In-Depth

Simple Steps to IM Management

IT needs to adopt a multi-step approach—moving from denial to active management—and address enterprise IM use.

The recent scandal surrounding a former congressman has once again highlighted the vulnerabilities instant messaging can pose to the enterprise. If users can browse the Internet, they can use IM. What IT doesn’t know can hurt the company—IM can be used for anything from harassment to sending messages that damage the company (revealing company or customer information, for example).

So what does IT do? Does it forbid IM use, allow it without restriction, or try to find some middle ground—perhaps a “secure” IM product? None of these, it turns out. According to Francis deSouza, vice president of enterprise messaging management at Symantec, an enterprise is more likely to take a fourth option—pretending that IM is not a big issue.

Why this head-in-the-sand response? “These enterprises understand e-mail—they’ve installed it themselves and they understand how to prevent spam, how to stop viruses, and those common problems,” deSouza explains. “IM, however, wasn’t rolled out by IT. IM came in through grass-roots adoption. People downloaded MSN, Yahoo, and all the others, and started using it and IT isn’t even really sure how much IM goes on in their company. So you’ll hear a lot of things like: ‘We don’t have it,’ ‘We don’t have it a lot,’ and ‘People don’t use it for work.’ IT will even say there’s not a lot of risk associated with IM.”

IM is rife with vulnerabilities that can harm an enterprise. Besides receiving infected attachments, IMs can be sent with links to sites or files that can infect a user’s system. That’s no different from e-mail, of course. IM is particularly open to problems because its design relies on the social engineering aspects of the buddy list—people you expect to hear from. In fact, deSouza says, users are ten times more likely to click on a link in IM than in an e-mail, in part because of the speed with which people typically respond to IMs (much more quickly than composing an e-mail response), and because the message appears to come from a trusted sender.

Worse, artificial intelligence is being used by hackers to increase the likelihood that you’ll let your guard down. While some cautious users have responded to messages asking for the sender to verify themselves, hacked messages now employ automated bots with the smarts to reply to such verification requests convincingly enough to doubly fool the recipient.

Another big difference: the real-time nature of IM helps threats do their damage more quickly. “We estimate that it takes about 8 hours for an e-mail threat to hit 500,000 users. With IM it can take 10-12 minutes. The “presence” element of IM knows you’re there and knows it has delivered the message, and it doesn’t use store-and-forward technology, plus the social engineering factors I mentioned, causes larger impacts faster because it’s so much more effective.”

Because IM clients can also do more, hackers can trigger audio streams or even take over your desktop, which goes beyond current e-mail client capabilities, where hackers typically harvest address books or interfere with your calendar.

Moving Past Denial

In their multi-step program to IM management, the next step is usually anger, deSouza explains. They realize IM exists, and they survey the environment to see how much IM usage they have (and sometimes find that up to three-quarters of company employees are using it). The Radicati Group estimates that IM is used in 85 percent of all enterprises in North America, with over 387 million IM users worldwide sending 13.8 billion IM messages per day. Gartner predicts that by the end of the decade nearly 90 percent of corporate e-mail users will also have IT-controlled IM accounts. In fact, deSouza notes, industry analysts say that the number of IM messages may, for the first time, exceed e-mail messages next year. That’s a lot of IM.

The first reaction to this anger is to try to block IM. That’s exceedingly hard, deSouza admits; even a common approach—trying to block ports—is hard. Another reaction is to send policy memos against IM use, but those result in pushback from users who say it has become an integral part of their doing business, either supporting customers or keeping in touch with a distributed workforce. Even CEOs will respond, acknowledging that IM is a productivity tool and that IT shouldn’t hamper productivity.

Enterprises next move from anger to acceptance and support. The good news is that because of their experience with e-mail use, they have experience. They know how to protect e-mail, look out for spam, and have developed acceptable-usage policies, so it’s not a great leap to doing the same with instant messages. Products (such as Symantec’s own IM Manager) can help IT spot such vulnerabilities; for example, standard and customized dictionaries that include project names or discriminatory words that may indicate a security policy has been breached.

Support also means understanding regulatory compliance. IT is already doing this for e-mail. Now they must expand the definition of “communication” to include IM. IT has policies and procedures for e-mail, so in many cases it’s a simple extension of that knowledge to IM.

After the support stage, IT turns to harvesting and maximizing the productivity benefits of IM, deSouza says. A corporate directory can be enhanced to show if users are online in IM, so you can take advantage of the “presence” mechanism, as well as real-time notification IM allows.

How do IT departments install and use IM management tools? According to deSouza, “Most IT departments will roll out security to the entire enterprise at once and turn on all the protection—antivirus, content filtering, spam control—from the start. They communicate to employees about the move to a managed IM environment. Included in that communication is what expectations employees should have—for example, that privacy will be the same as the company’s privacy policy regarding e-mail (unacceptable behavior in e-mail won’t be tolerated in instant messages, for example). Companies also set up disclaimers for IM, just as they do with e-mail, which is a strong visual clue to people that this is a corporate resource and they should use it responsibly.”

IT will also activate archiving (especially to comply with regulations such as HIPAA and Sarbanes-Oxley), and typically IT gives users access to those archives. Further, with so many ways to communicate with the customer, some (including Symantec’s IM Manager) help users tie everything together by including the ability to scan both e-mail and IM archives to find all customer communication (results can be exported to a CRM application). With the growing popularity of IM, it’s no surprise that IM threads will likely be as important as e-mail threads are today.

Active IM management is a win-win for users and the enterprise as a whole. Users have, in most cases, been using IM without IT’s support or knowledge. Once IT starts to manage IM, users can stop hiding their use (IT will hear a huge, collective sigh of relief), and appreciate support. With IM addresses now published in a directory or stored as another field in an existing corporate directory, IM becomes a more useful corporate resource.

Must Read Articles