Smart staff are saving time at work by using SMS, instant messaging and blogs to communicate and share information – but they could be putting company data at risk
British Airways CitiExpress crews now get new flight duties and maintenance updates via one of the simplest communications methods: text messages to their mobile phones. They use a device they know well and that is always with them, and a network that covers the world.
Such business use of consumer communications and team working technologies that have become second nature is growing quickly as users spot opportunities for using mobile phones, instant messaging and personal blogs to save time at work.
The trouble is that sharp users are often introducing these technologies on their own initiative, without reference to anyone else - and this is building up big problems for IT directors and their security managers, say industry observers.
First the good news. Texting using the Short Message Service (SMS) has the widest potential use because most people carry a mobile phone and SMS is available pretty much worldwide, says Michael Kowalzik, chief executive of TynTec, a UK company providing private services to organisations including British Airways, Unilever and consultancy Accenture.
"SMS is well established, so it works and is reliable and people know how to use it," Kowalzik says. "This means the total cost of ownership, in terms of training and maintenance, is very low.
"SMS beats voice if detailed information is involved, such as addresses, phone numbers, dates and times. With voice, the person has to be able to write down the message accurately, which might not be easy for a salesman on the road or a manager travelling between meetings or picking up a voicemail. With SMS, the details are listed on the phone display. Information can be received and looked at discreetly without interrupting a meeting. And text messages are typically much shorter than voice messages passing on the same information, so there is a cost saving too.
"Unilever, for example, is using our service to tell sales people about latest promotions, and to let executives know of changes to their travel arrangements.
"SMS also has advantages over e-mail: with e-mail you need access, and you might miss an important message amid all the hundreds of others."
Instant messaging is another technology that beats e-mail, in terms of instant response: in effect, it provides all the facilities of e-mail but as a real-time chat between people who are online at the same time.
Like SMS, instant messaging has evolved into a business communications method from a consumer activity, in this case introduced by internet services. But it now looks set to make huge impact in business.
"Instant messaging has the potential to create a new order in electronic collaborative working," says Graham Titterington, principal analyst at industry research group Ovum. He has produced a report on this area with the e-business trade association, EEMA.
"Our study of the business view of instant messaging shows that it helps organisations make decisions faster, fosters better communication, reduces voicemail, is widely used to improve communications with home teleworkers, and has potential for managing crises that has not yet been recognised."
The real-time nature of instant messaging was highlighted by a European survey by security software supplier Sybari Software which found 81% of respondents putting this benefit top of the list.
"Real-time text discussions harness our ability to multitask and break through typical organisational barriers to increased productivity," says Julian Bogajski, commercial director, Sybari Software UK. "For example, users can be on the phone to a client while using instant messaging to gather information from colleagues to solve the problem or close the sale.
"Users can share ideas and get feedback immediately. Work groups can meet for focused conversations without long-distance phone charges."
Long-distance calls can be cut by 30%, e-mail use by 40% and voicemail use by 15%, says research group Gartner - which also believes instant messaging will overtake e-mail as the preferred communications method next year.
While e-mail is now firmly at the heart of the enterprise, the emergence of blogging in business once seemed unlikely. It, too, started as a consumer phenomenon, in the mid-1990s, with people using simple software to put on the web their diaries, political views, comments about the news and anything else under the sun. Companies are now catching on and using blogging in different ways, ranging from top executives putting up their diaries and daily thoughts - sometimes less than subtly marketing their organisations - to experts passing on tips or useful websites.
"Blogs are time stamped by their very nature, and this can give them greater value than many standard web pages, where it is not always obvious how old the information is," says Ian Charlesworth, senior analyst at research firm Butler Group.
"Organisations are discovering that simple blogs can help drastically improve information flows between people with a vested interest in sharing information. They might be in customer support or product development, or in virtual project teams, which might include people outside the organisation. There are many levels of user who would benefit from the ability to put information on a web page for access by peers," he says.
Charlesworth believes blogging can encourage experts in an organisation to share their often jealously guarded knowledge, "Experts are often hard to track down and can resist demands to share their knowledge. But when like-minded experts collaborate, they typically engage in free-flowing dialogue, eagerly sharing new ideas.
"Blogs can be a way of facilitating or capturing these highly valuable thoughts and information exchanges," he said.
Charlesworth thinks this could be the start of something big. "The casual and relaxed nature of blogs seems to resonate with all levels of people. Most blogs are updated several times a week, if not daily - at the owner's free will.
