Columns
Energy company puts juice into monitoring IM
- By Mathew Schwartz
- January 1, 2006
Is your company's use of instant
messaging secure? Does it meet regulatory
requirements?
That's what Kansas' largest electric
utility Westar Energy wanted to know.
Although many employees sent and received
IM, the company had no official policies
regarding its use. Given the threat from
outside attacks, spam sent over IM (SPIM),
and the need to monitor energy-trading transactions
for regulatory reasons, however, Westar
began to evaluate IM monitoring tools.
Experts say more orgs now employ such
technology, especially in regulated industries.
Lack of an IM policy can produce problems
during a legal-discovery process. For example,
what if an executive logs IM conversations locally,
yet the company at large doesn't? Abusiness
can put itself at risk by not having an
authoritative record of IM communications.
Even so, many orgs still turn a blind eye to IM.
Lack of IM controls opens orgs to technical
as well as legal liabilities. A study by the
American Management Association and the
ePolicy Institute, which surveyed 840 companies,
found 2 out of 3 employees used IM.
How IM was used may fall afoul of most orgs'
security or human resources groups. The
study found 19 percent of respondents said
they used IM to send attachments; 9 percent
admitted to swapping some kind of confidential
information over IM; and 6 percent
used it to send sexual, romantic or pornographic
content.
Policing IM
To implement IM monitoring, experts recommend
a three-step approach: understand who
uses IM, develop and publicize policies for acceptable
use, then implement technology to
track, monitor and enforce acceptable use.
With this advice in mind, Randy Meinholdt,
the IBM WebSphere administrator
for Westar, studied how employees used IM.
Instant messaging was used within Westar,
and it was used externally by energy traders.
In addition, he found a total of four IM
clients in use: AOL IM, Yahoo, MSN Messenger
and Lotus Sametime.
IM use hadn't been prohibited.
So before Westar would decide
whether to monitor it, Meinholdt
turned to peers for advice. "I spoke
with three other energy companies
during my [product] evaluation," he
recalls. "They all had implemented IM monitoring products."
As a result, Westar began moving toward adopting an
IM monitoring product.
Eventually, Meinholdt's short list included products from
Akonix, FaceTime and IMlogic. Comparing the three, he
says, "IMlogic seemed to be very similar to Akonix." Face-
Time used an external appliance, but Westar didn't want to
go the appliance route. The energy company was most impressed
with the Akonix Enforcer, especially the supplier's
responses to their queries.
"We began using Akonix as a demonstration product on a
single server," recalls Meinholdt."The basic install was very
easy," he adds. Overall the company is happy with the product.
"There have been issues from time to time on configuration,
but Akonix has been very responsive to our needs," he says.
"[We] had a bit of trouble implementing a second backup server
at another location." Akonix helped solve the problem.
Although the Enforcer offers extensive security features,
Meinholdt says, "We are still learning as we go." What he especially
likes about the product are the automatic updates for
SPIM and malware. In addition to monitoring outside threats,
Westar uses Enforcer to block any unsafe peer-to-peer activity
inside the company.
Westar has standardized on the four IM clients its employees
already use. For the future, Meinhardt has one major
product request. "We would like to see Akonix make the product
available on Linux servers," he says.
ILLUSTRATION BY COLIN JOHNSON