Is Internet Messaging ready for business?
September 21, 2006 7:26 AM   Subscribe

Some folks in our office have shown the desire to use IM to communicate with other companies we do business with, pretty much at the urging of the external companies. I have some concerns.

As the IT guy for a small company with a remote office, up until now I've pushed back on this idea using concerns about security as my main reason. I’ve read here about some of the potential virus problems, but of course this is from a company that sells antivirus software. Then for me personally there's the aggravation factor, as I don't think that I would like to have to respond IM pop-ups while I'm in the middle of a project. Yet I still get regularly get emails from folks in the company wondering when I'm going to give the go-ahead, so I thought I'd ask the questions here.

Are my concerns valid? If I do allow folks to install IM, what kinds of problems should I anticipate? It seems there's an interest in both AOL and MSN IM - is one preferred over the other for business use? And is one client better than the other, or should I look at one of the 3rd party clients (we're a windows shop)?
posted by SteveInMaine to Computers & Internet (25 answers total) 1 user marked this as a favorite
 
In my company we don't allow IM because ther is no easy way to log it. (No paper trail)
posted by Gungho at 7:31 AM on September 21, 2006


If you ran a jabber server, with gateways out to AIM and MSN, you could have lots of interesting features - logging included - and start building interesting internal apps, with bots and so on.
posted by DangerIsMyMiddleName at 7:37 AM on September 21, 2006


IM can be a distraction and an interruption.

Please define the "some folks" who think they need it. Is this a top down thing or underlings who want officially sanctioned chat time with their buddies?

I would make the case for being "too available" to your customers and vendors. If someone has an urgent matter, there is this thing called a telephone. If they need a non-time-sensitive response, there is email
posted by freq at 7:38 AM on September 21, 2006 [1 favorite]


I can't speak to the security concerns of AIM and MSN, but I know that there is almost no security in AIM unless you use a third-party client on *both* ends and encrypt the session. A third option that wasn't mentioned is hosting a Jabber server. Jabber can be secured easily and many IM clients can connect to it. Since traffic is going through your server, I *think* you can also log conversations on the server. Standardizing to Jabber also keeps people from adding all their home 'friends' to their IM client and talking to friends all day instead of working.

That being said, we use AIM because we're not concerned about securing our conversations, and I have two accounts -- one for home use, with all my friends, and one for work use, with my roommate, girlfriend, best friend, and all of my coworkers on it.

As for interruptions, I find that IMs are much less distracting than phone calls when you're in the middle of a project. Maybe this is my fifteen years of use of AOL Instant Messaging here, but I find that I can stay focused on a task and let the darned thing blink down in the taskbar until I reach a mental stopping point, at which case I can call up the IM. It's also easy to leave a message that says "I'm here, but I'm very busy. Please take a number.", "I'm in another building", or something like that, which lets people know that if it's not very important, they shouldn't get in touch with you. Overall, when you need to work in a task group and you want to multitask, it's much easier to use AIM than it is to use phones.
posted by SpecialK at 7:40 AM on September 21, 2006


I communicate with my boss on IM more than I do on the phone. Our company uses AIM extensively for internal communications. I've got my AIM address in my business email sig, however only 2 or 3 customers have ever used it to contact me.

I don't see any problem with it, and it certainly is a more efficient way to get a quick answer from somebody, because they can answer on IM while they are on another phone call or in a meeting, etc.
posted by COD at 7:44 AM on September 21, 2006 [1 favorite]


I assume that the use of phones may be out of the question due to expense of long distance calls? Obviously Gungho, phones don't leave a paper trail either but have been used for a long time in business dealings.

I'm not sure what the problem is in dealing solely with email. Email is usually spontaneous. At most there is a few minutes delay but if the need to immediately discuss something comes up, a phone is the best option.
posted by JJ86 at 7:46 AM on September 21, 2006


JJ86, due to spam checking at many levels, network SMTP proxying, and backups on some campus resources, my university department sometimes sees delays of up to 4 hours on emails sent from external sources to our inbox. Internal email is instant, but external... not so much.
posted by SpecialK at 7:48 AM on September 21, 2006


You could use Trillian on your side to log conversations, which is what we do at my job (a private university). I second the notion that IM is a lot less intrusive than phones when dealing with projects, simply because you can wait to deal with it until you are ready to. With a phone, it rings, you don't answer, you then have a voice mail to retrieve. IM = more efficient.
posted by richter_x at 7:55 AM on September 21, 2006


My company integrates IM seamlessly with all internal and external tools. I don't think we'd function without it, being spread over multiple campuses and continents. Email works for transferring information, sure, but even just talking across to the next guy over and saying "here, I'll link you" makes IM much better than email.. the latter means you'd both be waiting a few minutes for the mail to show up in order to continue the discussion.

