IM security: the triangle of trust

Corporate IT Forum members collectively believe that the triangle of trust around security is policy, enforcement and education. Obviously, individual organisations must decide how far they want to go with each of these, depending on the nature of the risk and its potential impact on the business

Corporate IT Forum members collectively believe that the triangle of trust around security is policy, enforcement and education. Obviously, individual organisations must decide how far they want to go with each of these, depending on the nature of the risk and its potential impact on the business, write Kate Danbury, head of information security, and Ollie Ross, head of research, at The Corporate IT Forum.

Universally, there is growing pressure from within enterprises for IT to provide communication and collaboration technologies that users are familiar with and use extensively in home and social environments: most notably instant messaging. IM supports productivity; it's immediate, it's easy to use and it's the tool of choice for the new generation workforce.

But in security terms, its risks are comparable with e-mail. It might also impact workforce productivity - at least until the novelty of 'chat' wears off - it can shortcut processes and undermine reporting and approval mechanisms, it's causal quality can be inappropriate for business conversations, and it can have an adverse impact on your network traffic. So deploying or switching on IM requires very careful consideration.

Firstly, decide where you would use messaging. Don't assume it's an all-or-nothing choice. Many of our members use IM internally across the enterprise without opening up the capability externally. Others use it as an effective tool between trusted partners (e.g. in an outsourced or support relationship). External IM is rarely used by businesses in the broader, public arena, thus minimising the risks associated with opening up the network.

Then decide what tool might best suit your requirements. Typically Forum members use proprietary solutions in-house rather than relying on consumer social networking tools.

Next, determine how IM may be used. Ensure your acceptable use policy offers clear guidelines around appropriate and inappropriate use, and that these really are understood and accepted by your users.

And finally, put a process in place that enables you to understand how instant messaging is being used, by whom and for what purpose. It's is widely recommended that usage is recorded and monitored. It is therefore auditable. Make sure your employees know this and understand the implications.

As drivers and business cases for collaboration increase so, too, does the risk that IT security becomes a business disabler. IM might offer true opportunities for your organisation. Or it could lead to real problems. It's a fine balance between having a 'safe and secure' network and helping the business to be as agile and reactive as it wants to be. And it's also very much about trust.

Read more expert advice from the Computer Weekly Security Think Tank >>

Read more on IT risk management

SearchCIO
SearchSecurity
SearchNetworking
SearchDataCenter
SearchDataManagement
Close