It’s no secret that instant messaging (IM) is wildly popular. It’s faster than e-mail, and so discreet that two people in the same business meeting can use it to communicate across the room virtually undetected. To top it off, it’s easy to get: many public IM software packages, such as Google Talk and MSN Messenger, are offered as free downloads.

But IM carries the same security risks as e-mail — it can fall prey to worms, viruses, Trojans, and “spim” — unwanted spam sent via IM instead of e-mail. It can be intercepted by competitors, allowing trade secrets or confidential client information to fall into the wrong hands. And all of these risks can create the same types of security problems for your business — including regulatory and e-discovery non-compliance risks — that e-mail can.

Chances are, you already know what type of e-mail system your office uses, have established guidelines for its use, and are vigorously protecting it with firewalls, anti-viral software, and the like. But are you aware if public IM systems are being used in your office?

“It’s one of those stealth technologies, where people just install it, and it’s not blocked by an organization’s gateway,” notes Richi Jennings, an analyst with San Francisco-based Ferris Research ^[1]. “You could ask many companies, ‘do you use IM?’ and they would say no, but they actually do.”

Here are some tips from the experts on ways to minimize your risk:

• Develop an office-wide IM policy. Put together a written policy for your employees, and take the time to educate them about it. While it’s best to shut down any public IM systems in use in your workplace, companies need to decide such things as whether to allow employees to use public systems for personal use only, such as to family members. “You have to make a decision and stick with it,” says Rob Koplowitz, principal analyst for information and knowledge management for Cambridge, Mass.-based Forrester Research ^[2].
• Choose an office-wide internal IM tool. Invest in a secure product, such as IBM’s Lotus Sametime ^[3], that features encryption, limited access, and top-class antiviral software for internal business use. Don’t use consumer-based products, such as Google Talk or Yahoo, experts warn.
• Limit access.Joel Dubin ^[4], an independent security consultant and author, recommends configuring buddy lists to only known parties, and limiting internal access to those employees who must communicate real-time.
• Oversee screen names. Because IM is a very casual form of communication, some employees use offbeat, irreverent, or even racy, screen names that might not fit the corporate image, notes Jennings. “It’s important to not only control who uses it, but to control the screen names employees choose,” he says.
• Monitor use. As with e-mail, experts recommend monitoring use to detect any internal improper use or external efforts to sabotage the system. Some solutions, such as FaceTime’s ^[5], will warn employees in real-time that they are violating acceptable use policies.

For businesses wanting to bundle their corporate IM service with other technologies, experts note, there are “a number of anchor points,” notes Koplowitz. “If you have an on-premise e-mail system, you may look to [link IM in with] e-mail,” he says. “But you can also link IM with telephony, or with some other business vendor.”

Companies that offer full-service packages that include IM include FaceTime, whose Unified Security Gateway solution provides URL filtering, public IM, VoIP and P2P, and can work with unified communications suites offered by IBM Lotus Sametime and Microsoft’s Office Communications Server, according to Frank Cabri, FaceTime’s vice president of product management.

These types of integrated solutions are likely to become more common at the enterprise level, and to trickle down to small and mid-size business-scale products as well, says Koplowitz.

Whatever option you choose, experts advise that you take IM security as seriously as email security. The risks are real.