Risks of Using Skype for Business

With the recession in full force, I am getting more questions from Gartner clients about the security risks associated with Skype. Business executives view Skype as being “free” — they see it as a way to cut communications charges, but most are blind to the security risks. Gartner has highlighted these risks in our research (see Q&A: Securing Skype in the Enterprise), namely the fact that Skype’s proprietary signaling protocol makes it hard to secure, the challenge of managing vulnerabilities in the Skype clients, and the threat from the IM features of Skype. Because of these issues, our position has been that most organizations should block access to Skype, and if that is not possible, that they should take precautions to make Skype more enterprise friendly and secure.

Pressure on IT executives to allow Skype is growing, so it is becoming increasingly difficult (politically) to say no and just block Skype. Since there has not been a widespread, high-profile attack against Skype (save for a 2-day outage in August 2007 that was the result of a bug in the Skype system), it is difficult for IT execs to persuade business execs (many of whom are already using Skype) that Skype introduces security risks to the organization. The politically smart choice for many IT execs is to allow Skype, albeit with the appropriate precautions.

Skype Version 3.8 (business version) provides some enterprise-friendly features that enable organizations to run the application more securely. For example, IT managers can implement version control of the Skype client (so that all users are running the same version). Version control is a huge problem with Skype. One network manager recently told me that he counted 11 different versions of the Skype client amongst their 6500 desktops! The business version of Skype also enables centralized policy configuration and control for the Skype clients. So, most organizations should be able to mitigate Skype’s risks enough to allow it in their environment. But the process of mitigating these risks involves operational and support costs, so Skype should not be considered “free.”

Author: Lawrence Orans

