Feature

posted 2 Aug 2005 in Volume 8 Issue 3

Instant messaging: Collaborative tool or security threat?

For end users, the advantages of IM over other communications and knowledge-sharing mediums are clear. But, because of IM’s origins as a consumer medium, it is still treated with suspicion by many IT managers, who cite as problems a lack of corporate control over the medium and the risk of security breaches.

By Jessica Twentyman

Until 2004, picture library company Getty Images did not officially support the use of instant messaging (IM) in the workplace. But user feedback and desktop software audits soon demonstrated what the IT department already suspected: employee usage of IM, an internet-based person-to-person communications tool, was thriving. Not only that, but employees were able to provide a solid case for using IM, built on legitimate business needs. Photographers in the field, for example, used IM to communicate with the picture desk and IT workers used IM to co-ordinate technical development, quality assurance and support tasks.

Rather than clamp down on that usage, Getty Images decided to put in place and support a corporate IM system. “In my experience, if IT doesn’t provide users with solutions that meet their business needs, they’ll usually just find a way to go around you,” says Margaret McDonald, information security manager at Getty Images.

That example demonstrates a co-operation between IT and the business that the thorny issue of IM usage has struggled to generate elsewhere. When executives at systems integration giant EDS, for example, issued a ban on employees using IM in May 2002, they expected some resistance. They did not, however, anticipate the furious backlash that occurred.

Employees responded to the ban immediately and vociferously. Instant messaging, they argued, was critical to communication and collaboration at EDS, both internally and with clients. Globally dispersed software teams used it as they co-developed programmes; client services managers used it to negotiate service level agreements with outsourcing customers; support staff used it to advise colleagues and clients at remote sites on technical issues.

EDS’s management was forced to back down and revoke the ban, despite perfectly legitimate fears that IM usage left the company vulnerable to infection by computer viruses. Instead, it hurriedly began to search for IM software that met its stringent security standards.

Many companies have found themselves in similar situations over the past three years. Since the mid-1990s, tens of millions of consumers worldwide have adopted IM. That take-up has gradually filtered into the work place: according to IT industry research company Meta Group, IM users in the enterprise will grow from 12 million in 2002 to 95 million users by 2007.

Others, however, recognise it as a valuable tool for real-time collaboration and information sharing between employees. More importantly, they recognise that take-up of IM is happening at their companies, whether they are prepared to support it or not.

For end users, the advantages of IM over other communications and knowledge-sharing mediums are clear, according to a recent Meta Group survey of 300 individuals from companies worldwide.

The findings suggest that IM offers a number of benefits: efficiency (including faster response than e-mail, rapid problem resolution and multitasking); presence (the ability to see if someone is online and available for discussion); and cost savings (through a reduction in the use of long-distance telephone calls).

However, because of IM’s origins as a consumer medium, it is still treated with suspicion by many IT managers, who cite as problems a lack of corporate control over the medium and the risk of security breaches.

In response, a number of IT suppliers (including IBM Lotus, Sun Microsystems, Microsoft and Yahoo, as well as smaller specialists such as Jabber and Gordano) have released ‘enterprise IM’ products that offer policy-based rules, logging, archiving and encryption capabilities to address those concerns. However, the cost of these packages – which averages between $15 and $25 per user, per year, say Meta Group analysts – deters some companies from implementing them. As a result, their employees continue to use public IM networks such as AOL, MSN and Yahoo! to send and receive business information.

That, says Forrester Research analyst Nate Root, has created a “ticking timebomb” at many companies worldwide. “They need to wake up and realise that unchecked IM usage creates problems,” he says.

The reasons for that are technical: in essence, consumer IM is a peer-to-peer technology, meaning that there is no central point at which the content can be vetted, no real user authentication and no means of archiving it except on individual users’ PCs. Enterprise IM vendors, by contrast, have attempted to redress these shortcomings in packages that monitor, manage and archive instant messages – and, where required, limit IM usage to internal conversations only or with a limited network of trusted partners.

Among the problems created by unchecked IM use is legal and regulatory liability, as rules on document and e-mail retention increasingly apply also to IM. In the US, for example, the Securities and Exchange Commission has required members to record and log all IM communications in a fixed format for at least two years. Other industries worldwide are expected to follow suit.

“Huge standards of governance need to be met and organisations need to realise that they will be called upon to produce audited records of instant messages,” says Neil Laver, head at Microsoft UK of the Real-Time Communication (RTC) product, which integrates multiple real-time communications modes – including IM, voice, video, and access-to-voice conferencing and web conferencing – in a single application. Enterprise IM products address these pressures by logging messages and enforcing conversation barriers between parties, such as brokers and analysts.

Security is another challenge: IM can leave a company exposed to viruses. In November 2004, for example, Microsoft’s MSN network was attacked by another in a long line of IM-borne ‘worms’, dubbed Funner. “Although it caused widespread IT headaches, Funner wasn’t close to how bad IM viruses will get,” says Root.

