Managing Instant Messaging for Business Advantage: Phase Four: A Strategic Plan for Broad Adoption of Real-Time Collaboration

IM makes it possible
IMlogic makes it work

Introduction

The ubiquity of consumer-grade instant messaging clients and the emergence of enterprise instant messaging servers have challenged IT organizations to develop management policies that deal with the corporate IM landscape as it exists today, while planning for the deployment of emerging presence-based technologies tomorrow. For organizations seeking prescriptive guidance for driving business advantage from instant messaging applications, this white paper provides a best practices overview for effectively managing the risks and costs associated with the corporate use of IM.

Instant Messaging Has Invaded the Enterprise

Instant Messaging (IM) use in the enterprise has exploded and is now seen as a valuable business communications tool. Across companies of all sizes, the benefits of real-time communications and presence awareness are changing the way people communicate with colleagues, customers and partners. The Radicati Group estimates that 85% of all enterprises in North America are reporting IM use, with over 387 million IM users worldwide sending 13.8 billion IM messages per day.

The majority of these IM messages are sent over public networks, under the radar of the enterprise IT organization, and without the security and compliance tools required to mitigate the risks of this new communications tool. In fact, studies estimate that while 60% of organizations monitor and secure email, 90% of organizations lack any form of IT sanction or control for IM.
With both the Gartner Group and IDC predicting continued increases in business IM usage, including increasing levels of IM growth at the expense of email usage, the risks of unmanaged IM are only increasing.

"85% of all enterprises in North America are reporting IM use, with over 387 million IM users worldwide sending 13.8 billion IM messages per day."
The Radicati Group, Instant Messaging for the Enterprise, July 2005

Unmanaged Instant Messaging Exposes Your Company to Security and Legal Risks

Most organizations today spend a significant amount of time and money managing, securing and archiving email communications. However, few realize that IM not only carries with it much of the same security and legal risks as email, but that the nature of IM creates its own unique management and security challenges.

The Real-Time Security Threats of IM Are Unique

IM worms and viruses are growing exponentially, spreading rapidly due to the real-time nature of IM, and mutating frequently to evade reactive security models. When combined with effective social engineering techniques, the rates of infection and propagation from IM threats are continuing to rise.

Electronic Messaging Including IM Is Subject to Regulatory Requirements

From industry-specific regulatory requirements, such as the strict requirements of the NASD and SEC within the financial services industry, to broad, sweeping legislation such as HIPAA and Sarbanes-Oxley, electronic messaging, including IM, is subject to increasing levels of governance and control. The risks of inaction or non-compliance can be costly, with large financial penalties and often larger indirect costs that include potential damage to the organization's reputation, brand and stakeholder trust.

Significant HR and Legal Risk Can Arise from Employee Misuse of IM

Employee conduct in the workplace is often subject to established HR policies governing accepted behavior and use of company resources.
Establishing IM usage policies and a corresponding policy enforcement mechanism is now critical to ensuring that offensive or disruptive messages are not exchanged. In addition to preventing misconduct and monitoring adherence to HR policies, centralized IM archives provide IT administrators with a storage system of record to conduct discovery and provide protection in cases of dispute.

Unmanaged IM Can Be a Source of Lost Intellectual Property and Sensitive Information

With the explosive growth of IM inside organizations and the increasing acceptance of IM as a critical business communications tool, IM contains information that is pertinent to or property of the firm. Without any safeguards or protections, these IM messages can lead to direct or indirect loss of intellectual property and sensitive corporate data.

A Four-Phased Approach to Secure Instant Messaging

Fortunately, the risks of unmanaged, unsecured instant messaging can be addressed quickly and cost effectively so that organizations can leverage IM as a secure business messaging tool.

IMlogic, through its work with more than 600 enterprise customers including more than 25% of the Fortune 100, has developed a four-phased approach for bringing IM under corporate control. Designed to serve as a basic framework for understanding how IM is being used across the organization, this process enables businesses to implement the appropriate risk management controls necessary for securing and controlling IM while establishing a longer-term enterprise IM strategy.
• Phase 1: Assess Current IM Usage. With a large percentage of corporate IM growth occurring without IT sanction, few companies have a clear picture of how IM is being used inside their organization. A detailed picture of IM usage is required in order to develop a company-risk profile and a deeper understanding of the value that IM is bringing to the end-user community. An IM Usage Audit will uncover who is using IM, what they are using it for and which IM clients are being utilized. The IM Usage Audit and corresponding risk profile can then be mapped to a company's specific key risk areas to drive a comprehensive risk management strategy for instant messaging. IMlogic provides a complimentary trial copy of IMlogic IM Manager to assist companies in the initial IM Audit process.

• Phase 2: Protect the Organization from IM Threats. Once the IM risk profile is developed, organizations should move quickly to mitigate the most pressing threats based on the established profile. IM threats generally affect an organization in the form of viruses and worms that attack and compromise user desktops and corporate networks as a whole. Once current threats are neutralized, the company can focus its attention on the medium-term challenge of enforcing use policies that mitigate the broad spectrum of risk, including regulatory compliance, corporate governance and IP loss. Of course, some organizations may see these risks as equal to virus-based threats, and will elect to tackle these problems as part of Phase 2. It is at this stage that a vendor selection will be made. IMlogic IM Manager offers a best-of-breed solution for managing the breadth of risk associated with instant messaging.
• Phase 3: Establish an Effective IM Usage Policy. An effective usage policy focuses on changing a company's risk profile altogether. Through a comprehensive program of policy development, end-user education, enforcement and ongoing monitoring, companies can dramatically reduce the risks associated with IM. This effort will necessarily move beyond IT to include HR, general counsel and at-risk business units or departments.

• Phase 4: Determine the Longer-Term IM Strategy. As IM usage is brought under control, secured and managed, organizations should establish a longer-term IM strategy. This longer-term strategy should include a broader direction for reducing the costs to support real-time communications, identifying areas for building economies of collaboration through standardization and consolidation, and integrating real-time communications into the organization's business processes.

While this document focuses on Phase 4: A Strategic Plan for Broad Adoption of Real-time Collaboration, more detailed information is available for Phases 1, 2 and 3 at: http://www.imlogic.com/resources/literature.asp

An Introduction to Phase 4: A Strategic Plan for Broad Adoption of Real-Time Collaboration

For most organizations, instant messaging is the first foray into the realm of presence-enabled, real-time communication and collaboration services delivered over an IP network.
But, it will not be the last to be deployed and managed by IT. Tuning the notion of convergence, or the delivery of all real-time collaboration services, including phone services, through a single technology platform, will be the single biggest task facing IT organizations over the coming decade.

Both enterprise IM servers and consumer-grade IM networks are delivering unified clients that give users access to services such as IM, VoIP, group video and application sharing, all integrated with contact and calendaring management applications. The promise of convergence is the promise of ubiquitous, easy-to-use, real-time collaboration at dramatically reduced costs. These cost savings are driven by the reliance on a unified platform that obviates traditional telephony networks and generates economies of scale for platform services like management and security.

Organizations will look for a consistent set of management and security policies as they move from secure IM deployments to the management of a broader set of real-time technologies. IT groups will likely invest in projects that deliver a combination of time to value and overall return on investment. As these investments are made, it is important to make sure that the management foundation is in place prior to broad deployment of new services.

Broadening the Deployment of Real-Time Technologies

Based in part on the rapid adoption of IM and in part on the possibility of real cost savings associated with converged communications, IT organizations are seeking to broaden their investment in real-time technologies. Most organizations will face similar basic questions as this process unfolds.

• What new services do users want? Are they valuable?
As end users push for new and better collaboration services, IT organizations will have to respond with technology and with sound business analysis. Collaboration improvements are typically measured in terms of difficult-to-monetize productivity gains. Platform companies recognize this difficulty, and are pricing their platforms to encourage the deployment of the breadth of services they offer. There is a tremendous amount of value to be had in deploying these technologies, but each request for additional services will compete for resources and with efforts at cost reduction. Additionally, each new service will have incremental network costs, and IT will be tasked with managing internal access to each new service to keep costs in line with value. For example, many IT organizations were caught off guard by the huge fees generated by hosted Web meeting services. These costs may be obscured by an internal Web meeting server, but the variable costs of Web meetings will not disappear.

• What cost savings are available? At what investment? Even though end-user demonstrations are compelling, the primary driver for convergence will be cost savings. The temptation here will be to boil the ocean, precisely because the pay-off for one project will depend on the completion of another. Companies should look to identify discrete projects that can be managed to completion within a reasonable time horizon.

• What platform decisions need to be made? The popularity of enterprise real-time collaboration systems, most notably Microsoft Office Live Communications Server, provides a compelling case for standardizing on a single technology for all real-time collaboration. However, these systems do not deliver the infrastructure totality required for all IP-based communications. The IP network itself, the separate telephony network and even the traditional telephone handsets form part of this picture.

• What will happen to the consumer networks?
Organizations that have relied on consumer-grade IM networks for IM, or that have simply allowed them out of expediency, will face the same issues when it comes to new real-time services. Consumer networks are offering competing services, often for free, directly to end users. As companies take their time to sort out their communications infrastructure, consumer services will likely fill the gap. For example, the VoIP, video and Web meeting services from consumer IM companies are improving rapidly, and companies like newly rich Skype will be targeting enterprise users. Given the footprint that these companies already have in the enterprise, it is likely that these new services will be just as popular with corporate users as IM has proven to be.

