Problem
Long considered a rogue application, company executives are finding that instant messaging is a potential liability.
Since its May 1997 debut as a free feature on AOL, instant messaging has caught on like wildfire. And if it began as a killer app for chatty teens, professionals were soon downloading it, too, not only for office gossip but also for use in legitimate business communications. The Yankee Group estimates that 65 million people worldwide now use IM for business; it expects that number to reach 330 million worldwide by the end of 2005.
Despite its popularity, however, instant messaging has only recently received the official nod from IT departments. For most of the last seven years, CIOs looked the other way as staff added one or more of the three most popular public IM programs—AOL Instant Messenger, Yahoo! Messenger and MSN Messenger—to their desktops. Besides being instantaneous, the great advantage of IM was that its messages were untraceable. Close the chat window and all evidence of your digital conversation disappeared. As such, managing IM wasnt exactly on ITs priority list. In fact, IM often wasnt supported at all. As Jim Murphy, an analyst at AMR Research, explains, “IT executives felt if they didnt sanction it, they werent responsible for it.”
Not anymore. IM is now viewed as a viable communications tool, as actionable as e-mail or the handwritten word. Last year, the SEC and NASD concluded that instant messages are a form of electronic communication, which means they must be archived. Under Sarbanes-Oxley, HIPAA, Basel II and other laws, companies must log and archive all written communications. Although none of the new regulations mention IM specifically, SEC spokesperson John Heine says they definitely apply to IM if the chat sessions contain business-related information.
“The basic principle is not the medium,” Heine says, “but rather the content of the message and the audience to which it is addressed.” And the cost of noncompliance is high, too; even in civil actions brought by the SEC, the fines can reach seven figures.
Even without the threat of legal action, company executives have begun coming to terms with the risks they take by allowing IM networks to flourish—namely, the fact that sensitive or proprietary information can end up going to the wrong people, and leave your computer networks exposed to worms and viruses.
Paul Ritter, an analyst at the Yankee Group, says that intellectual property loss, or “data spills,” often occurs over IM. He tells of a company that was secretly developing a new version of its software that “would have some unique capabilities in the marketplace.” One of the companys engineering employees was using IM to chat with a former colleague who worked at a competing firm. The code name of the project was used in the IMs, and some details of the new features were sent as a file attachment. The competitor learned of the new product and immediately began working on a similar offering, as well as marketing literature explaining why their own product was superior to the one theyd ripped off. “IM management software could have been used in this case to block IMs from being sent,” says Ritter.
In addition, IM worms and viruses often sent through “spim” (IMs equivalent of spam) pose a growing threat. The Yankee Group estimates that about 5 to 8 percent of corporate IM use is spim, and the Radicati Group estimates that spim will triple from roughly 400 million messages in 2003 to around 1.2 billion messages in 2004. “Weve seen a rise in the reports of IM viruses,” says Yankees Ritter. “It causes not only productivity loss but also potential damage to the corporate network and higher costs for bandwidth.”
To prevent data spills, to comply with Sarbanes-Oxley and other regulatory initiatives, and to avoid intrusion and network damage, many executives say its high time to take instant messaging under the corporate wing. Furthermore, they add, its worth supporting. Instant messaging not only allows employees and their customers to chat in real time, but will also allow companies to make use of “presence awareness,” a nascent technology that will enable employees to know exactly where their coworkers are and how best to reach them.
Be sure to add our eWEEK.com messaging and collaboration news feed to your RSS newsreader or My Yahoo page:
Thats what CIO Brian Trudeau decided last year, when his company, Amerex Energy, a Houston-based global power supplier, realized that instant messaging was a mission-critical application. “We have brokers here who have up to 20 different IM sessions open to all their customers. It is essential that they have these IM clients just like their phone system.” Figuring it was just a matter of time before people started using IM to send spam and viruses, Trudeau decided to investigate his options. Says Trudeau: “You dont want to get into the position where youre reacting to a problem after the fact.”
Tell Your Executive Team:
- Our communications policy needs to address instant messaging.
Tell Your IT Department:
- Find out whos using IM, and to what end.
Ask Your Legal Department:
- What messages do we need to track and archive, and for how long?
Next Page: Make IM work to your companys advantage.
Strategy
Strategy
Make IM work to your companys advantage.
At Thomas Weisel Partners LLC, a San Francisco-based investment firm, CTO Beth Cannon says the companys first reaction to IM was to shut it down completely. But after the Sept. 11 terrorist attacks, when some of the companys customers didnt have access to phones or e-mail, but did have IM, she urged the company to retain instant messaging.
“It was really our customers who drove IM in here,” Cannon says. The company stopped blocking IM and installed security software from FaceTime Communications that allows traders to continue using the public IM clients their customers use, but, in addition, adds the ability to archive all chat sessions and use keywords to monitor conversations and check for illegal activity.
At Rochester Public Utilities in Rochester, Minn., IT Analyst Matt Bushman saw the need for IM as a means for internal communications as well as for external ones. So, in addition to deploying software from Akonix Systems Inc., which offers many of the same features as FaceTime, his company also installed Microsoft Corp.s Live Communications Server. “We believe IM will become the preferred method of communication within business,” he says, “and so we decided to take a proactive approach for internal and external communications.” LCS allows employees not only to chat in real time, but also to share documents and screen shots, and to send alerts.
Click here for a recent story on ICQ opening its IM client to developers.
At about $10,000, the cost of IM monitoring software wont break the bank for most large companies. Even so, choose the system that best suits your company; and, to determine the best approach for your company, start by assessing what your staff uses IM for.
“The first step is to do an audit,” says Nate Root, an analyst at Forrester Research Inc. “Get out into the trenches and find out whats being used, by whom, and for what.”
