
Is IM a Sieve for Corporate Secrets?

Businesses find instant messaging both help and headache, when security concerns surface.

Frank Thorsberg, special to PCWorld.com


From customer service to sales, or simply for exchanges among far-flung business associates, companies are finding that instant messaging isn't just for consumer chat.

Business users are expected to make up nearly half--43.2 percent--of the estimated 530.4 million IM users forecast to be online by 2006, according to researchers at IDC. That's up from 2001, when business accounted for only 10 percent of the 182.3 million IM users.

The trend is echoed in a survey by Osterman Research. In a March poll of 164 companies, 29 percent of the respondents said they use instant messaging, and 42 percent will or may do so.

But with this surge in business use comes a cascade of concerns about controls, especially security, authenticity, and encryption measures.

Unfriendly Greetings

Public IM applications such as America Online's AOL Instant Messenger and ICQ, Microsoft's MSN Messenger, and Yahoo Messenger operate using the IM provider's servers and are not protected by a corporate or personal firewall. Unencrypted messages traverse the Internet among users whose identities and intentions cannot be verified. Also, you can't tell who else might be eavesdropping on plain text sent through cyberspace.

Is that IM conversation about next month's sales projections really with a colleague--or a competitor? Is the file you're receiving through AIM transfer a picture of a customer's product, or is it a cover for a virus?

Computer viruses and worms can be sent via IM, which is not subject to the virus scanning, content filtering, and other security measures often employed by corporate e-mail programs. Stealth programs sent by crooked IMers can give outsiders access to everything on an individual PC or network.

The threats are real, although incidents are not yet widespread.

"By and large, we don't see many attacks based on IM, but the potential is certainly there," says Shawn Hernan, a security expert at the Computer Emergency Response Team Coordination Center (CERT/CC), a government-funded Internet security center at Carnegie Mellon University.

That's why some businesses ban instant messaging, Hernan notes. "One of the first tenets of computer security is 'Don't run things that you don't need,'" he says. "You need to concentrate your effort on securing the systems you do need."

Secure Options

Terry Olkin, chief technical officer for security firm Sigaba, says many companies are becoming concerned about intellectual property dribbling out the IM window.

Corporate information officers spend "a lot of money in basically protecting themselves from all the things that can go wrong with e-mail, and now messaging creates a big gaping hole that they have no coverage for whatsoever," Olkin says. "At the moment, many of them have no idea what is going on through this system."

Where some see a threat, others see real opportunity.

"We don't have to take a defensive posture. We can use [IM] as a strategic tool to talk to customers, suppliers, and have applications talk to them, too," said Francis DeSouza, chief executive officer of IMlogic, which markets monitoring software for instant messaging. Its tools are intended to give IT departments security and accountability for IM, without squashing it entirely.

"It is a powerful medium, highly scalable to hundreds of millions of users. It's a really powerful concept that gets you directly to the desktops of customers, suppliers, and employees in a real-time interactive way." IMlogic's products allow companies to track transactions, search and retrieve these records, and generate reports on IM traffic.

Many tightly regulated industries--including medical, pharmaceutical, and financial institutions--must closely monitor all communications. Some converted to closed IM systems in order to legally use instant messaging as a communications tool.

Balancing Privacy

Monitoring IM protects employees as well, because it can show that they're not communicating inappropriate information, IMlogic's DeSouza says.

"I think it is much better to be able to pull up a record and say this is what happened," DeSouza says. "It's not like they are looking for dirty jokes or someone talking to their wife over IM." And, after all, the communications are taking place on company property and, usually, on company time.

A number of private messaging applications are available from enterprise software developers. IBM's Lotus Notes users can have IM capability through its Sametime add-on. Microsoft provides an instant messaging function through its Exchange Server. Also emerging with private IM products are a number of smaller players, including Jabber, Facetime, NetLert Communications, and Bantu.

"If you want to do IM right, you need to not make use of the public services--like AOL, Yahoo--but use collaboration [applications] from someone like Lotus, Microsoft, or Bantu," says David Thompson, a security analyst at the Meta Group.

However, those enterprise IM services don't interact with the more common public IM applications, such as those from AOL and Yahoo, Thompson notes.

Wanted: Interoperability

Interoperability is likely to remain a challenge, especially for corporations trying to balance control with communications.

Trillian, from Cerulean Studios, is among the services that allow instant messaging across the branded applications. But its capabilities remain trapped in a tug-of-war, because the big players don't like their turf being invaded. AOL, Microsoft, and Yahoo routinely tweak their IM programs so Trillian can't run a composite of them; Trillian then updates its software to overcome the tweaks.

In fact, one regulatory condition of the AOL-Time Warner merger in January 2001 was that it open its AIM technology for interoperability with other instant messaging services. AOL has satisfied the Federal Communications Commission demand in part by seeking interoperability with Lotus Sametime.

Interoperability wouldn't necessarily mean a security breach for nervous companies, Meta Group's Thompson says. The trick then is controlling the interaction, not preventing it, he adds.

"You want them to be able to interact with Yahoo or AOL users," Thompson said. "You just want to be sure you can control, monitor, and encrypt what they're doing."
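The two concerns the article raises, that IM file transfers bypass the virus scanning and content filtering e-mail gets, and that companies want to control and monitor IM rather than ban it, can be illustrated with a small gateway policy. The following is an added example, not code from the article or from IMlogic, Sigaba, or any other vendor named here. It assumes a made-up gateway log format, a company domain of corp.example, and assumed lists of executable extensions and sensitive terms; every event line is constructed for the example.

```python
"""Added example (not from the PCWorld article or any vendor named in it):
a minimal IM gateway policy that applies the kind of content filtering and
audit logging the article says corporate e-mail gets but IM does not.
All log lines below are constructed samples; the format is an assumption."""
from dataclasses import dataclass
from typing import List

# Constructed sample of gateway events: "<type> <from> <to> <payload>"
# type is MSG (chat text) or FILE (file transfer); all addresses are made up.
SAMPLE_EVENTS = """\
MSG alice@corp.example bob@corp.example Lunch at noon?
FILE bob@corp.example alice@corp.example product_photo.jpg
FILE unknown123@public-im.example alice@corp.example invoice.pdf.exe
MSG alice@corp.example rival@competitor.example Q3 sales projections attached, confidential
MSG carol@corp.example dave@corp.example draft sales projections for review
"""

INTERNAL_DOMAIN = "corp.example"  # assumption: the company's own IM domain
# File extensions the gateway treats as executable content (assumed list).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "bat", "cmd", "com", "vbs", "js"}
# Phrases that mark content as internal-only (assumed, hypothetical DLP list).
SENSITIVE_TERMS = ("sales projections", "confidential")


@dataclass
class Event:
    kind: str
    sender: str
    recipient: str
    payload: str


@dataclass
class Verdict:
    event: Event
    action: str   # "allow" or "block"
    reason: str


def parse_events(text: str) -> List[Event]:
    """Parse the constructed gateway log format, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kind, sender, recipient, payload = line.split(" ", 3)
        events.append(Event(kind, sender, recipient, payload))
    return events


def is_external(addr: str) -> bool:
    """True when the address is outside the company's own IM domain."""
    return addr.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN


def file_is_executable(name: str) -> bool:
    """Check only the final extension, so 'invoice.pdf.exe' is still caught."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext in EXECUTABLE_EXTS


def evaluate(event: Event) -> Verdict:
    """Policy: block executable transfers; block sensitive text leaving the company."""
    if event.kind == "FILE" and file_is_executable(event.payload):
        return Verdict(event, "block", "executable file transfer")
    if event.kind == "MSG" and is_external(event.recipient):
        low = event.payload.lower()
        hits = [t for t in SENSITIVE_TERMS if t in low]
        if hits:
            return Verdict(event, "block",
                           "sensitive terms to external recipient: " + ", ".join(hits))
    return Verdict(event, "allow", "policy passed")


def run_policy(text: str = SAMPLE_EVENTS) -> List[Verdict]:
    """Evaluate every event; returns verdicts in log order."""
    return [evaluate(e) for e in parse_events(text)]


def audit_log(verdicts: List[Verdict]) -> List[str]:
    """The searchable record the article says regulated firms must keep."""
    return [f"{v.action.upper()} {v.event.kind} {v.event.sender} -> "
            f"{v.event.recipient} [{v.reason}]" for v in verdicts]


if __name__ == "__main__":
    for line in audit_log(run_policy()):
        print(line)
```

Two of the five constructed events are blocked: the double-extension executable arriving from a public IM account, and the message carrying sales projections to an address outside the company. The same phrase sent between two internal users is allowed, which is the "control the interaction, not prevent it" balance Thompson describes.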
