Effusia Blog

When we started Liquid in 2001, instant messaging was still a relatively new phenomenon in most office environments. At the time there was much debate in the IT press as well as mainstream media as to whether the inevitable introduction of IM corporate life would help or hurt productivity. As we began to talk with potential customers about Effusia, many managers we spoke with were excited about the potential of the technology but several maintained serious reservations. Of this (generally hardcore) minority, one of the most common concerns was the perceived “interruptiveness” of IM; the feeling being that workers would not be able to complete “real” tasks without having to stop every five minutes to attend to some distracting and unwanted flashing window.

Six years on from these initial conversations, our experiences has been that the fear of IM interruption has decreased dramatically as managers have come around to the idea that the benefits gained from instant communication generally outweigh the downsides. Now, a new paper titled IM=Interruption Management? Instant Messaging and Disruption in the Workplace published in the Journal of Computer Mediated Communication by R. Kelly Garrett from Ohio State and James N. Danziger from UC Irvine casts some academic light on our anecdotal experience of the last several years.

Garrett and Danziger surveyed 912 people who fit their criteria of “computer-using workers” to find out more about how they use (and perceive) IM in the workplace. Their main hypothesis was the somewhat counterintuitive idea that IM users would actually report feeling less interrupted. Turns out, it seems this is true. Though they found that IM users report having just as much work communication as non-IM users, they actually reported fewer interruptions. This is surprising until one starts to think that maybe the features of IM technologies actually empower people to manage interruptions more easily than with other technologies. The authors provide some insight into scenarios we’ve all experienced as IM users:

Nardi and her colleagues (2000) suggest that IM actually provides increased opportunities for negotiating the timing of interactions. From the sender’s point of view, IM provides a relatively unobtrusive way to test availability. The sender does not need to be as concerned about when to initiate communication, because he or she knows that the recipient can ignore or dismiss the IM notification easily or can provide an explicit indication of status quickly (e.g., “I’m busy right now. Can we talk in 15 minutes?”). Although an IM pop-up is disruptive, it is not as distracting as an inopportune telephone call or an unexpected office visit.

And also:

…because the presence awareness functionality provided by IM clients is generally quite limited, ignoring an incoming IM is often socially acceptable. Thus IM offers the recipient “plausible deniability” (Nardi et al., 2000, p. 84), because a non-response might simply mean that the person is away from the computer.

As a member of several IM-using organizations, I can say from experience that this “ping” approach is extremely common. Most of my conversations (both started by me and started by someone else) begin with a simple “there?” message. The great thing about the ping is it allows the receiving party to opt-out of the conversation gracefully. It’s perfectly ok to ignore the ping message for a little bit (but not too long) or respond with a “yes, but busy”. It’s a tacit acknowledgment of the fact that the sender’s desired conversation may not be the most important thing the recipient has going at the moment.

Basically, IM affords users the “power to ignore” in a way that other interactions do not. You can’t pretend not to hear an office-mate’s question as they stand in your doorway as that would be considered very rude. I would also venture to say that we’ve been conditioned our entire lives to pick up a ringing phone. Though it may briefly grab your attention, that blinking window in the corner of your screen can be dismissed in a way an uninvited co-worker cannot. Go forth and use the power to ignore, but do it wisely.

I’d like to introduce you to our ongoing series of blog posts about using public instant messaging applications in your business. First, let me make clear what I mean when I talk about public IM applications. These are free applications designed for consumers to use on their home computers for quick communication with friends and family. When your kids aren’t texting each other on their phones, they’re using these to communicate. We’re talking about AOL Instant Messenger (AIM), Yahoo! Messenger, Google Chat and the like. Now, given that we sell a secure business instant messenger and we’re calling this “Public IM Perils” we obviously already have an opinion on this issue. However, we’re not here to throw out a lot of FUD; instead we’d like to give you some things to think about when choosing what’s right for your business (and sometimes that is public IM).

What is social engineering?

Sarah Granger’s article on the subject, Social Engineering Fundamentals, Part 1: Hacker Tactics at Security Focus defines it like so:

…social engineering is generally a hacker’s clever manipulation of the natural human tendency to trust. The hacker’s goal is to obtain information that will allow him/her to gain unauthorized access to a valued system and the information that resides on that system.

So basically social engineering is not about engineering at all, it’s a good old fashioned con. Basically hackers convince people to do something that’s a bad idea for plausible sounding reasons. It’s no different than con artists who get Grandma to pay for a driveway repaving that never happens. It just so happens that social engineering usually involves some kind of technology.

So what does this have to do with Public IM?

One of the first things a social engineer needs to work his magic is access to someone on the inside. Public IM is all about access. With public IM your users can be talking to anyone at any time about anything. As a business owner or IT department you don’t control who’s allowed on the system and you don’t control your user’s contact lists. Even if your users aren’t actively engaging in talking to nefarious outsiders (of course they aren’t!), it’s relatively easy for these outsiders to lookup your users in public directories and contact them. In fact this is how many of the so-called IM viruses actually work. PC world discusses these types of viruses here. A man even lost his job due to one.

What are the risks?

There are two major risks with these types of social engineering attacks: loss of information and actual damage to your internal IT systems. When a social engineering hacker or a virus written by one targets a user, that user may inadvertently give up all sorts of proprietary information that your company doesn’t want released. Not only do most public IM apps permit the transfer of information in the form of messages, they permit file transfers as well. So you’re not just at risk of an employee saying something you’d rather not be said, but that employee could send documents to outsiders as well. As for your IT systems, public IM provides yet another “attack vector” like email. A message with the appropriate wording could convince a user to click on a link which executes a malicious file or takes the user to a dangerous website.

Mitigating the risks

One of the draws of public IM is its openness. It makes it very easy to communicate with people outside your organization. The big caveat is it leaves your users and your company open to social engineering attacks from people who exploit this openness. To combat this, we’d suggest using a secure, internal IM system like Effusia Business Messenger (but you knew we’d say that). If you don’t choose to do that, make sure you’ve educated your users about the risks. Make sure they know the following:

• Don’t click on links sent by unknown people
• Don’t open or download files sent from unknown people
• Don’t send files or privileged information to other users via public IM systems

Bottom line, if you’re using public IM in your business, your users should follow that timeworn motherly advice: “Don’t talk to strangers”.