IM too critical a business app to ban

By Linda Tucci, Senior News Writer 20 Apr 2006 | SearchCIO.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

The fast-growing New York public relations firm found that miscommunications were practically a given through IM, as employees carried on multiple conversations at the same time. Not a good thing for a public relations firm where the message is the message. Then there was 5W's company directive that all the members of an account team be copied on every correspondence -- not possible when using IM, which frustrated account managers.

But the IM experience is much different at IntelliCare Inc., a medical services company that considers instant messaging mission-critical. The Portland, Maine-based company's staff of nurses field medical questions and monitor patients through a nationwide network of call centers.

If a nurse is monitoring weight for a patient with congestive heart failure through a scale hooked up to the telephone and has a nagging question, she can IM an expert colleague and get advice. If she is fielding a call from an anxious parent about a child's illness, she can bring a pediatric specialist in on the conversation in real time.

More on IM security IM threat grows, response lags How VPNs interact with instant messaging applications

"The big thing we're focused on is service," IntelliCare CIO Jeff Forbes said. "We never want to put anybody on hold."

IM is, in fact, the tool of choice for IntelliCare's 250 nurses, 97% of whom work remotely.

IntelliCare, with 350 employees and about $20 million in revenue, implemented IBM's Lotus Sametime instant messaging platform two years ago to keep everybody on the same page. "It went through the organization like wildfire. Nurses will use things that are useful, and they will scream bloody murder if they're not," Forbes said.

Like it or not, experts say, you're smarter to embrace IM than restrict it. Despite the reported security risks, for many companies the benefits will outweigh the drawbacks of using the messaging tool.

And it's not like you can really stop it anyway.

Overhyped security threat?

Clearly, the dangers can't be overlooked, says Gartner Inc. analyst Tom Eid. But the more fundamental issue for CIOs is that IM can't be overlooked. Consumer driven at first, the convenient real-time communications system is becoming a staple at businesses, and the research suggests it's here to stay.

Indeed, IM may get a bad rap when it comes to security. Threats abound, that's for sure. To hear it from the security vendors, instant messaging is the Trojan horse, the worm and the biggest worry of corporate communications. A recent report from IM enterprise software provider IMlogic Inc. in Waltham, Mass., says 2006 is shaping up to be a record year for IM attacks. Data collated from partnerships with Internet security companies including Symantec Corp., Sybari Software Inc. and McAfee Inc., and IM leaders like America Online and Yahoo Inc., shows that IM threats were up more than 200% in January compared with the year before. Worms accounted for most of the attacks.

"IM isn't really so much of a worm/virus/security risk as is e-mail," argued Jonathan Eunice, an analyst at Nashua, N.H.-based Illuminata Inc. "There are some 'send a file' mechanisms in IM, but they are not the first line of attack, especially given how successful webpage and e-mail attacks have been."

IM isn't really so much of a worm/virus/security risk as is e-mail. Jonathan Eunice analyst, Illuminata Inc.

IM is the most widely distributed and frequently used IP-based, real-time collaboration technology after the telephone, according to Gartner. The Stamford, Conn.-based research firm is predicting that the enterprise IM market will have a compound annual growth rate of 20% for the next three years, and CIOs will most definitely be on the hook as IM use makes its inexorable march from free services to IM services sanctioned by the company.

"There's no question that, over time, instant messaging will merge with enterprise e-mail services. We're seeing it already with the smaller vendors, such as a small [software messaging] company in the UK called Gordano," Eid said.

Microsoft and IBM currently have more than 90% of the worldwide revenue for enterprise e-mail and 86% of the user base. Eid said once the two companies take IM on, the tool's place in the IT enterprise infrastructure will be official. By 2010, 90% of users with business e-mail accounts will have IT-controlled IM accounts.

IM use within a business context will continue to grow because it provides business value, Eid said, including faster communication, direct contact, improved collaboration and costs savings.

The bigger risks with IM have to do with privacy, experts say. Information can easily be intercepted because it's not encrypted -- a very clear exposure risk.

It is possible to encrypt IM, such as you might find at large conferences or Wi-Fi hot spots, "but it takes special care to accomplish," Eunice said.

Eid said the first thing CIOs need to do is take stock. "You have to do the assessment to determine how much IM is really occurring and then does it make sense to make it an enterprise-level application," he said.

In an ideal world, a governance body composed of senior-level business and IT-level people would be making that decision, but often it simply falls on the shoulders of IT to make the call, he said, adding, "it then falls to the actions of the end users to work around IT."

At IntelliCare, IM is used not only for medical matters but also for meetings, quick roll calls, in-depth training and -- yes -- chatting, says CIO Forbes.

"The one thing I kept hearing over and over again from corporate employees was, 'Oh the nurses are going to be talking with each other all the time. I pushed right back," he said, first pointing out that building community is essential for a remote workforce and, second, reminding corporate colleagues that their days allowed plenty of room for casual conversations. These interactions helped them be more effective with their co-workers. Why not for remote employees?

"People talk and they get back to business. And we have all kinds of ways to measure that. I defended against the critics, and they shut up now," Forbes said.

This article originally appeared on SearchCIO.

Tags: IM Security Issues, Risks and Tools,  Enterprise Risk Management: Metrics and Assessments,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT IM Security Issues, Risks and Tools What are effective ways to stop instant messaging (IM) spam? Secure messaging complications result in limited protection Is it possible to ban chat programs on an enterprise LAN? How to lock down instant messaging in the enterprise AOL closes AIM attack vector, but risks remain Researcher says AIM still vulnerable, AOL insists it's fixed Serious security flaw in AOL Instant Messenger Security flaws found in AOL, Yahoo IM programs Flaw found in MSN Messenger AOL, Yahoo, Trillian IM applications under threat Enterprise Risk Management: Metrics and Assessments How to avoid Internet liability lawsuits Bruce Jones: Report Security and Risk Metrics in a Business-Friendly Way Bernie Rominski: Communicate Effectively with Management about Risk Best Policy and Risk Management Products Monitoring program data and internal controls for risk management Risk management strategy for an information technology solution provider Align your data protection efforts with GRC The basics of enterprise GRC project management RSA council addresses growing security risks in the cloud How to write a risk methodology that blends business, security needs Enterprise Risk Management: Metrics and Assessments Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary greynet  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary