Do the Math: Instant messaging in the enterprise is not worth the security risk

Arguments against the use of instant messaging applications in the enterprise are laid out

By Howard Millman

Why does anyone need instant messaging? If you want to send someone a quick message, you can dash off an e-mail message. If you need to speak with someone right away, you can pick up the phone. Do you need to communicate with several people at once? If controlling cost is paramount, consider a cheaper-than-dirt voice-over IP (VoIP) conference call hosted by an online collaboration site.

At the moment, instant-messaging (IM) applications seem to benefit consumers and IM application vendors rather than enterprise-level users.

"IM's a waste and a risk for large companies," said Joseph Fuccillo, senior vice president at the Hawthorne, NY-based infrastructure and outsourcing provider XAnd. "Even if the software is free, every application a company runs costs them money to implement and maintain. Besides, if a company uses Exchange or Notes, I can send them a secure e-mail, and it pops up on the recipient's machine in seconds."

Instant messages compound the security problems that plague e-mail. For example, instant messages can import viruses or export marketing intelligence, trade secrets, or harassing remarks. However, while e-mail has numerous tools and filters to help administrators centrally monitor security and even occasionally eavesdrop, IM applications have comparatively few of these features.

In fact, IM's "ready, shoot, aim" nature thwarts administrators' attempts to impede the unregulated spontaneity of instant messages. And that's not a risk any company can afford to take in this litigious age—at least not for the convenience of saving a couple of seconds now and then. In the face of this legal threat, it's small comfort that an instant message typically has a short life. You can be sure that some will live on long enough, in the form of a saved copy, to cause problems later.

There may be one exception to the no-IM-in-the-enterprise rule. If you want to collaborate over an intranet or the Internet with a group of colleagues in real time and exchange files with them, IM might make sense. Then again, you could use any of a dozen other solutions, including online collaboration sites, such as Intranets.com, WebEx, or ScheduleOnline. Costs range from free to $20 per user. These sites and others offer encrypted and password-controlled document exchange, data storage, collaboration, and embryonic project management. Microsoft SharePoint Team Services, a new Web- or intranet-based collaboration service available with Office XP, offers a suite of similar secure services tightly integrated with Word. IM-only companies that target the enterprise include Ezenia!, Bantu, Lotus, and Jabber. Lotus Sametime can integrate with Notes and thereby benefit from Notes' extensive security features.

A more traditional and secure method for exchanging messages is groupware, although IM enjoys a performance edge. IM technology is not as well suited for intense collaboration as is Lotus Notes, Microsoft Exchange, or Novell GroupWise, but IM applications are cheaper and easier to learn. Another, although left-handed, advantage to officially adopting IM applications is that a company can exert some control over employees' use of them. The hope is that through monitoring and logging, an administrator could discourage employees from idle chatter that masquerades as work.

Check out CNET Enterprise Business
This article has been published as a courtesy of CNET’s Enterprise Business section, where you can explore IT business solutions on various topics including ASPs, Linux, groupware, information systems infrastructure, and supply chain management.

Centralize the data stream
If, however, staffers successfully lobby for real-time, pop-up messaging, administrators should consider limiting potential liabilities by creating a dedicated Internet Relay Chat (IRC)/IM server. Centralizing the message and data stream will simplify the task of keeping tabs on who says what to whom, depending on the IM application's feature set. For example, Jabber and Lotus Sametime offer centralized management; many other applications do not.

Another way to have some control over incoming and outgoing data is to use a nonproprietary IM application, such as Jabber. Built with the help of open source development group Jabber.org, the IM app uses port 80, the standard port for Web traffic, making it easier for network administrators to log and track messages. Jabber's newest release, Server 2.0, begins to address security with message encryption, multiple levels of authentication, and support for SSL. Hmm, that's starting to sound a lot like what e-mail already does.

While the benefits of IM are minor, its potential to undermine your security policies is major. If you're still curious whether IM can improve communications, and no existing application can meet the same need, I suggest trying a pilot program on an intranet using Jabber, which is free. "IM is not likely to be a critical application," Fuccillo said. "Try it experimentally, as you would with any new technology."

Howard Millman, a writer and computer technology consultant based in Croton, NY, contributes to CNET Enterprise and helps make computers behave.

