Instant Messaging Poses Significant Risks to Business


IM Rule # 4: Originally intended for home use, instant messaging poses significant risk to business users.

Instant messaging undeniably offers a broad range of features and capabilities that can enhance employee productivity and, for some organizations, help reduce the cost of doing business.

Equally true, however, is the fact that it exposes business to potentially costly risks that you just don’t experience when employees communicate with third parties via e-mail or the telephone.

Employers weighing the pros and cons of IM should bear in mind that the technology was originally intended for personal use. It therefore poses a broad range of potential risks to business users. The following are among the primary business, legal, and security challenges employers who are considering IM adoption must tackle.

Security Concerns: Instant Messaging Tops the List of IT Risks

In a 2003 article, instant messaging was identified by industry analyst Gartner as one of the top eleven security issues for 2003. [14]

According to a SurfControl survey of IT managers in the United Kingdom, 89 percent view IM as a serious risk to workplace security and productivity. Compounding the problem is the fact that 69 percent of users are unaware of IM risks. [15]

Instant messaging security challenges stem from the fact that the majority of corporate use takes place across public networks, which lack built-in safeguards against Trojan horses, worms, viruses, and other destructive and malicious intruders.

Unlike corporate e-mail systems, which typically use networks and servers controlled by the organization, consumer-grade IM moves outside the organization’s firewall, across public networks, and through servers controlled by AOL, Yahoo!, and Microsoft. This makes sensitive business information vulnerable to malicious hackers, cyberthieves, and eavesdroppers. It also opens the door to viruses and spam, or “spim.”

start sidebar
Real-Life E-Disaster Story:
Instant Messaging Viruses on the Rise

According to a Symantec “Internet Security Threat Report,” IM and peer-to-peer technology played a role in nineteen of the top fifty virus threats during the first half of 2003. That’s a 400 percent increase over 2002.

Symantec notes that viruses increasingly use IM as a supplement to e-mail and other channels of infection. A virus enters the system through e-mail and then spreads via IM clients that typically maintain contact lists, which can then be infected by a worm. [16]

The increase in IM-related security vulnerabilities should alert business users of the need to invest in reliable IM management and security solutions that include up-to-date antivirus software.

end sidebar

Employers who allow IM use must be sure they have in place a secure IM solution. The consumer-grade IM products that most employees have adopted on an ad hoc basis are not appropriate for business use without an investment in technology. To integrate public IM networks into private systems and manage IM as a business asset, install tools such as software that guards against security breaches, monitors internal and external communications, purges content that violates policy, blocks attachments, and retains and archives business record messages.

See Chapter 3 for details on selecting the right IM approach and technology for your business.

start sidebar
Real-Life E-Disaster Story:
Deception by Unscrupulous Outsiders

As reported in E-Mail Rules, by Nancy Flynn and Randolph Kahn, Esq., IM users have occasionally been fooled into downloading files by intruders posing as system administrators or Internet Service Provider billing agents. One downloaded virus, for example, took control of a user’s computer, exposed confidential data, installed malicious software, and altered and deleted files. [17]

end sidebar

Software Compatibility Issues: Instant Messagers Can’t Chat Universally

Software compatibility is not a concern for e-mail users. One e-mail user can communicate with any other e-mail user anywhere in the world, regardless of the software used by either party.

Instant messaging, on the other hand, poses significant compatibility, or interoperability, challenges. Because each IM product uses its own proprietary technology, instant messagers can communicate only with those who are using the same IM client or system. In other words, if you use AOL Instant Messenger (AIM), the only people you can chat with are other AIM users.

Instant messaging also doesn’t allow for the encryption of confidential messages unless the sender and receiver both use the same IM tool.

Software incompatibility creates headaches for business users who seek to instant message a broad range of clients, colleagues, and friends—all of whom use different IM tools. To overcome interoperability challenges, some employees simply download multiple IM tools—with or without management’s knowledge.

