Using Instant Messaging in the Office

We have received a question about using Instant Messaging services (such as AIM, Yahoo, MSN Messenger & Skype Chat) in the office: “Is it safe to allow our employees to do this, what are the benefits and what are the dangers?”

This is a pretty complex subject for a single blog entry – and as with anything to do with security and technology, things are changing all the time – but here are some pointers for you to consider when making your decision.

IM can be handy as a means to communicate very quickly when situations require. The ‘real time’ aspect of messaging is appealing to many as it can save huge amounts of time if you require advice or an opinion in a hurry - without the cost of a telephone call. You can’t get faster than instant! Also, as most IM software is available as a free download so it’s unarguably a cost-effective communication tool.

But, it is also undeniably an easy way for people to chat about non-work related subjects, or even moan about work in general. It’s not really the done thing in offices these days for people to sit at their desk and chat on the phone to friends. However, chatting on IM is a means for people to do the same thing without getting caught. Co-workers and supervisors may assume the person was discussing serious work matters but in practice it could actually be plans for the weekend or the latest episode of EastEnders!

It may be quick and convenient but is it secure? Different IM applications use different protocols and standard firewalls may not block or detect them. Some IM clients can use ports other than those associated with IM even commonly open ports such as 80 (normally associated with web browsing).

IM programs such as AIM, Yahoo and MSN Messenger pose additional possible security issues. These programs often allow more than just chat: they allow file transfers as well. Not only could users send documents – a recent study revealed that around 32% of companies have found employees passing confidential information to a third party - but users can also receive files that may possibly contain viruses or malicious code. Not to mention the liability nightmare if employees use the file transfer feature to share copyrighted music, movie or software files in violation of the law.

Is there an answer without an all-out ban? It could be a simple case of allowing one type of IM to be used over another. There are two basic types of IM technologies: peer to peer (P2P) and client-server. With a P2P system, IM clients communicate with each other directly hence they are less secure as there is no centralised control. With a client-server system, communications go through a central IM server from which it is passed on to the recipient. With client-server systems, IM communications can be monitored and logged at a central location (which also conforms to current compliance regulations). Not only do you have an audit trail but employees will be deterred from engaging in non-work related chit-chat and file swapping if they know they could be found out and held accountable!

Many places already have employees using IM at work, and the automatic assumption - that it cannot be used safely or is hindering productivity and therefore should be blocked - is probably unfair. Used and monitored properly, IM can be a great tool – but, like most other modern tools, it does need to be controlled and monitored if you are to ensure that productivity doesn’t suffer and that your network and data is to be kept secure. Like most other things out there, you just need to know what you are dealing with and know how to control it.



Source: http://blog.charitysolutions.co.uk/2008/04/07/using-instant-messaging-in-the-office/