"If this behaviour can be translated to an organisational level, we might take a significant step in cracking the knowledge management conundrum," he says.
The quick impact of these collaboration methods and their business benefits is largely due to their origins as easy-to-use consumer technologies - but this raises some big issues for IT managers: issues of security, control and government regulation.
With all these electronic collaboration tools, users can start using them at work with no reference to the IT department or anyone else. Everyone has a mobile, and software and services for instant messaging and blogging are freely available on the web and simple to install and use. This, in effect, means consumer technologies - and consumer attitudes - are being taken into work by staff.
"Virus writers are now shifting the focus of their attack to instant messaging, which is seen as a largely unprotected route into an organisation," says Jon Sakoda, chief technology officer at business instant messaging software supplier IMlogic. "Most IT organisations have e-mail or web infrastructure to protect their networks against attacks from the internet, but few have adequate protection against complex threats via instant messaging."
Last year, IMlogic set up the IMlogic Threat Centre with support from companies such as Microsoft, Symantec and Yahoo as a centre of information on weaknesses and to provide advice. In the first quarter of this year, the centre found the number of reported attacks via instant messaging grew by 50% a month, and 30 new virus and worm threats appeared. Inevitably, spam, known as spim in this area, is growing. It represents 10% of traffic and is bringing in spyware and other nasties associated with normal e-mail - except that companies usually have protection and policies on e-mail.
Use of consumer products outside the IT department's control or knowledge raises other security issues. Sakoda says, "Most consumer instant messaging systems allow people to create anonymous identities. How would you respond to a message apparently from firstname.lastname@example.org? Such IDs could be used maliciously, and in phishing attacks on staff to get company information such as user names and passwords."
Company vulnerability here is underlined by a UK survey by market research firm YouGov for business instant messaging supplier Akonix. More than 15% of people said they had used instant messaging at work to send or receive sensitive company information, including sending it outside the organisation. More than half used it to chat to friends while at work - this figure rose to 80% among those aged 18-29. And 25% of this younger group used it to download music at work - probably often illegally, putting the organisation at legal risk.
"It is frightening what people will send and discuss over instant messaging," says Mike Maddison, director of enterprise risk services at consultancy Deloitte. "There is a lack of control and auditing of information being sent and received. The absence of encryption makes eavesdropping fairly simple. Financial organisations face particular challenges, because of requirements to log and store communications, for example between traders."
With instant messaging using public internet services, messages are usually lost once the user logs off.
Maddison points out that many of these issues also apply to SMS, which has the added risk of the theft of a mobile phone with all its messages and numbers.
Blogging has all the risks of unprotected websites - and more, says Maddison. "As with a website there are risks of being hacked and having false information posted. The nature of blogs means it may be harder to detect and prove that an employee was or was not responsible for information posted.
"Staff disclosing confidential or proprietary information can negatively impact a business and may mean regulatory violations for the organisation. Incorrect or misleading information can cause severe reputational and financial damage."
Most of these issues - virus and hacking prevention, information security, audit trails, regulatory compliance - apply equally to business e-mail, websites and other IT. The difference is that the established applications are firmly controlled by the organisation, typically through the IT department with network and information security, sometimes e-mail monitoring and written policies on online behaviour. This difference is highlighted by the YouGov survey for Akonix: only 19% of companies had any technology to manage or block instant messaging.
Suppliers are responding to the growing use of consumer technologies with products to help IT departments take control. Instant messaging systems, for example, typically check for viruses, put controls on who can use the system, scan messages for inappropriate text and provide audit trails.
SMS services such as TynTec's for British Airways use the worldwide network but have their own communications centres to guarantee delivery in specified times and again provide audit trails.
IT departments will certainly have to work hard to get the use of consumer technologies under control, according to the IMlogic Threat Centre research: most employees questioned said they used instant messaging for the very reason that it circumvented IT security policy.
Much of this checklist on instant messaging also applies to other technologies introduced by users:
- Find out who is using instant messaging and which products, and evaluate their use
- Assess the risk of current use to the organisation
- Educate users on the benefits and especially the risks
- Establish consistent company policies
- Decide whether public consumer systems are allowed
- Integrate file and content-filtering policies with instant messaging
- Protect against virus attacks
- Centralise control - not least for legal protection
- Clearly document usage guidelines and communicate them to all staff
- Track staff understanding of the guidelines
- Educate and train staff on the advantages so that the full potential can be exploited.
Source: Sybari Software: www.sybari.com