The Great Debate
Instant Messaging is a little like a controversial political figure: you either love it or you hate it. Teenagers love it; they can spend hours "chatting" with friends. It allows home users keep in touch with faraway family members and friends without long distance charges and with more immediacy than e-mail. But corporate managers and network administrators are divided over its utility in the business world.
IM presents some of the same benefits to business users as to home users: it allows you to communicate with colleagues, customers and partners at a distance in real time, like the telephone, while avoiding the hefty long distance rates that apply during normal business hours. The growing popularity of Voice over IP (VoIP) services is taking some of this advantage away, as companies can now utilize the Internet to place telephone calls at a substantial savings over the traditional phone system.
Nonetheless, IM continues to be the communications method of choice for many because it provides more of a "personal" link than e-mail, while being a bit less intrusive than the telephone. IM is handy for dual communications. For example, you can get information from a colleague via IM while you're on the phone with a customer, without having to disrupt the telephone conversation. IM can also be useful for quick communications in emergencies, as the Internet may remain functional during an outage of regular telephone services.
Corporate employees who are used to using IM on their computers at home want the same convenience at work. Most of them are unaware of the security and productivity implications.
IM Software on Business Computers: To Be or Not to Be?
What are the concerns of businesses about IM communications taking place on their networks, and are they valid, or just a case of employers wanting to exert control over their employees? Let's take a look at some of the disadvantages of IM in the business environment.
The first is lost productivity. Popular IM programs were designed for recreational "chatting" and anyone who's looked up from an online chat session to find that several hours have gone by knows how easy it is to get involved in conversation and spend much longer than you intended. Because people don't type as fast as they talk (normal conversation ranges from 100-250 words per minute), it takes longer to exchange the same information via text chat as compared with over the telephone.
Employees may also be more prone to abuse IM for personal use on the job than the telephone, since it's easier to "look as if you're working" while typing IM messages than to disguise the personal nature of a phone call if you're in an open office. In fact, a recent study by research company Radicati Group indicated that most IM users in enterprise environments used the technology more for casual intra-company communication and personal use than for communicating with customers or business partners (http://www.instantmessagingplanet.com/enterprise/article.php/3423321).
Busy employees complain that those with less to do distract them from their work with non-urgent or personal messages. Many people seem to abandon the rules of polite communications when they use IM or chat programs. For example, few people would dream of picking up a phone book and randomly dialing people whose names sound interesting, but many think nothing of contacting a stranger online just to strike up a conversation.
Another problem with heavy IM traffic is bandwidth usage. If you have many employees engaging in chat, it can impact your network's bandwidth and performance.
IM communications are also subject to unwanted advertising (IM spam is referred to as spim). Spim often consists of pornographic images that pop up during IM use. Like other display of pornography in the workplace, this can lead to sexual harassment charges and lawsuits.
But the biggest concern in today's business environment is security. Different IM applications use different, proprietary protocols and standard firewall configurations may not block or detect them. The IM programs also often circumvent authentication systems. Some IM clients can use ports other than those associated with IM (see the table for a list of commonly used IM ports), even commonly open ports such as 80.
Instant Messaging Client Software
Commonly Used Port
AOL Instant Messenger (AIM)
Yahoo Instant Messenger
The free consumer IM client programs in widest use, such as AIM, Yahoo and MSN Messenger, pose many security concerns. Consumer IM programs often support more than just simple text-based chat. They may also include peer to peer file transfer capabilities, which can pose security risks in two ways. Internal users can send documents that may be confidential out of your network, circumventing your network's perimeter defenses against file sharing programs or e-mail attachments. On the other hand, external users can send files that might contain viruses or malicious code to users on the internal network. In addition, a liability risk arises if employees use the file transfer feature to share copyrighted music, movie or software files in violation of the law.
If you're in an industry that falls under government regulations (such as HIPAA for health care and the GLB Act for financial institutions), use of public IM systems may violate mandates regarding electronic communications and record keeping.
IM Technology: How Does it Work?
There are two basic types of IM technologies: peer to peer (P2P) and client-server. With a peer to peer system, IM clients communicate with each other directly. With a client-server system, communications go through a central IM server from which it is passed on to the recipient.
