No matter the size of your business, if employees are using instant messaging (IM) to chat with each other, customers, or friends or family, then Nancy Flynn, who is executive director of The ePolicy Institute, has one piece of critical advice: Your company needs an IM policy.

As the author of several books including Instant Messaging Rules: A Business Guide to Managing Policies, Security, and Legal Issues for Safe IM Communication, Flynn studies how enterprises use IM, and where it can cause trouble if there is no self-regulation plan in place. For example, according to a 2006 study by the institute and the American Management Association (AMA), 24 to 26 percent of employees say they have used workplace IM to send jokes, gossip, rumors or attachments. Another to 12 percent of employees admit to using IM to send pornography, romantic messages or private information about themselves or coworkers. The result is a mounting number of ways IM can compromise the security of a company’s network or get a business in legal hot water.

Yet despite IM’s popularity and potentially risky uses, only 31 percent of the 416 mostly small and medium-sized businesses surveyed say they have a written policy for IM use on company time. “If you haven’t put a policy in place, and if you haven’t provided employees with formal training about IM risks and rules, it’s likely they are playing it fast and loose and transmitting the types of messages that do tend to trigger lawsuits,” Flynn says.

If IM is moving across your enterprise’s network—and the public Internet—Flynn and other experts offer these guidelines for how to develop an IM policy and enforce it:

Step 1: Know which IM programs are on your network

Free consumer IM programs are popular, but they aren’t secure. If employees have downloaded free IM programs (and at least half have, according to The ePolicy Institute survey), you need to know about it. Flynn recommends surveying employees -- without repercussions -- to find out which IM programs they use, and scanning the network for the presence of IM software.

Step 2: Decide when (or if) IM is appropriate

The fact that employees are already using IM doesn’t mean it always makes business sense, says Chris Hazelton, IDC senior analyst, small and medium business markets. But banning IM is not a popular or necessarily productive tack. “It would be good for a small company to talk to employees about who they’re IMing, such as clients or customers, and what’s the advantage. Is there a business need?” For example, many companies now offer customer support via IM, or employees use it to collaborate from disparate locations. The business cases for using IM should be made clear so that an appropriate IM policy can be formulated.

Step 3: Put a written policy in place

Flynn says if a company is going to allow -- or mandate -- the use of IM, then a written IM policy must address content and usage. For example, a policy might mandate that employees never use IM to transmit confidential customer or company information. Also, the policy should define how IM serves as a “business record.” For instance, IM chats surrounding the development of a new drug or financial services transactions would need to be archived, in compliance with regulations. It should detail how IMs will be logged, archived or monitored (including warning that IMs could be used during legal discovery). An IM policy could also address etiquette and productivity issues, such as requiring employees to use professional-sounding screen names and post an “away” note when they are not at their computer, or allowing them to turn off IM when on a tight deadline or when they don’t want to be distracted.

Step 4: Choose an IM solution

If your company needs to secure and monitor IM, products such as IBM Lotus Sametime, Novell GroupWise Messenger and Microsoft Live Communications Server (LCS) can log and archive messages and scan for malware or inappropriate content. If you need to add extra security and encryption to consumer IM programs like Google Talk or Yahoo Messenger, you should explore gateway products such as FaceTime or Symantec’s IMLogic. AOL’s free AIM Pro also encrypts IMs and allows users to securely share documents. If clients or suppliers expect to be able to interact with the company using public IM, consider an enterprise IM product that is compatible but keeps things on your end secure.

When in doubt, an IM policy should mirror a firm’s e-mail policy, Flynn says. Once the policy is in place, employees need to be educated and it needs to be enforced to minimize liability. “If you have a policy in place, have conducted a formal training program and have installed the proper technology, you can walk into a courtroom and demonstrate that you’ve done due diligence,” she says.