tried to ban e-mail—then determined employees will readily find ways around bars on the network. Moreover, programming corporate IT systems to scramble any instant messages that are sent is tricky and time consuming, since most IM platforms are proprietary and change fast.

A ban may also not prove effective because IM penetrates the organization under the radar: it is routinely embedded in office software, for example.

Arguably the more sensible route to take, not least because it has become part and parcel of modern business communications, is to control the use of instant messaging. IMlogic's approach is typical: its product, called IM Manager, archives every IM conversation across a network. IM Manager can track messages, reconstruct exchanges, and monitor for attacks.

In short, like e-mail, IM has become part of the communications landscape. Financial organizations must embrace and secure it, not fear and try to dodge it.

Editor's Picks

Free Newsletters, In your Inbox