Consider the Pros and Cons of Each Approach

IM Rule # 9: Don’t rush to ban instant messaging.

Once executives and IT managers discover that unauthorized IM use is taking place, a common reaction is to ban it entirely.

According to a survey on security and related issues by Osterman Research in April 2003, 27 percent of IT departments oppose IM use in their organizations—a sharp increase over the 19 percent who opposed workplace IM just six months earlier. ^[1]

Although banning IM may appear to be a simple and effective solution to IM risk, it may not be so easy to enforce. In spite of IT’s objections, employees want IM, and have demonstrated that they won’t hesitate to sneak it in through the back door.

You can impose rules that forbid employees from using personal IM software for external communications, but that won’t necessarily stop tech-savvy workers from doing so anyway.

Take the case of the IT consultant who was assigned to the brokerage firm Morgan Stanley for several months. Undeterred by the brokerage’s ban on external IM, the consultant simply programmed his way around the firewall in order to chat with his outside buddies on company time. ^[2]

Don’t assume a ban on IM will result in a workplace that is 100 percent clean. Some IM fans will continue to download free software, in spite of your policy and the potential for disciplinary action or termination.

Many IM users (particularly those who work in competitive sales environments where seconds can make the difference between making the sale or losing the lead) may be reluctant to part with IM. Try banning IM across the board, and you may just trigger a revolt among your employees and the clients they are instant messaging regularly.

Impose a strict no-exception ban on IM use, and you’re likely to find yourself in an uphill battle against computer-savvy scofflaw employees who continue downloading free IM products, regardless of how many times your scanning software detects and removes them. You may even lose valuable employees to competitors who are more tolerant of workplace IM use.

When a global investment bank tried to shut off IM, the IT department was flooded by support calls from staff. With over 50,000 employees, management’s attempt to manage IM risk was a nightmare.

That said, if you opt to join the 20 percent of companies that, according to Gartner research, are reconsidering their once open minded policies toward employee IM use, ^[3] take steps to prevent rogue use once your ban goes into effect.

Tips for Enforcing an Instant Messaging Ban^[4]

1. Use your written IM policy to clearly forbid all employee use.

2. Configure desktop computers, so employees cannot download free IM software.

3. Simply do not install IM technology on your employees’ computers.

4. Configure firewalls and networks to block instant messages.

5. Use IM management software to automate your IM policies (including policies to ban IM use).

6. Limit the workplace use of personal mobile phones and other devices that offer IM capabilities.

7. Conduct periodic scans of your system to detect the presence of personal IM software.

In the ongoing battle against computer viruses and spam, Mobile Automation cut employee e-mail use by 20 percent in 2003. The software manufacturer opted instead to rely more heavily on cell phones and IM, which has yet to develop as a major spam, or spim, target.

Similarly, Merrill Lynch in 2003 banned employee use of AOL, Yahoo!, and other outside e-mail services. ^[5]

While restricting or banning employee e-mail and IM use may help organizations get a grip on security concerns, employers need to consider the impact a ban on e-communications may have on employees and clients.

For employers who are not yet prepared to impose a ban on technology, the solution may be to educate employees about electronic risks, and enforce stricter rules and policies governing employee IM and e-mail use and content.

Considering an Instant Messaging Ban for Productivity Reasons? You May Want to Reconsider

IM Rule # 10: Instant messaging productivity concerns may be overblown.

There’s some debate among users as to whether IM heightens or hinders productivity.

Inside enterprise vendor IBM, 77 percent of employees say IM has changed the way they communicate—for the better. Employees report that IM lessens the time they spend with e-mail and voice mail, on the phone, and in face-to-face meetings. More than 80 percent of IBM employees say that IM makes their jobs easier. Among IBM’s clients who are equipped with IM, 75 percent report that the technology makes them more productive. ^[6]

Weigh those findings against the ePolicy Institute’s ‘‘2003 E-Mail Rules, Policies, and Practices Survey,’’ in which 90 percent of respondents report receiving personal e-mail at work, with 4 percent saying personal e-mail accounts for 25 percent of their workplace e-mail. ^[7]

Given the chatty nature of IM, some would argue that it is bound to have a negative impact on productivity, as employees chat about personal matters throughout the workday.

