Recently in Public IM Category

Today's guest blogger is Eric Young.  Eric is FaceTime's Sr. Director of Field Services, and works with FaceTime customers to implement leading edge security and compliance solutions for Unified Communications and Web 2.0.  Eric's worldwide role gives him an insight into the global requirements of organizations implementing real time communications technologies to enable their businesses, and he works closely with our product team to ensure that FaceTime solutions remain at the forefront of the industry.

 

Yesterday's solution doesn't address today's issues.

 

I was onsite with a customer recently completing our fifth competitive replacement within the Fortune 400 in the past 6 months.  As the customer was detailing all of the requirements the previous solution did not satisfy, it made me wonder, how are other customers of these competitors feeling they are operating in a compliant fashion? 

 

If you, as a compliance officer or legal counsel, cannot make sense of a group chat conversation, cannot actually view the content of a blocked message, or can't see what folks are trying to post to a social networking site, how can you possibly defend your organization from SEC fines or from a lawsuit in a court of law?

 

Security technologies evolve quickly, especially in the area of real-time communications - but the adoption of tools like Unified Communications, Instant Messaging and social media has grown exponentially - in many cases even without the knowledge of either IT or compliance.

 

Regulation and compliance changes too, with the times.  Most recently I've seen FINRA starting to address the issue of social media and issuing guidelines to member organizations and individuals on how usage should be treated. 

 

We all understand there is a big difference between "logging" and "being compliant", but knowing there are still some banks and other highly regulated companies using these legacy solutions that were designed for the technology of a few years back, it raises the question:  What are the minimum requirements for security and compliance for Unified Communications, Instant Messaging and Social Media?


And, what are you doing about dealing with emerging technology?

 

 

 

It's not so long ago that I'd wonder what I did without my instant messaging client just to get through my working day. Not, you understand, because I needed my latest fix of emoticon-laden gossip with far-flung friends, but rather so that I could use Windows Live, Microsoft OCS, Lotus Sametime, Skype (yes, I'm a serial IM'er) to get answers I needed from people who were online, rather than abandoning my question in a voicemail black hole.

 

My must-have applications of choice now?  Twitter, Facebook and LinkedIn for starters.   And it appears I'm not the only one to join the social revolution.  FaceTime's June survey on social networking had over 87% of 1199 respondents using social networks, with 39% using a social network every day.

 

Now most of the folks I social network with are work related.  And my communications are during the working day.  And they respond in kind.  (So.. there's a Sherlock Holmes style deduction going on here) It's elementary, my dear Watson, that they must therefore be using social networks in the workplace.

 

And our survey agrees with that, with a whopping 85% of respondents believing that their users are utilizing social networks from the corporate network.  We'd been somewhat surprised earlier this week when Chris Boyd, our Director of Research, uncovered a keylogger on the kids' popular social networking site Neopets.  (Neopets (originally NeoPets) is a virtual pet website, based around the virtual pets that inhabit the virtual world of Neopia.)

 

Chris found hackers targeting 12 year olds - and probably their more affluent parents.

 

Interestingly, sites such as Neopets are accessed in corporate environments too - FaceTime collects live traffic data from commercially deployed Unified Security Gateway appliances at more than 80 mid to large enterprises worldwide that have opted into this program, representing the daily Web-based activities of more than 100,000 corporate workers.

 

During the past week, these corporate workers have accessed 99 different virtual worlds from their work computers, and at least half of those are targeted at children. Perhaps, as Chris suggests, the kids are asking their parents to check on their Neopets at work or see if the latest friend request on Myspace has been approved?

 

I guess it's at this point in time that the corporate security folks start shaking their heads, and blocking access to social networks, updating those URL filters, tightening up the rules on the firewall.  You know the drill. 

 

Hold up.  Whoa.  Stop. 

31% of our survey respondents reported that Social Networking is critical to business - but must be secure and compliant, citing business benefits from better employee communications to improved marketing communications, more efficient recruiting and faster decision times through collaboration as the key benefits that social networking delivers.

 

But that's not all.  40% of our survey respondents derived their information about their employee social networking usage from URL filter logs.  The Web 2.0 applications and real time communications tools that make up the social networks and the internet that we use today are highly evasive, specifically designed to get around Web filtering, firewalls and other traditional security solutions using a variety of techniques like port crawling, tunneling and onion routing.  So the reality is probably that there is a lot more of this traffic that folks are just plain NOT SEEING, let alone managing.

 

I'll leave you with the thought that our web 2.0 world is no longer about blocking (even if your traditional URL filter could..) it's as we at FaceTime say (and our survey respondents agree with resoundingly)  - our new social order needs enabling, just make sure that it's done securely and compliantly.

 

It looks as if the decision has been made: President Barack Obama will be allowed to keep his Blackberry. Politico's Ben Smith reports incoming White House staffers were told last Friday that, indeed, the President would remain connected - but for them the news was not so bright. There will be no IM in the White House, and that's a change that the White House staffers are not ready for.

 

This is an interesting policy, since Web 2.0 and real time communications have played such a significant role in the Obama campaign.

 

According to Smith:

 

"They just told us flat out we couldn't IM in the White House," groused one senior staffer Friday.

"It sucks. It's really going to slow us down," complained another, saying that lawyers had warned that, along with instant messaging, White House software will restrict users to a range of sites roughly "like your average grade school." 

 

At the heart of this debate is The Presidential Records Act, which requires White House documents to be made publicly available five years after a president leaves office. The White House will obviously be archiving its emails to comply. But why stop there? After all, in many ways IM is really just instant email. For more than seven years now, corporations have embraced the benefits of IM and solved the compliance issues around storing and retrieving its content.

   

In defense of the White House IT staff, even though IM seems like instant email to its users, it's very different from a management standpoint. Instead of one email network under IT's control, there are dozens of different IM networks in play where conversations occur in real time and involve any number of parties.  It's like solving a Rubik's Cube as opposed to a flat picture puzzle - it can be done, but it's a bit more complicated.

 

For example, a multi-party IM conversation can include numerous participants joining at different times, creating a requirement to make clear the context surrounding each participant's understanding of the conversation. Who entered at what point, what did they hear and what did they say?

 

Or in terms that became familiar during the Watergate scandal, which was the catalyst for the adoption of the Presidential Records Retention Act, "Who knew what, and when?"
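The per-participant context problem described above (who was in the room when each message was sent) is straightforward to model once an archive keeps join and leave events alongside the messages. The following is an added example, not FaceTime's code or any product's archive format: it replays a constructed group-chat event log and reconstructs, for each participant, the messages they were actually present for, plus a "who knew what, and when" query. Event names, fields and the sample conversation are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class Event:
    ts: int                    # constructed monotonically increasing timestamp
    kind: str                  # "join", "leave" or "msg"
    user: str
    text: Optional[str] = None # only set for "msg" events

# Constructed sample group chat (hypothetical archive, not real data).
SAMPLE_EVENTS = [
    Event(100, "join", "alice"),
    Event(101, "join", "bob"),
    Event(102, "msg", "alice", "Q3 numbers are final"),
    Event(103, "join", "carol"),            # carol joins after alice's first message
    Event(104, "msg", "bob", "Send them to legal first"),
    Event(105, "leave", "alice"),           # alice leaves before carol's question
    Event(106, "msg", "carol", "Has alice seen this?"),
    Event(107, "leave", "bob"),
    Event(108, "leave", "carol"),
]

Message = Tuple[int, str, str]   # (ts, author, text)

def reconstruct_views(events: List[Event]):
    """Replay the archive in timestamp order.

    Returns two dicts:
      views[user]    -> list of (ts, author, text) messages that user was present for
      presence[user] -> list of (join_ts, leave_ts) intervals (leave_ts None if still present)
    A message from a user who is not present indicates a gap or tampering in the
    archive and is rejected rather than silently attributed.
    """
    present: Set[str] = set()
    views: Dict[str, List[Message]] = {}
    presence: Dict[str, List[Tuple[int, Optional[int]]]] = {}
    open_since: Dict[str, int] = {}

    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "join":
            present.add(ev.user)
            open_since[ev.user] = ev.ts
            views.setdefault(ev.user, [])
            presence.setdefault(ev.user, [])
        elif ev.kind == "leave":
            present.discard(ev.user)
            start = open_since.pop(ev.user, None)
            if start is not None:
                presence[ev.user].append((start, ev.ts))
        elif ev.kind == "msg":
            if ev.user not in present:
                raise ValueError(f"message at ts={ev.ts} from absent user {ev.user!r}")
            # Every participant currently in the room "heard" this message.
            for user in present:
                views[user].append((ev.ts, ev.user, ev.text or ""))
        else:
            raise ValueError(f"unknown event kind {ev.kind!r}")

    # Participants who never left: record an open-ended presence interval.
    for user, start in open_since.items():
        presence[user].append((start, None))
    return views, presence

def who_knew(events: List[Event], ts: int) -> Set[str]:
    """Participants present in the conversation at (and including) timestamp ts."""
    present: Set[str] = set()
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.ts > ts:
            break
        if ev.kind == "join":
            present.add(ev.user)
        elif ev.kind == "leave":
            present.discard(ev.user)
    return present

if __name__ == "__main__":
    views, presence = reconstruct_views(SAMPLE_EVENTS)
    for user in sorted(views):
        print(user, "was present for:", [(ts, author) for ts, author, _ in views[user]])
    print("present at ts=106:", sorted(who_knew(SAMPLE_EVENTS, 106)))
```

In this constructed log, alice never sees carol's question at ts=106 and carol never sees alice's message at ts=102, which is exactly the distinction a reviewer needs when a transcript is produced in discovery; rejecting a message from an absent participant surfaces archive gaps instead of hiding them.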

 

The technology exists to solve these problems, so my guess is that's not all that's behind the decision. IM conversations are by their nature casual, more like hallway conversations. So the fear is that if IM is archived, one day those walls will talk and the result may be embarrassing. Remember Mark Foley?

 

But Corporate America has dealt with this issue as well, and the White House could do the same. Employee education goes a long way, along with proactive technology solutions like setting policies and real-time notifications that appear during instant message conversations to let users know they are being monitored. If you tell the White House staffers they're being monitored, I'm guessing they will use IM appropriately - no more and no less than they would with email. How often do you go over the speed limit when a Highway Patrol car is in the next lane?

 

Change. If anyone can do it, this administration can.

[Halcyon: Oxford English Dictionary definition: adj. & n. calm, peaceful]

 

Sarah Carter definition:  sepia tinted memories of days where you only remember the good bits...often a rose tinted remembrance...

 

I don't believe I'm surprised anymore by what happens in our increasingly connected world.  Perhaps I'm a natural cynic.  Having been in the IT security industry for more years than I'll ever admit to, I'm naturally suspicious.  When Steve Gold, one of our well known journalists in the UK, Skype'd me an unsolicited article synopsis text file that he wanted to interview FaceTime about recently, I wouldn't accept the file until he'd answered a specific question I asked him in the Skype IM.  As I explained to Steve, "Sure, we Skype each other regularly, but just because I know you doesn't mean I trust you.  And I certainly don't trust your IT or some of the nefarious characters (I include myself in this list) you associate with and who send you files and information to investigate."

 

I remember, you see, the days of the "I love you virus", the days before we purchased anti-spam and email anti-virus without question. When I'd click on a link that someone in my trusted network would send me, or I'd open a .zip file, the only way that I could stop the resulting virus being propagated out to my entire contacts list was to reach under my desk and pull out the network cable and then sit and wait, red faced, for helpdesk to come and rescue me.

 

It surprises me that people aren't more suspicious, that there is a natural trust between users of real-time communications.

 

At FaceTime (in our labs and through working with customers) we see threats propagating over real time channels every day - protecting you from them is, after all, our business.  We've seen Trojans come in over a public IM network, propagate out to all your buddies and then hop over to an enterprise IM network.

 

So, is it just a matter of time then before we see malware and Trojans and worms written specifically for unified messaging and communications platforms, written to take advantage of the inherent trust shared between users?  And are we currently in an equivalent halcyon period that I remember before ILoveYou and email?  Or am I worrying about nothing?

 

Time, I guess will tell.  But next time, I ask you for verification that you are who you say you are when you're sending me a file over IM, or when you're sending me your holiday pics over Skype...well, it's not that I don't trust you.  I just think the halcyon days are long gone. Am I the only one?

 

Can the Water Cooler Chat


I read a report from Reuters about the British think tank Demos, saying that bosses shouldn't stop their staff from visiting social networking sites because it could actually benefit their business.  Music to my ears, I thought.  I'm obviously pretty pleased with the conclusions that they came to, not least because it absolutely marries up with the results of FaceTime's fourth annual survey of Internet Trends (more on this in a moment), but also because it marries up with how I work.

 

The Demos report concluded that

 

"The value of networking within an economic downturn is perhaps more important than ever and I believe it could mean the difference between a business collapsing or capitalizing on the tricky conditions."

 

Paraphrasing the report, it means that employees should be allowed to use MySpace, or Facebook, because there is very little difference between social networking and professional networking.

 

The FaceTime survey also looked at the changing way in which IT professionals and employees use the Internet. This year, 81% of survey respondents said they use social networks at work for personal reasons. But what's interesting is a nearly equal number - 79% - said they use these sites for business reasons. And 51% are accessing them several times a day. 

 

[Chart: social networks used at work]

I'm definitely one of those 51% of the 79%. You'll find me regularly on LinkedIn and Facebook, both for social and legitimate business reasons.  I actually think that my local supermarket owes me some coupons or at least a pat on the back.... I recently posted a tip on Facebook about beating the credit crunch with a special deal they had on some wine, and I know for certain that my buddies bought at least 5 cases.  So Tesco, if you're listening....you know where I live.

 

However, there's one point in the report that I don't agree with.

 

"Bans on Facebook or YouTube are in any case almost impossible to enforce; firms may as well try to put a time limit on the numbers of minutes allowed each day for gossiping." 

 

You see this is one of the great things that FaceTime - and our flagship product, the Unified Security Gateway (or USG) does. 

 

Ban the access if you want; USG lets you do that.  Or, to let you truly realize the value of networking, it gives you granular control over who can do what: whether that's downloading one of the more than 20,000 applications on Facebook, or setting who can use AIM or Yahoo! Messenger or GoogleTalk or myriad other real time chat and communications tools.

 

So while we can't stop the gossip around the real water cooler, we can stop them getting to the virtual one!

Lessons from Yahoogate


They say you can find anything on Google. Turns out it's especially useful when one is searching for personal data to crack a Yahoo! Web mail password.  

 

In the remote case you missed it: Vice Presidential candidate Sarah Palin's Yahoo! Webmail was hacked last week, and the contents were posted on Wikileaks.  Wired reported that the hacker easily broke into Palin's Webmail, hoping to find incriminating evidence that could derail her campaign.

 

We see this happen a lot. While IT installs email and IM archiving software, the workforce moves their personal and sometimes ill-advised communications to what I would call rogue channels. These channels include Webmail, public IM, Skype, and even Facebook. Employees think that management doesn't monitor or control these tools and it becomes an appealing place for improper or even illegal activity to occur.

 

Michael Osterman explained this well when he wrote about the lessons IT should learn from the Sarah Palin Webmail hack.

 

More examples of infamous rogue channel use in recent times include Senator Mark Foley, whose IM conversations with an intern cost him his job; Jerome Kerviel, the French banker who allegedly cost his company $7B; and Scott Sidell, the former CEO who funneled client lists to himself through Webmail.

 

What are your employees doing through Webmail, personal IM networks and social networking sites?

 

When I ask IT professionals the above question the majority respond (very confidently) that nothing rogue or unsanctioned is happening on their networks. Common responses include, "We block it with our firewall" or "we have a policy against it."  Then we deploy an evaluation unit and provide a report of actual employee initiated traffic and it becomes clear: hope is not a strategy. 

 

As customers move to adopt Unified Communications platforms from Microsoft, IBM and others, I believe the same issue will exist - employees will use personal systems and corporate sanctioned systems interchangeably.  IT will have the hard task of managing policies and controls consistently across this heterogeneous environment. 

... or even what it is?

 

Back in the old days, TV networks would run public service spots before the nightly news saying: "It's 10 pm, do you know where your children are?" The fact that the spots ran for twenty years in cities like New York points out that it is easy to lose track of stuff, even important stuff.  Which brings me to ESI--Electronically Stored Information.  Not that it is as important as your kids, but in the discovery phase of a big lawsuit, it might seem that way.  And, like kids, ESI can be surprisingly easy to lose track of.

 

ESI is the catch-all term for the digitally stored files of litigants in a federal case.  During the pre-trial discovery phase of a lawsuit, all ESI is subject to discovery, meaning it all has to be checked for relevant information that the other side has requested to help it prove its case.  Only the relevant files need to be actually given to the opposing party, but all ESI has to be checked to make sure all the relevant files have been located and handed over.  It sounds simple enough, but it is hard if you are not prepared in advance and a lot can go wrong. 

 

When the e-discovery rules changed in late 2006, there was a lot of commotion about it, and a lot was written about the need for companies to have their ESI organized and well maintained in order to be able to respond to the tight discovery timelines set by the new rules. I don't think that message has really sunk in though.  And now that the rules are no longer "new," and the commotion has died down, it is easy for companies to lose track of whether they have really prepared to meet the current e-discovery challenges.  Yes, the e-discovery market is growing nicely, but more spending is not assurance that the companies really understand all the risks or even the problems they are trying to solve. 

 

As the resident lawyer at FaceTime, I am occasionally asked to talk about e-discovery issues with customers, or on a panel. Sometimes I can tell that a person I'm speaking with just doesn't want to have to deal with instant messaging in e-discovery, even when IM is used for business purposes in their company. To them, the most obvious way not to deal with it is to make it go away, or more precisely, to take the position that IM logs are not business records and therefore will not be saved. 

 

No saved IM records, no IM ESI, problem solved. 

 

There are undoubtedly circumstances where this is a sound policy, but what I've seen is that such a position is most often taken without enough attention to the reality of how easily IM logs are stored in hard-to-find places, and how difficult it is to effectively enforce a "no IM records" policy when employees use IM for business purposes and may need to refer to those logs the way they refer back to e-mail.  The company falls into the trap of mistaking its ESI policy, what the company wants its ESI to be, for the reality of what its ESI actually is -- i.e., what is actually saved, either inadvertently or surreptitiously against policy.

 

The resulting danger is that the ESI is there, but the company doesn't know it exists until too late. My recommendation is usually that if IM is used for business, then it will generate business records that should be maintained and be treated on par with e-mail records for e-discovery purposes.

 

If the IM-savvy, and sometimes IM-dependent, companies that FaceTime deals with are still coming to terms with IM logs in regard to e-discovery, then I have to believe that companies in general have not moved much beyond e-mail archiving, if they have a proactive e-discovery solution at all.  To me, that's like being happy that one of your kids is watching TV with you at 10 pm. and forgetting about the one you haven't seen since yesterday.

I'm admittedly not an "early adopter," and I'm typically not the latest to jump on a new technology trend (and yes, I still have problems organising my DVD recorder), but heading up FaceTime's EMEA marketing group has meant I've needed to get with the program. Along the way, I've made my share of social networking faux pas, so I came up with a plan to see how many more luddites there were trying to make their way in the social networking world... and how many had made the same mistakes as me.

 

So, with this in mind, we launched a (completely anonymous) survey and I sent out invitations via good ole email, and even via my Facebook and LinkedIn buddies ... oh boy.  I have to say it was interesting reading (and I almost wish it hadn't been anonymous now!).

 

We immediately received stories from users who showed an almost Olympian prowess at doing the wrong thing. Computer Weekly reported on some of the results of the survey.

 

Here's a recap: More than a third of the 77% of respondents that can access IM services at work admitted to sending an instant message to the wrong person, occasionally to the very person they were talking about and frequently to their superiors. Sending kisses, checking on the whereabouts of loved ones and derogatory comments about co-workers and superiors have all ended up in a manager's chat window. One respondent even confessed to sending a joke of an explicit sexual nature accidentally to the Financial Director.

 

A lack of forward thinking (I put myself at the head of the list!) when posting news and updates was evident in the faux-pas anecdotes given during the course of the survey.

 

One respondent posted to Twitter "Woohoo! I've finished for the day" at 4pm rather than his finish time of 5:30 pm, only to receive a call from a colleague asking how he was enjoying the sunshine. Another stated that he was an eager job seeker to his current, and rather surprised, employer.

 

Just 5% of respondents had sent confidential information to the wrong person. However, one such error resulted in the company's telephony and internet access being used by someone else at the organisation's expense.

 

Nearly 16% of respondents said that they had clicked on an attachment or a link within an IM that had turned out to be malware. 42% of those said their anti-virus protection did not catch it.

 

Nearly three quarters of people surveyed could access social networking sites at work, but only two thirds said that their employer's policy allowed them, showing that adequate policy enforcement tools were not in place. The most popular sites by far that people used were LinkedIn and Facebook, with 33.1% of respondents saying they had the most friends on LinkedIn, compared with 32% that said real life friends topped their list. 

 

The bottom line is, people are engaging in communications via IM and social networking at work. Enabling IM and Web 2.0 communications can bring great benefits to companies, but IT departments need to consider the risks involved and make sure that security, policy control and compliance are introduced as standard best practice.

 

Perhaps the best advice for users is summed up by one of the survey respondents who said "I always check twice, to see if I've been naughty or nice."

 

I recently did a podcast interview with Michael Osterman of Osterman Research for Messaging News.

 

Here at FaceTime, we're immersed in unified communications every day. We talk to our customers about what they hope to get out of UC, what modalities (messaging, VoIP, Web Conferencing, etc.) they are deploying first, and how they are struggling with internal issues regarding architectural considerations, alignment with business processes, IT ownership and more. Sometimes I get too close to these issues, so it's nice to step back and think about how to answer questions like the ones Michael presented in a way that provides a broader market perspective.

 

I hope I did that in this podcast and I hope you have time to listen to it. For those of you with time constraints, here are some of the points we talked about:

 

  • UC is entering the workplace in much the same way as the original PCs, or more recently, wireless access points. Users are downloading consumer-oriented UC-like applications like Skype, and reaping collaboration benefits.
  • Most organizations aren't deploying UC with multiple modalities all at once. They are starting with presence and IM and extending to Web Conferencing and VoIP - putting policies in place that can be extended across future modalities once they are deployed.
  • Productivity through collaboration is typically the #1 driver for deploying UC, but cost savings and employee attraction and retention are close seconds.
  • More avenues are available to bring information into the organization and more options for employees to communicate outside the company. This means that security and compliance are top concerns when deploying UC.
  • IT wants effective management and control of all these communications options, but the bottom line is that forward thinking IT professionals want to add value - they are motivated by enabling employees to be productive and contribute to the success of the company.
  • When an organization rolls out UC they often find it exists in a heterogeneous environment that includes "rogue" consumer applications that do not go away. It's not uncommon to have 8-15 rogue applications (IM clients, file sharing tools, social networks etc.) running on the enterprise network. They may not all be bad, but they're not visible and not sanctioned.

 

Bottom line, management is looking for two things: strong ROI from its UC platform and a way to control the universe of consumer-oriented applications that employees bring onto the network. We see a range of company policies - lots of companies are experimenting and don't want to shut things down if it can provide a competitive advantage through better employee collaboration. Others are in an industry with stricter requirements and need to block or closely manage certain apps.

 

I'd love to hear how your company is dealing with unified communications, both the consumer and enterprise versions. Does the above ring true for you?

This week we announced a major update to IMAuditor. The most significant new capabilities are around data leak prevention, and it got me thinking about how our business has shifted over the past few years. 

 

FaceTime first introduced its IMAuditor software in 2001, half a lifetime ago in Internet terms. At the time, it became the standard by which banks monitored and recorded conversations their employees (mainly traders) were having over IM to comply with SEC regulations. Over the past seven years, we've refined and advanced the product to stay ahead of the changing Internet and changing employee behavior. Today, employees routinely communicate over social networking sites like Facebook and LinkedIn, use Web-based file sharing sites like SlideShare and transfer information with P2P file sharing software such as LimeWire. That's the nature of the New Internet.

 

This also means that setting and enforcing policies for information is more complex than ever... hence, constant updates to IMAuditor. 

 

In parallel, it's been interesting to observe how my conversations with customers have changed over the past four years that I've been CEO of FaceTime. Foremost, our customer base itself has changed: from primarily financial services companies to large enterprises in general. And, the primary concern has shifted from regulatory compliance to security and integrity of enterprise data. Most interestingly, new triggers and pain points have emerged - from AIM to Facebook, from Napster to Skype.  As employees bring new Web 2.0 applications onto the enterprise network, protecting the organization against data leaks over these new channels is overtaking concern about incoming malware.

 

Something else is changing too: companies have started to realize that blocking these new Internet applications is not a solution. Especially in the case of IM, companies have seen the value of real-time communications and are rolling out unified communications suites like Microsoft OCS and IBM Lotus Sametime in an effort to realize these new productivity gains. And now, when savvy IT managers discover that consumer-based applications like public IM or Facebook are in use on their networks, they realize that what they need is not a blocking mechanism but a good policy and some gentle reminders that help enforce it.

 

Don't get me wrong - I'm not saying you should not trust your employees. But I've believed for some time that the biggest security threat to the organization doesn't come from the outside, it comes from the company's own employees. Not because people are malicious, but because people are people.

 

Last month, we commissioned Osterman Research to survey IT managers about their concerns for information leakage, as well as their preparedness to prevent it in their organizations. The most interesting data point for me is that more IT managers are concerned about unintentional or accidental information leaks than they are about intentional leaks or data loss from malware. Surprised?
