Make IM work for your company

Instant messaging can be a valuable productivity tool, but first you have to make it secure. Lee Schlesinger outlines your options--and how to keep your IT staff out of hot water.

Instant messaging software appeared on your network because it was fun to use and easy for even inexperienced users to install.

But this seemingly frivolous application can be a full-fledged productivity tool, especially in the hands of an IT department that can manage its use and avoid its pitfalls. To do that, there are several issues you have to tackle.

IM short on security

The biggest concern with IM is its current lack of security. Flaws in several common IM applications, including Yahoo Messenger, may allow attackers to take over your PC, and viruses can bypass antivirus software when they hitch a ride in files transferred by IM. Organizations also worry that unencrypted messages can be eavesdropped on.

Most of those problems stem from a lack of corporate control over the public messaging networks of companies such as AOL, Yahoo, and MSN. Applications that use these networks require users to download a special client, but don't require a server component on your network, because the vendors themselves run the services. The applications often employ TCP/IP ports that would not otherwise be opened in the corporate firewall, which makes some security administrators frown.

Unfortunately, there's no effective way to fine-tune the security of commercially available IM. The typical choice is between allowing or banning IM. You can ban IM by corporate policy, by closing off the TCP ports each application uses, and by strictly enforcing which applications users are allowed to run. If you allow IM, be sure your clients all run antivirus programs and, ideally, personal firewall software too. You may also want to consider running a program like Cordant's IMScribe that logs all users' messages, so you'll at least have a rudimentary archive and audit trail.

In-house IM

If you want to implement an internal IM system, you can use a program that runs on a server in your organization. You manage the server, you authorize clients, and you set policies for what can pass through the system. This group includes products like Lotus Sametime, Jabber Software Foundation's open-source Jabber, and Divine's MindAlign. These programs tend to have higher-end features than the services, including searchable message stores, multi-person chat and broadcast messages, shared workspaces and files, voice, video, and encryption. However, the tradeoff for these extra features is that the programs require more time from corporate IT staff to set up and administer.

If you don't lock down clients' desktop configurations, users can still use third-party IM clients even if you implement an in-house program, which could raise security concerns. You should configure an in-house server not to communicate with outside IM systems.

Recently we've seen a third type of instant messaging: an application (generally written in Java) that you embed in a Web page. Such products include Bantu Messenger, JMD's QuickSilver Instant Messenger, and Parlis. This blending of the Web and instant messaging offers some control, in that you can manage who uses the application, but users must have a Java virtual machine on their systems (most do; Windows XP doesn't include the software, but you can download it later) and access the application from a Web browser.

Live chat on a Web page is well-suited for customer service applications, as well as communities that might like immediate discussion of the material on a particular site. Because it's tied to a Web page, it's not a compelling alternative to normal IM for most uses, however. One advantage of such applications is that you don't have to download a new client application. A disadvantage, however, is that you must integrate these platforms into your Web pages, which requires more development effort than simply installing client software. If the application is hosted, you run into the same security concerns we've already discussed. If you install it on your own servers, you add to your administration workload.

The bottom line

Which IM product is right for you depends on how much time and money it will cost to roll out and manage. You need to determine which advanced features you'll use beyond simple real-time text messaging. Start by surveying your current users. Knowing what features they currently use and what features they would most like to have will help you target the specific business issues you want IM to address--and decide whether you need the additional security and administration load of an in-house IM server, along with its additional expense.

If all this indicates that an internal system may make sense, calculate what kind of return you'll get for your IM expenditure. Some of that return is tangible--for instance, you may find that customer support reps average less time on calls when they're able to IM colleagues for help. Much of the return is harder to quantify, however. The added camaraderie and connectivity IM provides, especially between users who don't share physical office space, can do a lot to promote job satisfaction and organizational loyalty.

Whichever way you go, use the same common-sense approach you would take when rolling out any new application. Start small with a pilot group of users, monitor the deployment carefully, and use their feedback to refine the project before installing the system across the organization.
