Despite the acknowledged benefits of instant messaging communications, workers in the U.K. are willfully using unregulated, consumer versions of the technology to circumvent corporate oversight — according to a new study.
The findings come from a survey conducted by enterprise security firm SurfControl, which last year licensed Akonix’s L7 Enterprise Gateway for its own corporate IM solution.
While surveying U.K. workers on their instant messaging usage, SurfControl found that 42 percent of non-managerial employees said they preferred IM because of its speed, compared to e-mail.
But in what should be a cause for alarm for IT admins, almost as many workers — 31 percent — said they used consumer-grade IM primarily because it enabled them to engage in activities that they avoid over corporate e-mail, presumably because most businesses have policies explicitly stating their right to monitor e-mail.
“We’ve seen a huge take-up in the last year of the use of public IM in the workplace,” said SurfControl spokesperson Martino Corbelli. “One [reason] is because the social use of e-mail has become more and more restricted. Companies are trying to ensure that offensive material isn’t distributed, and that people don’t waste too much time on non-work related matters.”
“All that’s well and good in keeping companies and employees safe,” he said. “But all the threats, the risk of leakage of confidential data and of defamatory content, are all reintroduced the moment someone starts to use public IM, which goes unchecked by the company IT department in many instances.”
Consumer IM has long been known to be a potential liability for corporate IT. That’s because public IM is essentially designed to make it simple for users to connect to others: clients typically find open ports in users’ PC or corporate firewalls, sparing users from having to manually configure their systems. Since it’s easy to install, IM can be up and running without administrators’ knowledge; and because it uses open firewall ports (including the commonly unsecured port 80), it can be hard to block, or even detect, IM traffic. And that means IT staff can’t halt the spread of sensitive information, or protect the network from inbound IM worms.
Ominously, the study would seem to indicate that end-users in the workplace are aware (or at least, believe) that administrators lack the ability to monitor their instant messaging conversations, and are willing to exploit that fact.
Yet public IM users in the office aren’t necessarily malicious, Corbelli said.
“Most people have no idea what they’re doing when they download IM,” he said. “They’re not doing it to spread viruses around the networks, to leak confidential company information, or to do anything else they think is bad. But all those threats exist and are real. While they are IMing their friends, it could impact the whole network.”
Users also tend to be uncertain about whether corporate Internet policies govern IM use, SurfControl found. The survey asked whether employees knew whether their company had policies in place covering IM. Twenty-six percent of non-management employees said their company had no such policy in place, while 34 percent said they didn’t know whether such a policy existed.
Corbelli said companies could reduce a great deal of their liability by developing policy on instant messaging and communicating it to employees.
“Once it’s communicated to everybody, straight away you tend to get self-regulation,” he said. “There are boundaries that they know they have to work within. That’s what we’re trying to move the public consciousness towards. We managed to move things along on the mail side, so people know that there are certain boundaries they need to use that tool within.”
Christopher Saunders is managing editor of InstantMessagingPlanet.com.