Instant messaging security. What are key factors?

Business IT message board users generally trust that the key factors around IM security is policy, enforcement and training. Apparently, individual business structures should solve how far they want to go with each of these, depending on the nature of the risk and its potential impact on the business processes, write Kate Danbury, head of information security, and Ollie Ross, head of research, at The Corporate IT Forum.

Everywhere, there is rising pressure from within corporates for IT to provide communication and collaboration technologies that users are familiar with and use extensively in home and social environments: most notably instant messaging. Instant Messaging supports productivity; it's fast, it's easy to use and it's the tool of choice for the new generation of office workers.

But from security sign, its risks are comparable with e-mail. It might also impact workforce productivity - at least until the novelty of 'chat' wears off - it can shortcut processes and undermine reporting and approval mechanisms, it's causal quality can be inappropriate for business conversations, and it can have an adverse impact on your network traffic. So deploying or switching on IM requires very careful consideration.

Firstly, decide where you would use instant messaging. Don't assume it's an all-or-nothing choice. Many of our members use IM internally across the enterprise without opening up the capability externally. Others use it as an effective tool between trusted partners (e.g. in an outsourced or support relationship). External IM is rarely used by businesses in the broader, public arena, thus minimising the risks associated with opening up the network.

Then decide what tool might best suit your requirements. Typically Forum members use proprietary solutions in-house rather than relying on consumer social networking tools.

Next, determine how IM may be used. Ensure your acceptable use policy offers clear guidelines around appropriate and inappropriate use, and that these really are understood and accepted by your users.

And finally, put a process in place that enables you to understand how instant messaging is being used, by whom and for what purpose. It's is widely recommended that usage is recorded and monitored. It is therefore auditable. Make sure your employees know this and understand the implications.

As drivers and business cases for collaboration increase so, too, does the risk that IT security becomes a business disabler. IM might offer true opportunities for your organisation. Or it could lead to real problems. It's a fine balance between having a 'safe and secure' network and helping the business to be as agile and reactive as it wants to be. And it's also very much about trust.