
How to manage SMS, IM and protect your company

Text messaging, or SMS, may be a simplified way of communicating. But, if left unmanaged, it could become a nightmare for IT.

Even if you can decipher something like "b gr8 2 c u 2m" (loosely translated as "It will be great to see you tomorrow"), do you know what is really being said in all those text-based messages employees are punching into their cell phones? For that matter, do you have a handle on instant messaging in general in your organization? If you answer "no" to either question, you aren't alone.

Introduced almost a decade ago, the two messaging formats, instant messaging (IM) and Short Message Service (SMS), or text messaging, are conversational in tone and link the cell-based text world with the IP-based instant messaging environment. Both formats also entered the corporate world without the blessing of IT and network managers, and both have the potential to circumvent information security systems.

"Instant messaging clearly presents major challenges, and people aren't even starting to address SMS," said Ted Ritter, a research analyst at Nemertes Research Group Inc. If users transmit or receive confidential company information or any content that could factor into a legal action, "they are exposing the company to potential issues," he said. And IM and SMS communications typically aren't archived, even as call records, for future retrieval in response to a lawsuit or regulatory actions.

Ritter said even people who aren't actively participating in SMS messaging may find themselves receiving text messages through clients such as Research In Motion Ltd.'s BlackBerry, as well as standard cell phones.

Watch for SMS to present even more of a challenge in the future. It has not only gained popularity in the experienced U.S. workforce, but it may also be a staple of life for the future workers who are of college and high school age today and for all age groups in Europe and Asia. Research firm IDC estimates that there were 102 million SMS subscribers in the U.S. in 2006 -- one third of them business users -- with that total expected to reach 184 million subscribers in 2011. However, the number of messages sent will climb even faster, according to IDC, growing from 157 billion in 2006 to 512 billion in 2011.

CIOs and their staffs have to stay ahead of that wave, Ritter said. "The whole issue is electronic information. Once it's in electronic format it's discoverable, and IT needs to be dealing with it on the front end, not the back end."

Experts offer their suggestions on what IT professionals need to do to protect their companies from messaging misconduct.

Craig Mathias, principal of Farpoint Group, a consultancy, said that even though IT is already pressed to its limits with other projects, it must acknowledge that IM and SMS are out there and will have to be managed. However, adequate SMS, IM management and auditing tools may be five years away. So he tells clients to ban IM for now, and take control of SMS by buying and managing cell phones for employees. "Discourage your users from using instant messaging, and don't buy them an instant messaging plan or SMS plan on their cellular network. As a matter of policy, force everyone to use email," he said.

By purchasing phones for those who need phones for business, companies can control which applications are available, and can shut down lost phones.

Ritter said many companies are banning what is commonly called "public IM," the free downloads from America Online, Yahoo Inc. and others, as well as the instant messaging-like capabilities in about 100 other applications, such as Facebook. Those companies are replacing public IM with enterprise-class IM systems that feature archiving capabilities but also restrict IM communications to company employees or approved third parties.

For employees accustomed to unlimited messaging access, a hamstrung version of IM or an SMS-less cell phone may seem unjust. Ritter and Mathias agree that it is crucial that messaging policies be carefully thought out and communicated.

Ritter said IT must first identify where messaging is being used -- and why -- to identify areas for corporate exposure. Then, if there is a danger of confidential information being mishandled, IT should work with the corporate legal department or compliance office to define new policies. "It comes down to the exposure to the corporation and trying to get people to be accountable for their role in the company culture. It has to start with education," Ritter said.

Mathias added, "Whenever you communicate a policy, there are several ways you can do it. One is to say, 'If you do something wrong we'll fire you.' The other is to say, 'We don't want to use this technology because it doesn't create an audit trail, which we need for industry reasons and internal control reasons. And, it's not secure, and we have to make sure that all of our information is properly managed.' If you explain it nicely up front, most people will deal with that."

James M. Connolly is a contributing writer based in Norwood, Mass. Write to him at