Before drawing a conclusion one way or the other, review the findings of your own internal survey of employee IM use. How are your employees using IM? Are they using it primarily for business purposes or mainly for personal chat? How do your employees view IM’s impact on productivity? How upset would employees be if management were to ban its use?

Productivity Tips for Employers Who Allow Instant Messaging Use

Keep productivity concerns in check by using your written IM policy to establish clear and consistent rules for personal IM use. Don’t allow employees any flexibility when it comes to productivity and personal use of IM. Let them know in writing with whom they may communicate, under what circumstances, when, and for how long.

Consider establishing guidelines for the internal and external distribution of user names. If you limit the number of people who have employees’ screen names, you gain control over the number of real-time interruptions to which your employees are subjected. Think twice before allowing employees to add their IMuser names to business cards and letterhead.

Standardization Offers Risk Management Benefits—Plus Some Big Disadvantages

IM Rule # 11: Don’t rush to standardize instant messaging.

According to the Radicati Group, although 70 percent of organizations are using some form of IM, only 26 percent have standardized a common corporate IM solution. ^[8] Instant messaging standardization occurs when an organization authorizes the adoption and support of one enterprise-grade IM tool that is designed for business, versus the more widely used consumer-oriented IM products.

An authorized enterprise IM system is designed for employees’ internal use. The system is closed to external communication. No other IM clients, including free downloads, are allowed. Messages written on unauthorized, unrecognized IM tools are prevented from leaving the network.

IBM’s Sametime software is the enterprise IM leader, with 50 percent of the market and $80 million in sales in 2002. The three consumer giants, AOL, Yahoo!, and MSN, have all announced plans to introduce corporate versions of their popular software, complete with built-in security features including archiving. ^[9]

Enterprise IM tools also come equipped with antivirus software, encryption capabilities, and other security features that personal products don’t offer. Another benefit to rolling out your own IM solution is control. Employees’ IM connections, passwords, and conversations are not transmitted over the public Internet. They all stay in-house. Enterprise IM also can enable IT to control user names, monitor content based on policy, and save and store messages. If you opt to install one business-grade IM tool, be sure it offers those capabilities.

Those are some of the positives of standardization. Topping off the list of negatives is the fact that standardization restricts IM communication to internal chat only. Your employees can use your enterprise IM solution to chat only with other employees using the same IM software.

Because the use of public IM networks is banned, employees are blocked from instant messaging clients and other outsiders. In the minds of some users, standardization may help manage risks, but it defeats the primary purpose of IM—efficient and effective communication. Expect defiant employees to disregard policy, and attempt to circumvent your system by downloading personal IM clients from the Internet—even after your enterprise-grade software is installed.

That said, if you opt for standardization, be sure to use written IM rules to prevent renegade behavior. Use your IM policy to notify employees that the use of any other IM product is prohibited. Put some teeth in your policy by informing staff that the unauthorized downloading and use of personal IM clients is a violation of company policy, which will result in disciplinary action, up to and including termination.

Flexibility Is One Way to Control Use and Manage Risks

IM Rule # 12: Meet your employees in the middle with corporate technology that supports personal instant messaging tools.

Another option is to meet employees halfway by permitting the use of free IM downloads, and installing server-based gateway technology through which all messages must pass. FaceTime, IMlogic, Akonix, and Websense, for example, offer gateway products that manage public IM traffic at the discretion of corporate IT, enabling management to test the network to find out what consumer IM clients are being used, control user IDs, monitor use, in some cases block content in compliance with company policy, retain and store messages, and detect viruses among other features. ^[10]

Another feature available with gateway/IM management products is the ability to enforce user name policy to ensure the use of business-appropriate names and block the use of buddy names that have a sexual, a suggestive, or an otherwise offensive tone. With IM, it’s not just the message, it’s also an employee’s user name that could embarrass or create risk for the organization.

Gateway/IM management software also can be used to block the use of instant messaging attachments. As part of your IM risk management, rules, and policy program, be sure to weigh the risks inherent in attachments sent and received via IM.

Unlike e-mail attachments, IM attachments are not checked by the typical anti-virus search engine. Consequently, IM attachments create additional legal, compliance, and security threats. Reduce your risks by combining a gateway/IM management software solution with written policy that prohibits employee use of instant messaging to transmit attachments. ^[11]

Gateway/IM management technology creates a win-win scenario. Employees maintain the ability to chat with clients and other outside parties. The organization gains the ability to manage IM use through the automated enforcement of rules and policy.

