UK firms failing to meet IM measures

Company directors could find themselves in court for failing to comply with new corporate-accountability legislation - all because staff are chatting over IM.

Many UK companies are still failing to crack down on the use of consumer IM applications, such as those produced by AOL, MSN and Yahoo, when they should have made a move to secure enterprise IM packages.

Many free-to-use packages do not have the necessary built-in security and archiving to make them compliant with new regulations such as Sarbanes-Oxley and Basel II, which have been brought about by the need to safeguard against future scandals such as Enron, which rocked the entire business world.

Anybody exchanging financial information, sealing deals, accepting 'verbal signatures' or discussing almost any business matter that could be brought to account needs to be more compliant than freeware IM applications will allow.

However, UK businesses appear to be trailing behind much of Europe in introducing robust strategies for coping with IM use.

In France 60 per cent of IT directors said they monitor IM traffic, with 40 per cent claiming to archive all IM data. In Germany those figures are 41 per cent monitoring and 18 per cent archiving, while in Spain they are a highly impressive 70 per cent monitoring and 63 per cent archiving, according to findings from Hitachi Data Systems.

In the UK only 22 per cent of companies monitor IM traffic while a pitiful nine per cent archive.

While Tony Reid, director of solutions marketing at Hitachi, expects the UK figures to rise rapidly as the need to become compliant gets more pressing but the figures reveal a widespread ignorance already in place regarding the threat that IM poses to the enterprise.

Even before the threat of changing legislation, IM posed a serious security that has passed by the majority of UK companies.

According to Vincent Gullotto, vice president of AVERT at McAfee, virus writers view IM as an easily exploited vulnerability because in the firewall age it provides the most direct route back to the desktop, along with other peer-to-peer applications such as file-sharing services.

As long as companies fail to secure IM and to treat the threat seriously, they are merely setting themselves up for the first major exploit. However, the similarity between security and legislation is that in both cases it normally takes a couple of high-profile 'fall guys' before everybody takes note.

According to separate research from ILOG and ACORD, only 17 per cent of UK insurance companies are putting in place IT strategy to ensure compliance with new legislation.