IMhas emerged as a key channel of business communication, and its use is widespread and growing. Research firm Gartner estimates that by 2010, 90 percent of people with business email accounts will also have IM accounts. It’s no wonder that employees have embraced IM. Compared to email, it offers users instant gratification: they can “see” who is online, send short messages, and get fast answers.

Initially, employees relied on IMprimarily for casual exchanges, pinging each other about lunch plans, or checking in with friends and family. But many found that IM also fitswellwith theway they like to do business.

Because IM eliminates the email latency problem—there’s noway to know when a recipientwill actually receive and read themessage, let alone respond to it—IM allows for faster problemsolving and decision making. The resulting boost in productivity has led to increasingly strategic use. At some Wall Street firms, for example, brokers are authorized to accept and issue stock trade orders via IM.

Despite potential efficiency gains, there is a serious downside to real-time communications use,which includes public IM, enterprise IM, conferencing, voice over IP (VoIP) and mobile messaging. It is exposing organizations to significant security risks. Left un-managed, IM use leaves the corporate network vulnerable to viruses and worms. It can result in the loss of intellectual property (such as trade secrets around R &D efforts) and leakage of confidential information (such as impending acquisition plans).

Other risks associated with unmanaged real-time communication use include: loss of sensitive data pertaining to customers and employees; legal exposure resulting fromIMmessages that contain inappropriate content; and fines for noncompliance with government regulations that mandate record retention, among other measures.

Organizations typically have some awareness of these risks around e-mail use. Many - particularly those in highly regulated industries such as financial services—have taken measures, such as message archiving, to mitigate the risks. But most organizations have not adequately applied those same measures to IM and other real-time communications platforms.

To effectively manage business risk, organizations must get their arms around multiple forms of communication: e-mail, public IM, enterprise IM,mobile messaging, conferencing and VoIP. Failure to do so can result in fines for non-compliance, loss of critical data and intellectual property, damaged reputations, and further liability.

According to the 2008 CSI Computer Crime and Security Survey, It’s difficult to assign real costs to risks, because organizations don’t explicitly incorporate the cost of the vast majority of computer security incidents into their accounting (as opposed to, say, accounting for the “shrinkage” of goods from retail stores).

But the survey estimates the cost of losses resulting from various types of security incidents at $288,618 per respondent, up from $167,713 two years ago. In fact, while many security assessments and audits uncover business risks associated with real-time communications, many other risks have simply flown under the radar— something that hardly any business can afford to miss.

Some key factors led to this situation, making business risks difficult to uncover. Separate silos hindered communication. One reason why real-time communications use grew quickly out of control is that most companies operate separate silos for e-mail, IM, mobile messaging, VoIP, and so forth. In other words, one team is responsible for e-mail; another handles mobile messaging; a third team deals with VoIP communications.

Managing technologies this way is commonplace and can be an efficient means of organizing work. But the silo approach makes it hard for organizations to get a handle on the big picture. That makes it difficult to ensure appropriate use,block virus sandworms,minimize legal exposure, archive messages for compliance, and apply usage policies acrosstheboard.

In short, silos make it nearly impossible for an organization to gain a unified view of its communications technologies. Without that unified view, businesses can’tmove forward to establish and enforce strong policies and maintain accountability across the organization.

Good tools were lacking. Until relatively recently, tools to centrally manage real time communications across the enterprise simply didn’t exist. To get a handle on real-time communications use, some organizations attempted to put technical controls in place. They blocked certain ports at the firewall. They set up sniffers to keep an eye on traffic flowing into and out computers attached to the network. 

They logged IM messages. But lacking an organization-wide mandate, controls were implemented locally.With everyone doing their own thing, there was no over all accountability, and no way to get a handle on the big picture and achieve centralized control of real time communications.

