Move over e-mail, IM is the new workplace threat

In the mid-1990s, corporate management feared that the arrival of e-mail in the workplace would bring with it a horrendous amount of employee time-wasting; while it did increase efficiency, it was feared that productivity would suffer. By and large, though, it proved to be one of the most effective business tools in use today.

With e-mail widely recognised as an extremely positive business tool, the world is now looking to more rapid means of communication among employees, friends and family.

The world is turning to Instant Messaging (IM), which represents a similar, but all the more "instant," and rogue form of communication.

What is IM?

Instant messaging is an Internet chat-like application that is used to engage in "live," user-to-user conversation via a PC. AOL, MSN and Yahoo! each offer free, public IM applications that can be quickly downloaded and set up with any Internet connection. These public IM applications give users the ability to see whether a chosen friend or colleague is connected to the Internet, and enable them to exchange messages and files without delay.

The benefits of IM over ordinary e-mail are easily recognised, offering immediacy of message exchanges. And in addition to just sending straightforward text communication back and forth, today's newer IM services allow for things like voice messaging, online gaming, video conferencing, group IM and file sharing.

In order for IM to work, users on both ends must be online at the same time, and the intended recipient must be willing to accept instant messages (a configuration option). Like e-mail, the IM communication travels through a specified port in order to enter and leave the data network and reach its intended recipients.

So, does this make IM a bigger threat than e-mail to companies?

What's the harm with IM?
In many ways, network security is like airport security, in that there are multiple threats and each needs a specific security measure to tackle it. But IM, like a ban on sharp objects in hand luggage, needs to be understood as a legitimate threat and dealt with accordingly.

With e-mail, fears were originally rife about the potential loss of productivity it could cause. But companies soon realised that IM communication could cause productivity disruptions, while also serving as a carrier of proprietary information to the outside world. Whereas some relatively simple controls and security could be enforced upon e-mail, Instant Messaging is software's equivalent of a free spirit, popping up without warning on desktop PCs and allowing staff to potentially spend hours at the "virtual water-cooler" chatting with friends and colleagues without their managers knowing.

IM represents a far greater security threat than e-mail. Its use has become rampant on corporate networks, and it's going unnoticed by corporate IT managers.

How?
Public IM applications evade the typical controls associated with network security. While network administrators believe they can block the use of IM by blocking its native, or dedicated IM port, public IM applications cleverly hop to other open access points in and out of the network, often via the same port that allows users to access Web pages - port 80. This lack of control has created a gaping hole in the security infrastructure.

Shhhh I've got a secret
Primarily, there is the inclination that corporate management should be concerned about the loss of personnel productivity associated with using IM. A recent UK research project reported more than 80 percent of IM users admitted to non-business chatting.

While controls on phone and e-mail usage have helped alleviate unproductive communication, IM poses an even greater productivity risk, as it cannot be overheard. The real-time nature of IM traps users into having the 'virtual water-cooler' conversation, a conversation that is difficult to monitor because of IM's agility in the network.

The ability to chat with anyone at anytime also raises the issue of compliance. As IM traffic itself is often not monitored, employees could make commitments and enter into communication on behalf of a business that goes unrecorded or unchecked. Confidential company documents might be shared over IM and be sent out of the organisation completely unmonitored, causing the company great liability risks.

As an example, take a disgruntled finance manager of a publicly traded company who gets an early look at the company's quarterly results. As part of his or her retribution, the employee decides to voice the displeasure to an outsider, and share the results. Could make for a messy situation.

But it's not just the liability and the conversation that puts companies at risk. Let's not forget that IM applications can send files and links to Web sites. IM conversations passing in and out of the network can also serve as a carrier of virus-infected files and links to malicious code and scripts on Web sites.

Log it, manage it, control it
With all the possibly dangerous effects of IM, the first instinct of many would be simple - just block it. However, for many, IM has already been recognised as an excellent tool for enhancing employee productivity, eliciting faster replies than e-mail. Equally, it can be a useful way of communicating rapidly with important customers and partners who want immediate responses.

The key is to put effective controls in place at a level that is appropriate to the organisation. A tool that can provide these controls, yet be modified based on user groups and evolving business circumstances, is a must. For many companies, blanket usage policies are simply overly restrictive. Technologies are being developed today that allow controls to be imposed upon IM usage, but which can support granular policies so controls can be tailored to the individual employee or department depending on job function.

Granular policy tools will enable IT managers to take complete control over all IM activity in the organisation. Some new solutions on the market provide control over IM, allow specific users to run IM, and define groups that can communicate using IM. To further ensure that only appropriate messages leave an organisation, there are products that will log the entire IM conversation. Additionally, network administrators now have the power to allow and deny specific aspects of IM, such as permitting text and denying file transfers. Management alerts can even be raised on specific key words within the transfer.
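
The granular controls described above (per-group permission to run IM, permitted peer groups, text allowed but file transfers denied, full logging and keyword alerts), sketched as an added example that is not part of the original article or any vendor's product. All user names, groups, keywords, ports and events are constructed, and the traffic is assumed to have been identified as IM by an upstream component regardless of the port it used.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    allow_im: bool
    features: frozenset = frozenset()     # IM features the group may use
    peer_groups: frozenset = frozenset()  # groups it may communicate with

# Constructed sample policy: all names and groups are hypothetical.
POLICIES = {
    "sales": Policy(True, frozenset({"text", "file"}), frozenset({"sales", "customers"})),
    "finance": Policy(True, frozenset({"text"}), frozenset({"finance"})),
}
NO_IM = Policy(False)  # default for users outside any IM-enabled group
USER_GROUP = {"alice": "sales", "bob": "finance", "carol": "finance"}
ALERT_WORDS = re.compile(r"quarterly results|confidential", re.IGNORECASE)

def evaluate(event, log):
    """Decide one IM event, log it in full, and return (decision, alerts)."""
    policy = POLICIES.get(USER_GROUP.get(event["user"]), NO_IM)
    if not policy.allow_im:
        decision = "deny: user not permitted to run IM"
    elif event["peer_group"] not in policy.peer_groups:
        decision = "deny: peer group not permitted"
    elif event["feature"] not in policy.features:
        decision = "deny: feature not permitted"
    else:
        decision = "allow"
    # Keyword alerts fire whether or not the message was allowed.
    alerts = sorted({m.lower() for m in ALERT_WORDS.findall(event["body"])})
    log.append({**event, "decision": decision, "alerts": alerts})
    return decision, alerts

# Constructed events. dst_port is logged but never consulted: the traffic is
# assumed to be identified as IM upstream, so port 80 gets no special pass.
EVENTS = [
    {"user": "alice", "peer_group": "customers", "feature": "text", "dst_port": 5190, "body": "Quote on its way"},
    {"user": "bob", "peer_group": "finance", "feature": "file", "dst_port": 80, "body": "q3.xls"},
    {"user": "bob", "peer_group": "external", "feature": "text", "dst_port": 80, "body": "Early look at the Quarterly Results"},
    {"user": "dave", "peer_group": "external", "feature": "text", "dst_port": 80, "body": "lunch?"},
    {"user": "carol", "peer_group": "finance", "feature": "text", "dst_port": 80, "body": "confidential draft"},
]

def run(events=EVENTS):
    log = []
    for event in events:
        evaluate(event, log)
    return log

if __name__ == "__main__":
    for entry in run():
        print(entry["user"], entry["dst_port"], entry["decision"], entry["alerts"])
```

Because the decision keys on user, peer group and feature rather than on port, the events arriving over port 80 are judged by the same rules as the one on a dedicated port, and every event is logged whether it was allowed or denied.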

IM is a relatively new phenomenon, and its business benefits have yet to be fully explored. It does pose a risk both to productivity and enterprise security, but companies today are becoming empowered with tools to take control over it, rather than ban it. Like e-mail, the proper management and control can turn IM into a truly useful business tool, while negating the associated risks.

Acknowledgement - Nigel Hawthorn is European Marketing Director of Blue Coat Systems (www.bluecoat.com). Blue Coat is the overall market leader in Secure Content Management Appliances with 33% market share (source IDC July 2003).


