Instant messaging can bring both great business benefit and far greater risks to your network systems, says John Korsak
The use of instant messaging (IM) as a means of business communication has been growing rapidly in companies of all sizes around the world. Analysts predict that within just four years, there will be hundreds of millions of corporate IM users globally. Imagine the numbers ten years from now.
Until recently, instant messaging in business was proliferated through the familiar, free consumer products we have all used to communicate with family and friends. Now, employees are also enlisting it for relevant business uses. It is one more form of communication that can increase efficiency and productivity, while at the same time create a number of IT security problems for businesses.
Why you should be concerned
Many problems plague users of free, consumer IM products. Service interruptions occur with free IM services, which affects productivity. Many IM services generate network traffic as unencrypted text, open to skilled hackers who can intercept messages during transmission. A virus-infected file attached to an instant message will not be detected by virus scanners until it reaches the desktop. Most IM services use a ‘deliver and forget’ methodology, making tracking and archiving impossible.
It is obvious that the quick growth of IM usage in the business world has occurred without the involvement of IT departments. Without their sanction, IM has simply spread with few security protocols or policies accompanying it. Now, with the promise of ubiquitous corporate IM, associated security issues are fast becoming a major concern of IT managers.
Balancing security and convenience
Free consumer IM products allow anyone to create a user account, simply by creating a username and password. There is no way to verify who that individual is. That person can begin communicating with other IM users in a corporate environment and obtain confidential information with relative ease. As with other forms of business communication that may be confidential, private or otherwise sensitive, the main issue for IT is maintaining control and ensuring security.
While it is important to provide flexible means for employees to get work done, companies are increasingly concerned with balancing speed, convenience and productivity with the ability to monitor network traffic, to encrypt sensitive information so it does not wind up in the wrong hands, and to adhere to privacy and security regulations imposed by the corporation itself or by industry best practices guidelines. Corporate IT departments need IM solutions that enable free-flowing communications, but with security and control checkpoints firmly in place.
The need to ensure security has spawned a number of IM client-server solutions designed for corporate use. With these solutions, it is possible for IT to keep IM communications encrypted behind the corporate firewall, rather than allow these messages to travel unencrypted over the internet where hackers or other malicious eavesdroppers can listen in on conversations.
When considering corporate IM, there are four categories of communication to be concerned about: user credentials (name and password); text messages; file transfers or attachments; and presence information.
Keeping in control
When sensitive company, customer, financial or employee data is being shared via IM, it is important to be able to create and control user accounts, log conversations, and ensure the communications are encrypted and not passing from client to client, but rather from client to server to client. In some industries, such as health care and finance, it is actually required. It is also useful to be able to limit the size of text messages and attachments so as not to consume huge amounts of bandwidth.
Other features not necessary in consumer products, such as the ability to provide a conversation history for individuals joining a discussion or the ability to send group messages, become desirable in corporate IM solutions. Enhanced functionality implies increased management and security needs. Central control by the IT department becomes a necessity and an advantage to ensuring productive use of IM within the corporation.
Corporate instant messaging is in its early growth phase. Standards have emerged, but no single one has been accepted, and companies are just beginning to establish guidelines for the use of IM. It is inevitable that policies and standards will emerge, just as they have for email communications. In the meantime, however, companies need to keep pace with the myriad of ways that people want to communicate, and need to ensure the security of those communications as a top priority.
John Korsak is product marketing manager for Ipswitch, Inc. (www.ipswitch.com).