How 2 Luv IM!

Seven steps to keeping your employees' instant messaging secure.

Employees should be especially vigilant given the stepped-up regulatory environment. "A lot of the stuff imposed by the SEC and Sarbanes-Oxley [for example] doesn't make a distinction between e-mail and IM traffic. A lot of companies only find that out when they get into trouble," says Rittinghouse.

He says that awareness and training programs don't necessarily cost a lot in money, but they do in effort. And some companies haven't been willing to make that effort. "Companies seem to find time not to do it," says Rittinghouse. He says security leaders must become evangelists about issues such as IM security and should be held accountable if they fail to educate their users.

7. Consider implementing an IM security product.

A passel of companies (among them Akonix, Blue Coat, Check Point Software, Facetime, IMlogic and ZoneLabs) offer products that allow companies to control and secure their use of IM. E-mail filtering companies such as Postini are starting to offer IM protection services too. At Amerex, Trudeau says security was actually a side benefitthe primary reason he installed a middleman product (IMlogic) was to log IM conversations. The same was true for Rubinow at Archipelago. "From a regulatory standpoint, we had to have that software in place or prohibit the use of IM," he says.

Thomas Pottanat, CISO at Banco Santander, says his bank doesn't currently allow IM, but that's going to change. "That's one of the mediums people are going to use. People are doing trades from New York in Latin American countries. I'm thinking about it, looking for a solution for how best to handle it," he says, knowing that when the bank allows it, regulations will require him to capture his IM data.

"You cannot tell people, 'Don't use e-mail or other telecommunications,' because that's a means of doing business now," says Pottanat. "The world has changed, and everything needs to be done immediately."