P2P systems pose a security problem because there is no centralized control. With client-server systems, on the other hand, IM communications can be monitored and logged at a central location. However, if the IM server is under external control, then you have to worry about interception by the external administrators.
What Are the Top Security Concerns?
IM software, especially the use of popular consumer level IM programs, raises the following security concerns:
- Like other software, IM clients can be vulnerable to buffer overflows and other flaws that can be exploited by hackers to launch DoS attacks.
- Many IM clients allow users to create anonymous user names that cannot be easily tracked or the true identity of the IM user identified. If the IM name is not associated with a legitimate e-mail address, a user can send communications pretending to be someone he's not (electronic identity theft).
- IM file transfer features, as discussed earlier, pose a big risk both in terms of outgoing and incoming files.
Establishing Policies for IM Usage
If your company decides to allow IM, the first step in keeping it under control is to establish usage policies. Some best practices that can keep IM from becoming a bane to your business include:
- IM should not be used as a substitute for e-mail. IM should be used only for questions or announcements that are short and need to be communicated immediately.
- Users should take advantage of IM software features that allow you to present yourself as "busy" or "offline" so they will not be compelled to respond to numerous queries.
- Users should never register with public directories that allow any and everyone to IM you; instead, users should maintain contact or "buddy" lists of people who can see their online status, and the list should be restricted to legitimate business contacts.
- Users should not be allowed to install their own IM software on company computers. If IM is to be part of your company's communications cadre, the software and its configuration should be standardized and controlled by the IT department as with other business software.
- IM should never be used for confidential communications of any kind unless the IM client supports message encryption.
- If your industry is regulated, you may need to implement an enterprise level IM system that allows you to record all IM communications.
Creating a policy is only the first step. The policy must be disseminated to employees and there must be mechanisms in place to enforce them. One enforcement mechanism is stated penalties for violation. Another is to technologically enforce policies.
Controlling IM Communications through Technology
Because IM does have benefits for businesses, you might wish to allow it in your organization - but that doesn't mean you have to allow it for everyone, or allow employees to use it with no oversight. There are a number of products that allow administrators to manage IM usage. Some of these products include:
- Akonix L7 Enterprise (http://www.akonix.com/)
- IMlogic IM Manager (http://www.imlogic.com/)
- FaceTime's IM Auditor (http://www.facetime.com/)
With IM management software, you can restrict IM usage to specific users and groups who have a need to communicate via IM. You can control whether users can transfer files (and with some products, what types of files can be transferred). You can specify whether users are allowed to use audio/video features of the IM client, or play the games that are built into some IM clients. You can even restrict IM usage to specific days of the week or times of day.
IM management software can also do content filtering. You can set up lists of words or phrases that will cause a message to be blocked, or that will send an alert to the administrator.
Finally, these programs allow administrators to log and review IM conversations. Some of them will create reports summarizing information about IM sessions, and you may be able to search the logs for key words or phrases.
The biggest drawback to these programs is cost. They are targeted for the enterprise market, and only large companies are likely to be able to afford them. Costs are generally based on number of users and start at about $2500 per 100 users.
Blocking IM Communications Altogether
You may find that it's easier and less expensive to block IM communications altogether. This might be easier said than done. You can configure your firewall to close the ports commonly used for IM communications, but clients may be able to use alternate ports. According to Akheron, the process to fully block IM can be complex and expensive, costing up to $30-50,000 per location (http://www.akheron.com/prodinfo/blocking_costanalysis_01.html).
There are a number of products designed to detect and block IM traffic (and many of these also block P2P file sharing programs as a bonus). IM Detector Pro from IMlogic is free (http://www.imlogic.com/resources_downloads.htm?WT.mc_n=IMDetector%20Download&wt.mc_t=Banner%20Ads&WT.cg_n=Side%20Panel).
Instant Messaging can be a benefit to business when used properly, but IM is often abused by employees and poses significant liability and security risks. There are ways to allow IM and yet control its usage, or you can attempt to block IM altogether, although doing so effectively may prove to be expensive. In this article, we've discussed some of the benefits and the drawbacks of IM in the business environment. Each organization is different, so there is no "one size fits all" solution - but every business should have written policies regarding IM use on their network, whether the policy is to prohibit IM completely or to set controls that make it less likely to lead to problems.