posted 3 Aug 2005 in Volume 8 Issue 10
Instant messaging: Collaborative tool or security threat?
For end users, the advantages of IM over other communications and knowledge-sharing mediums are clear. But, because of IM’s origins as a consumer medium, it is still treated with suspicion by many IT managers, who cite as problems a lack of corporate control over the medium and the risk of security breaches. By Jessica Twentyman
Until 2004, picture library company Getty Images did not officially support the use of instant messaging (IM) in the workplace. But user feedback and desktop software audits soon demonstrated what the IT department already suspected: employee usage of IM, an internet-based person-to-person communications tool, was thriving. Not only that, but employees were able to provide a solid case for using IM, built on legitimate business needs. Photographers in the field, for example, used IM to communicate with the picture desk and IT workers used IM to co-ordinate technical development, quality assurance and support tasks.
Rather than clamp down on that usage, Getty Images decided to put in place and support a corporate IM system. “In my experience, if IT doesn’t provide users with solutions that meet their business needs, they’ll usually just find a way to go around you,” says Margaret McDonald, information security manager at Getty Images.
That example demonstrates a co-operation between IT and the business that the thorny issue of IM usage has struggled to generate elsewhere. When executives at systems integration giant
Employees responded to the ban immediately and vociferously. Instant messaging, they argued, was critical to communication and collaboration at
Many companies have found themselves in similar situations over the past three years. Since the mid-1990s, tens of millions of consumers worldwide have adopted IM. That take-up has gradually filtered into the workplace: according to IT industry research company Meta Group, IM users in the enterprise will grow from 12 million in 2002 to 95 million users by 2007.
Others, however, recognise it as a valuable tool for real-time collaboration and information sharing between employees. More importantly, they recognise that take-up of IM is happening at their companies, whether they are prepared to support it or not.
For end users, the advantages of IM over other communications and knowledge-sharing mediums are clear, according to a recent Meta Group survey of 300 individuals from companies worldwide.
The findings suggest that IM offers a number of benefits: efficiency (including faster response than e-mail, rapid problem resolution and multitasking); presence (the ability to see if someone is online and available for discussion); and cost savings (through a reduction in the use of long-distance telephone calls).
However, because of IM’s origins as a consumer medium, it is still treated with suspicion by many IT managers, who cite as problems a lack of corporate control over the medium and the risk of security breaches.
In response, a number of IT suppliers (including
That, says Forrester Research analyst Nate Root, has created a “ticking timebomb” at many companies worldwide. “They need to wake up and realise that unchecked IM usage creates problems,” he says.
The reasons for that are technical: in essence, consumer IM is a peer-to-peer technology, meaning that there is no central point at which the content can be vetted, no real user authentication and no means of archiving it except on individual users’ PCs. Enterprise IM vendors, by contrast, have attempted to redress these shortcomings in packages that monitor, manage and archive instant messages – and, where required, limit IM usage to internal conversations only or with a limited network of trusted partners.
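The difference a central point makes can be shown in a few lines. The sketch below is an added example, not code from any product named in this article: a hypothetical gateway that checks each party against a directory, limits conversations to internal users and trusted partner domains, and archives every decision, including blocked attempts. All addresses, domains and names are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample data: every address and domain below is hypothetical.
DIRECTORY = {"alice@corp.example", "bob@corp.example"}  # stand-in for the corporate directory
TRUSTED_PARTNER_DOMAINS = {"partner.example"}


def is_trusted(address: str) -> bool:
    """Known directory user, or any user at a trusted partner domain."""
    address = address.lower()
    return address in DIRECTORY or address.rpartition("@")[2] in TRUSTED_PARTNER_DOMAINS


class Gateway:
    """Central relay: vets each message and archives every decision."""

    def __init__(self):
        self.archive = []

    def decide(self, sender: str, recipient: str) -> str:
        if sender.lower() not in DIRECTORY and recipient.lower() not in DIRECTORY:
            return "block: no directory user involved"
        if not is_trusted(sender):
            return "block: untrusted sender"
        if not is_trusted(recipient):
            return "block: untrusted recipient"
        return "deliver"

    def relay(self, sender: str, recipient: str, body: str) -> str:
        verdict = self.decide(sender, recipient)
        # Blocked attempts are archived as well, so the audit record is complete.
        self.archive.append({"time": datetime.now(timezone.utc).isoformat(),
                             "from": sender, "to": recipient,
                             "body": body, "verdict": verdict})
        return verdict

    def search(self, term: str) -> list:
        """Case-insensitive search over archived message bodies."""
        return [r for r in self.archive if term.lower() in r["body"].lower()]


def demo() -> Gateway:
    gw = Gateway()
    gw.relay("alice@corp.example", "bob@corp.example", "Build passed QA")
    gw.relay("carol@partner.example", "alice@corp.example", "Contract draft ready")
    gw.relay("alice@corp.example", "dave@public-im.example", "Q3 numbers")
    gw.relay("eve@corp.example", "bob@corp.example", "Please open this file")
    return gw


if __name__ == "__main__":
    for rec in demo().archive:
        print(rec["verdict"], "|", rec["from"], "->", rec["to"])
```

The last sample message carries the company's own domain but comes from an address the directory does not know, so it is refused; with peer-to-peer consumer IM there is nowhere to make that check or to keep the record of it.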
Among the problems created by unchecked IM use is legal and regulatory liability, as rules on document and e-mail retention increasingly apply also to IM. In the
“Huge standards of governance need to be met and organisations need to realise that they will be called upon to produce audited records of instant messages,” says Neil Laver, head at Microsoft UK of the Real-Time Communication (
Security is another challenge: IM can leave a company exposed to viruses. In November 2004, for example, Microsoft’s
“Imagine, for example, an IM worm that spreads automatically, rather than requiring users to execute an attachment, as Funner did. Imagine further that, instead of only linking the user to pornographic web sites, as Funner did, the new worm corrupted key operating system files. Cleaning up after such a virus could cost a single organisation millions,” he says. His advice? “Implement an enterprise IM service that enforces mandatory virus scans and limits incoming traffic to messages from trusted parties.”
A third challenge is the cost of supporting consumer IM in the enterprise. “Although most employees that use IM today use public IM clients that they have downloaded themselves, they don’t call
A mix of different IM clients and versions is difficult and costly to support, and companies that attempt to pull the plug on IM usage by blocking traffic at the firewall face the equally daunting support task of keeping up with constant IM protocol changes and new IM clients that are smart enough to hunt for ports that IT hasn’t yet shut off. By standardising on a single, enterprise IM client that offers maintenance-free blocking of unsanctioned IM traffic, the IT department can do much to tackle these costs.
The case for enterprise IM is fairly clear, then, for many companies where it is already being used successfully (albeit over public networks) for knowledge-sharing and collaboration. The technology, however, should never be implemented before a company has worked out a comprehensive policy on IM usage, experts warn. Meta Group’s survey, for example, found that, of the 61 per cent of respondents that said that they used IM at work, 57 per cent said that they used IM to send and receive personal (non-business) messages.
That may be acceptable at some companies. At others, however, it may not – so companies need to decide, as many have already done with corporate e-mail, how employees will be allowed to use IM. “This is a substantial education process at many companies, whose first response is to ban IM and then try to figure out where it can go from there,” says Stuart McRae, WorkPlace strategist at
Most companies lack that kind of policy, according to Root of Forrester. Before shopping for technology, he advises, they need to convene a summit of legal representatives, records management policy owners and financial compliance experts in order “to document information usage policies that comply with the letter of the law”.
In order to be effective, those policies should describe what IM should be used for (this involves outlining in detail sanctioned business activities), what it should not be used for (unacceptable use), which messages should be kept and which disposed of (retention policy), and what IM technology should be used (the preferred IM system, standardised across the company).
“It’s critical to provide guidelines,” says Laver of Microsoft. “At the very least, you have a duty to make employees aware that discussions carried out over IM are recorded and stored.”
So far, however, companies have made slow progress in both implementing enterprise IM technology and formulating policies, warns Tzirimis of Meta Group. “In our research, 84 per cent of small-sized companies and 71 per cent of mid-size companies lack a private enterprise-level IM solution, so there is plenty of reason for concern. Larger organisations appear to understand the dangers of unsanctioned IM use and have the financial resources to implement an IM solution, but more need to do so soon given the rapidly increasing penetration of this technology.”
IM shopping list Enterprise
User authentication is vital if IM is to be considered a secure environment for collaborating with colleagues and customers, says Stuart McRae, WorkPlace strategist at
A big differentiator of enterprise IM products is their use of a central directory - either an existing corporate directory such as NT Directory (Microsoft), LDAP (Lightweight Directory Access Protocol), Notes Address Book (
Encryption technology, meanwhile, ensures that the content of messages cannot be intercepted and read by unauthorised personnel or, even worse, hackers as the messages pass across the internet. Most enterprise IM products, including SameTime, MindAlign, Jabber and Groove Deskspace, provide encryption options. WiredRed Software’s e/pop, an IM conferencing system, offers higher-level RSA security.
“The public IM networks simply cannot offer appropriate levels of protection from snooping for valuable corporate information,” says Lisa Kirman, sales and marketing director at IM specialist Gordano. “You can have every security in place internally, but once corporate information is outside the firewall, it’s very much out of your control and vulnerable to unauthorised access,” she points out.
Most enterprise IM products offer functionality for automatically storing content in a searchable format, while also providing the user with a display of their most recent messages whenever they re-visit a channel. “An instant message will frequently contain information that makes it a vital record of a business transaction. It needs to be kept just like any other record and it needs to be just as easily retrieved on demand,” says Neil Laver, head of the RTC product at Microsoft