Creating an Employee IM Policy

A few years ago, a technology startup's CEO was mortified to discover that thousands of his confidential instant messages had been posted on the internet. His messages were an enormous embarrassment for his company and its business partners, and the CEO even received death threats.

Though IM has many advantages, its growing use in the workplace can expose small businesses to a host of security, legal and other risks. To help protect your business, it's advisable to draw up and implement an IM best practices policy. Here are some tips to get you started.

• Decide whether or not to allow IM. Instant messaging can keep your business connected with customers, partners and suppliers in ways not otherwise possible. For an overview of IM's benefits, see last month's column, "Should Your Business Use Instant Messaging?."

  Content Continues Below

  ---

  IM may also expose your network to viruses, hacker attacks, spyware and other security breaches. Instant messages can be used as evidence against your business in legal proceedings, and personal use of IM at work can be a frequent productivity drain.

  The first step is to decide whether to even allow employees to use IM on your network. (Instant messaging can be blocked with firewall rules and other network security measures.) Keep in mind, however, that the benefits of instant messaging for small business are significant, and its risks can be greatly minimized.

• Standardize one IM service. There are a variety of IM services available. Most are closed services that don't allow users to send messages to users of other IM services.

  To streamline IM management, decide on one service for your employees and standardize it for your best customers and business partners to use.

• Make sure IM sessions are protected. Some IM services offer encryption and security standards, such as Secure Sockets Layer (SSL), to protect messages. Nonetheless, it's essential to protect all your small business's electronic communications with a firewall, which defends against unauthorized computer access, as well as anti-virus and anti-spyware solutions. Another option is a virtual private network (VPN), which enables remote and mobile workers to access your network over a secure connection. For more about basic network security, see "Is Your Biz Safe From Internet Security Threats?."

• Educate employees about the risks. If your business uses IM, make sure all employees are aware of the risks. Ideally, create a written list of IM's risks in specific but not-too-technical detail and make sure each employee has a copy. The list of risks can be incorporated into an overall IM/e-mail content policy, described below.

• Create an IM content policy. Because of their informality and immediacy, IM conversations can come back to haunt you. One hastily dispatched message--a sexist joke, for instance--could have unfortunate legal consequences down the road. And yet, only about one-third of companies train employees how to use electronic communications properly, according to ePolicyInstitute.com, an online resource for avoiding risks associated with IM and e-mail.

  A written policy clearly outlining content not allowed in instant messages (or e-mail, for that matter) will help limit your business's exposure to IM's risks. Your written IM content policy should forbid the following: profanity; confidential business or personal information; offensive jokes; and potentially slanderous or unflattering comments about customers, business associates and other employees.

• Define penalties for IM content breaches. Rules are only as good as their enforcement, and IM content policies are no exception. Make it clear what the penalties are for disobeying IM policy and, when necessary, enforce them. Having employees sign a copy of your IM policy will help minimize misunderstandings.

• Consider limiting IM. Because viruses and other security risks can be passed along in instant messages, advise employees against corresponding via IM with anyone they don't know. Under no circumstances should an unknown file attached to an IM be opened. Also, set a policy for personal IM use by either forbidding it altogether or restricting it to lunchtime and other break periods.

• Archive IM logs. As with e-mail, IM sessions should be archived to protect your business in the event of a lawsuit or other dispute. Add extra storage to your network for IM archiving if necessary, and make sure IM logs and messages are regularly backed up. Storing back ups offsite is always prudent, as it helps protect the data against fire, theft, viruses and other risks.

• Stay up-to-date. With IM security threats on the rise, you should regularly review your IM security, as well as content policy and best practices, and revise them accordingly. If you don't have the expertise in-house to keep your IM communications sufficiently protected, consider hiring a network security consultant or managed service provider. Your network vendor or reseller can also provide resources to help your business take advantage of IM securely and cost-effectively.

With proper use on a secure network, instant messaging can keep you in closer touch with your customers, partners and suppliers--and that's good for business.