How 2 Luv IM!

Seven steps to keeping your employees' instant messaging secure.

Firewall purveyors might hold the solution with deeper inspection of network traffic. And you can also by various means attempt to block end users from installing IM clients on their systems in the first place. Regardless of technical measures, though, the social issues are even harder to surmount. An IM ban could bring a revolt from users. "Trying to shut down the use of public IM has proven to be futile because typically in large companies, you have a user base using it for business purposes, and they scream bloody murder if you try to shut it down," says Montgomery.

So before taking drastic and potentially futile steps, talk to your users and find out whether there's a business need for keeping IM on the premisesodds are, there is.

3. Decide which type of IM network works best for your company.

There are multiple network types. Public networks are the most commonAOL, Yahoo and the like. Enterprise networks, offered by companies such as IBM, Jabber and Microsoft, allow companies to purchase client/server solutions in which users typically can talk only to others on their own corporate network. (Though deSouza says that enterprise vendors are starting to offer connectivity to public networks.) Industry-specific networks are tailored to meet the needs of particular industries. Bloomberg and Reuters, for example, offer networks for the financial services industry. There are also geography-specific networks.

In choosing the type or types of networks to allow, assess your business needs and the risk factors. For example, Pete Lindstrom, research director at Spire Security, advises using more easily protected enterprise networks, not public networks, if employees are passing along sensitive data over the IM pipes.

4. Create an IM policy.

Most companies already have a policy that covers electronic communicationthat is, "We own the machines you're communicating on. Therefore, any information being transmitted on the machines can be monitored." IM should be part of that policy. Rubinow says that Archipelago had an e-mail policy first, then added Web and IM sections to that policy. "There are various pieces of IM software [our employees] can use, provided they understand our usage policy. We are able to control it and monitor it; no information can come in or out of the company without us being able to log it. It will always be at our fingertips because that's good business practice and a regulatory requirement," he says.

It's also part of the overall policy at Amerex, says Trudeau. "In the employee handbook, we have privacy policies that there isn't any privacy on a company-owned machine. Any electronic data can be monitored. The employees sign off on that knowingly," he says. Trudeau notes that it's interesting what people say on IM, even though they may know in the back of their minds that their messages are being logged. "They may either forget about it or think no one cares. It does come around to bite people sometimes," he says.