IM Confidential

Love it or hate it, instant messaging has potential for security problems. Here’s how to avoid them. By Jennifer McAdams

Celebrity tabloid headlines would scream if the Screen Actors Guild-Producers Pension and Health Plans (SAGPH) suffered an instant messaging breach that spilled sensitive medical information about the nation’s biggest stars. So, like many other organizations, this benefits provider enforces rules to prevent IM from jeopardizing its data security.

Aside from the bulk of financial services corporations, most companies aren’t totally shutting employees out of IM communication in the workplace. In fact, in an exclusive Computerworld survey of 113 IT managers, 40% said their companies use instant messaging as a sanctioned form of interoffice or intercompany communication.

But while companies are recognizing a plethora of legitimate business uses for the technology, many are moving slowly to incorporate security technologies that drastically reduce IM risks like spyware, virus infiltration, phishing and data compromise — the same vulnerabilities often associated with e-mail. In fact, in a February survey of 192 IT executives by Enterprise Strategy Group Inc., nearly 30% of respondents said they hadn’t deployed any IM security technology.

The Pain of Progress

Upfront recognition of IM as a powerful business tool also requires upfront employee accountability for its use. Companies embracing corporate IM are controlling its use through guidelines and policies, and IT executives are sorting through a variety of security technologies, such as URL filters, proxy servers, firewalls and stand-alone IM security tools.

“Very few companies can ban IM usage outright,” says Peter Firstbrook, an analyst at Gartner Inc. “It has simply become too valuable a communication tool. However, some enterprises are restricting both the type of IM network employees use and advanced features such as file transfers and gaming.”

They may be reluctant to curb or ban IM, but companies expect their employees to behave appropriately, says Kevin Donnellan, SAGPH’s assistant CIO. “The most important action enterprises can take in controlling instant messaging use is to ensure employees are using it under prescribed guidelines,” he says.

SAGPH relies on Symantec Corp.’s IM Manager to enforce usage policies. IM Manager provides security and archiving capabilities for several IM functions, such as text messaging, and application and file sharing — including audio and video swaps, which have become common in IM exchanges. SAGPH and other health care organizations must also contend with IM-related compliance and data retention requirements of major statutes such as the Health Insurance Portability and Accountability Act.

Too Risky

Meanwhile, another heavily regulated sector has looked long and hard at IM and still isn’t convinced that it’s worth the risk. “The financial services industry has had to focus on this area for a few years now because Securities and Exchange Commission regulations require retention of IM communications for three years,” says Richard Wolf, managing partner at Lexakos LLC, a West Orange, N.J.-based business advisory firm that specializes in compliance and records management.

SEC oversight and those hefty regulations factored heavily into an IM ban at First National Bank of Bosque County in Valley Mills, Texas. “We looked at all the benefits and risks and decided some time ago that the risk far outweighs any benefits we might realize,” says Brent Rickels, a vice president at the bank. “E-mail can do many of the things that IM can accomplish, and there is just too much opportunity for information to leave the institution without approval.”

It seems that organizations either love or hate the idea of IM. “Companies are taking one of two approaches. Either they’re embracing the technology and installing IM-centric security devices, such as proxy servers, or they’re banning IM in the enterprise altogether,” says Robert Hoffer, managing director at San Mateo, Calif.-based NewForth Partners LLC.

The mergers-and-acquisitions advisory services firm relies on IM extensively. “We use IM to manage all of our software engineers in Thailand, Russia and India,” Hoffer says.

Along with using IM internally, NewForth advises and educates clients on the business case for IM. Hoffer offers some tactical advice to companies poised to formally invite IM into the organization. “Purchase an IM proxy server that can be scaled to your needs quickly,” he suggests. “Make sure that your proxy server vendor supports multiple IM networks’ native protocols for file transfer. Always keep in mind that IM is supposed to be ‘instant messaging,’ so don’t implement solutions that try to wrap in e-mail-type interfaces around IM. Let IM be what it is.”

While companies such as NewForth are at peace with IM, Atlanta-based Royal Food Service Co. is among those resolutely opposed to it. “We don’t allow IM at all in our organization,” says Jerry Maze, CIO at the supplier of produce and dairy products. “In addition to the security concerns, we feel IM allows employees to waste a lot of time. We don’t feel it serves any purpose that e-mail can’t serve in our industry.”

Royal uses San Mateo-based ScanSafe Inc.’s IM Security-as-a-Service offering to shut out IM use in the organization. Businesses less opposed to internal IM use, however, can use ScanSafe's managed IM service to help fight threats such as spam for IM, or “spim.” Like many other IM security products and services now on the market, the ScanSafe service also fortifies accountability by linking screen names to employees.

Vendors selling IM security appliances include Akonix Systems Inc., FaceTime Communications Inc. and iAnywhere Solutions Inc. Meanwhile, some software providers are offering IM security and management services in enterprise suites, such as IBM Lotus Sametime. In addition, some security vendors, such as SonicWall Inc., are incorporating IM control functions in content-security offerings.

Despite the wealth of security technologies now available, IM is still a communications medium that not everyone has embraced. “I find IM very intrusive myself,” Maze acknowledges.

Hence, enterprise IT executives poised to sanction internal IM use will likely find themselves contending with the strong convictions of company officials and regulatory realities that can make it a tough decision.

IM Nation

Does your company use instant messaging as a sanctioned form of interoffice or intercompany communication?
 Yes 40%
 No 53%
 Don't know/not sure 7%

Base = 113 IT managers

Business Basics

What type of IM product does your company use?
 A business-specific package 58%
 One of the popular AIM/Yahoo types 42%

Base = The 45 respondents who said their company uses IM

Half On-board

Does your company have a policy that covers employees' use of instant messaging?
 Yes 51%
 No 31%
 Don't know/not sure 18%

Base = The 45 respondents who said their companies use IM

McAdams is a freelance writer in Vienna, Va. Contact her at

Copyright © 2007 IDG Communications, Inc.