Installing the monitoring software is a fairly simple task; Bushman says that, after a two-day set up, it took about 20 days to get Akonixs software up and running. Its the prep work thats the challenge, say analysts, because youve got to formulate policies around how you intend to track conversations. Will you archive all messages, or only certain ones? Should employees IM use be restricted to certain parties, and if so, which groups should be blocked? Which keywords should be used to monitor illegal activity? “This is not something the CIO can dream up on his or her own,” says Forresters Root. “The legal department has to weigh in on this as well.”
How, exactly, do you make IM secure? There are three common approaches: (1) invest in a security-and-management solution that layers over the public IM clients your employees are already using, providing archiving features as well as monitoring and blocking functions (META Group refers to these as “hygiene services,” but they are probably best known as gateway vendors); (2) install an internal IM client; or (3) combine these two options in a custom solution.
Generally, an enterprise IM application is best if your companys IM use is mainly in-house. A “hygiene” solution is best for companies that use IM to deal with customers who use a variety of IM clients. Analysts agree that companies will eventually opt for both, but will focus for now on the hygiene services. “Most companies,” says AMRs Murphy, “are still in the wake-up stage.”
Ask Your CFO:
- How much do we spend annually on e-mail, and how much could we save with better IM technology?
Tell Your IT Department:
- We need to assess whether an in-house IM product would work for us.
Ask Your Chief Strategist:
- Do we need to better manage our intellectual property?
Next Page: Take time to help employees understand the importance of securing instant messages.
Help Employees
People
Take time to help employees understand the importance of securing instant messages.
Nobody likes to feel theyre being spied on, and analysts agree that getting employees to accept that communications that were once unmanaged are now being monitored may not be an easy task. “How you get people to do this is the $90,000 question,” says Forresters Root. The answer? Give your employees a better tool than the one theyre using now.
Bushman of Rochester Public Utilities agrees, but adds that generation gaps also require tact. “The biggest cultural roadblock we faced was diversity,” he says. “Our boomers outnumber the Xers, and the younger employees and customers are becoming hooked on collaborative technologies.” While RPUs customers became more and more dependent on IM, some employees werent using it at all. “It really comes down to training,” Bushman says. “Our older employees had some difficulty, but were doing a good job of getting people educated.” RPU staffers now have the ability to push screens back and forth between employees through the internal IM program, or take remote control over a coworkers desktop if they need help with, say, an accounting application. And employees increasingly use IM to talk to vendors and key customers.
Allowing employees to continue using the IM of their choice reduces friction. Cannon of Thomas Weisel Partners says that since employees didnt have to switch IM clients there was little backlash. The company now provides employees with individual IM screen names. Trudeau of Amerex adds that employees dont mind that their conversations are logged because “it covers their rear ends a little bit” if customers call back with complaints.
While it may be best to let staff continue to use their IM software (so they can continue to converse easily with their customers), this presents an IT roadblock—at least until IM has more universal standards. Analysts generally agree that standards will be in place by 2007, which will allow IMers the ability to chat across various networks (right now, IM clients dont interoperate, so AOL users can only speak to other AOL users). Until then, though, the Tower of Babel problem will continue. Although a gateway vendor will help you archive and manage your instant messages, it still wont allow you to send an IM from a Yahoo! account to someone who uses, say, MSNs messaging client.
Ask Your Business Managers:
- What IM features will help our employees work smarter?
Ask Your IT Department:
- Do we know what we want from an IM vendor?
Tell Your HR Department:
- We need to make employees appreciate the need for greater security.
Remain Flexible
Future
Instant messaging software is still evolving, so its important to remain flexible and informed.
The jury is still out on how IM will evolve. Some say it will remain a stand-alone application, while others expect it to merge with other communications tools. This is already happening with products such as WiredRed Softwares e/pop suite and IBM Lotus Instant Messaging and Web Conferencing, both of which combine IM and Web conferencing. Several analysts predict that by the end of the decade, e-mail and VoIP will also be bundled together to create a complete set of electronic communication applications on a single platform.
“The communications platform of the future will be a seamlessly integrated system that all employees can use that incorporates IM, Web conferencing, telephony, e-mail and collaboration software,” says Yankees Ritter. “Thats the endgame.” Basically, imagine an application that allows you to archive, and file, all of your voice-mail messages, e-mails, IM conversations, and even your telephone conversations, all in one place, while also providing the ability to do live Web conferencing and scheduling.
At the same time, companies such as Reuters Group plc and the Kellogg Co. have begun using bots to provide automated customer service and human resources information. Bots—automated computer programs—can reply over IM and act as a virtual help desk, providing information on request, in real time. Comcast Cable Communi-cation Inc.s “Ask Comcast” feature, for example, allows high-speed Internet subscribers visiting their online support page to ask a question and receive an automated response. If a question is asked for which there is no automated response, the customer is immediately transferred to a live customer-service rep, who can answer the question. Think of it as an IM FAQ.
Analysts also say that IM will be the catalyst for “presence awareness,” which will allow employees to see on their computer screens where their coworkers are located and how best to contact them there. This, say analysts, is one of the largest benefits of improving your IM capabilities, because it can ease collaboration, which speeds up workflow. IM and presence awareness will also be incorporated into the companys largest functions, such as CRM and the supply chain, to give employees the ability to solve problems and bottlenecks in real time. Bushman of Rochester Public Utilities says his company is testing how presence awareness can help operations. IM, he expects, will “continue to roll itself into everything we do.”
Ask Potential Vendors:
- How do you plan to build out your services in the next 18 months?
Ask Your Business Managers:
- Can presence awareness help our business?
Ask Your Customer Service Department:
- Could automated alerts improve customer relationships?