September 1, 2004

Why many companies are clueless about monitoring IM issues

Author: Ian Palmer

Risks associated with having electronic communications subpoenaed during lawsuits or regulatory investigations have prompted some businesses to establish policies to address email concerns, but many firms are clueless when it comes to handling instant messaging issues.

Co-sponsored by the American Management Association and the ePolicy Institute, the 2004 Workplace E-mail and Instant Messaging Survey, based on responses from 840 U.S. businesses, showed that while 79 percent of employers have a written email policy, only 20 percent regulate IM. And only 11 percent employ IM gateway/management software to monitor use.

IM content runs the gamut from A to Z

Respondents who use IM reported sending and receiving inappropriate content such as attachments (19 percent); jokes, gossip, rumors or disparaging remarks (16 percent); confidential information about the company, co-workers or clients (9 percent); and sexual, romantic or pornographic materials (6 percent).

In fact, companies are having such a hard time determining how best to monitor IM use in the workplace that some have simply banned it altogether, said Jesse Dougherty, security analyst at Sophos in Lynnfield, Mass.

"In a lot of cases financial services companies are starting to say to their employees: 'You're not allowed to use IM until we can figure out a way to properly manage it,'" explained Dougherty, adding that his company, which doesn't offer solutions for combating IM misuse, has options available for fighting viruses and spam -- plagues that can wreak havoc in the absence of policies.

"Policies are also important for general security," he continued. "It's really important for email admins to also understand that what they choose to allow into their organization changes the level of risk that's posed to their internal organization. They should start to consider tightening up the policies about what they'll allow to be delivered to their internal stakeholders."

The AMA-ePolicy Institute survey not only highlighted what companies are doing wrong but also revealed potential consequences for businesses that aren't diligent enough in setting up and enforcing electronic communications policies.

Subpoenaed messages on the increase

For instance, 21 percent of employers reported having employee instant messages subpoenaed over the course of a lawsuit or regulatory investigation, up 7 percent over last year. And 13 percent of employers said they have experienced workplace lawsuits stemming from employee email. The fact that only 6 percent of businesses reported retaining and archiving business record IMs also highlighted the problem.

Gary Steele, CEO of Proofpoint in Cupertino, Calif., said that while most email monitoring software is keyword based, the system his company provides allows users to identify particular documents they don't want being emailed. The technology then fingerprints the documents and monitors the email stream to ensure these documents aren't being emailed.

"There's a classic problem where many large organizations have internal memos that ultimately get leaked out by employees," said Steele. "Those internal memos get leaked out and [could] ultimately end up out on the Web or in someone's hands where they shouldn't end up."

On behalf of Proofpoint, Forrester Consulting fielded an online survey involving 140 responses from companies with 1,000 or more employees. The focus of the study: outbound email. Among the findings: more than 43 percent of large corporations employ staff to monitor outbound email; almost 75 percent of large corporations view outbound email risk mitigation as "important" or "very important" over the next year; and close to 93 percent of respondents said it was "important" or "very important" to have outbound messaging compliance technology integrated with inbound anti-spam and anti-virus solutions.

While Steele said IM is an area of development for Proofpoint, he added that his company does not currently offer products businesses can use to monitor IM use in the workplace.

New monitoring products coming to market

As it turns out, there are a number of IM monitoring solutions on the market. For instance, Akonix Systems' Akonix L7 Enterprise is an IM management solution that is deployed at the network perimeter to both manage employee access to IM and protect against IM vulnerabilities. And Blue Coat Systems' ProxySG series combines proxy support of all Web protocols with integrated content filtering, instant messaging control, peer-to-peer control, pop-up ad blocking and Web virus scanning.

But what it all comes down to, according to David Bender, counsel at White & Case LLP in New York, is that it simply makes sense to establish and enforce policies governing use of electronic communications in the workplace.

"In most states the general rule is that an employer is liable for the acts of the employee that are committed within the scope of employment," he said. "[If] the employer has a policy … and has made it known to employees, then it's going to depend on whether this act of the employee could reasonably be construed as [being] within the scope of employment.

"If it was really a frolic and a detour, like he was sending pornographic messages to someone or was defaming somebody on the Internet, then I think the employer -- if he had a policy and enforced the policy -- might well have a defense."

Ian Palmer is a free-lance IT business writer based in Toronto.

