CIOs need to raise awareness of the security, compliance and liability risks that businesses face when employees use instant messaging (IM) within a company.
Grass-roots adoption of IM is rampant in companies today. Employees are downloading public network IM clients from AOL, Yahoo, MSN and now Google, and using them extensively for business communication. Like it or not, IM can be a very useful business productivity tool.
The benefits of business use of IM are readily apparent, but so are the risks.
According to Osterman, IM can allow rogue protocols, worms, viruses and other threats into a network. Because IM buddies must be added to your buddy list, people on your buddy list who send you messages are assumed to be trusted. However, if one of your buddies becomes infected with a worm, for example, you could be tricked into opening that worm-generated message and possibly spread the worm to your buddy list.
Beyond the obvious security threats, IM presents other headaches to businesses.
Nancy Flynn, founder and executive director of the Columbus, Ohio-based ePolicy Institute, said workplace IM usage creates electronic business records just as email does. And those records must be retained for both compliance and liability reasons.
"A court makes no distinction between old-fashioned paper records or electronic records," Flynn said. "It's the content that counts, not the tool that created it. We have seen IM used as evidence in lawsuits already. It is not as prevalent as email right now, but it will be."
Many companies allow, even encourage, the use of IM. Those that don't invest in enterprise IM solutions simply allow their employees to download public network IM clients.
Keep it clean
Experts say that CIOs need to know if their employees are using IM. If so, CIOs should consider deploying IM "hygiene" technology, tools that can secure and archive IM.
Many IM "hygiene" vendors, such as Akonix, offer appliances that detect IM traffic passing through the perimeter of a company's firewall, inspect those IM messages for viruses and other malware, and archive them for compliance and liability protection.
Don Montgomery, vice president of marketing and customer support at San Diego, Calif.-based IM hygiene vendor Akonix Systems, said his company recently polled 300 companies about their use of IM.
"We found that 11% of companies surveyed had some sort of IM hygiene or security in place. Forty-six percent said it had never even occurred to them to think of it," Montgomery said.
The ePolicy Institute's Flynn said employers are challenged when it comes to dealing with email. "When you throw IM into the mix, things get even more challenging," she said.
Denial is a huge part of the problem, Flynn said. IT managers -- even human resources managers and compliance officers -- say there's a real disconnect between senior management's perception of IM and other emerging technologies and the use of those technologies by employees.
Eric Gruber, IT manager at Fandango, the Los Angeles, Calif.-based online seller of movie tickets and other events, said awareness of the security and compliance vulnerabilities among CIOs is high. Convincing the rest of the business of the necessity of an investment in IM hygiene is another matter.
Gruber said it's no secret that IM can create a lot of problems -- at least not among IT managers. But other departments are an entirely different story and aren't likely to see the value in investing in security products for IM until it's too late.
"If a big virus hits, that will bring it to the surface," he said. "It's one of those communications products overlooked for danger."
Gruber, whose company now uses Akonix's products for securing and archiving IM messages, said Fandango's CEO encouraged the use of IM as a communications tool early on. But IM security wasn't an early concern.
"My concern had been there since I'd been with the company," Gruber said. "Unfortunately, spending money to do something about it didn't occur until we had an issue with IM."
Gruber said an IM conversation among employees that "could have been deemed inappropriate by someone" was reported. But without any archiving of IM messages, there was no way to prove the conversation took place. This incident motivated Fandango to take action. But before it could actually deploy the product, the company was hit by a virus through AIM.
"It pretty much locked up any of the users of AIM in the company," he said. "It spread quickly."
Gruber said that CIOs who are looking at IM use in the company should first determine if there is a true business need for the technology in the company. "After you determine there is a business need, there is no going halfway with IM. Protect yourself 100% with something like Akonix, or realize that you're opening yourself up to attacks or abilities to have conversations that are not monitored where employees might be sharing trade secrets or other material that is not suitable to being discussed."