Martino Corbelli discusses the security and other implications of instant messaging and peer-2-peer communications

Public instant messaging (IM) systems, such as MSN and AOL, are often seen as a means of having an informal chat or arranging an outing to the pub with friends. However, the perception of IM as a purely social tool is shifting, as an increasing number of businesses are using secured IM systems in the workplace. One day IM could even take the place of e-mail communications. The IDC estimates that by 2005 more than 229 million workers will use IM to help get their jobs done.

In the meantime access to public IM systems from corporate networks remains a hot and controversial topic. According to IDC figures, around 18.3 million workers now use instant messaging for job-related purposes, a figure that represents a 300% jump from the number of corporate users last year. Despite this jump the majority of IM use in the workplace is non work-related and presents a very real danger to businesses worldwide.

The main issue is that of security. Public IM systems essentially represent a back door into the corporate network, as material transmitted via IM can circumvent any security measures a company may already have in place, such as firewalls. This means that public IM systems can be used as a means of disseminating viruses and exposing confidential data. In addition, pornographic, racist and sexist material can find its way onto users' desktops via IM. As a general rule, any security breach possible via e-mail can be achieved through IM.

The benefits of IM are obvious, as it allows instant communication with colleagues and business partners around the globe. Far more immediate than e-mail, users are now beginning to use IM for quick, informal exchanges relating to work issues.

As well as the possibility of a security breach, employers also need to consider the productivity implications of allowing employees to use public IM in the workplace. The conventional perception of IM is that it is used to gossip with your mates, exchange idle chat and arrange the next big night out. It is therefore understandable that staff would use it for similar purposes at work if they could. Whilst it is true that e-mail can be (and all too often is) used in a similar way, workers are now more aware of management systems that can monitor e-mail communications. IM on the other hand offers the most convenient way of wasting time at work.

Today's businesses are not ignorant about the issues surrounding IM deployment. In a recent survey of UK IT managers conducted by SurfControl, 89% said that they believed that the use of IM and peer-2-peer (P2P) applications posed serious threats to security and productivity within their organisations. More worrying is the fact that of those questioned only half had actually implemented any security measures to protect their organisations. This number could be even lower, as some may be under the misconception that firewalls and gateway anti-virus software provide cover for the risks posed by IM and P2P applications.

The fundamental question that organisations need to ask themselves is whether or not there is a valid business case for introducing IM. If the answer is yes, then companies need to address how they are going to deploy it in such a way as not to put the network at unnecessary risk. A secured intra-company deployment will do this, but it does not allow for communications with external companies: that is the trade-off between safe deployment and lack of control over freely available public IM systems.

In terms of the development of IM technology itself, progress needs to be made to provide a more secure structure for the future. IM's closest relation is e-mail, and IM needs to follow a similar development route to that of its cousin. E-mail adopted the SMTP standard, making security measures far easier to implement and manage. So far there are no standards for IM, and each system adopts its own technology. In this sense IM is still a relatively immature technology, but with the adoption of IM in the workplace on the increase, this shift needs to happen sooner rather than later.

No need for P2P
Although the two are often grouped together, IM and P2P are in fact quite different propositions. Whereas it can be argued that IM can be a valuable business tool, it is doubtful whether the same can be said for P2P applications such as Kazaa and Morpheus. P2P is essentially only used for distributing copyright materials, such as music, movies and pornography. Cases where a company needs to be able to do this for everyday business purposes are rare.

Arguably, the legal risks associated with P2P use in the workplace far outweigh the potential for security breaches and productivity losses. Copying and sharing copyrighted material is a serious legal breach that can carry hefty consequences, and the anti-piracy fight has been gaining ground over recent months with the first cases of large organisations bringing actions against individuals recently announced. A recording industry trade group, the Recording Industry Association of America, stated that it plans to sue hundreds of individuals for illegally distributing copyright songs over the internet.

Although it may not be at the company's instruction, workers using P2P applications for this type of file distribution are placing their employers at risk because they are using company resources to do it.

Considering the benefits and the risks, there seems to be little reason why a company would want to allow its staff to use P2P. The underlying message to companies has to be that although it can be useful or simply novel to implement new and emerging technologies, the advantages have to be scrutinised and weighed up very carefully against the potential risks.

Wherever possible, technology should facilitate business activity and not restrict it, but as with many other technologies, IM and P2P applications carry security risks that need to be taken into consideration.

Martino Corbelli is marketing director UK, SurfControl plc, Tel: 01260 296172