Page 2By CIOinsight | Posted 04-01-2004
Instant Messaging: IM Here to Stay
Long considered a rogue application, company executives are finding that instant messaging is a potential liability.
Since its May 1997 debut as a free feature on AOL, instant messaging has caught on like wildfire. And if it began as a killer app for chatty teens, professionals were soon downloading it, too, not only for office gossip but also for use in legitimate business communications. The Yankee Group estimates that 65 million people worldwide now use IM for business; it expects that number to reach 330 million worldwide by the end of 2005.
Despite its popularity, however, instant messaging has only recently received the official nod from IT departments. For most of the last seven years, CIOs looked the other way as staff added one or more of the three most popular public IM programsAOL Instant Messenger, Yahoo! Messenger and MSN Messengerto their desktops. Besides being instantaneous, the great advantage of IM was that its messages were untraceable. Close the chat window and all evidence of your digital conversation disappeared. As such, managing IM wasn't exactly on IT's priority list. In fact, IM often wasn't supported at all. As Jim Murphy, an analyst at AMR Research, explains, "IT executives felt if they didn't sanction it, they weren't responsible for it."
Not anymore. IM is now viewed as a viable communications tool, as actionable as e-mail or the handwritten word. Last year, the SEC and NASD concluded that instant messages are a form of electronic communication, which means they must be archived. Under Sarbanes-Oxley, HIPAA, Basel II and other laws, companies must log and archive all written communications. Although none of the new regulations mention IM specifically, SEC spokesperson John Heine says they definitely apply to IM if the chat sessions contain business-related information.
"The basic principle is not the medium," Heine says, "but rather the content of the message and the audience to which it is addressed." And the cost of noncompliance is high, too; even in civil actions brought by the SEC, the fines can reach seven figures.
Even without the threat of legal action, company executives have begun coming to terms with the risks they take by allowing IM networks to flourishnamely, the fact that sensitive or proprietary information can end up going to the wrong people, and leave your computer networks exposed to worms and viruses.
Paul Ritter, an analyst at the Yankee Group, says that intellectual property loss, or "data spills," often occurs over IM. He tells of a company that was secretly developing a new version of its software that "would have some unique capabilities in the marketplace." One of the company's engineering employees was using IM to chat with a former colleague who worked at a competing firm. The code name of the project was used in the IMs, and some details of the new features were sent as a file attachment. The competitor learned of the new product and immediately began working on a similar offering, as well as marketing literature explaining why their own product was superior to the one they'd ripped off. "IM management software could have been used in this case to block IMs from being sent," says Ritter.
In addition, IM worms and viruses often sent through "spim" (IM's equivalent of spam) pose a growing threat. The Yankee Group estimates that about 5 to 8 percent of corporate IM use is spim, and the Radicati Group estimates that spim will triple from roughly 400 million messages in 2003 to around 1.2 billion messages in 2004. "We've seen a rise in the reports of IM viruses," says Yankee's Ritter. "It causes not only productivity loss but also potential damage to the corporate network and higher costs for bandwidth."
To prevent data spills, to comply with Sarbanes-Oxley and other regulatory initiatives, and to avoid intrusion and network damage, many executives say it's high time to take instant messaging under the corporate wing. Furthermore, they add, it's worth supporting. Instant messaging not only allows employees and their customers to chat in real time, but will also allow companies to make use of "presence awareness," a nascent technology that will enable employees to know exactly where their coworkers are and how best to reach them.
That's what CIO Brian Trudeau decided last year, when his company, Amerex Energy, a Houston-based global power supplier, realized that instant messaging was a mission-critical application. "We have brokers here who have up to 20 different IM sessions open to all their customers. It is essential that they have these IM clients just like their phone system." Figuring it was just a matter of time before people started using IM to send spam and viruses, Trudeau decided to investigate his options. Says Trudeau: "You don't want to get into the position where you're reacting to a problem after the fact."
Tell Your Executive Team:
Tell Your IT Department:
Ask Your Legal Department:
Make IM work to your company's advantage.
At Thomas Weisel Partners LLC, a San Francisco-based investment firm, CTO Beth Cannon says the company's first reaction to IM was to shut it down completely. But after the Sept. 11 terrorist attacks, when some of the company's customers didn't have access to phones or e-mail, but did have IM, she urged the company to retain instant messaging.
"It was really our customers who drove IM in here," Cannon says. The company stopped blocking IM and installed security software from FaceTime Communications that allows traders to continue using the public IM clients their customers use, but, in addition, adds the ability to archive all chat sessions and use keywords to monitor conversations and check for illegal activity.
At Rochester Public Utilities in Rochester, Minn., IT Analyst Matt Bushman saw the need for IM as a means for internal communications as well as for external ones. So, in addition to deploying software from Akonix Systems Inc., which offers many of the same features as FaceTime, his company also installed Microsoft Corp.'s Live Communications Server. "We believe IM will become the preferred method of communication within business," he says, "and so we decided to take a proactive approach for internal and external communications." LCS allows employees not only to chat in real time, but also to share documents and screen shots, and to send alerts.
At about $10,000, the cost of IM monitoring software won't break the bank for most large companies. Even so, choose the system that best suits your company; and, to determine the best approach for your company, start by assessing what your staff uses IM for.
