There’s a debate ensuing in the industry around the use of instant messaging (IM) in the corporate environment, where one side proclaims the business value the application brings to the table, while the other is sounding the alarm on the security risks associated with it.
Some enterprise adopters have seen IM’s value in facilitating real-time communications, resulting in improved efficiency and productivity. A member of a sales team in the field, for instance, can use IM to get an immediate answer to a business question that can make or break a sale.
Other companies, on the other hand, are choosing the path of self-protection by enforcing a no-IM policy across the organization, focusing on IM’s potential security implications rather than the business benefits. IM can also be used as a vehicle for worms and viruses to get into the corporate network.
“We have always advocated that if you cannot control an application…you must clamp it down,” said Ross Armstrong, research analyst at Info-Tech Research in London, Ont.
Toronto-based hotel chain Fairmont Hotels and Resorts did just that. As part of a Sarbanes-Oxley (SOX) compliance initiative that began a year-and-a-half ago, Fairmont enforced a desktop lockdown policy across its 12,000 users, preventing employees from downloading anything to their desktop hard drive, including IM applications, said Vineet Gupta, Fairmont’s vice-president for technology.
Fairmont previously allowed IM usage within the company, but after an evaluation of the application, the firm “didn’t really see a huge value from it,” Gupta said. The company then decided to forgo its adoption, a move Gupta believes improved the company’s security posture.
Amidst the security risks, statistics indicate corporate IM usage is increasing. Market research firm IDC forecasts that IM business will grow from US$319 million in 2005 to US$736 million worldwide in 2010.
The threat landscape associated with IM, however, changes with the type of IM application used, said Armstrong. Publicly downloadable IM programs such as MSN and Yahoo have a higher likelihood of becoming a tool for malware infection because they can bypass the corporate firewall.
Enterprise IM tools, however, have built-in security features that can be centrally managed and monitored by IT, lessening the risk, Armstrong said.
Telecom vendor Telus Corp. pilot-tested Microsoft’s Live Communication Server at the beginning of 2005, and part of that implementation is an IM feature, said Nathan Pitka, director of product marketing for Telus.
The product was eventually rolled out to 17,000 Telus employees across Canada and users are citing “increased agility and increased productivity” by getting immediate answers to business questions as the major benefits of using the IM tool, said Pitka.
Telus employees also found IM to be a shorter and faster substitute for e-mail, which can be lengthy and time-consuming.
While still a concern, security is more manageable now that Telus is able to put in place IT controls and monitor IM communications and log them for compliance purposes, said Pitka.
Armstrong suggested that companies considering IM should first undertake an assessment of the expected IM benefits and weigh them against the risks involved. IT managers should understand the needs of the users and determine whether these dovetail with the business objectives, then decide whether IM would be a good fit for the company, he said.
“If you’re in a very highly regulated environment like banks, where the consequences of a security breach are higher, then I would probably advise a client in that situation to block [IM usage],” Armstrong said. He added, however, “Not every organization is as highly regulated as a bank.”