A secure and healthy network that helps an organization function and grow doesn’t have to be just a dream for the CIO. A critical factor in realizing that vision is protecting your network by putting the right tools in place to control application integration.

One very user-centric technology spreading through corporate networks like a virus is instant messaging (IM). While IM can be a great productivity and knowledge-sharing tool, it has the potential of turning a dream network into a CIO’s worst nightmare.

To curb the threat that IM poses to the network, CIOs should undertake the following two initiatives immediately:

  • Establish an IM policy that makes end users aware of their responsibilities to the organization.
  • Eliminate use of public IM services by establishing in-house IM servers.

In this article, I’ll discuss the importance of establishing an IM use policy and provide an example policy that you can tailor to your company’s needs. I’ll also pass along some tips to help you determine the most appropriate in-house IM solution for your organization.

Allay IM fears through policies
Perhaps even more than e-mail, IM is a technology that spans and blurs the boundaries between work and personal lives.

IM is beginning to challenge e-mail as the most common communication method because of IM’s instant, real-time response capabilities. Analysts predict there will be more than 181 million corporate IM users by 2004 and that companies will be spending $1.1 billion on IM products and services by 2005.

With more people than ever “talking” via IM these days, there are several enterprise issues that demand attention. CIOs and tech leaders need to answer the following questions:

  • Are users wasting time chatting with friends via IM during the workday?
  • Are users exchanging files that potentially contain viruses?
  • Are users conducting conversations in a professional way—i.e., so as not to expose the enterprise to potential legal action?
  • Are users allowing sensitive company information to transit public networks in clear text?
  • Are users saving the texts of productive IM discussions that could be utilized by others in the organization?

A good way to protect the organization is to create and distribute a specific IM policy that addresses all of these issues. Below is one example of what an IM policy may look like. (Note: If and when an IM server is established within the organization’s network, the IM policy should be revamped to reflect the adjusted user requirements and security issues.)

Policy for use of instant messaging

[Company name] allows employee use of instant messaging (IM) with the understanding that employees will protect [the company’s] interests through responsible and acceptable use.

Employees will:

  • Use only the company’s internal IM client and service to communicate with fellow employees (if applicable).
  • Use IM for work-related communications only.
  • Abide by the company’s Standards of Conduct as outlined in the Employee Handbook when communicating via IM.
  • Not discuss company business or information through public IM services. Employees will restrict these discussions to the in-house IM system.
  • Not accept or open IM attachments transmitted through a public IM service.
  • Save transcripts of all internal IM project discussions on the network share associated with the project.
  • Be aware that IM conversations on the company network should not be considered private. The company reserves the right to monitor IM transmissions.

Bringing IM into the network
Obviously, the easiest way to avoid the inherent security problems of public IM systems is to establish an IM system within the organization.

Many vendors offer corporate IM services—typically as part of a larger overall collaboration system. To determine the best IM services fit, CIOs must determine which features their organization truly needs and whether the new system will easily integrate into existing systems, such as data warehouse or KM initiatives.

CIOs must first identify what the IM system needs to do—does the organization need to talk to vendors or customers across the Internet? If so, an IM server and client that support encrypted messages may be a critical deciding factor in a product decision. Do you want to pull IM text into the organization’s knowledge management system? If so, you’ll likely want a server that captures text conversations automatically.

Now is the time to establish a policy
With so many users already employing IM as a main form of communication in the workplace, tech leaders must no longer ignore IM’s potential threat to enterprise security. Now is the time for CIOs to decide how IM will exist in the organization, before users make the decision for them. Establishing an IM use policy will not only safeguard your network but also protect both users and the organization at large. To get started, check out TechRepublic’s list of IM services available today.
