IM under control

Organisations are finally acknowledging the growing use of instant messaging within the corporate network and are turning to a new breed of specialists to help manage it.

By Gary Eastwood

A recent survey commissioned by instant messaging (IM) management specialist, Akonix Systems found that while one in five employees now use IM at work, 62 per cent of companies are still totally unprotected from the threats of its misuse.

A quarter of respondents to the You Gov survey also said that they had used IM to say something that their manager would not approve of – most commonly in the 18-29 age range, where numbers reached 40 per cent. A minority (seven per cent) in the same age group use IM to liaise with potential employers while at work, 80 per cent use it to chat to friends and family, 25 per cent download music and/or film trailers, while 25 per cent admit to using IM to gossip about work colleagues.

Although 21 per cent of companies do have a general policy in place regarding IM use, only 19 per cent had technology installed to manage and/or block messages.

According to Bill Harmer, MD for EMEA at Akonix, the growing maturity of e-mail management and security means that spammers and virus writers are targeting IM as an alternative, easier route into the enterprise.

“In the first quarter of 2004, we picked up five viruses or worms on IM,” he says. “In the first quarter of 2005, we found 25, a five-fold increase in one year. But in the second quarter of this year we have tracked and blocked 121 viruses, with a record 48 in April alone.”

As the benefits of IM are increasingly acknowledged, vendors are offering more sophisticated business tools. “Traditionally, IM was simple text, but that’s changing as IM clients absorb video and audio conferencing, file exchange and even whiteboards. But, in turn, this means more security vulnerabilities to attack,” explains David Kennedy, analyst at information security services provider CyberTrust.

When it comes to IM, it seems that most CIOs and IT directors are ‘burying their heads in the sand’, with many claiming that IM is not even used in their enterprise. This is a misnomer.

“Whether they believe it or not, every organisation with more than a few hundred employees will have IM installed on desktops,” agrees Jim Moffat, EMEA chair for the IM Focus Group, a forum for industry watchers, IM security companies and organisations that use the technology.

“If you want to take the objective view, the threat and cost to business of IM is a fraction of that of e-mail. However, there is huge potential for the misuse of IM as it is doubling every year – we estimate that the use of IM will reach the same levels as e-mail in three to five years,” he adds.

According to industry analyst Gartner, that could happen even quicker, with research suggesting that by the end of 2006, 40 per cent of e-mail communication will have been replaced by IM.

In the US it is estimated that 74 per cent of employees already have ‘consumer’ IM tools – MSN, Yahoo and AOL, to name a few – loaded on their desktop. Users are bringing the real-time communication and ‘presence’ benefits of IM from their homes, into the enterprise. IM is moving into the communication mainstream.

Of course, the medium is also subject to regulatory and legal obligations for storing all communications regarding, for example, financial, share-price or personal-dispute information. At the same time, it is being used increasingly to communicate with suppliers, partners and customers, sometimes leading to unmonitored ‘leakage’ of intellectual property outside the corporate firewall.

But perhaps the most pressing reason to get IM under control and introduce tools that can help monitor and manage communications, is one of competitive advantage.

As a result, many forward-thinking organisations and executives are moving ahead of the curve and investing in a growing range of IM management, security and policy enforcement tools for the enterprise from specialists that include IM Logic, Akonix, FaceTime Communications and IM-Age Software. IM is also becoming an integral part of enterprise software suites from established players such as IBM and Microsoft.

“The biggest driver around the use of IM management tools is that of the increasing velocity at which companies do business – there are real benefits to getting information quickly from disparate sources,” explains Francis deSouza, CEO of IM management tools vendor IM Logic. “If you need to find a supplier for a spare part

immediately, IM will show who’s online and available, and then you can phone them knowing they’re around to take the call. Another benefit is real-time communication – for example, when negotiating a contract.”

IM Logic’s IM Manager offers a simple ‘one-stop shop’ tool for monitoring, risk management and policy compliance enforcement. IM Detector, a free tool for tracking and stopping stubborn users who try to circumvent company policies, is another option.

According to deSouza, there are four main elements to IM Manager: two-way security for protection against viruses, worms and malicious code; monitoring of message content to aid compliance, for example; systems monitoring that detects how much IM traffic is being sent; and, collaboration management and policy control.

The solution does not provide the communication system itself, but sits atop “13 major IM networks” to monitor and control the flow of traffic, and enforce policies.

Like most of the tools available, it has been designed to scale from companies with a handful of employees to those with thousands. One of IM Logic’s latest customers, Bridema, was concerned with poor management of the increasingly prevalent IM communication within its corporate network. The IT-components distributor selected IM Manager to ensure employees comply with the IM security policy and build a centralised control and reporting process.

“We still use e-mail and phone for particular activities, but IM is prevalent throughout the business for quick questions and responses,” says Dean Nielsen, CEO at Bridema. “We have established a tight security policy on all e-mail communications and wanted to replicate this for IM. IM Manager enables us to set out guidelines for employees and block the use of non-Bridema identities. From our employees’ viewpoint, they have access to previous conversations made over IM, ensuring there is no confusion or lack of awareness of delivery dates or pricing commitments to our customers or suppliers.”

Akonix’s L7 Enterprise, meanwhile, focuses on virus protection and enforcing policy controls. “From the organisation’s perspective, we get them to think about policy in terms of a spectrum, from letting everything through to letting nothing through,” explains Harmer of Akonix.

He continues “You need to think carefully about different policies for groups, departments and users. For example, we can allow the sales department to receive certain files as an IM attachment, while blocking those files if they’re sent to the marketing department.”

Other IM specialist products include IM-Age Software’s IM Policy Manager and FaceTime Communications’ IM Auditor.

But rather than offering ‘stand-alone’ packages, IBM is integrating IM using a collaborative approach, whereby clients, features and controls are built into existing products.

According to Stuart McRae, workplace strategist at IBM, most of the infrastructure for managing IM is already in place. “We treat IM messages as small e-mails. The infrastructure already exists, it’s just about leveraging what’s already there,” he says.

IBM employees already have access to a number of IM products and systems, but one in particular, NotesBuddy, blurs the lines between e-mail and IM. As an independent application, some of its features have already been incorporated into Big Blue’s Lotus e-mail and calendar software, and more will follow, according to the company – although the product is not commercially available.

“We believe that IM will disappear into the infrastructure, and that IM management will move away from free-standing products to become integrated into applications. Our new version of Notes, for example, has a built-in IM client,” says McRae.

To that end, IBM has an ‘ecosystem’ of business partners to make this happen, from security to message routing, right through to the use of IM in business applications, such as call-centre communications.

Aside from the technical aspects, David Kennedy, analyst at information-security provider CyberTrust, believes that there are ‘softer’ effects on the workforce too.

“When a company installs a solution and says: ‘We have a central IM management system’, it puts employees on ‘alert’ – and it means they stop using it for flirting with colleagues. It gently influences employees to ensure that they retain a professional and business focus with their IM usage,” he says.

In fact, says IM Focus Group’s Moffat, these new tools for managing and securing IM usage are so powerful that they can throw up additional concerns. “These are now very powerful tools – they are more than sufficient for dealing with today’s threats. But they are almost too effective, which can create all sorts of ethical and legal issues, such as whether all IM conversations should be logged, how long employees are logged on for, and so on,” he says.

A carefully planned policy is therefore essential. “The vendors supply 40 per cent of the solutions,” admits Akonix’s Harmer. “The rest is how the company defines policy and how well management adopts that. We just define where a company needs to be on the spectrum, the technology is the relatively simple bit.”