Instant Messaging Can Usher in Instant Problems

But Magallanez adds that virus writers are turning an eye toward IM, upgrading worms and viruses to take advantage of IM. Magallanez says they're on the watch for malicious code that will enter computers through IM, much like it does today via email. But he also notes that some viruses out there today include instant chat clients that will -- unbeknownst to the user -- connect to a live chat room and wait for instructions from the virus writer.

Dan Woolley, a vice president at SilentRunner, a network security company, says instant messaging has been a security concern ever since it hit desktops. And with proof-of-concept viruses hitting IM more and more frequently, he says that concern is increasing.

''We've been concerned for a long time about instant messaging,'' says Woolley, adding that viruses are only part of the problem. ''IT managers have to remember that when a user carries on a discussion with the person in the cube right next to him, if it's not a corporate mechanism, it doesn't go from one computer right next door to the other one. It goes out of the corporate network and across different networks and then back to the other person's desk. Whatever is being transmitted is being transmitted in the clear.''

Russ Cooper, surgeon general for TruSecure, Corp. a security company based in Virginia, says there have been few security vulnerabilities in the major IM products, and viruses and spammers are just gearing up for it. The immediate threat is in-house communications, which could very well contain critical corporate information, traveling through outside networks.

''From a corporate secrets perspective, it's probably not what you want happening,'' says Cooper. ''It's likely that somebody will try to eaves drop on important conversations... So far we have not seen that type of action on a large scale but the possibility exists.''

Analysts say a surefire way to avoid that problem, along with IM viruses and spam, is simply to not allow users to install IM on their machines. Make it a policy. Enforce it. And just to be safe, block it from the network.

But analysts also say they realize that may be too restrictive for many companies. Another way to avoid that problem is for a company to standardize on an IM product designed for corporate use -- one with security features, like encryption, and an in-house server to keep private communications private.

''Adopting a standard and having your own instant messaging server -- the advantage is that it's completely under your control,'' says TruSecures Cooper. ''Instead of allowing any Tom, Dick and Harry to connect to the IM system we're using, I can keep this just for my end users. You then have control over who has access to information.''

Gordon Haff, a senior analyst at Illuminata, an industry analyst firm based in Nashua, N.H., says IM should be treated just like email. IT leaders need to sit down and form policies governing instant messaging.

''It's not that companies shouldn't use AOL Instant Messaging, but they need to include IM in their company usage policy,'' says Haff. ''It's a company resource. Excessive use, trading dirty jokes -- it should all be part of the policy... People need to be aware that there's a potential for certain types of problems and they need to follow basic, safe-computing practices.''

Gartner's Stiennon also recommends that users set it up so their IM will only receive messages from people on their Buddy List. Remind users, he also warns, not to click on anything that is sent over IM -- just as they wouldn't with email.

''I think most enterprises have to start looking at this today,'' says Stiennon. ''The productivity gains from IM are there, so if we're doing it securely, we're getting all the benefits.''