The widespread use of multiple IM clients creates challenges for employers eager to manage all aspects of IM use, including the prevention of security breaches, the monitoring of internal and external chat, the retention of business record messages, and the archiving of IM for quick and easy retrieval. As detailed in Chapter 3, employers who allow IM use must make a strategic decision about the type of IM system they adopt and then make an investment in technology products that are designed to help manage that system as a business asset.

Retention and Archiving Challenges: Instant Messaging Must Be Retained as a Business Record

The consumer-grade IM clients most workers use don’t provide built-in tools for central administration and control.

Like e-mail and other e-communications tools, IM creates written documents that must be managed as business records according to clear business rules. Without proper management of IM business records for legal and regulatory purposes, the organization faces enormous risks.

Most Organizations Still Struggle to Manage E-Mail Business Records.

According to the “2003 E-Mail Rules, Policies, and Practices Survey” from American Management Association, The ePolicy Institute, and Clearswift, only 34 percent of organizations have e-mail retention and deletion policies in place. Merely 27 percent of employers invest in formal training programs designed to educate their employees about e-mail retention rules, policies, and procedures. [18]

It’s safe to assume that employers who are still struggling to manage e-mail business records don’t have the policies, procedures, programs, and products to manage IM retention.

Without an electronic retention and deletion policy and a comprehensive training program, many organizations are likely to delete necessary IM and e-mail business records, while retaining potentially embarrassing nonbusiness messages that probably should be deleted.

Smoking Gun Instant Messages Create a Huge Liability Risk.

E-mail has become the electronic equivalent of DNA evidence—and instant messaging, which is a faster form of e-mail, is certain to make a messy situation messier. One in twenty organizations has already battled a workplace lawsuit triggered by employee e-mail. Fourteen percent of employers report that they have had employee e-mail subpoenaed in the course of a lawsuit or regulatory investigation. [19] That’s a 5 percent increase over 2001. [20]

Employers who want to ensure that they can produce business record instant messages (and e-mail) when required while reducing the presence of nonessential, potentially damaging messages must train employees to recognize, retain, and classify electronic exchanges that have business, legal, or regulatory significance, and to discard those that do not.

Because tools for automatically capturing and storing IM communications are not provided with the consumer-grade IM clients most workers use, employers are advised to make an investment in technology that automates message retention and archiving.

Ensuring that IM business records are properly saved and stored should be a top priority in any organization’s strategic IM management plan.

For IM retention and deletion guidelines, see Part Five.

Content Challenges: Instant Messagers Tend to Play It Fast and Loose

Because of its instantaneous nature, many users think instant messaging—more so than e-mail—is a throwaway medium that permits casual off-the-cuff content. On the contrary, IM creates information that must be retained as a business record, and that may be subpoenaed in the course of litigation or regulatory investigations. Unsupervised use of IM, coupled with a lack of language rules and training, can lead to the type of inappropriate content that triggers lawsuits, embarrasses employees, and returns to haunt employers as evidence of possible wrongdoing.

Confidentiality Breaches: You Can Lose Intellectual Property in an Instant

Instant messaging also compounds the risk of confidentiality breaches, which may be triggered when employees use it (accidentally or intentionally) to chat about confidential, proprietary, or personal matters that would be more safely discussed on the phone or in person.

Allowing employees to access public IM networks opens the organization to a huge security risk. Confidential information and intellectual property can flow out in an instant, and there’s always a risk of interception.

If your organization allows IM, you must address confidentiality concerns and rules in your IM policy. In the current heavily regulated environment, public companies in particular need to hold employees accountable for conversations via IM—and any other communications tool for that matter.

Don’t expect employees to understand what content the organization views as too confidential, proprietary, or personal to be transmitted via IM. Use your written policy and employee education program to clearly spell out what constitutes intellectual property, and how employees can best avoid breaches of confidentiality. For more on confidentiality, see Chapter 8.

User Identification Challenges: Who’s Really Behind Those Messages?

User identification is one of the biggest challenges facing the instant messaging industry. Unfortunately for early IM adopters, solutions are still evolving.