IM came in under the radar. Also contributing to the lack of governance around real-time communication is the way IM entered the workplace. The technology emerged through unofficial channels. Instead of being ushered in by IT or management, IM took off at a grass roots level, when employees signed up for free accounts on public IM networks such as AOL Instant Messenger, MSN Messenger, and Yahoo!

Messenger. Unlike corporate e-mail, which requires IT professionals to set up accounts and issue employee e-mail addresses and passwords, public IM is simple, free, and widely available. And because it was designed to use existing communications channels and thus evade firewalls and other perimeter security devices, IMwas initially challenging for IT to gain control of. That Meant use of public IM networks rapidly expanded, as employees encouraged colleagues, friends, and business partners to get in on it the new communications medium.

While IT organizations were not unaware that employees were using public IM networks, many underestimated the extent of use.As a result, they did not adequately protect against worms and viruses entering their networks through this new communications channel. IT also overlooked threats arising from peer-to-peer networks such as BitTorrent, OpenNapster, and Gnutella. Because P2P networks are designed to share files housed on the computers of individual users, they-make it difficult to verify whether the source of the files is trustworthy. 

The boss was in the dark.Worst of all, there was often a sense that top management simply wasn’t paying attention to real-time communication use and as a result did not recognize the significant business risks associated with it. Some high-ranking executives had limited, or no awareness of IM use at all. Others simply ignored the new communications medium. Overall, senior managers failed to grasp the risks it presented around information security and information retention.

Nor did they understand the negative impact IM could have on productivity, as employees wasted time exchanging frivolous messages. Many top managers falsely assumed all users could be trusted. And they did not recognize the need to archive IM messages for e-discovery and compliance. This lack of understanding meant they could not maintain accountability and ensure compliance and appropriate usage across their organizations.

Employees put their employers at risk. Employees made some miss steps too, and that exacerbated the problem. They failed to understand that employers could be held liable for inappropriate IM content, such as messages that contained statements that could be construed as sexual harassment.

Because no one had told them otherwise, many employees assumed they could do whatever they wanted. Others were warned by IT staff not to use public IM networks, but ignored the warnings because they believed that IT had no right to govern their behavior or ban public IM use.

What’s more, even in organizations where e-mail use was tightly governed, there was a widespread perception that e-mail rules don't apply to public IM networks.That led to a free for-all situation.Employees waste time chat ting with friends, family and co-workers, sending and receiving frivolous messages.

Even those who were using IM to conduct real business often put their organizations at risk, inadvertently revealing sensitive customer and employee data or trade secrets in the messages they sent.Without thinking, they used IM to ask time-sensitive, business critical questions, such as: “Have we announced the acquisition yet? I have an investor on the line.” 

Keeping up with compliance. At the same time that employees were engaging in this free-for-all of real-time communications, the regulatory environment was growing increasingly complex. There are dozens of laws that impact real-time communications use. Which ones an organization is subject to depends largely on what industry it’s in, or whether or not the company is publicly traded.

The Federal Deposit Insurance Corporation (FDIC), for example, mandates that member banks and financial institutions retain and review all electronic communications. The Sarbanes-Oxley Act requires publicly traded companies to make historical communications available for audit. The Freedom of Information Act stipulates that federal government agencies and contractors must control and retain all records. HIPAA mandates that health care-related organizations protect all information pertaining to patient health care records.

And the Gramm-Leach-Bliley Act requires companies in the financial industry to protect customer financial data. Demonstrating compliance with these rules and standards—and those of many other regulations presents an ongoing challenge for all organizations. The consequences of failing to meet that challenge are clear: Out-of-control real-time communications can lead to fines for non-compliance, lost reputation, lost intellectual property, and further liability to your business.

Real-time communications are out of control. From technical vulnerabilities, to inappropriate use, fines for noncompliance with government regulations, and damage to reputation, real-time communications use is putting organizations everywhere at risk. The free-form use of all communications applications and protocols with few constraints on usage has created an out-of-control situation.With no central accountability and oversight, no one knows what is going on in the network.