Problem
Company executives are finding that instant messaging, long considered a rogue application, is a potential liability.
Since its May 1997 debut as a free feature on AOL, instant messaging has caught on like wildfire. And if it began as a killer app for chatty teens, professionals were soon downloading it, too, not only for office gossip but also for use in legitimate business communications. The Yankee Group estimates that 65 million people worldwide now use IM for business; it expects that number to reach 330 million worldwide by the end of 2005.
Despite its popularity, however, instant messaging has only recently received the official nod from IT departments. For most of the last seven years, CIOs looked the other way as staff added one or more of the three most popular public IM programs—AOL Instant Messenger, Yahoo! Messenger and MSN Messenger—to their desktops. Besides being instantaneous, the great advantage of IM was that its messages were untraceable. Close the chat window and all evidence of your digital conversation disappeared. As such, managing IM wasn’t exactly on IT’s priority list. In fact, IM often wasn’t supported at all. As Jim Murphy, an analyst at AMR Research, explains, “IT executives felt if they didn’t sanction it, they weren’t responsible for it.”
Not anymore. IM is now viewed as a viable communications tool, as actionable as e-mail or the handwritten word. Last year, the SEC and NASD concluded that instant messages are a form of electronic communication, which means they must be archived. Under Sarbanes-Oxley, HIPAA, Basel II and other laws, companies must log and archive all written communications. Although none of the new regulations mention IM specifically, SEC spokesperson John Heine says they definitely apply to IM if the chat sessions contain business-related information.
“The basic principle is not the medium,” Heine says, “but rather the content of the message and the audience to which it is addressed.” And the cost of noncompliance is high, too; even in civil actions brought by the SEC, the fines can reach seven figures.
Even without the threat of legal action, company executives have begun coming to terms with the risks they take by allowing IM networks to flourish—namely, that sensitive or proprietary information can end up going to the wrong people, and that IM can leave your computer networks exposed to worms and viruses.
Paul Ritter, an analyst at the Yankee Group, says that intellectual property loss, or “data spills,” often occurs over IM. He tells of a company that was secretly developing a new version of its software that “would have some unique capabilities in the marketplace.” One of the company’s engineering employees was using IM to chat with a former colleague who worked at a competing firm. The code name of the project was used in the IMs, and some details of the new features were sent as a file attachment. The competitor learned of the new product and immediately began working on a similar offering, as well as marketing literature explaining why their own product was superior to the one they’d ripped off. “IM management software could have been used in this case to block IMs from being sent,” says Ritter.
In addition, IM worms and viruses, often sent through “spim” (IM’s equivalent of spam), pose a growing threat. The Yankee Group estimates that about 5 to 8 percent of corporate IM use is spim, and the Radicati Group estimates that spim will triple from roughly 400 million messages in 2003 to around 1.2 billion messages in 2004. “We’ve seen a rise in the reports of IM viruses,” says Yankee’s Ritter. “It causes not only productivity loss but also potential damage to the corporate network and higher costs for bandwidth.”
To prevent data spills, to comply with Sarbanes-Oxley and other regulatory initiatives, and to avoid intrusion and network damage, many executives say it’s high time to take instant messaging under the corporate wing. Furthermore, they add, it’s worth supporting. Instant messaging not only allows employees and their customers to chat in real time, but will also allow companies to make use of “presence awareness,” a nascent technology that will enable employees to know exactly where their coworkers are and how best to reach them.
That’s what CIO Brian Trudeau decided last year, when his company, Amerex Energy, a Houston-based global power supplier, realized that instant messaging was a mission-critical application. “We have brokers here who have up to 20 different IM sessions open to all their customers. It is essential that they have these IM clients just like their phone system.” Figuring it was just a matter of time before people started using IM to send spam and viruses, Trudeau decided to investigate his options. Says Trudeau: “You don’t want to get into the position where you’re reacting to a problem after the fact.”
Tell Your Executive Team:
- Our communications policy needs to address instant messaging.
Tell Your IT Department:
- Find out who’s using IM, and to what end.
Ask Your Legal Department:
- What messages do we need to track and archive, and for how long?