Convenience and immediacy make instant messaging (IM) a popular collaboration tool. Underlying presence technology allows users to instantly see who is online and available, which makes it easy for groups of coworkers to share ideas, files, text, images, links, code and more.
The problem is that there is very little oversight of IM. Although consumer messaging apps such as WhatsApp, Messenger, Viber and Signal have become pervasive in the workplace, surveys show that more than three-quarters of all companies have failed to implement any kind of formal policy for IM and are therefore unprotected from a host of security threats arising from misuse of the technology.
What’s more, most organizations don’t even know what apps are being used by their employees, what information is being shared or where that information is being processed and stored. That’s largely because IM is a classic example of a “bottom-up” technology, one that has spread throughout the workplace because individual users have installed IM clients on their work and personal devices.
From a security standpoint, the problem with these ad hoc implementations of IM is that they create a chaotic mixture of applications that are not formally supported by IT staff. As a result, IM is bypassing a lot of the traditional security safeguards, such as antivirus scanners and firewalls. Unmanaged IM usage is also exposing organizations to regulatory compliance issues, as sensitive information is often shared in an insecure manner.
Most IM apps are based on the client-server model in which you download the client version to your device. When you are engaged in a chat with a coworker, it may seem as though you are communicating directly, but that’s not the case. Your messages are actually being routed to an IM server that forwards the message to your recipient. That can result in sensitive information being stored on a server that you and your company don’t even know about.
In general, your organization has three choices for dealing with IM — and two of them won’t work. You can ignore the issue, which will eventually lead to greater problems. You can prohibit IM usage within the organization, which will only alienate employees who will continue to use their apps anyway. Or, you can take control with tools and policies that allow you to intelligently manage security and reap the many benefits IM has to offer.
The first step is to educate employees about the risks of unmanaged IM and establish ground rules for the safe use of messaging apps in the workplace. Administrators need to frequently review firewall and domain-blocking rules, and they should consider using proxy servers. There are also a variety of products that provide policy management, file transfer control, virus scanning, centralized reporting and compliance archiving for public IM platforms.
To ensure data privacy, encourage the use of a messaging platform that routes all IM traffic through a secure server that stores all data locally. This allows your organization to log and audit messages to ensure compliance with regulations such as GDPR and HIPAA.
IM’s ability to let you see who’s online and available for discussion and instantly engage them in a time-sensitive, problem-solving conversation has tremendous value. However, organizations must have the policies and protections in place to ensure this important collaboration tool doesn’t create unnecessary risk.