IM Security: Big Concern, Slow Uptake

by Paul Rubens

If the numbers are to be believed, there aren't many organizations taking IM security seriously. Even if it's an uncertain market, the need is already here.

Here’s an amazing fact: according to a recent poll, only 11 percent of organizations have an instant messaging security system in place. It’s amazing because almost all of these organizations have an anti-virus system in place for their e-mail and probably have stringent security policies to go with it. Yet they seem to be ignoring IM.

That’s pretty strange, since IMs are just as potent a transmission vector as e-mails for viruses, worms and pretty much any malware you care to mention. In 2004 there were around 21 threats such as Trojans and worms that used IM as an attack vector, while this increased to over 300 last year. Seems like malware writers are increasingly realizing that the nearly 12 billion IMs IDC Research estimates are sent every day offer easy pickings compared to relatively well-protected e-mail systems.

It’s not as if organizations have nowhere to turn. For the last few years three key companies, Akonix, FaceTime and IMlogic – and other smaller ones besides – have been offering IM security systems. All three offer broadly similar products, which allow administrators to discover when public IM systems are being used and by whom, secure their use, and archive IM sessions for regulatory compliance. All in all, you could say it’s a pretty mature market niche in terms of product functionality.

But the big question is whether it is really a standalone niche at all. Is there, in other words, a need for separate IM security and management products, or should they be subsumed into e-mail security products to become a part of a communications security suite?

Symantec clearly believes the latter: at the beginning of January the company purchased IMlogic for a sum believed to be around the $70 million mark. It is not hard to see the logic of the deal, and we should expect to see Symantec security products with IMlogic’s IM security and archiving features tightly integrated in twelve to eighteen months.

So what are the chances that Akonix and FaceTime get acquired too? “We think they will lose their independence,” says Peter Firstbrook, a research director at analyst Gartner. “Most companies don’t want different products for e-mail and IM, they just think of messaging or communications, which could end up including SMS, VoIP and webmail as well,” he says. There is no end of security vendors, such as IronPort and CipherTrust, that would be interested in gobbling them up, he says.

Don Montgomery, a marketing vice president at Akonix, agrees. “We think there is still two to three years of solid growth and independence for ourselves and FaceTime but we are obviously logical candidates for consolidation. IMlogic needed to be bought as they had reached the end of their cash and still weren’t making money, but we think we will be worth much more than $70 million in the next few years.”

Interesting stuff. Because on the one hand, $70 million seems quite a lot to pay for a company which, according to Montgomery at least, wasn’t turning a profit. Other security vendors must be thinking that rather than fork out a similar number of their hard-earned greenbacks – or even more – for FaceTime or Akonix, they could probably build their own IM security software for a lot less. And since the total market penetration for these products is only just into double figures, there is still a lot to play for. On the other hand, if the market is going to expand rapidly in the near future – and all it would take is a big IM-borne equivalent of the I Love You, Melissa or Nimda worm or two – then Akonix and FaceTime may soon be worth a lot more, so the time to acquire either of these two companies is sooner rather than later.

And why is this important? Because if you are serious about security then you need IM protection. But should you wait for your e-mail security vendor to include it as part of its current offering, or do you buy Akonix’s or FaceTime’s (or even IMlogic’s) products in the knowledge that they will probably not be around in their current form for much longer? Firstbrook recommends making a tactical investment even though in a few years you’ll probably have to buy something else.

Ultimately, IM security is probably not something you should want to be without. The signs are there that a major IM-borne worm will affect you sooner or later if you don’t take security measures, and the time to protect yourself is before, rather than after, the fact. There is a great deal of uncertainty in the market at the moment about who will be the major players in the coming years, but don’t use that as an excuse to leave your organization wide open to attack.

This article was originally published on Wednesday Feb 1st 2006