“Before IM, we had too many salespeople who had to get up and go meet face to face because someone couldn’t be reached. And with e-mail, you have a latency issue, so employees would get up and go talk to each other,” says Josh Stallings, vice president of strategic initiatives at No Red Tape Mortgage in Sherman Oaks, Calif.

“Now our people are on the phone all day because they can [simultaneously] IM our processing team to get the information they need for our clients,” he says.

IM is a real-time text communications technology with which messages can be sent, received and viewed immediately. And it’s nearly everywhere, says Paul Ritter, research director for messaging and collaboration at Wainhouse Research, a communications market research firm in Duxbury, Mass. “Our research shows that more than 80% of large companies in the U.S. have some form of IM,” he says.

But IM is risky and could cause as much damage as rogue e-mail, says S.V. Purushothaman, program leader of the conferencing and collaboration group at Frost & Sullivan Ltd., a high-tech consultancy in New York. “Today, 10% of global IM messages are spim,” or IM spam, says Purushothaman. “It has the same potential as e-mail spam.”

Moreover, hackers are finding it easier to break in through IM buddy lists than by other means, he says.

While some companies have outlawed IM because of security concerns [QuickLink 56025 http://www.computerworld.com/q?56025], many are looking for ways to mitigate risks while enjoying the business benefits. Here are steps you can take to secure IM in your organization.

Manage unauthorized IM clients. This applies to anything that’s added to IT assets and infrastructure, says David MacLeod, director of information protection and assurance at The Regence Group, a health insurance carrier in Portland, Ore. “We have a very well-defined, -controlled and -monitored electronic perimeter,” he says. “We know what can leave our organization and what can come in. That is clearly the first and most important step when you want to introduce anything new onto the network.”

Address risks that arise from change. Simply adding IM to the network, like adding any software, introduces risk. “It’s not because it happens to be IM. Anytime we add something new to our environment, there are security and privacy considerations,” says MacLeod. “You need to determine whether it has altered the security posture of the organization.”

Identify and verify users to curtail unauthorized access. This is what’s referred to as authenticating the user. CIO Tim Hudson at Man Financial, the brokerage arm of London-based Man Group PLC, accomplishes this by tying the party’s identity and permissions for various types of uses to existing technologies that identify people who have access rights on the network. “If someone has logged onto IM, we know that she or he is that person,” says Hudson.

Establish appropriate-use policies. “If you have an IM product you want to use, you need to do due diligence and have proper policies in place,” says Frost & Sullivan’s Purushothaman. Policies may include rules such as not allowing users to send files via IM, because sending and receiving attachments makes it easy to spread viruses, he says.
Or you may not want different workgroups to IM one another. “We have separate user groups and don’t necessarily allow them to IM each other. This ensures that research, sales, and institutional and product client groups are appropriately connected or disconnected,” says Hudson. The same technologies that identify users can identify the workgroups they belong to with their individual IM privileges, he says.

Educate employees about IM use and policies. Employees play an important role in IM security. “Educate your users that they shouldn’t be sharing passwords and that if they are, they’re handing over their identity to their colleague,” says Hudson.

At The Regence Group, people management is key to securing IM. “We have clearly articulated our policies around what kinds of information should be shared, what kinds should be protected and what are appropriate mechanisms for sharing information,” says MacLeod.

Enforce policies. “We have tools that automatically apprise us when it appears that something against policy has occurred,”says MacLeod. “We work with human resources and our leadership team to make sure that the employees involved understand why that’s not appropriate and to coach them on how to do that kind of information exchange in a more secure and appropriate manner.”

Purushothaman takes a harder line against IM misuse. He suggests issuing one or two warnings and then probation for offending employees.

Monitor risks related to security and privacy legislation. Many companies using IM are subject to multiple privacy and security regulations, such as the Health Insurance Portability and Accountability Act and the Sarbanes-Oxley Act.

The compliance concern is that information that should be secured can be passed on quickly and easily to numerous parties in the public domain, CIOs say.

Therefore, in industries such as financial services, pharmaceuticals and health care, IM conversations must be archived and logged. There also need to be policies to prevent any damaging information from getting out, says Purushothaman.

Manage IM patches. Take the same care with IM patches that you do with any other software. “We evaluate all IM patches to determine if they address something that is at risk for our organization, and if they do, they are prioritized and applied as quickly as appropriate,” says MacLeod.

If you send instant messages outside the company, recognize the unique risks associated with that. “If a CIO believes she or he needs to IM outside the company, that introduces an entirely different set of concerns,” MacLeod says. “You require a different set of controls, and it should be segregated from the internal messaging capabilities.”

Additional authentication measures might be necessary to adequately identify who is sending instant messages from outside the company, Hudson adds.