“Imagine, for example, an IM worm that spreads automatically, rather than requiring users to execute an attachment, as Funner did. Imagine further that, instead of only linking the user to pornographic web sites, as Funner did, the new worm corrupted operating system files. Cleaning up after such a virus could cost a single organisation millions,” he says. His advice? “Implement an enterprise IM service that enforces mandatory virus scans and limits incoming traffic to messages from trusted parties.”

A third challenge is the cost of supporting consumer IM in the enterprise. “Although most employees that use IM today use public IM clients that they have downloaded themselves, they don’t call AOL or Yahoo! when they have problems – they call the IT help desk,” says Root.

A mix of different IM clients and versions is difficult and costly to support, and companies that attempt to pull the plug on IM usage by blocking traffic at the firewall face the equally daunting support task of keeping up with constant IM protocol changes and new IM clients that are smart enough to hunt for ports that IT hasn’t yet shut off.

By standardising on a single, enterprise IM client that offers maintenance-free blocking of unsanctioned IM traffic, the IT department can do much to tackle these costs.

Comprehensive policy

The case for enterprise IM is fairly clear, then, for many companies where it is already being used successfully (albeit over public networks) for knowledge-sharing and collaboration. The technology, however, should never be implemented before a company has worked out a comprehensive policy on IM usage, experts warn. Meta Group’s survey, for example, found that, of the 61 per cent of respondents that said that they used IM at work, 57 per cent said that they used IM to send and receive personal (non-business) messages.

That may be acceptable at some companies. At others, however, it may not – so companies need to decide, as many have already done with corporate e-mail, how employees will be allowed to use IM. “This is a substantial education process at many companies, whose first response is to ban IM and then try to figure out where it can go from there,” says Stuart McRae, WorkPlace strategist at IBM. “Where employees are using IM to create wealth for your business, you would be mad to ban it. But you have to decide how it should and should not be used,” agrees Lisa Kirman, sales and marketing director at IM specialist Gordano.

Most companies lack that kind of policy, according to Root of Forrester. Before shopping for technology, he advises, they need to convene a summit of legal representatives, records management policy owners and financial compliance experts in order “to document information usage policies that comply with the letter of the law”.

In order to be effective, those policies should describe what IM should be used for (this involves outlining in detail sanctioned business activities), what it should not be used for (unacceptable use), which messages should be kept and which disposed of (retention policy), and what IM technology should be used (the preferred IM system, standardised across the company).

“It’s critical to provide guidelines,” says Laver of Microsoft. “At the very least, you have a duty to make employees aware that discussions carried out over IM are recorded and stored.”

So far, however, companies have made slow progress in both implementing enterprise IM technology and formulating policies, warns Tzirimis of Meta Group. “In our research, 84 per cent of small-sized companies and 71 per cent of mid-size companies lack a private enterprise-level IM solution, so there is plenty of reason for concern. Larger organisations appear to understand the dangers of unsanctioned IM use and have the financial resources to implement an IM solution, but more need to do so soon given the rapidly increasing penetration of this technology.”

Enterprise IM shopping list

Enterprise instant messaging technology enables companies to monitor and manage the flow of instant messages in, out and around their companies. In particular, prospective customers should look for three features in an enterprise IM: user authentication; encryption; and archiving.

USER AUTHENTICATION

User authentication is vital if IM is to be considered a secure environment for collaborating with colleagues and customers, says Stuart McRae, WorkPlace strategist at IBM. “If I receive an instant message that appears to have been sent to me by [IBM CEO] Sam Palmisano, I need to be very, very sure it really is from him and not just someone that has set up an IM account in that name on a public IM network,” he says.

A big differentiator of enterprise IM products is their use of a central directory for authentication: either an existing corporate directory such as NT Directory (Microsoft), LDAP (Lightweight Directory Access Protocol) or Notes Address Book (IBM/Lotus), or a proprietary authentication service that is provided with the IM package.

ENCRYPTION

Encryption technology, meanwhile, ensures that the content of messages cannot be intercepted and read by unauthorised personnel or, even worse, hackers as the messages pass across the internet. Most enterprise IM products, including SameTime, MindAlign, Jabber and Groove Deskspace, provide encryption options. WiredRed Software’s e/pop, an IM conferencing system, offers higher-level RSA security.

“The public IM networks simply cannot offer appropriate levels of protection from snooping for valuable corporate information,” says Lisa Kirman, sales and marketing director at IM specialist Gordano. “You can have every security in place internally, but once corporate information is outside the firewall, it’s very much out of your control and vulnerable to unauthorised access,” she points out.

ARCHIVING

Most enterprise IM products offer functionality for automatically storing content into a searchable format, while also providing the user with a display of their most recent messages whenever they re-visit a channel. “An instant message will frequently contain information that makes it a vital record of a business transaction. It needs to be kept just like any other record and it needs to just as easily be retrieved on demand,” says Neil Laver, head of the RTC product at Microsoft UK.

Copyright ©1994-2008 Ark Group Ltd All rights reserved. No part of this site or the publications described herein
may be reproduced in any form without the permission of Ark Conferences Ltd, Registered in England, No. 2931372.