You can always filter internal URLs and whatnot at the firewall. It also makes for happier users during the day, since they can communicate with friends and family in a lightweight fashion rather than making phone calls and composing emails - both of which are heavy context switches. There's a lot to be said for allowing your users a bit of freedom, since they're going to do it anyway (see: meebo.com), and better that they're not antagonistic about it.
posted by kcm at 7:56 AM on September 21, 2006


Microsoft has a product called Live Communication Server that handles encryption, logging, and all of the IT requirements you mention. There are also gateways for LCS that allow you to talk to AOL and Yahoo (and maybe others, I dont know) as well as MSN Messenger clients.

I have no idea how much it costs, or how much of a pain it is to setup and administer. IM is a huge productivity tool for me and my team.
posted by stupidcomputernickname at 8:02 AM on September 21, 2006


Wow, I'm surprised to see all this anti-IM discussion. I can see why the IT guys don't like IM, but then again a lot of IT guys were suspicious about the Internet 20 years ago, too. Could you imagine requiring your employees to not use email? IM is just as vital and valuable as email. Allow it.

Trillian Pro is an excellent third party Windows client. Avoid any solutions that require that both parties set up new IM clients / accounts.
posted by Nelson at 8:14 AM on September 21, 2006 [2 favorites]


Response by poster: Please define the "some folks" who think they need it.

These are people who deal with external suppliers, and the suppliers have claimed it's easier to contact them using IM. I brought up the subject of chit chat and management trusts that IM wouldn't be abused this way.

Jabber sounds like it would be an interesting project, but one that I don't have a terrible large amount of time to set up and spend administering. Our IT "department" consist of two of us who are more analysts and developers than systems admins.

Based on what others have said above, I think we can handle it culturally. My main concern is how to make it secure in our environment.
posted by SteveInMaine at 8:14 AM on September 21, 2006


IM can also be a great tool during conferance calls. It allows you to talk to your coworker without the client knowing you think he's a wanker.
posted by Mick at 8:17 AM on September 21, 2006


I've never used it, but there's a program out there called aimsniff that purports to 'sniff' AIM traffic on the LAN and log it. If you've got a well-configured network, this should be doable. To stay ethical, just make sure everyone is aware that it's being logged.

But as others have pointed out, phones aren't usually monitored, and yet everyone has those. (But then again, AIM is a major timesink for me. I'd never use it at work, because I'd get no work done.)
posted by fogster at 8:20 AM on September 21, 2006


Steve, what are your security concerns and needs then? Do you require encryption? Do you require logging? The hive mind can probably point out a way to do things, but we need the reqs.
posted by SpecialK at 8:22 AM on September 21, 2006


as far as i am aware there are no remote exploits for aim that do not require a user to click on a link. i don’t see how this posses any more risk than email. am i missing something?

also gaim is a good cross platform client that includes logging and encryption of conversations with the otr plugin.
posted by phil at 8:23 AM on September 21, 2006


Response by poster: Good question, Specialk. I'm going to hate to admit this, but our network inside isn't terribly secure. I've spent some time configuring our firewall, and we're up to date on our virus software. My main issue is that internally we use simple file sharing with open shares on PCs, so if there's a virus or malware that isn't caught but either the virus software or firewall we could be screwed. I'm fairly comfortable that we're protected while surfing or reading email, but not sure if our current protection is good enough for IM.

