Instant messaging is booming. Almost everywhere you look, people are typing messages to friends and work colleagues at a frantic pace. These are not e-mails but rather short messages that often travel directly from one computer to another. By the end of this year, total revenues for instant messaging markets worldwide are expected to reach US$131 million and, by 2008, that number is expected to be $413 million, according to one estimate. This article describes instant messaging, examines some accompanying risks, namely issues involving security, confidentiality and the archiving of instant messages, and offers some strategies to minimize these risks.
Instant Messaging Described
Instant messaging is the technology that allows a user to send electronic messages to one or more persons with minimal delay between the sending and receipt of a message. Like conversation, instant messaging is a simultaneous give-and-take, but it occurs in written form. In contrast to e-mail, which remains unread in a recipient's in-box until opened, instant messaging notifies users when other users are online and able to accept messages.
Instant messaging systems may use one of several methods to deliver messages:
1. a centralized network, which connects users to a series of servers. The servers route a message through the network until it is sent to a recipient. These instant messaging systems centrally store user information including user names, passwords and "buddy lists"
2. a peer-to-peer network, which uses a single server that tracks who is online. After the system identifies who is logged on, messages are sent directly to the recipient with no server involvement. This enables speedy exchanges of messages with graphics and large files
3. a hybrid of the above-mentioned two methods.
In each case, the instant messaging system saves the online user's connection information and list of contacts. The system then seeks other users who have logged onto the system and informs the user if they are online.
Some Issues with Instant Messaging
Instant messaging is, for the most part, a less secure way to communicate than through corporate e-mail, especially if one is using a public instant messaging system offered by a commercial provider. The security risk arises with servers outside the control of the company using the system and presents the risk of hacker intrusion into instant messaging systems. This in theory could take the form of outsiders posing as users or otherwise attempting to confound the normal operation of an instant messaging system.
Furthermore, because instant messaging systems may detect an individual's computer address (IP address), administrators worry that outsiders might obtain an entire corporation's network addressing scheme.
Viruses present a similar risk. The use of a public instant messaging system by a company requires it to open a hole or "port" in the equipment that protects its computer systems from the outside world, better known as a "firewall." The more ports that are open on a firewall, the more potential there is for hackers or viruses to penetrate and damage corporate computers. Some companies have prohibited instant messaging altogether, fearing that viruses can circumvent the anti-virus software on their firewalls, servers and desktops.
Advances in security technology will doubtless occur. Nevertheless, a company should satisfy itself that it has obtained contractual protections from its instant messaging vendor with respect to potential security lapses.
How can a company feel secure that instant messaging vendors do not offer confidential information of the company, its customers or its employees to third parties for such purposes as marketing research or advertising? That risk may exist if the instant messaging vendor itself has access to such information. This may occur, for example, if an instant messaging system routes customer files through equipment controlled by the vendor. To satisfy concerns about the transfer of company data, the company should at a minimum require its vendor to agree to contractual provisions regarding the confidentiality of such information.
Because of the informal nature of instant messaging, users sometimes write spontaneous, even personal, messages to colleagues. They may not realize that these communications can be recorded and fall into outsiders' hands. As with e-mails, instant messages can be retained long after they were created by simply cutting and pasting message text into a separate document for later retrieval, printing out the communication or creating electronic logs of communications. Most instant messaging services do not yet use encryption to protect against outsiders reading messages.
Some Strategies to Minimize Risk
Businesses should make informed decisions about using instant messaging, seek favorable contractual protections from vendors, and adopt internal procedures and safeguards to minimize risk. For example:
- Carefully consider whether to permit instant messaging. If instant messaging is allowed, consider using an inhouse instant messaging system and advising employees to use that system at work rather than their personal systems.
- Require the vendor to spell out in a contract what it will do to keep company data secure and confidential. For instance, obtain a strong warranty concerning virus protection.
- Educate employees on risks associated with instant messaging. For example, advise employees not to share passwords with others and not to open unfamiliar attachments.
- Block instant messaging spam addresses and place anti-virus software on users' desktops.