Monday, March 21, 2011

Consumer Instant Messaging in Business

Earlier this year, in its Internet Trends report, Morgan Stanley wrote about two fast-emerging commerce platforms, social networking and mobile, calling them “game-changing IM communications.” Game-changing is an excellent descriptor, as the coming together of a number of factors has paved the way for a phenomenon happening throughout businesses, regardless of industry or size, that has had a profound impact on messaging technologies, employees and IT. Even though these products and tools were originally designed for consumers, they are finding their way into the corporate world at a staggering pace.

One of the key reasons is the adoption of these messaging communications for personal use. “We have seen such an adoption of technology in the home,” observes Ian Moyse, channel director for Webroot Software, Inc. “If you think about it, the home has become much more IT literate. It wasn’t so long ago that we didn’t have a PC at home, or if you did it was a really big box and quite expensive. Now people have laptops.” Moyse points to how in the U.K. ISPs have been known to give away cheap laptops with broadband connections. “On the home PC, you have the freedom of choice for anything you install. If you have an iPad or iPhone, of course you need iTunes, so that is installed. Then there is social media: Facebook, Twitter, etc. People are used to using all these things at home and then they come to work and want to use a particular device or application.” Because people are more IT literate than ever before, Moyse believes employees are much more likely to make technology choices without the approval of IT.

Pete Schlampp, vice president of marketing for Solera Networks, characterizes this shift as the perfect storm. “First, Apple starts making these really cool products that everyone wants to have: iPhone, Mac laptop, iPads. Then you have this other trend where people are used to Facebook or Gmail, and there is this consumerization of IT, where people are very comfortable with IT. Then you have this massive recession, where companies aren’t spending money on the IT that they want to—whether it’s new computers, new servers, or better security. Finally, you have employees saying: ‘Why can’t I use my Mac or my iPhone?’ And so what has happened, is IT has let their guard down, and don’t have a good answer as to why not.”

This IT literacy is a driving force in the shift, as more and more employees are taking it upon themselves to choose the messaging technologies and tools they want in the workplace. “Almost every customer that I have talked to in the last month or two is dealing with this in some form or fashion,” acknowledges Fred Kost, director of marketing for security and borderless networks at Cisco Systems, Inc. “Users are procuring their own devices. It used to be BlackBerrys, but now we are seeing this huge influx of the popularity of a full-featured hybrid in the consumer’s hand and it is driving this desire to say: ‘Why can’t I get on the network and use this device?’ There are consumers that are pushing it into the IT environment just by numbers, price point and functionality.”

Personal vs. Company Issued

A recent study, The Cisco Connected World Report, which surveyed 2,600 workers and IT professionals in 13 countries, revealed that two of every three employees surveyed (66 percent) expect IT to allow them to use any device—personal or company-issued—to access corporate networks, applications, and information anywhere, at any time, and they expect the types of devices to continue diversifying.

“When a person gets a device, they are going to take it to work,” believes Dr. Nathaniel Borenstein, the co-creator of the Multipurpose Internet Mail Extensions (MIME) email standard (the standard that still holds today) and chief scientist for Mimecast. “I think there is no getting around it. How openly they do it and how soon they do it is a function of the corporate culture. If you value a device enough to spend your own money for it, you probably are going to find it valuable at work, unless they give you something very similar.”

This trend seems to be taking hold. According to a recent Forrester Research report, almost half of U.S. and European businesses surveyed are embracing the notion of allowing personally owned devices access to a secure corporate network.

“Most of the companies we talk to have a majority of their employees on personally liable or individually liable phones vs. corporate,” confirms Dan Nemo, chief operating officer of TextGuard Inc. “This means they are bringing the phone into the workplace, but it is owned by the employee.” Nemo estimates that it is 60 to 70 percent of the companies he deals with. “Employees are bringing their personal devices to work and saying I want to get this connected and the employer has a choice. They can get better productivity, figuring the employee will work at home, at the doctor’s office, etc, plus the company doesn’t have to buy a big package, instead it can reimburse the employee for a piece. We hear many companies don’t want to take on the administrative hassle and the expense of phone plans. We expect this phenomenon will continue to happen, driven by employees that want the newest devices out there.”

The challenge to IT, as a result, is a host of mobile phone types to deal with. “We have two dynamics going on, one is the consumer wanting to do it, and the other is the IT organization trying to figure out how to support it,” says Kost. “Maybe it is more economical if employees do buy their own devices. So clearly, the device itself is having an impact.”