This flexible approach may appeal to organizations that are reluctant to invest in a standard enterprise product until IM vendors work out their compatibility issues. These organizations may prefer to wait until enterprise IM users are able to communicate with buddies on other IM systems.

When nineteen-year-old Matthew Kammersell logged onto his AOL Instant Messenger account and sent a bomb threat to his girlfriend’s office computer, he hoped to trigger a panic that would shut down the office for the day, freeing his girlfriend to spend time with him.

Every message sent via AOL automatically travels from the state of origin to AOL’s main server in Virginia before traveling to its final destination. Thus, the young man’s IM love note–bomb threat was automatically routed through interstate telephone lines from his computer in Utah to the AOL server in Virginia, and then back to his girlfriend’s computer in Utah.

Kammersell was charged with transmitting a threatening communication in interstate commerce, in violation of 18 U.S.C. 875 (c). He was sentenced to four months in jail and twenty-four months of supervised release. ^[12]

Your employees may not be using their personal IM accounts to send bomb threats, but unmanaged use of public IM networks creates a time bomb within your organization. Every message sent, including confidential data and intellectual property, goes on a journey through the public Internet, leaving your organization and employees vulnerable to the prying eyes of cyberthieves and malicious hackers. If you allow use of public IM networks, be sure to install gateway technology designed to maximize your IT department’s control and minimize the organization’s risks.

Does Everyone Really Need to Be Online?

IM Rule # 13: Limit instant messaging access to employees with a legitimate business need.

Regardless of whether you opt for standardization or take a more flexible approach to IM management by supporting employees’ use of personal IM tools, employers are advised to put some restrictions on employees’ IM (and e-mail) access.

Computer technology has become ubiquitous in offices around the globe. Regardless of job title or function, it seems as though just about everyone has access to e-mail, the Internet, and now instant messaging.

Before making IM available across the board, consider which employees truly need access to it. Remember, the greater the use, the higher the cost, and the larger the risk of IM-related disaster.

^[1]Michael Osterman, ‘‘More IT Departments Turning Against IM, Network World Messaging Newsletter (April 1, 2003), www.nwfusion.com/newsletters/gwm/2003/0331msg1.html.

^[2]Christine Y. Chen, ‘‘The IM Invasion; Instant-Messaging Providers Are Targeting Corporations in a Big Way. Does Using IM Make Sense?’’ Fortune (May 26, 2003), 135.

^[3]‘‘Fast and Furious: Instant Messaging Puts E-Mail into the Snail Mail Class,’’ The Guardian (May 19, 2003), 5.

^[4]Adapted from Nancy Flynn and Randolph Kahn, Esq., E-Mail Rules, New York, AMACOM, 2003.

^[5]Jon Swartz, ‘‘More Workers Get Shut Out of E-Mail,’’ USA Today (September 29, 2003), 1B.

^[6]Uday Shukla, ‘‘The Future of Enterprise Instant Messaging,’’ ExpressComputerOnline.com (May 5, 2003), www.expresscomputeronline.com/20030505/tech.shtml.

^[7]‘‘2003 E-Mail Rules, Policies, and Practices Survey,’’ conducted by American Management Association, The ePolicy Institute, and Clearswift. Survey findings available online at www.epolicyinstitute.com.

^[8]‘‘Employees Waste Time with Unregulated IM,’’ IMPlanet News Briefs (September 19, 2003), www.instantmessagingplanet.com/enterprise/article.php/3080441.

^[9]Jane Black, ‘‘Why Offices Are Now Open Secrets,’’ Business-Week Online (September 16, 2003), www.businessweek.com/print/technology/content/sep2003/tc20030916_1563_tc129 .

^[10]Dan Orzech, ‘‘Under IT’s Radar, Instant Messaging Invades Corporate Desktops,’’ InstantMessagingPlanet (July 14, 2003), www.instantmessagingplanet.com/enterprise/article.php/1120822348711 .

^[11]Kian Saneii, V.P. Marketing, Websense, Inc.,www.websense.com.

^[12]U.S. v. Kammersell, 196 F. 3d 1137 (10th Cir. 1999).