'Unsecured Instant Messaging' - Are You Leaving the Backdoor Unlocked?
Dan Schutte
By now almost everyone has heard of Instant Messaging or IM. Depending on your generation, you either are an avid user or your children use it. What started out as a social networking tool for adolescents on the home computer is now gaining recognition in the office environment as an alternative communication tool. Do you know all of the capabilities and risks of this casual tool?
Instant Messaging use has merit: it is quick, direct and conversational, like a phone conversation, yet you can still multi-process; it supports group talk, with several people in one conversation or session; and accounts and usage are typically free via the major providers (MSN, Yahoo, AOL).
Since it is often not formally implemented by the company as a work tool, it is considered personal and lacks oversight. Many employers do not even have a written usage policy in HR. IT views it as one less area to monitor and support. Here is where the problems can begin.
Two factors every employer needs to consider if you opt to ignore IM in your workplace:
With the recent Supreme Court clarification on e-discovery rules, responsibility and accountability for workplace behaviour lies with the employer. Any digital data stream that occurs on a company asset (e.g. workstation, laptop) is subject to review and retrieval upon request. The history span covered is usually three to seven years, depending on your industry's compliance initiatives (e.g. SOX, HIPAA, NASD, etc.). An employer needs to show reasonable efforts to manage the entire corporate network. A company also needs the capability to produce specified content reports and dialogues on requested employee(s) over a given time period. Typically the courts allow up to thirty days to comply. Failure to deliver has shown favor to the plaintiff in recent cases, and in some rulings punitive fines for non-delivery were rendered as well. That's the legal consequence, and it can be a daunting enough reason to take measures for controlling IM.
IM technology has also become more versatile, and is continuing to evolve. You can still chat with your friends as originally designed. However, did you know you can also play interactive games, gamble, watch videos, draw on whiteboards, video chat or transfer files of all sizes? All of this activity is outside the network's scrutiny - 'under the radar' - with no record of activity. This is becoming a preferred way of passing along new viruses, malware and worms.
Left unchecked, at minimum it will cost you productivity and bandwidth. It can become a conduit for losing Intellectual Property, attracting viruses, sexual harassment, litigation or more. Your company could be in line for a PR nightmare and costly litigation.
A common reaction for a company is to 'shut it down and do not allow any IM'. Are you sure? We had a large prospect that was positive no personal IM took place on their corporate network due to controls they put in place. They allowed us to monitor (look only) their network environment for one week with our systems. We counted 1.6 million unsanctioned messages that crossed their network, unchecked and untracked.
Instant Messaging is not coming - it's here. The laws now say we need to manage the technology the same as we do for email.
Dan Schutte is the owner of Enclave Data Solutions, http://enclavedata.com, specializing in messaging security, content filtering, anti-spam software, email/IM archival and compliance. Visit our website to read actual Case Studies of how companies have successfully protected their data network and met compliance requirements. Free trials and downloads are available on all of our products to assess the vulnerability of your data environments. Please feel free to republish this article provided a working hyperlink remains to our site.