But can IT manage all the devices equally well? “I don’t think you can, yet,” says Borenstein. “I remember when people wanted to write user interfaces, applications that worked on the PC, Mac and UNIX. What they really wanted was a tool kit that would make them work on all of them with minimal modifications by the programmer, at one point that was an impossible dream. But now we have tool kits that do exactly that. It is likely to happen in the smartphone market, but not when it is evolving as quickly as it is. It can’t happen when it is evolving as quickly as it is! But once a few vendors shake out, and Android stabilizes and it becomes clear what Apple is and isn’t going to change about multi-tasking, and stuff like that, then you can imagine a software layer that produces an interface for the BlackBerry, the iPhone, etc. But I think we have a really difficult period for several years before that.”

With the days of a company supplying an employee with a phone dwindling these past three or four years, companies have benefited financially by avoiding expensive plans and employees get to use the phone of their choosing. “Employees definitely think it is great,” says Schlampp. “But it opens up a lot of security challenges. Certainly one of them is when someone brings in a device onto the network. How do you know where that device has been? How do you know if the person who is using it is the right person? Frankly, the technology to ensure that is not at the same level as if I was to bring my Dell laptop, which can be authenticated. So you have that trend going on, with companies unable to stem the tide and they do not have the resources to be able to say anything about it.”

Perhaps feeding this trend toward personal mobile phone use is the pace of adoption of these impressive mobile devices. In the same Morgan Stanley report, the authors noted that mobile is ramping faster than desktop Internet did and will be bigger than most people expect. The report predicts that more users will likely connect to the Internet via mobile devices than desktop PCs within five years. With mobile growth such as this, it might have been impossible to tell employees that they could not use their personal mobile devices at work anyway. But what of other consumer-oriented messaging, like social media?

“Unless the user at work is locked down totally, there comes the dilemma in the particular world we are in, of security,” says Moyse. “The further you lock down a machine you impede the user to a point that they can’t work. So there has to be a balance. What we see in a lot of organizations is an element of lock down, but they can’t lock down as much as they’d like, because the help desk calls go up incredibly as users can’t do this or that. If you lock everyone down and take the big brother approach in the work environment, users are dissatisfied.”

Moyse also notes that, because employees are so IT literate, impeded users start to look for workarounds. “You often see a department that has one expert user that is really IT literate, install something. And someone else says: ‘Where did you get that?’ And the expert says: ‘I’ll install that for you’ and word gets around how to do it. It’s that viral thing, where someone downloads it and then emails it to three colleagues. That is the nature of the Web and email that has opened up the world to anyone with a PC. The implications for the IT department and the security of the business can be huge. This is the particular challenge with email or the Web; you can’t turn those applications off. You have to have the Internet open for your business.”

Kost agrees that locking employees down is not really an option. “Twenty-odd years ago, when employees came to work, they used the telephone on their desk to make some personal calls during the day, check in on the kids, make a dentist appointment, make a reservation. The modern workforce now are doing those same things with Facebook or Twitter, or other social media and communication tools and keeping up with all those people that in another age they might have called. Users coming to the office expect to use these tools, just like the phone used to be.”

But complete openness is surely not an option either. The 2nd Annual Network Forensics Survey published in October by Solera Networks found that visits to malicious Web sites and instant messaging (IM) use were particularly worrisome, with 96 percent feeling threatened by employee Web activity, and 71 percent fearing that IM poses security threats.

IT Cannot Say No

Employees today have high expectations when it comes to messaging technologies. “People are used to running their own networks at home,” observes Kost. “So, when IT says ‘no’ employees don’t understand why. ‘I can do this at home, why can’t I do it at work?’ IT is finding that ‘no’ doesn’t work. There is an employee morale, cultural thing, which some companies might say, big deal but to attract and retain talent that is a factor. Some of the research we did showed people are willing to make a trade off in compensation for some of this work flexibility, use of tools and applications.”

The Cisco Connected World Report points to the expectation that employees demand to be able to access information from anywhere, revealing three of every five employees (60 percent) believe it is unnecessary to be in the office to be productive.

This cross of personal and business information and tools can quickly get sticky. As Schlampp points out, “If I bring my iPhone into the office, and I pick up the corporate Wi-Fi, I am sending email, etc. All that email is now going through the corporate network. It could be my Gmail account or it could be my Exchange account. All that data is flowing through the corporate network and I have an identity there. Then I hop onto my laptop, and I have the same identity. All of a sudden, you have a single person using multiple identities on multiple IP addresses and that can become a big problem for security. That is where having the ability to see everything and replay everything and correlate that data is essential.”