With consumer-grade IM, users establish their personality and are free to use any name they wish. Using AOL Instant Messenger, for example, a competitor could use your corporate domain to create a user name that reads JDoeYourCompany. Armed with that IM identification, your competitor could represent himself as an employee of your organization, communicate with your clients under false pretences, and create a potentially disastrous situation for your organization.

That scenario also raises concerns over authenticity. How can the recipient know that senders really are who they claim to be, or that a given message actually originated at your company?

An equally troublesome situation would arise if an employee using a personal IM client were to adopt an inappropriate or offensive name that you don’t want associated with your business. For example, an employee might opt for a user name like BigStud or HotBabe. Not the type of handle you want associated with your firm.

IM Rule # 5: Apply instant messaging policy, training, and technology solutions to user ID and domain name challenges.

The misuse of IM user identification and misappropriation of corporate names are critical concerns. While solutions are still evolving, employers are advised to take advantage of current technology and implement rules and policies to help integrate public networks and corporate identification.

Put a user identification policy into place to ban the use of inappropriate and unprofessional names. Select instant messaging management technology that gives your IT department some control over user identity and passwords, enables you to reserve your own company and domain name, and kicks imposters off your system.

Productivity Problems: Are Your Employees Chatting the Day Away?

The “2003 E-Mail Rules, Policies, and Practices Survey” reveals that the average employee spends two to four hours, or a quarter to half of an eight-hour workday, on e-mail. [21]

Critics argue that e-mail’s toll on workplace productivity will be dwarfed by instant messaging. IM users tend to chat—often—setting aside legitimate business tasks in the process. Unlike easily overheard phone calls, supervisors really can’t tell what’s going on with IM unless they’re standing over an employee’s computer screen.

Some employees may find it hard to concentrate when messages are continually popping up onscreen. Some managers may use IM to brainstorm ideas and make decisions while on the road at all hours. Employees who fear being left out of the loop may feel compelled to stay glued to their computer screens—at the office and at home.

Employers who allow workplace IM use should develop and enforce written rules and policies to battle productivity challenges. Use your policy, among other things, to drive home the point that the organization provides IM to augment business productivity, not as a diversion from work.

Remind managers to take advantage of IM’s presence detection capabilities to make sure all team members are online before using IM to make important business decisions. Otherwise, you’ll risk demoralizing employees who may feel left out of the decision-making process.

[14] Mary Brandel, “Plug IM’s Security Gaps: It May Not Be Sanctioned by IT, but with 25 Million Business Users, Instant Messaging Is a Security Problem You Can’t Ignore. Here Are Some Tips for Locking It Down,” Computerworld (July 14, 2003), 40.

[15] M2 Communications, Ltd. Press Release, “Instant Messaging & Peer 2 Peer Are the Next Big Business Headache, Claim UK IT Managers,” M2 Presswire (May 13, 2003).

[16] Christopher Saunders, “Report: IM Viruses on the Rise” (October 1, 2003), www.esecurityplanet.com/trends/article.php/3086291.

[17] Brian Sullivan, “Intruders Target Instant Messaging: CERT Security Service Cites Bogus Warnings That Actually Sabotage Messaging,” Computerworld (March 20, 2002). See also Nancy Flynn and Randolph Kahn, Esq., E-Mail Rules, New York, AMACOM, 2003.

[18] “2003 E-Mail Rules, Policies, and Practices Survey,” conducted by American Management Association, The ePolicy Institute, and Clearswift. Survey findings available online at www.epolicyinstitute.com.

[19] Ibid.

[20] “2001 AMA, US News, ePolicy Institute Survey: Electronic Policies and Practices,” conducted by the American Management Association, US News & World Report, and The ePolicy Institute. Survey findings available online at www.epolicyinstitute.com.

[21] “2003 E-Mail Rules, Policies, and Practices Survey,” conducted by American Management Association, The ePolicy Institute, and Clearswift. Survey findings available online at www.epolicyinstitute.com.




Instant Messaging Rules: A Business Guide to Managing Policies, Security, and Legal Issues for Safe IM Communication
ISBN: 0814472532
EAN: 2147483647
Year: 2003
Pages: 241
Authors: Nancy Flynn
