IM Security Is One Tough Sell

To their dismay, companies that offer corporations instant messaging protection see the need for their services growing faster than their sales

Each day, hundreds of millions of people communicate via instant messaging, a tool that lets users swap brief, chatty dispatches in a fraction of the time it takes to exchange e-mail. In the U.S. alone, 12% of the population is hooked. And legions are doing it on the clock. Analysts estimate that within 90% of companies, some employees use IM, whether to close a sale, collaborate with a colleague, or just trade gossip or pleasantries with a pal.

No one can deny IM's appeal. Users know the instant they've received an IM and can tell when a recipient is typing a reply. E-mail, on the other hand, often requires the recipient to check an in-box for new messages.

For companies like Amerex Energy, a commodities trading concern based in Houston, IM provides a convenient and vital way for brokers to send traders dispatches on price swings. "The market is moving too fast for e-mail," says Brian Trudeau, chief information officer for Amerex.


  But what companies like Amerex see as a nearly irreplaceable communication tool is increasingly putting corporate technology systems at risk. Attacks via IM grew some 2,800% last year over 2004. And they're increasing 90% each quarter, according to recent studies by companies that make IM security software.

Even as on-the-job IM use skyrockets, only 10% of companies have any sort of formal IM policy and just 5% provide some type of security protection.

Those numbers add up to a source of frustration for three closely held companies -- FaceTime Communications, Akonix Systems, and IMlogic -- that have aggressively evangelized the importance of monitoring and securing IM. Since at least 2001, each has trudged along, losing money as it waits for the market to explode. IMlogic finally cut its losses: On Jan. 3, it announced it's selling itself to Symantec (SYMC) for an undisclosed price.

The deal is a good one for IMlogic and its customers, says Francis deSouza, chief executive of IMlogic. He reckons it will be easier for Symantec to bundle IM products with its existing security software.


  "This is a challenge suited for a big company," deSouza says. "It's really clear that [companies don't view] this as an IM problem or an e-mail problem. They want a policy across all messaging types." IMlogic already has a relationship with Symantec, and both companies focus not only on securing companies' information but also archiving it for compliance and retrieval purposes.

But others speculate the decision to sell means CIOs still feel unready to pay up for IM products. Industry watchers and at least one of IMlogic's competitors say the company fetched in the neighborhood of $70 million. By venture-capital standards, that's not much of a return for a company that had raised at least $30 million in startup funding since its 2001 inception -- and not much of a harbinger of an about-to-explode market. And, says Gartner researcher Peter Firstbrook, IMlogic was slightly bigger than the other two, with a deeper trove of patents.

So what gives? Early on, all three companies won a flurry of contracts from the financial-services industry. Many brokers and traders use IM to talk with customers immediately, but for compliance reasons those communications need monitoring and archiving. For IM, branching out into other industries has proven tougher -- though the tide is turning, say all three companies. Corporations are less likely to prohibit IM use, lest they incur the wrath of employees marching into IT departments with "torches and pitchforks," says Firstbrook.


  But companies still don't want to buy until they feel certain the threat is real and serious. It's comparable to the plight of vendors of software aimed at fending off threats to mobile devices (see BW Online, 1/5/06, "Mobile Viruses: If Not Now, Soon"). And while the volume of IM attacks is growing, few publicized accounts of these attacks doing any real, widespread damage have materialized.

Until that changes, Akonix CEO Peter Shaw maintains, it's like buying fire insurance. "If your house doesn't burn down, you wasted your money," he says. Akonix's pipeline of potential deals has tripled in the last year, which makes him bullish about 2006. But then again, he was bullish about 2005. As of now, all three companies are nearing profitability, but the entire market amounts to less than $40 million, according to analysts.

It's a classic case of IT divisions fighting for increasingly shrinking budgets. So far, IM security just isn't making the cut for most companies. Symantec's entry could help boost those numbers. As when Microsoft (MSFT) enters a new market, Symantec's decision to bite off a new area of security suggests it sees the scope of the problem widening.


  Firstbrook, for one, thinks many potential customers will wait until bigger companies like Symantec bundle the software along with, say, e-mail security and monitoring programs. He started predicting consolidation in this market for more than a year, but he says potential suitors have told him all three companies were asking for too much money. Now that the Symantec deal is done, it sets a precedent, he says.

And both Akonix and FaceTime will have to sell at a similarly modest price or keep slogging away, hoping the market finally takes off. Potential suitors could be e-mail security companies like IronPort or CipherTrust or other broad security companies like McAfee (MFE) or Trend Micro (TMIC).

Akonix and FaceTime say they're not for sale. Revenues, although small, are growing in excess of 100% a year. Besides, Shaw says, Akonix wants to deepen IM management beyond just security and archiving, offering monitoring for when messages are sent and received, for example.


  And FaceTime's focus is broader, protecting all types of so called "greynets," or applications an employee can freely download, often without a company's permission. In addition to IM, that could include peer-to-peer file swapping programs or Web-based e-mail.

One thing is for sure: If this doorway onto millions of desktops remains unprotected, hackers will find a better way to exploit it. When and how damaging attacks will get is just a matter of time. Not that FaceTime and Akonix are hoping for an IM crisis. But they're happy to be ready for the problem. And now that they have a security giant to contend with, their challenge has grown greater still.

Before it's here, it's on the Bloomberg Terminal.