The data does not require encryption, and logging would be nice to have, but not required.
posted by SteveInMaine at 8:32 AM on September 21, 2006


Response by poster: ...and I think that Phil just answered my big concern. If the biggest risk is clicking a link, then the best protection is well trained users, right?
posted by SteveInMaine at 8:33 AM on September 21, 2006


The decision to allow instant messaging needs to be made by the business, not IT. Companies spend a great deal of effort working out who communicates with clients, what sort of commitments they can make, and how rapid a response is given to phone calls and email. IM may not fit into how the company wants to present itself to the client, and may in fact undercut it. For instance, in a larger IT shop, you'll have a help desk fielding calls and escalating tickets to second or third tier technicians. When those techs start getting calls directly from users, it means 1) they're distracted from what they're working on, and 2) users expect a level of immediate support that isn't sustainable. It gets ugly.

IM has the additional problem that it doesn't have a common standard of politeness: see this askMe thread, where the poster is upset that his friend ignores his messages for a day. And that issue was between friends - imagine how messy things could get once there's money at stake.

And more, it's generally accepted that you don't get a response to business email or calls after hours unless there's a pre-existing agreement. What happens when a client messages you with an emergency when you're IMing drunk at 2am?

I'm not saying this can't work, but it's up to management to work out policies about IM, not you. Get the OK from the company, then worry about securing the system.
posted by a young man in spats at 8:43 AM on September 21, 2006


Syemantec makes a product called IM Manager that acts as a proxy for IM clients. It secures and logs the messages. It's trivial to configure it to not go through the proxy, but I think there are ways to keep your clients from doing that.

Live Communication Server that stupidcomputernickname mentioned also secures and logs traffic. I am also unsure of the costs for LCS.

IM can be a pain to manage. It's easy to tell people that clicking links may cause problems on their PC, but they'll still do it. They'll still click the link because they think it's a legitimate link. IM Manager can (I believe) block messages meeting certain specifications. It's worth looking into, especially if you need to get approval to bring IM into the company. It would be good to say, "our staff wants to use IM and here's a way I found that can help protect us from the risks involved."
posted by bDiddy at 9:37 AM on September 21, 2006


As a programmer, IM can sometimes kill productivity. If I'm in the middle of something and some one suddenly wants to chat, it's easy to get distracted and lose focus, even if it's work related. Unfortunately there's no way to prioritize messages or senders with IM.
posted by blue_beetle at 10:55 AM on September 21, 2006


Clicking links is the usual method for malware, but I believe there have been some exploits (for the AIM client) that didn't require user interaction. Another thing is that AIM has god-awful flash ads.

We're migrating to the Gaim client (and a Jabber server--it can integrate with Active Directory) and will probably use a plug-in to filter out http links from incoming AIM messages.
posted by MikeKD at 12:16 PM on September 21, 2006


i just want to to make it clear. i understand that clicking on links is normally how worms spread all i was getting at is that allowing users to communicate via instant messages did not seem any more unsafe than allowing email.
posted by phil at 1:57 PM on September 21, 2006


IM is kind of a pain, in that IM windows pop up and steal the focus. It's easy to type into the wrong window, it's easy to type the wrong IM content into the wrong IM window. We use it at work, and recommend that people use our supported server and client, which is only sortof non-secure.

There's a social factor, as well. Older workers are often less comfortable with IM, may not type fast, and use different vernacular. I tend to use full sentences and proper grammar, and correct my spelling, and I notice that younger people type faster, use phrases, use lots of acronyms, and insert smiley icons. If you implement IM, you might want to do some work on how to use it in a reasonably business-like manner, while still making the most of the speed.
posted by theora55 at 2:24 PM on September 21, 2006


This might sound wimpy, but any time I need to make a potentially unpopular decision (such as saying "no IM allowed") I present the facts to my boss and let him make the call. He's not extremely technical but he's smart enough to balance the pros and cons given to him and make a business decision. Working in IT, I'm very hesitant to ever give users something I might have to take away in the future.

On a seperate note, we use IM within our tech department to talk to each other and we have three staff members (out of ten) that IMHO abuse it. Once their buddies see them online they're going to send them messages during the workday and there's no way to stop that. IMing their friends and family has now become an integral part of their day. Most users will manage their usage appropriately, but there's always a few that must push the envelope and ruin it for everyone. Personally, I created a seperate account for work so I don't get bothered.
posted by bda1972 at 7:54 PM on September 23, 2006


« Older ISA to PCI or Serial Converter?   |   Keep the foam thingies on my earbuds? Newer »
This thread is closed to new comments.