Kost says that in most organizations the number one concern is the fine line between company data and user data and how it is stored on that one device. “A policy must be in place that says the company retains the right, if it must, to wipe the device. You need some policy in place that says if you bring your own device in with music that is yours, contacts, etc, that the company can take some security actions, such as monitoring and that some of your personal activity might be captured. It is important that people know that their expectation of privacy might be changed because you are getting onto the network at work. The employee needs to know that backing up personal data is their responsibility and that wiping the device is a possibility. So there is an employee, employer understanding that needs to happen, or a code of ethics or device policy needs to exist independent of the technologies and that can be different in different parts of the world that have different privacy expectations.”

Moyse agrees, noting, “What about the content that is on these machines? At home, I may download iTunes. If I copy that, I have paid for the license, I am legitimately able to use that music on this machine. If I email one of those tracks to someone at work, or put it on a USB key or download off an illegal site at work or if there is an unlicensed music track on a work PC, the Directors of that business are liable for the license. Under UK law, even if the user installed it, you can’t delegate responsibility or liability to the user. A company acceptable use policy says you are not allowed to have contents like that, you can fire the employee, you can take action, should the music publisher find out about the download, but it is still the company they are coming after.”

“The challenge we are getting into now is a lot of these sites, for example Twitter or Facebook, you can find a good business reason for using them,” adds Moyse. “Where do you draw the line? If you use it this way, it is beneficial to the company, if you use it that way, it can be dangerous.”

So what is IT to do? “It is easy to think of users as children—they want something, they take it. If they have a problem, they cry and they can’t always explain the problem,” says Borenstein. “It sounds kind of patronizing, but the truth is, if you conceptualize your users this way it can be a useful guide in how to deal with them. In this case, a child has a new toy, he loves his toy, do you tell him, ‘don’t use your toy’ or do you tell him how to change the batteries safely?”

With messaging technology and devices being driven into IT, instead of the former state of out from IT, how does IT get a handle on security? “From our perspective, on the security side, there is a new concept called ‘zero trust’ from Forrester,” says Schlampp. “This is their new framework for thinking about security. The title of it is great: No More Chewy Centers: The Zero Trust Model and they say we should think of the network security world as an M&M. You have this crunchy outer shell, where you kept out all the bad stuff, and inside it was tasty and you knew what it was and you could trust it. Well, no more chewy centers, because inside that M&M you now have all sorts of devices and people that you did not know about or were able to keep out before. But the reality is: We never really had the security that we perceived we did, turns out the chocolate was never that great anyway.”

Schlampp goes on to explain that we can’t treat network security like an M&M anymore. “Basically, you can’t trust anybody on your network, so you have to raise the level of the game of your network security team. Their job is not to just keep people out, their job is to actively monitor what is happening. So that if something bad starts to unfold, you have the tools and capabilities to understand what is happening and shut it down quickly.”

Today, IT is between a rock and a hard place. “IT administrators, the people who run IT departments are people who like to bring order out of chaos, they like control,” believes Borenstein. “Bless those people, I do not know what we would do without them, but I think they are going to have to let go of some of this. The question to ask is not, can they keep these devices out, because there is an easy answer, which is no, instead it is how can we manage the flow of information into and around these devices, how can they make them more secure? There are ways to do that.” Borenstein goes on to say that Mimecast is integrating corporate email with BlackBerry devices so both can be archived and support secure communications. “We are hoping to have that before long for other devices too. The message we would like to give employees is sure, use an iPhone, use a BlackBerry, but run this software so that mail is handled more securely.”

Kost warns that a whole new class of device is imminently expected, as he notes that according to Gartner just under 20 million tablets will ship this year and next year 55 million will ship. “These may or may not replace the laptop, but millions and millions of these devices are going to be out there,” he says.

IT organizations are going to need to rely on the technology more than ever before, believes Moyse. “We are going to need to put protection into place that does not hinder the user. A lot of the products now consistently use pop-ups asking the user, do you really want to do this? Is this secure? We are imposing too much on the user. Customers want the best protection they can get, as simply as you can get it, and as cost-effectively as you can get it. There is a great opportunity for the industry if we get this right.”


By Stephanie Jordan
