When the tamale seller sets up his cart on the sidewalk in front of Pacific International Marketing Inc., MIS Director Bryan Searcy—and most employees at the Salinas, Calif., produce broker—usually gets an instant message about it from somebody in the office. And that's OK. Yes, it would be nice if employees used all company-supplied technology for business purposes only. But, at Pacific International, where there is no policy pertaining to instant messaging use for nonbusiness purposes, moderate frivolity is tolerated. Besides, who doesn't like a good tamale?
Compare that with the attitude toward IM at Thomas Weisel Partners LLC, in San Francisco: Until the merchant bank completes tests on its deployment of FaceTime Communications Inc.'s IM Auditor software server to determine if it will meet the Securities and Exchange Commission guidelines for the handling of communications, there will be no instant messages about anything, whether the content pertains to tamales or U.S. Treasury notes. “Planned implementation is Dec. 1. In the meantime, all IM communications are suspended or blocked,” CIO Robert Hahn said.
While enterprise attitudes toward IM vary, most IT managers are being forced to face up to a simple fact: IM, a technology that started as a consumer toy, has not only worked its way into common use in most companies but is also increasingly being used for serious business communications. As a result, like it or not, IT managers need to get serious about taming IM. That means creating and enforcing rules about how IM is to be used and for what purposes. It also means making IM more secure and trackable than current, consumer-oriented services such as AOL Time Warner Inc.'s Instant Messenger or Microsoft Corp.'s MSN Messenger. For an increasing number of companies, that will involve deploying a new class of IM products specifically targeting enterprise users.
One thing's for sure, though: IM has gotten out of the bottle, it's moved into the enterprise and it shows no sign of leaving. Gartner Inc. predicts that the casual downloading by corporate users of free IM clients from the likes of AOL, MSN and Yahoo Inc. is set to saturate 70 percent of enterprises with the technology by 2003—in most cases without the blessing or support of enterprise IT. At the same time, the amount of time employees spend sending instant messages is growing like crabgrass. New York-based Jupiter Media Metrix Inc. recently found that the total minutes U.S. workers spent using IM applications from AOL, MSN and Yahoo increased 110 percent over the past year, from 2.3 billion minutes in September last year to 4.9 billion in September this year.
How much harm is there in IM usage in the enterprise? Potentially, there's plenty, and it goes way beyond employees frittering away time IMing for nonbusiness purposes. No, the biggest concerns revolve around consumer IM's lack of the kind of security usually demanded by enterprise users and its inability to provide archives and indexes of messages. That's particularly important in industries where business is done electronically. In fact, in industries such as financial services, telecommunications, health care and energy, agencies such as the SEC have already begun to alert companies that they need to retain, archive and index instant message transcripts in much the same manner that they manage electronic communications such as e-mail.
That kind of scrutiny is causing enterprises such as Thomas Weisel to ban IM use, at least for now. And IT managers in other industries, too, are taking a harder look at the limitations of consumer IM, demanding features such as audit trails.
That's also why some companies are turning to IM products tailored for enterprise users from vendors such as Ikimbo Inc., WiredRed Software Corp., NetLert Communications Inc., FaceTime and Lotus Development Corp. Such products solve some of consumer IM's security problems by moving the IM server inside the enterprise firewall and keeping IM messages off the public Internet. Most add encryption. Some also add administrative features such as the archiving and indexing of messages.
Instantly Insecure
What makes consumer IM services inherently insecure? A few things, according to Gartner analyst Rob Batchelder. First, consumer IM products, once activated on a user's desktop, open a channel through the enterprise firewall that can easily be exploited by hackers. That's particularly true because IM services, rather than consistently using the same server port, tend to scan firewalls for available ports. That makes it difficult to use virus-scanning tools to clean IM traffic or attachments.
“The likelihood [of security incidents] is similar to that of e-mail being intercepted: little to none,” said Batchelder, in Stamford, Conn. “But it is not secure, and some applications require secured messaging—specifically financial-services-type communications.”
Recent incidents prove that if IM falls into the wrong hands—either through hacking or carelessness—the results can be disastrous. In July, a hedge fund manager at San Francisco company Azure Capital Partners LP reportedly IMed his AOL buddy list with information about PeopleSoft Inc. and was later accused of undermining PeopleSoft's stock price. According to widely reported news accounts, the manager either said to buddy list members that regulators were looking into accounting irregularities at a PeopleSoft subsidiary or asked if that were so and also raised the possibility that PeopleSoft was being sued by a customer for $50 million. The IM turned into a rumor. PeopleSoft got its hands on the message and concluded that it was the cause of what turned out, over the course of a few days, to be a $1.7 billion drop in the company's market value.
Another security problem intrinsic to consumer-grade IM applications is that content is typically unencrypted, experts say. While in transit, messages are stored as open text in server buffers at services such as AOL or Yahoo. Not only can packet sniffers read IM contents, but also unencrypted logs of conversations can easily be stolen.
At Colonial Trust Company Inc., a $4 million bank trust company in Phoenix, network administrator David Brown said that's not a risk he's willing to take. Colonial's 40 employees regularly exchange sensitive customer information such as Social Security numbers and investment information that Brown said he's unwilling to trust to IM servers residing outside the corporate firewall. “We deal a lot with customers' personal information and didn't like the idea of sending it over a public wire,” he said.
Colonial installed NetLert's NetLert IM software on a server running Windows NT 4.0 last July. This not only keeps private information in-house, it also improves security since IM servers run behind Colonial's firewall and messages travel the company's private network only. NetLert also encrypts inbound and outbound messages.
At First Community Credit Union, in Houston, network administrator Rito Garza's concerns over IM security are similar. Garza's implementation of WiredRed's e/pop IM product two years ago coincided with an overall tightening of security that included the installation of a proxy server, an intrusion detection system and a Cisco Systems Inc. firewall. The security lockdown also brought an end to employees' ability to download consumer IM clients—a decision that just made sense, given that the credit union's 160 employees had regularly begun to use IM to exchange data about customers.
“When [use of consumer IM] was here, I noticed it was more of an open type of network,” Garza said. “I didn't feel very comfortable with that, given the industry we're in. So we decided to restrict that altogether.”
Garza cited bandwidth concerns as another reason he moved employees off the Internet and public IM. As the bank grows, it will be moving more and more services to the Internet. It already offers Web-based home banking to customers and plans on moving some day-to-day operations to the Internet. All that requires bandwidth—a commodity Garza's now less inclined to share with IM addicts than ever.
Although behind-the-firewall, enterprise IM products offer enhanced security and the ability to allow instant messages to be audited, many come with a drawback: Since they require proprietary clients and run over private networks, they're not easily open and available to all users.
Some enterprise IM vendors have engineered a way around that limitation, however. Omniprise, for example, an enterprise IM product from Ikimbo, includes a client that can be downloaded onto invited parties' computers. An administrator keeps control of who gets invited to participate. This allows the IM network of users to expand while keeping sensitive information out of the wrong hands. That should help keep enterprises away from a fate similar to that which befell Azure in the PeopleSoft fiasco.
Adam Schecter, a principal at William Blaire New World Ventures, in Evanston, Ill., said he used the client download feature in Omniprise to quickly build an impressive list of contacts on his list—including top-level executives at the portfolio companies he manages.
Schecter, whose company invests in Ikimbo, also saves time using a file-sharing feature in Omniprise that allows him to share the same document that his client company updates. All users get updates at the same time, and all questions about the report can be answered via IM practically instantaneously.
The experience, Schecter said, has convinced the company to forbid the use of consumer IM and standardize on the Ikimbo product.
Seriously Chat Happy
So how should IT managers decide whether to standardize on an enterprise IM product, ban consumer IM altogether or take a wait-and-see approach to IM? A first step, experts say, is to determine just how much IM is being used already in your enterprise and what percentage of it is on consumer IM platforms. “Very few enterprises know how much IM is being used,” Gartner's Batchelder said. But if users in your business are IMing, there's a good chance they're using a consumer-grade service, he said.
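One way to take that first measurement, given the port-hunting behavior described earlier, is to count consumer IM connections in firewall logs by destination host as well as by port. The sketch below is an added example, not code from the article or from any vendor it names; the log format and sample lines are constructed, and the port numbers and host suffixes are assumed historical defaults for AIM, MSN Messenger and Yahoo Messenger.

```python
from collections import Counter

# Assumed historical defaults for the services the article names (not from the article).
IM_PORTS = {5190: "AIM", 1863: "MSN", 5050: "Yahoo"}
IM_HOSTS = {"oscar.aol.com": "AIM", "messenger.hotmail.com": "MSN",
            "msg.yahoo.com": "Yahoo"}

# Constructed firewall log, one connection per line: src_ip dst_host dst_port
SAMPLE_LOG = """\
10.0.0.11 login.oscar.aol.com 5190
10.0.0.11 login.oscar.aol.com 80
10.0.0.12 messenger.hotmail.com 1863
10.0.0.13 scs.msg.yahoo.com 23
10.0.0.14 www.example.com 80
10.0.0.15 203.0.113.9 5190
10.0.0.16 intranet.example.com 443
not a log line
"""

def classify(host, port):
    """Return (service, basis) or None. The host is checked first because a
    client that hunts for an open port still has to reach its login server."""
    for suffix, svc in IM_HOSTS.items():
        if host == suffix or host.endswith("." + suffix):
            return svc, "host+port" if IM_PORTS.get(port) == svc else "host-only"
    if port in IM_PORTS:
        return IM_PORTS[port], "port-only"
    return None

def summarize(log_text):
    users, missed, sources = {}, Counter(), set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue  # skip malformed lines
        src, host, port = parts[0], parts[1].lower(), int(parts[2])
        sources.add(src)
        hit = classify(host, port)
        if hit:
            users.setdefault(hit[0], set()).add(src)
            if hit[1] == "host-only":
                missed[hit[0]] += 1  # a port-only rule would not see this
    im_sources = set().union(*users.values())
    return {"users": {s: sorted(v) for s, v in users.items()},
            "missed_by_port_rule": dict(missed),
            "im_share": round(len(im_sources) / len(sources), 2) if sources else 0.0}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

The `missed_by_port_rule` count shows how many connections a filter keyed only on the default ports would have overlooked, which is the gap the port-hunting behavior creates.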
Even if you determine your enterprise has a ton of business communication going out over consumer IM platforms, it doesn't necessarily mean your only option is to permanently tear users' beloved AIM (AOL Instant Messenger) out of their hands. One alternative is to audit your enterprise IM messages using a tool such as FaceTime's IM Auditor to record and log IM threads that traverse via consumer IM. That's what Thomas Weisel Partners' Hahn is testing now.
Finally, experts say, IT managers should set IM usage policies. For example, a consistent IM user-naming convention similar to that which most enterprises have put in place for e-mail should be created to ensure that corporate IM doesn't degenerate into arcane and subjective naming schemes.
At most enterprises, however, IM policies need not rule out some nonbusiness use. Pacific International Marketing's Searcy recently standardized on WiredRed's e/pop enterprise IM product. Fifteen produce salespeople who used to sit in one big room yelling out the fast-moving prices of lettuce now are saving time IMing news about inventory and prices. But, on days when the tamale vendor sets up shop, the usual tamale-alert messages still go out.