"The first step is to do an audit," says Nate Root, an analyst at Forrester Research Inc. "Get out into the trenches and find out what's being used, by whom, and for what."
Installing the monitoring software is a fairly simple task; Bushman says that, after a two-day set up, it took about 20 days to get Akonix's software up and running. It's the prep work that's the challenge, say analysts, because you've got to formulate policies around how you intend to track conversations. Will you archive all messages, or only certain ones? Should employees' IM use be restricted to certain parties, and if so, which groups should be blocked? Which keywords should be used to monitor illegal activity? "This is not something the CIO can dream up on his or her own," says Forrester's Root. "The legal department has to weigh in on this as well."
How, exactly, do you make IM secure? There are three common approaches: (1) invest in a security-and-management solution that layers over the public IM clients your employees are already using, providing archiving features as well as monitoring and blocking functions (META Group refers to these as "hygiene services," but they are probably best known as gateway vendors); (2) install an internal IM client; or (3) combine these two options in a custom solution.
Generally, an enterprise IM application is best if your company's IM use is mainly in-house. A "hygiene" solution is best for companies that use IM to deal with customers who use a variety of IM clients. Analysts agree that companies will eventually opt for both, but will focus for now on the hygiene services. "Most companies," says AMR's Murphy, "are still in the wake-up stage."
Ask Your CFO:
Tell Your IT Department:
Ask Your Chief Strategist:
Take time to help employees understand the importance of securing instant messages.
Nobody likes to feel they're being spied on, and analysts agree that getting employees to accept that communications that were once unmanaged are now being monitored may not be an easy task. "How you get people to do this is the $90,000 question," says Forrester's Root. The answer? Give your employees a better tool than the one they're using now.
Bushman of Rochester Public Utilities agrees, but adds that generation gaps also require tact. "The biggest cultural roadblock we faced was diversity," he says. "Our boomers outnumber the Xers, and the younger employees and customers are becoming hooked on collaborative technologies." While RPU's customers became more and more dependent on IM, some employees weren't using it at all. "It really comes down to training," Bushman says. "Our older employees had some difficulty, but we're doing a good job of getting people educated." RPU staffers now have the ability to push screens back and forth between employees through the internal IM program, or take remote control over a coworker's desktop if they need help with, say, an accounting application. And employees increasingly use IM to talk to vendors and key customers.
Allowing employees to continue using the IM of their choice reduces friction. Cannon of Thomas Weisel Partners says that since employees didn't have to switch IM clients there was little backlash. The company now provides employees with individual IM screen names. Trudeau of Amerex adds that employees don't mind that their conversations are logged because "it covers their rear ends a little bit" if customers call back with complaints.
While it may be best to let staff continue to use their IM software (so they can continue to converse easily with their customers), this presents an IT roadblockat least until IM has more universal standards. Analysts generally agree that standards will be in place by 2007, which will allow IMers the ability to chat across various networks (right now, IM clients don't interoperate, so AOL users can only speak to other AOL users). Until then, though, the Tower of Babel problem will continue. Although a gateway vendor will help you archive and manage your instant messages, it still won't allow you to send an IM from a Yahoo! account to someone who uses, say, MSN's messaging client.
Ask Your Business Managers:
Ask Your IT Department:
Tell Your HR Department:
Instant messaging software is still evolving, so it's important to remain flexible and informed.
The jury is still out on how IM will evolve. Some say it will remain a stand-alone application, while others expect it to merge with other communications tools. This is already happening with products such as WiredRed Software's e/pop suite and IBM Lotus Instant Messaging and Web Conferencing, both of which combine IM and Web conferencing. Several analysts predict that by the end of the decade, e-mail and VoIP will also be bundled together to create a complete set of electronic communication applications on a single platform.
"The communications platform of the future will be a seamlessly integrated system that all employees can use that incorporates IM, Web conferencing, telephony, e-mail and collaboration software," says Yankee's Ritter. "That's the endgame." Basically, imagine an application that allows you to archive, and file, all of your voice-mail messages, e-mails, IM conversations, and even your telephone conversations, all in one place, while also providing the ability to do live Web conferencing and scheduling.
At the same time, companies such as Reuters Group plc and the Kellogg Co. have begun using bots to provide automated customer service and human resources information. Botsautomated computer programscan reply over IM and act as a virtual help desk, providing information on request, in real time. Comcast Cable Communi-cation Inc.'s "Ask Comcast" feature, for example, allows high-speed Internet subscribers visiting their online support page to ask a question and receive an automated response. If a question is asked for which there is no automated response, the customer is immediately transferred to a live customer-service rep, who can answer the question. Think of it as an IM FAQ.
Analysts also say that IM will be the catalyst for "presence awareness," which will allow employees to see on their computer screens where their coworkers are located and how best to contact them there. This, say analysts, is one of the largest benefits of improving your IM capabilities, because it can ease collaboration, which speeds up workflow. IM and presence awareness will also be incorporated into the company's largest functions, such as CRM and the supply chain, to give employees the ability to solve problems and bottlenecks in real time. Bushman of Rochester Public Utilities says his company is testing how presence awareness can help operations. IM, he expects, will "continue to roll itself into everything we do."
Ask Potential Vendors:
Ask Your Business Managers:
Ask Your Customer Service Department: