Instant messaging: educate, monitor and block

The advantage of instant messaging is that it is, well, instant. Office workers use it to exchange quick opinions about something work-related, or even to make jokes during a boring conference call that drags on for hours (I know, I've done it). However, when they need to send that all-important document to the boss or to a client, they use that older sibling, e-mail, writes Ionut Ionescu, member of the (ISC)² European Advisory Board.

IM can be a great collaboration tool, or a time-consuming distraction. I have seen good collaboration between employees when they were on a well-led conference call with a defined agenda, using just good old voice and no IM. I have witnessed even better collaboration when staff actually met in one room (or used a good-quality video link) and discussed ideas using a white board. I like the instant voting opportunities you get with IM and with some VoIP clients, but I would not classify them as essential business tools.

Of course, I have seen irate users, especially in marketing and sales departments, claiming that their world would end without IM. I guess every business has to weigh the advantages against the inherent risks.

I have not yet encountered a work situation where employees could not accomplish their objectives or daily workload because they could not use IM.

My advice to companies would be to allow it internally, but to block any IM activity with the outside world. That way, the chances of connecting inadvertently with a stranger and disclosing company information, or of clicking on a malicious link, would be reduced.

I don't think that the risk of clicking on a 'bad' IM link is so big, given that most organisations should have by now made their users aware of the dangers of indiscriminate clicking on links and attachments in e-mail.

I see another, perhaps more subtle, risk: given how easy it is to ping IMs (watch teenagers hold multiple IM conversations simultaneously), it can also lead to one dropping their guard and either becoming too familiar in their dialogue or disclosing something that could be later used to embarrass or harass an employee.

In summary: do internal awareness training of the risks, then allow it internally, block it externally and use DLP software to monitor what's going on.
