Instant Messaging (IM) has quietly crept in behind the corporate firewall as employees responding to different pressures – personal or business – install popular IM clients to chat with colleagues, partners, and customers, and even friends and family. Research shows that over 90% of enterprises have IM within the enterprise and employees are responsible for nearly three-quarters of those. That is, in most cases, use of IM exists in a non-sanctioned or quasi-sanctioned continuum, as IS/LOB managers are reluctant to come down hard on their troops, seeing tremendous communication advantages in time-sensitive transactional plays. In others, there is sufficient unease to justify taking the other extreme of a total lockdown on IM use, citing regulatory and security concerns, risks of leakage of confidential and sensitive data, loss of productivity, as well as the possibility of opening an unsecured channel for viruses to establish a beachhead into the corporate network. Both approaches are at best near-sighted.
What is happening out there?
IM, like the web ten years ago, is on the fast track to becoming an integral part of corporate communication and, broadly speaking, management reaction is pretty much a replay of both the laissez-faire and draconian stances that were the norm in those days. It is no longer a matter of how to limit use through technological controls but how the business and IT departments can recognize the core benefits that instant messaging brings and balance these benefits against security and privacy concerns.
Nearly everyone on the internet has an instant messaging account. Employees responding to day-to-day business pressures invite colleagues, partners, and customers to sign up and communicate via IM to facilitate quick and easy access to each other. In some instances, employees are compelled to join an IM network due to customers who use it as their preferred mode of communication. The appeal of instantly knowing the availability of any of their contacts is hard to resist.
This is further exacerbated by the fact that users may need to sign in to as many as three or four different IM networks to stay in touch with their entire constellation of contacts, e.g., Joe may have a customer on Yahoo! Messenger, another on Google Talk, partners on MSN Messenger, and colleagues on AOL Instant Messenger (AIM). Chatting with any of the contacts would require signing into each chat client, often simultaneously. This can be alleviated to some extent by using a multi-protocol chat client (like Trillian) that consolidates all the different IM clients into a single window.
On the positive side, IM can and does deliver tangible benefits. Research shows savings of 15-40% in voicemail minutes, email traffic and phone bills due to the use of IM. Communications that may seem too intrusive over phone and too short for email can be quickly initiated and disposed of. Meetings between a scattered team can be quickly organized by initiating a group IM conference to confirm everyone’s availability before posting the event to the calendar, making the meeting organizer’s life simpler and more productive. This can even be extended to dispense with face-to-face meetings and conduct the entire meeting over IM using a combination of text, application sharing, voice and video if supported by the client and network infrastructure.
Risks & Challenges
The above benefits, however, can be virtually nullified if adequate measures are not taken to eliminate or mitigate both the technical and business risks.
For the network administrator, public IM is a nightmare. The proliferation of chat clients means more ports and protocols that need administration. Notwithstanding the problems with supporting non-standard desktops, many of the protocols don’t interoperate, making for wasted help desk minutes as the support engineer patiently explains (ideally!) to the user that you cannot invite contacts on Yahoo and Google Talk into a single IM conference. The constant threat of SPIM (Spam over IM) messages with a virus payload negates the assurance of security within the firewall. Communication over the public cloud is relatively insecure, and even communication between two colleagues within the network runs the risk of being spoofed and sniffed as their IM messages are routed through the public IM provider’s servers.
The LOB Manager, while loath to sacrifice the benefits of faster communication, worries about the lack of regulatory compliance with records retention and privacy policies, leakage and loss of intellectual property, inappropriate use of IM that can lead to ugly lawsuits, and productivity loss, among other things.
Obviously the way forward is to provide a secure environment that will, on the one hand, enable employees to take advantage of IM’s benefits while allaying the fears and concerns of the IS/LOB managers.
The first step is to regain control of the user desktop: the IM jungle needs to be brought to heel. Establish formal policies that govern the use of IM – a Dos and Don’ts list that sends a clear signal to the user population on what is acceptable and unacceptable behavior on the IM network. IM should no longer bypass the corporate firewall and neither should users be permitted to install ad hoc IM clients.
Deploy a flexible and dependable enterprise solution that, at first, will IM-enable employees within the intranet as well as the extranet. The enterprise IM client will connect colleagues in a secure environment. Extending beyond the corporate network, the enterprise IM solution should support robust interoperability with the public IM networks as well as other IM servers. Server-to-server federation will allow secure communication with partners, vendors and customers (you may need to use gateway solutions/plug-ins to cross the ‘compatibility bridge’). Many enterprise IM solutions vendors have signed interoperability agreements with public IM providers (AOL, Yahoo, MSN, Google Talk, etc.), ensuring seamless connectivity with your contacts on any of these networks.
Integrate the IM users with the LDAP Directory to make administration – provisioning, management and access control – simpler and more cost-effective. Centrally manage the rights of what users and user groups can and can’t do with IM.
Establish a message retention and archival policy that is in line with regulatory compliance requirements. An additional benefit of message logging and archival is that it will tend to curb inappropriate behavior.
Where required and possible, use encryption, especially for sensitive chats.
Establish a naming convention for user names that will enable chat recipients to clearly identify the source and reinforce the corporate brand. Prevent use of personalized screen names that obscure the corporate identity of the user and may prove culturally offensive to the recipient, especially when dealing with international contacts.
IM is becoming embedded into the business community psyche as a facilitator of agile, instant and disposable communication. Significant risks exist in its adoption as a business communication tool. While it may seem far-fetched, it lives within the realm of probability that enterprises can lose business from customers who cite the lack of an IM infrastructure. It is no longer a question of whether IM should be allowed or not but how. A policy-based, risk-assessed approach to deploying an enterprise IM solution should be taken to reap the benefits while minimizing the dangers of unregulated IM use within the corporate network.