
Corporate IT Forum members collectively believe that the
triangle of trust around security is policy, enforcement and
education. Obviously, individual organisations must decide how far
they want to go with each of these, depending on the nature of the
risk and its potential impact on the business, write Kate
Danbury, head of information security, and Ollie Ross, head of
research, at The Corporate IT Forum.
Universally, there is growing pressure from within enterprises
for IT to provide communication and collaboration technologies that
users are familiar with and use extensively in home and social
environments: most notably instant messaging. IM supports
productivity; it's immediate, it's easy to use and it's the tool of
choice for the new generation workforce.
But in security terms, its risks are comparable with e-mail. It
might also impact workforce productivity - at least until the
novelty of 'chat' wears off. It can shortcut processes and
undermine reporting and approval mechanisms, its casual quality
can be inappropriate for business conversations, and it can have an
adverse impact on your network traffic. So deploying or switching
on IM requires very careful consideration.
Firstly, decide where you would use messaging. Don't assume it's
an all-or-nothing choice. Many of our members use IM internally
across the enterprise without opening up the capability externally.
Others use it as an effective tool between trusted partners (e.g.
in an outsourced or support relationship). External IM is rarely
used by businesses in the broader, public arena, thus minimising
the risks associated with opening up the network.
Then decide what tool might best suit your requirements.
Typically Forum members use proprietary solutions in-house rather
than relying on consumer social networking tools.
Next, determine how IM may be used. Ensure your acceptable use
policy offers clear guidelines around appropriate and inappropriate
use, and that these really are understood and accepted by your
users.
And finally, put a process in place that enables you to
understand how instant messaging is being used, by whom and for
what purpose. It is widely recommended that usage is recorded and
monitored. It is therefore auditable. Make sure your employees know
this and understand the implications.
As drivers and business cases for collaboration increase so,
too, does the risk that IT security becomes a business disabler. IM
might offer true opportunities for your organisation. Or it could
lead to real problems. It's a fine balance between having a 'safe
and secure' network and helping the business to be as agile and
reactive as it wants to be. And it's also very much about
trust.