Corporate IM: The Plusses and Minuses

By Courtney Macavinta

It used to be that Instant Messaging (IM) was for kids. Not anymore. The business benefits of IMing in the office are legion. IM helps connect collaborative teams around the globe. It's more cost-effective than long-distance phone calls and more direct than email. And despite getting a bad rap, it can actually increase productivity -- in a crunch, employees can get quick answers from co-workers or provide customers with updates even if they are trapped in meetings. New video and voice chat components of IM also make live conferencing cheap and easy.

But as most CIOs already know, free consumer IM programs, such as Yahoo Messenger, MSN Messenger, Google Talk, and AOL Instant Messenger, were not designed with the corporate network in mind. As a result, they can expose businesses to serious security risks. IM programs can let viruses and/or worms into the corporate network. They can divulge company secrets without a trace. And they can circumvent requirements to log important communications that need to be archived by law -- or could protect or harm a company in a lawsuit.

Some CIOs -- and their fellow executives -- worry that employees will spend all day chatting with their friends on IM. They could be right: In the United States, 11 million people used IM while on the job, according to a 2004 Pew Internet & American Life. Many enterprises have banned employees from downloading and using free IM programs altogether. But that approach won't stop IM usage.

The bottom line, according to Gartner analyst Dave Mario Smith: "You can't ignore IM. Employees are using it whether the company knows about it or not."

If CIOs want employees to reap the benefits of IM, but at the same time proactively safeguard their organizations from security risks and other liabilities, analysts recommend the following approach:

• Know the benefits  Younger workers use IM almost more than they use email, according to the Pew Internet & American Life Project. And for good reason. "IM is a good tool for rapid information dissemination and problem-solving," Smith says.

Adds Matt Brown, a senior analyst for Forrester Research: "I've seen a lot of tight-looped collaborative environments, like R&D, where people are disparate, but work as a single virtual team and find IM -- and the ability to tell if someone is at their desk via IM -- very useful."

• Know the downsides  From being snagged by malware or phishing to employees sending sexually harassing messages to colleagues or trade secrets to competitors -- every harmful threat that can be passed on via email can be spread by IM, too. "There are very real concerns around security," Brown says. Once CIOs open their network to the public Internet, there are security risks if the appropriate safeguards aren't put in place.
• Include IM in communications policies  In general, CIOs should include IM in any acceptable use policies already on the books for email, Smith advises. "Not having a policy is a policy -- there is no control, and it's like the Wild West," he says. "It should be aligned with your overall communication policy and determining what the employee's responsibilities are and what the company is responsible for when it comes to IM."

An IM policy might include which programs employees can use; definitions of appropriate and inappropriate content; and what kind of communication should never be conducted over IM due to regulations, such as R&D development data that needs to be logged and archived. The IM policy should also contain guidelines for how employees can use IM to perform their jobs and whether personal use is allowed under any circumstance.

The policy then needs to be explained to employees, and CIOs must make sure everyone has read it and signed it.  "From the business view," Brown says, "having that appropriate use policy in place is important because at the end of the day it comes down to personal responsibility."

• Mind compliance  CIOs need to ensure that IT-related compliance policies are uniform throughout the organization. The other issue is what role IM conversations might play in any lawsuit brought against the company, especially when it comes to harassment, discrimination, code of conduct, or wrongful termination cases. "Content is content -- including IM -- if you're under any regulatory guidelines or mandates about retention," Smith says.

This could mean enterprises will make the decision to capture and save all IM exchanges, although most regulations aren't that specific. But in financial services, for example, Brown says some of the major regulatory bodies have recommended that, when it comes to laws such as Sarbanes-Oxley, companies are best off including IM in their compliance strategies.

• Set security protocols  There are security measures that can be taken to defang IM threats. CIOs can make it a practice to disable the ability for employees to transfer files via IM. Smith says if a corporate network is going to allow IM, CIOs must "bring in a hygiene service to block viruses." 
• Consider enterprise IM instead  The best bet for enterprises is to use one of the many enterprise IM clients that are already on the market, analysts say. This way, a company can get the benefits of IM but keep the communication behind the corporate firewall. Organizations can also allow certain outside parties to IM their employees. But if CIOs make this choice, Smith says, "They can still work with business partners and customers, but they need that extra layer of hygiene for that connection. They also need a defense mechanism to determine who's going to get access."

The key for CIOs grappling with IM in the workplace: Deal with it sooner rather than later. But being proactive will pay off as IM increasingly becomes second nature to employees, just like email or conference calls -- once considered "new technologies" themselves.

"From an industry perspective, there is a lot going on as far as the capabilities they are starting to enable, like rolling IM into a broader concept of synchronized communications," Brown says. "So you can turn an email conversation into an IM session or transfer an IM session into a phone call or meeting."

Courtney Macavinta is a Silicon Valley-based business and technology writer. Her articles have appeared in CNET News.com, Business 2.0, Red Herring, Wired News, and The Washington Post. She also is managing editor of  The Online Family (TheOnlineFamily.net).