How to Secure and Manage Enterprise IM

Can IM be a threat? 

The informal nature of IM leads people to say things that, in retrospect, they should not have said. While e-mail has similar risks, e-mail generally is reviewed by the user before the message is sent. IM by its nature usually is not. Companies must log all IM transmissions in case of possible litigation and to have a complete record of all information sent.

Meeting compliance regulations (audit/logging) 

Nearly all company data is discoverable through legal actions and for specific compliance requirements (for the Health Insurance Portability and Accountability Act, for example). Therefore, all communications, whether via e-mail or IM, must be logged and recorded, and archived for a specified period of time. Enterprise-class IM systems designed for such compliance must be utilized if companies are to meet the many general governing regulations or regulations specific to their market niche.

Should file transfers be allowed?

It is generally not a good idea to enable file transfers for an IM session, and even more problematic for a mobile IM user. Sensitive data may easily be lost or compromised in this fashion. Setting a policy, and being able to enforce that policy, is a key requirement for any enterprise-class IM system.

Managing malware 

Malware is increasingly becoming a staple of public IM systems. Control of IM access to public systems is desirable and enterprise-class IM systems offer tools to help with limiting access and blocking messages, and may incorporate an ability to add filtering and blocking technology or both from third party providers.

Controlling IM? 

Policy driven enforcement is a prerequisite for nearly all company systems, and IM should be no exception. Further, user education as to the proper use of IM and the consequences of disregarding company policy should be implemented as a way to improve and accelerate security and data protection mechanisms.

Meeting user wants versus corporate needs 

It is quite common for users to demand capabilities, sometimes without regard for how it might affect the enterprise. Any such requests, particularly from the executive ranks, must be carefully evaluated based on need and level of risk. Companies may allow, but must exert control over such use, by deploying enterprise-class clients and services that offer connectivity to public IM systems, but in a controlled fashion.

Jack Gold is President and founder of J. Gold Associates. He has over 35 years in the computer and electronics industries, and he is a leading authority on mobile, wireless, computing infrastructure and enterprise application strategies. He is a highly regarded expert on computer hardware, software and architecture. He can be reached at jack.gold@jgoldassociates.com.