Employees aren't supposed to use email or IM to transmit sensitive patient information, according to the security policy in Lane Timmons' organization. Doing so could violate HIPAA, expose patients to identity theft and damage the company's reputation.
But Timmons, a security systems analyst for a medical research facility in Texas with 4,000 users and 7,500 Exchange mailboxes, can't say with certainty that everyone plays by the rules.
"Policies don't always mix with reality, as far as what some people might do," he said. "I worry that despite the policies and the strong perimeter security we have in place that some people may still send out health information via email and IM."
His department has an extensive security program to prevent malware infections and data leakage that might come by way of messaging technology. But the possibility that something bad could happen is never far from his mind.
He's not alone, if an exclusive SearchSecurity.com survey of 250 IT professionals is any indication.
More than 80% of those who took the survey in August said they worry about the loss or leakage of confidential information via email or instant messaging, and more than 60% said they've been forced to spend more time on messaging security issues this year than they did last year.
More than 80% of respondents said they also worry about the loss or theft of mobile devices housing sensitive data, and about malware infections that could spread from mobile devices to the main network. Timmons recently had to contend with the latter problem, when about six machines in his environment were compromised by a worm exploiting a three-year-old vulnerability.
"Some laptop comes in with that worm and shares the wealth," he said.
More mobile messaging, IM means more trouble
Respondents acknowledged the adoption of mobile messaging devices in their companies may be moving faster than their ability to secure them. Nearly 70% said they are giving more of their users mobile messaging devices like Blackberries or Treos, and nearly half admitted that the proliferation makes the threat of worms and viruses an ongoing problem.
Brian Joyce, an IT director for Joseph Decosimo and Co., a Chattanooga, Tenn.-based accounting firm with more than 250 employees in eight offices in the Midwest, southeast and Cayman Islands, acknowledged that mobile messaging security is something his company needs to look at more closely.
His department has solid procedures in place to deal with email and IM threats, but "the exception is the mobile devices like Blackberries," he said. "We are looking into the risks now and what we can do to defend against those specifically."
As they grapple with the proliferation of mobile messaging devices, IT professionals are also watching IM use explode across their organizations. Many lack a solid strategy to deal with the security side-effects.
More than half of respondents said they see IM as a breeding ground for malware, yet the same number said they don't have a sound written policy to police IM usage and nearly 70% said they do not ban IM in their environments.
Timmons would like to limit or block IM in his organization but said there are a lot of people that oppose the idea. He and upper management are now discussing how best to define the rules for IM usage.
The biggest threats
Asked what they consider to be the biggest messaging security threats, nearly 60% said phishing, including Joyce.
"With email, we know our biggest vulnerability is the potential that an end user might fall to a phishing expedition," he said. "That's an ever-present danger we try to mitigate with education and we have strong policies and good products in place [from Postini and Symantec] for this defense."
But while employees in his organization are very conscientious, he said, it only takes a split second for someone to fall for the unexpected "I love you!" email trick before they know what has hit them.
"We feel pretty confident that we are doing the right things to mitigate our risks," Joyce said. "But it's almost impossible to be 100% secure and still be productive."
As for other messaging threats, 75% said email-based malware is an extremely or somewhat significant threat and nearly 50% said IM-based malware is a big problem. Meanwhile, 50% said botnets pose a significant threat to all messaging programs and 63% said inadequate data controls on mobile devices are a serious danger.
Sixty-one percent said viruses and spyware on mobile devices are an extremely or somewhat significant threat.
Despite problems, most claim success
Despite all their concerns about messaging security, respondents are at least confident that they're devoting the necessary attention to the problems and solutions.
Asked how effective they are at securing email over mobile devices, 58% said they are somewhat or extremely effective at protecting stored data. Sixty-three percent said they are effective at enforcing access control and 58% said they are successfully configuring and locking down their mobile servers.
Asked how effective they are at securing core email systems, 82% said they have mastered the patch management process and 84% said they are successfully securing remote and Web-based email access. Nearly 95% expressed confidence in their antivirus deployments and updates and 74% said they are successfully configuring and locking down messaging servers.
Respondents reported less success in defending against SMS text messaging spam and spyware on mobile devices, however. Only 30% said they are effectively dealing with the SMS text messaging spam and only 38% said they're effectively dealing with spyware on mobile devices.
Email is easier to deal with than other messaging programs because there is a better audit trail to work with, Timmons said. "We can block certain sensitive items that might otherwise go out via email," he said, noting that his organization monitors email transmissions and can block forbidden activity using an intrusion prevention box from Austin-based TippingPoint, a division of 3Com.
No silver bullet
But while security vendors have made a variety of tools available to deal with these problems, no one product can guarantee 100% messaging security, respondents said.
"Despite our filtering software, a user might receive a legitimate-looking email or IM and click on an enclosed link, allowing malware to disrupt that user's work or spread to impact more of the agency's operation," said Wendy Nather, information security officer for the 800-employee Texas Education Agency.
Nather agrees with Joyce that employee awareness is most important to the organization's security.
"We put a lot of effort into awareness programs in various forms, since we feel that informed users are less likely to fall victim to attacks, whether they come through IM or email," she said.