• To what extent will these systems be available to external stakeholders? Even companies that have standardized on enterprise IM systems have yet to decide exactly how they want users of these systems to connect to the outside world and more importantly how they want the outside world to connect into them. As new, more bandwidth-intensive services are made available to corporate users, the issue of internal user rights and external user access will become critical to a managed, secure environment. Enterprise servers have attempted to leverage the ubiquity and zero-fee business model of public networks, most notably Microsoft's LCS Public IM Connectivity (PIC) offering which allows LCS users to add AOL, MSN and Yahoo! users to their buddy lists and vice versa. Other federation options are available as well, but in order for these models to work, enterprises will need to make sure they can control access to their employees.
The scourge of unwanted email Spam has been followed by spIM and now spIT as the use of IM and IP telephony has gained traction in the enterprise.

Managing and Securing Real-Time Communications

Once the base technology decisions have been made, the need for a management and security framework will come into focus. In evaluating these decisions, it is important to ensure that vendor solutions are well positioned to meet your needs as your real-time investments accelerate. In looking at future management and security needs, IMlogic is guided by several strategic guidelines.

Management and security technologies shouldn't dictate IT strategy.
Management and security are foundational elements of any IT strategy, but these technologies must be flexible enough to meet the needs of the business. When evaluating technology solutions in these areas, make sure that vendor solutions are designed to fit within a variety of environments.

Access control for real-time services is critical.
As the value and technology footprint of real-time services continues to grow, controlling access by internal and external stakeholders will be the key to controlling costs and security risks. As real-time services request more and more network bandwidth, IT will need to ensure quality of service, assign costs to individual departments based on use, and control access to internal users from external entities. Management vendors should be able to keep unwanted users out of the network and ensure that real-time services share time with the other systems that access the network.

Detailed systems and user monitoring should be part of every technology deployment.
It is difficult to pre-define what reporting and use data will be needed, but monitoring of actual system use helps to evolve risk profiles and to build the business case for broadening the deployment of individual services. As individual departments request to be brought online, many organizations implement an internal charging system to assign these costs to individual departments.

Each real-time service has its own set of security issues.
It is tempting to lump real-time services into a single category, but each service has a slightly different risk profile and provides different targets for malware developers. Unwanted communications behave differently over email, IM and VoIP, and although a security solution should be integrated, it can't be homogeneous. Most content-based threats blend across different systems. Viruses can originate in email, propagate over IM and eventually migrate into a VoIP network. As real-time systems converge, the threats unique to one system will bleed over into others. In order for a real-time security strategy to be complete, it must address the peculiarities of each system while understanding their inter-dependence.

The real-time network will be heterogeneous.
With every new wave of technology, the temptation exists to simply start over, but few companies are well served by a rip-and-replace strategy. More often, environments are heterogeneous. In seeking to manage and secure real-time systems, IMlogic is driven by the need to adapt to complex, heterogeneous environments.

Conclusion

By following IMlogic's four phases for managing IM to recognize business advantage, organizations should be able to not only meet their immediate IM management and security needs but also implement the appropriate controls to ensure the appropriate long term IM strategy can be pursued.
The nature of IM continues to evolve. Originally used for the simple exchange of text messages, IM now represents the next innovation in real-time communications. With IM, individuals can increasingly publish their presence, exchange files and establish contextual conversations. And as IM continues to evolve, audio, video and telephony will increasingly be bundled into the IM stream. With these innovations, IMlogic provides organizations with the industry's most trusted solution for securing and managing all elements of a real-time communications infrastructure.

Additional Resources

The following additional resources are available for more information on IM security, compliance and management:

Best Practices for IM Archiving & Compliance: A Whitepaper by IMlogic and VERITAS
Spurred by regulatory compliance requirements, corporate governance mandates and internal HR policies, businesses must now consider IM as an electronic record subject to the same retention requirements as email. This prescriptive white paper reviews the best practices for ensuring IM compliance within already established corporate communication policies.

Top 5 IM Security Risks 2005
The continued growth of IM as a preferred tool for business communication has introduced a new class of IT security challenges for businesses today. This white paper explains the top 5 emerging IM security risks in 2005 as identified by the IMlogic Threat Center.

These resources, as well as many other valuable documents, can be found by visiting the IMlogic website under IM resources or by navigating to the following hyperlink: http://www.imlogic.com/resources/literature.asp.

Copyright 2006 IMlogic, Inc. IMlogic, IM Manager, IMlogic Threat Center and the IMlogic Real-Time Threat Protection System are trademarks or registered trademarks of IMlogic, Inc. All other trademarks are the property of their respective owners.
For more information:
IMlogic, Inc.
firstname.lastname@example.org

World Headquarters
265 Winter Street
Waltham, MA 02451
phone: 1.877.IMlogic (465.6442)
fax: 781.902.2510

European Headquarters
9-14 Windmill Street
London, England W1T 2JG
phone: +44 207 323 7791
fax: +44 207 631 5252