Love it or hate it, users want IM. However, Instant Messaging sites and technologies may pose a communications risk to the sensitivity of company information. Here is a perspective on why to block public services and replace them with internal offerings.
Love it, hate it, use it -- Instant Messaging sites and technologies may pose a communications risk to the sensitivity of company information. Here is a perspective on why to block public services and replace with internal offerings.
Many organizations use instant messaging (IM) for departmental and organizational informal communication. This communication can become a hodgepodge mix of personal and company-related interaction. IM technologies are in a sense a gray area in communications management. For example, most organizations audit and archive e-mail to a certain standard, but IM traffic is not subject to that requirement. IM traffic can go to any number of different Internet sources such as Yahoo!, AOL, MSN, and others, as well as to individuals hosting their own IM servers at home. This makes the task of specifically identifying the traffic a challenge -- beyond the big players -- from a network perspective. IM communication is not as official as e-mail, and it is unclear if it would apply to the same archival requirements from a compliance perspective. What makes this issue worse is that public-service IM communication is not secured over the Internet, can be adware-ridden, and can allow file transfers. Identifying the risks can go on for hours, but allowing unmanaged IM services to the public sites brings up topics of trade secret information, internal communications and announcements being sent to competitors, and basic archival issues and tracking of communication. So what options are available?One approach is to block all traffic at the firewall to the relevant pubic services. This, however, underscores the true benefits of IM technologies for internal company use. I do think IM is a good tool for internal communication, but using it over a public service seems ironic. So, we can focus on managed IM services or internally hosted systems. There are a large number of IM systems that can be hosted internally, and some can even work from groupware products like Microsoft Exchange, which may already be in place within an IT environment and may not require additional purchases. Further, there are plenty of open source mechanisms that can set up internal messaging servers for no cost.
The utopia of IM communication is a mechanism that is internally hosted with traffic archived to the same standards of e-mail and includes interoperability with Internet IM services. One such service is the Sun Java System Instant Messaging offering, which has all the management as well as public gateway communication. The key to reducing this data loss risk is to provide a solution administered by the network team that protects the company's interests yet allows people to do their jobs and use the positive benefits of IM technologies.
How do you approach managing IM traffic in regards to protecting unaudited information leaving your network? Share your comments below.