Security focus needed for IM revolution

• 
  Shamus McGillicuddy

  Enterprise Management Associates
• Published: 26 Jul 2007 12:00

Research firm

IM at work: Who knew? Read what Shamus has to say in his blog entry about the IM revolution.

And if SMBs want to do business with those global organisations, they'll have to step up to the plate and adopt technologies to secure and manage IM use.

Peter Firstbrook, a research director at Gartner, said SMBs should treat IM the same way they would email. If a company has examined its risk with email and determined that it needs to have policies and technology in place for electronic discovery, records retention, content inspection and data leak protection, those polices and technologies should be extended to instant messaging as well.

Unfortunately, SMBs aren't taking IM seriously enough.

"I would argue that most SMBs are looking the other way or blocking it -- or they think they're blocking it," Firstbrook said.

It boils down to priorities.

"Their focus is on enabling the business and helping the business make money. They have to be working on projects that are making money. This is pretty low on their radar."

Some companies just try to block IM. The problem with doing that is IM clients tend to be port crawlers. They find a way in. Michael Osterman principalOsterman Research Inc.

"Some companies just try to block IM," said Michael Osterman, principal of Black Diamond, Wash.-based Osterman Research Inc. "The problem with doing that is IM clients tend to be port crawlers. They find a way in."

An alternative to just blocking IM is to implement something from Akonix Systems Inc., FaceTime Communications Inc. or Symantec Corp. These products generally allow IT to control the clients used and to map IM handles to email addresses. You can really manage it without affecting users too much. "A third approach is to rip all that out and just deploy an enterprise IM solution," Osterman said.

IM is where email was about 12 years ago, Osterman added, when companies were trying to figure out whether there was a business case for the technology. Back then, he said, companies were debating whether they needed to take control of email.

"Today you'd be hard-pressed to find anyone to say that," Osterman said.

Firstbrook said SMBs need to take a realistic look at what their risks are by not taking control of IM use.

"Using instant messaging has a couple of risks," he said. "One is disclosure of sensitive information -- intellectual property losses or salacious material. It's also a new channel for malware. That's a risk for everybody."

Vendors are banking on the belief that SMBs will recognise a need to invest in technology. For example, Akonix, a San Diego-based IM management technology vendor, recently released the A1000 IM Essentials appliance, an IM risk management product that starts with licensing for up to 100 users at a price tag of just less than $7,000.

"There are a lot of SMBs and enterprises to this day who have no IM management," said Don Montgomery, vice president of marketing at Akonix. "But smaller firms are starting to apply the same rigor to email and IM retention, mainly because they're trying to do business with larger firms. And larger firms are compelling them."

Montgomery said SMBs will also be more inclined to manage their IM use because of the new federal rules of civil procedure adopted last December, which set rules for the legal discovery of electronic records.

More on instant messaging IM security best practices for SMBs IM too critical a business tool to ban

"Akonix and FaceTime and other vendors -- as a whole they're not in the email stream," Firstbrook said. "They're in the IM stream."

Firstbrook said SMBs that get separate vendors for email and IM management are just duplicating their work. They need a product that can do both.

"That's the best approach, IM and email integration," he said. "But the number of products you can choose to do that are still pretty slim."