Take the example of instant messaging (IM). IM, in its various forms (MSN, Yahoo and AOL being the most common), is increasingly being used within business. Sometimes IM is the most appropriate method of conversation, especially when the parties are geographically distant or when there are more than two of them and international telephone conferencing would be an expensive alternative.
I was recently discussing a software issue with three people, one in Paris, one in London, and the other in the USA. We used IM clients over the Internet. Not only did this achieve the communication required but it also allowed us to review and digest what each person said in real-time. To achieve the equivalent by phone would have involved two costly international phone calls and possibly an expensive third-party conference service. Clearly, some forms of two-way communication beyond the voice telephone have some business advantages.
Why then are some organizations attempting to prevent this kind of interaction?
IM (and other systems such as VoIP and desk-to-desk videoconferencing) is considered an "electronic communications" method by compliance regulators such as the SEC and the FSA. Regulations issued or enforced by these bodies require that all electronic communications, not just email as has traditionally been assumed, be retained for three years or more on a readily available, non-erasable medium. Furthermore, scrutiny from these bodies is (understandably) focusing on "new" methods of electronic communication, as these new methods open up new liabilities.
Because users can encrypt IM conversations, and because Basel II and other European regulations impose similar retrieval and storage requirements, some organizations have decided to block the use of IM so that they do not have to deal with the monitoring issue. Many companies try to prevent their employees from using IM because, while they know that employees' email, webmail and website visits can be tracked, they are uncertain how IM can be monitored. In fact, with the right tools, all electronic communications can be recorded, archived and retrieved cost-effectively.
Blocking IM is as short-sighted as smashing Gutenberg's printing presses in the 1450s to try to prevent the widespread distribution of books. We would do better both to embrace new communications technologies (and all the benefits they bring) and to find ways of achieving compliance. There is no reason why we cannot implement a Public Key Infrastructure (PKI) so that encrypted communications can, when necessary, be read using a recovery key held by the organization. We can then achieve compliance by recording the encrypted communications as they are; they can be decrypted later if required, either by the organization or by a court of competent jurisdiction.
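One way to realise the recovery-key arrangement described above, as an added example that is not code from this article or from Chronicle Solutions: each message is sealed under a fresh content key, and that key is wrapped once for the recipient and once for the organization's recovery key, so the archive can hold only ciphertext and still be read back later by either party and by nobody else. The AES-GCM/RSA-OAEP construction, the ArchivedMessage record and the function names are assumptions made for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// ArchivedMessage is a hypothetical archive record: the IM body sealed with a
// one-time AES-GCM key, plus that key wrapped (RSA-OAEP) once for the
// recipient and once for the organization's recovery key.
type ArchivedMessage struct {
	Nonce, Ciphertext, WrappedForRecipient, WrappedForRecovery []byte
}

// Encrypt seals one message so that the recipient or the recovery key holder,
// and nobody else, can open the archived copy later.
func Encrypt(msg []byte, recipient, recovery *rsa.PublicKey) (*ArchivedMessage, error) {
	buf := make([]byte, 32+12) // fresh 256-bit content key and 96-bit nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	wr, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	if err != nil {
		return nil, err
	}
	wo, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recovery, key, nil)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key) // cannot fail for a 32-byte key
	g, _ := cipher.NewGCM(block)
	return &ArchivedMessage{nonce, g.Seal(nil, nonce, msg, nil), wr, wo}, nil
}

// Decrypt tries both wrapped copies of the content key against priv: the
// recipient's key and the recovery key succeed, any other key is refused.
func Decrypt(m *ArchivedMessage, priv *rsa.PrivateKey) ([]byte, error) {
	for _, w := range [][]byte{m.WrappedForRecipient, m.WrappedForRecovery} {
		if key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, w, nil); err == nil {
			block, _ := aes.NewCipher(key) // key came from our own wrap: 32 bytes
			g, _ := cipher.NewGCM(block)
			return g.Open(nil, m.Nonce, m.Ciphertext, nil) // fails if tampered
		}
	}
	return nil, rsa.ErrDecryption
}
```

Because the archive stores the wrapped keys alongside the ciphertext, a later investigation needs only the organization's recovery private key, never the user's.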
By implementing systems to record, secure and archive electronic communications of all types, we can allow business practices to evolve while still meeting compliance requirements. By monitoring and alerting on suspicious content in all kinds of electronic communications, including IM, we can be made aware of potential issues, and by using retrieval and replay we can make sensible decisions during investigations and so make them more effective.
Once a suitable solution is deployed and an appropriate acceptable use policy (AUP) is in place, an organization can worry less about the rigors of compliance and start to embrace the revolution that these new methods of electronic communication can bring to its business.
Melville J Carrie MBCS MIoD is VP, Research and Development at Chronicle Solutions (UK) Plc.