Using software such as AOL’s Instant Messenger or Yahoo Messenger, 50 percent of employees are using consumer instant message (IM) programs via company computers, according to a 2006 survey of 416 primarily small and midsize businesses by the America Management Association and The ePolicy Institute.

These consumer IM clients frequently quietly slide their way on to company networks because employees often use the same programs to chat with friends and co-workers when they’re off the clock, too. But consumer IM programs also can enable something that many companies won’t even risk these days when it comes to e-mail: Unfettered, unmonitored and unencrypted communication over the public Internet. What's worse is that only 47 percent of employers are aware of the IM programs running on their systems, according to the AMA study.

“IM is nothing more than turbo charged e-mail -- and all the IM risks that exist are the same as with e-mail,” says Nancy Flynn, executive director of The ePolicy Institute and author of several books including, Instant Messaging Rules: A Business Guide to Managing Policies, Security, and Legal Issues for Safe IM Communication.  

IM poses some of the same risks to a business as e-mail, from allowing employees to disseminate confidential company information to exposing company computers and networks to a virus, worm, or Trojan Horse that quickly spreads. And with those risks come the potential for a firm to be subject to the same legal liabilities for employee conduct over IM. So then the question becomes: Should companies allow employees to use free consumer programs or should they install enterprise IM that come with more security features? Here’s how to do decide if a business should go with business IM:

Does your company need to conduct business via IM?

Employees might not even have a legitimate business reason to be IMing the outside world, in which case a company could forgo allowing IM programs altogether. But if employees need to IM each other, vendors, or clients to conduct business, then a company needs to use secure IM, says Richi Jennings, lead e-mail security analyst for Ferris Research, a San Francisco-based research firm. “If they are going to use a consumer-based service, IMs should still be encrypted,” he says. “And there is no substitute for having good antivirus, spyware, and malware control in place.” Enterprise IM programs also can assign company-branded, professional screen names to employees.

Does your company need to archive IMs?

Regulators in the financial services arena, for instance, have made it clear that they don’t make a distinction between e-mail and when it comes to retention requirements. “When employees engage in IM chat via public IM tools, your electronic business records are not being retained,” Flynn notes. “It’s essential for all businesses--no matter what your size or industry--to retain your records if you’re in a regulated field.” For many companies, complying with regulations like Sarbanes-Oxley means logging and archiving IM sessions between employees and clients--or anyone. IM management tools or enterprise IM products can offer a built-in logging and archiving feature for legal or regulatory compliance. Free consumer IM programs, on the other hand, do allow users to choose to save individual chat sessions, but they don’t include enterprise-wide records management or archiving features.

Does your company need to secure IM?

If IM is being used on company time, experts say the answer is always, “Yes.” But there are different approaches to boosting IM security.

IBM Lotus Sametime, Novel GroupWise Messenger, and Microsoft Live Communications Server (LCS) are among the enterprise IM programs that offer an entire IM infrastructure installed on a company’s internal servers to enable archiving or defenses against threats like malware or IM spam (a.k.a. spim). Enterprise IM programs can be integrated with a user's e-mail program or allow Web conferencing as well. For instance, Microsoft LCS can allow employees to IM people who use public IM programs but it still encrypts and logs messages. IMB Lotus Sametime even encrypts users’ buddy lists.

IM management or gateway products -- such as Akonix, Akeni, FaceTime, or Symantec’s IMLogic--can also add layers of security to existing IM products like Google Talk, Yahoo Messenger or MSN Messenger by archiving messages, scanning for viruses or blocking messages containing restricted phrases to prevent that data from leaving a business’s network.

Depending on the level of security, management and additional features offered, enterprise IM can cost up to $5,000 for FaceTime’s RTG500 gateway product to about $500 for Microsoft LCS for five users to $10 to $40 per user for Akeni or IMLogic. AOL’s new AIM Pro powered by WebEx, which encrypts IMs and allows users to securely share documents or conduct conference calls, is free.

No matter what the size of a business, experts say there are affordable solutions for adding the necessary security needed if employees are going to be IMing on the clock:

“It only takes one employee to accidentally transmit the company’s client list or employees’ social security numbers, for example,” Flynn says. “If you decide to allow IM, you have to decide if you’re going to install an enterprise grade system or use freebies with IM gateway management technology to give your company the ability to monitor, filter, purge, and retain IM chat just like you do e-mails.”