Creating Effective Enterprise IM Policy

Instant messaging is quickly becoming a preferred method of communication among co-workers, partners and customers. As IM usage continues to increase, administrators need to effectively protect their corporate networks from the growing number of security risks that are targeting IM platforms.

Virus and worm outbreaks, denial of service attacks, and exploits targeting security vulnerabilities like buffer overflows and encryption weaknesses are increasing in frequency.

So, how can companies continue to allow employees to utilize IM without opening their network to additional attacks or the broadcasting of undesirable message content?

A successful IM deployment strategy must include technology for managing and monitoring IM applications, IT staff training and a clear usage policy for employees. Although organizations should be concerned about each of these areas , this article is focused on recommendations for creating IM policies that deal with prevention, education, acceptable use and continual enforcement.

These policies need to reflect a company’s business goals, communication methodology, and security and compliance requirements.

Acceptable Usage Policy

It is advised that companies institute a specific acceptable usage policy (AUP) for IM and that it be distributed and signed by each employee. This policy should closely match the organization’s overall electronic communications policy so that it is consistent with guidelines for email and other communications, and includes provisions for acceptable language and confidential information.

Some common areas that are often covered in a company’s AUP for IM are appropriate contacts for business buddy lists, allowable user names, access to chat rooms, files that are not allowed to be sent or received via IM and specific language that is considered unacceptable.

Companies need to identify and publish allowable communications and potential violations that can be considered grounds for dismissal.

In addition to establishing guidelines for usage, the AUP needs to clearly outline the actions that will be taken for each offense and how the management team will enforce these actions. It is highly recommended that the AUP be posted to an internal website where it can be easily updated.

Policy for Prevention

Many users view IM applications as unrestricted and informal. This results in conversations that tend to be less inhibited and increases the risk that potentially sensitive information may be shared inappropriately.

To comply with regulatory legislation and avoid the leaking of sensitive data or potential lawsuits, companies need to create a consistent and enforceable policy focused on preventing and blocking IM conversations that utilize pre-defined keywords or attempt to send unauthorized files.

The list of unacceptable keywords and file extensions should be included in the company AUP and should be constantly updated in order to ensure it remains current with company projects, issues or information.


Virus writers, scam artists and hackers consistently morph their tactics in an effort to trick users into clicking on fraudulent links, download infected files or unknowingly providing access into their systems. Companies need to maintain a program for continual education designed to update employees on these tactics, methods for reporting possible viruses and what to do if they feel they have been infected.

Published virus alerts, technical articles and real-life examples can all be utilized in order to raise the level of awareness among employees. Such a program can easily be done electronically through employee newsletters, e-mail reminders or postings on an internal website.


The key to successful IM deployment and continued management is creating and — most importantly — following through on a policy for enforcing disciplinary action as necessary.

As companies develop their AUP, they need to determine what constitutes a violation of policy and the disciplinary action that will be associated with it. Violations can include inappropriate language, spending too much time on non-business related communications, attempts to violate the file sending/receiving policy and sharing sensitive or confidential information.

Depending on the offense, penalties can include additional training, verbal or written warnings or dismissal.

Just like e-mail, IM has quickly become a popular and effective tool for extending the communication capabilities of businesses around the world. When designed effectively with clear and concise policies, organizations can reap the productivity benefits that IM promises without exposing their networks to malicious threats, hacking or the proliferation of undesirable messages.

Joe Licari is vice president of Sybari Sybari product management. He is responsible for the management and implementation of Sybari’s product development and marketing initiatives. Licari is a messaging and collaboration security industry veteran and a frequent security conference speaker and can be reached at [email protected].