Survey: Cost Of IM, Greynet Security Incidents More Than Doubles In A Year
FaceTime Communications recently announced the results of its annual survey, "Greynets in the Enterprise: 3rd Annual Survey of Trends, Attitudes and Impact."
In September, data was collected in a survey of more than 700 employees and IT managers to determine the impact greynet applications have on companies and organizations. Greynets -- real-time consumer applications (e.g. instant messaging, P2P, VoIP) that are often introduced by individual end users and use highly evasive techniques to traverse the network -- pose a myriad of network and information security risks because they provide vectors for malware, intellectual property loss, identity theft and compliance risks.
According to the study, greynet use has increased dramatically within the workplace. An average of nine greynets are in use within the typical organization, and 99 percent of IT managers report at least one greynet in use at their locations. In spite of deploying security infrastructure such as firewalls and IPS products, nine in 10 IT managers have experienced a greynet-related security incident in the last six months. In fact, only about 3 percent have avoided greynet-related security incidents during this period.
While some greynets such as Skype, instant messaging and Web conferencing have legitimate business uses, IT requires visibility and control to ensure their safe and productive use. With other greynets, such as P2P file sharing, video streaming and anonymizers, the risks might outweigh the benefits and organizations need the ability to accurately detect and block them. Greynets can be evasive on the network, often circumventing the traditional security infrastructure that was designed for e-mail and standard Web traffic.
The survey shows that the average cost companies incur in recovering from greynet-related incidents on company PCs has more than doubled over last year. IT managers reported spending an average of nearly $289,000 annually to repair or re-image company PCs after malware attacks over greynets. The cost reported in last year's study was nearly $130,000 per year. On average, IT managers experience nearly 39 incidents per month that require some kind of repair or remediation to end-user PCs and each repair requires, on average, about nine hours of work.
Employees don't always see eye-to-eye with IT management regarding risky behavior on the network. For example, 80 percent of IT managers deem anonymizers -- applications that disguise network traffic to permit anonymous use of the Internet -- risky to corporate networks. In contrast, just more than half of users (57 percent) find them risky, for a 19 percent differential in risk assessment.
The bottom line is that greynet usage makes IT nervous: 40 percent of IT managers report that public IM use at work poses "serious risk," while another 46 percent indicate that IM poses "some risk," for a total of 86 percent of managers who are wary of the public IM networks and their impact on the work environment.
In FaceTime's previous two annual surveys, employees candidly proclaimed their belief that they have the right to download the applications they need onto their work PCs, regardless of whether or not those applications are sanctioned by IT. This trend continues, with 36 percent of employees proclaiming this right in this year's survey. In addition, 40 percent of employees said that they need more applications than are typically installed on their work PCs. This trend underscores the need for IT management to work more closely with employees both to understand changing workplace needs, as well as to educate the workforce on security and compliance issues facing the organization.
In addition, this year's survey reveals:
Eighty-five percent of employees report that they use their work PCs for "personal, non-work purposes," and among these employees, 38 percent send personal IMs or engage in chat while at work.
The personal use of work computers is independent of company size. Across the board, approximately eight in 10 will surf, shop and chat over the company network, testimony to the continued blurring of personal and professional workspaces.
Fewer than half -- 45 percent -- of employees are at work locations where personal IM messaging is monitored by the organization.
The number of work locations with eight or more greynet applications in use has almost tripled in the last three years.
Concerns about the impact of greynets also extend to organizations that have or are actively planning the roll-out of unified communications (UC) applications -- 44 percent of those surveyed. Larger companies, measured by employee size, are twice as likely to roll out UC compared to small companies. And, not surprisingly, security is the top concern for IT managers who are rolling out UC. Eighty-six percent of IT managers ranked security as their top concern, while only 65 percent indicated that return on investment (ROI) is a top concern.
The survey revealed that 45 percent of IT managers are at work locations where enterprise IM or unified communications are deployed. However, even at these locations, 74 percent report that public IM networks are also used by employees.
"Deploying enterprise IM or a unified communications platform can lead an organization to believe that it has given employees all the capabilities they need to collaborate effectively," said Frank Cabri, vice president of marketing and product management for FaceTime. "However, the reality is that employees will continue to download new greynets at their own pace and will continue to use the consumer-oriented applications they are familiar with, both for work- and non-work-related communications."
In addition to security concerns, regulatory and corporate governance requirements have prompted an unprecedented emphasis on compliance for IM and other real-time communications in use within enterprises.
Sixty-eight percent of IT managers are at work locations where there are specific guidelines and polices that govern the archiving and storage of IM, e-mail and chat communications.
Fifty-three percent of IT managers have received guidance from their corporate counsel concerning the archiving and storage of e-mails, IMs, chats and other employee communications.
Forty-five percent of organizations would be unable to produce an archive or record of a specific employee's IM communications, if required to do so for legal purposes.
Thirty-two percent of the companies that have deployed enterprise IM are incapable of producing logs of employee IM communications.