Businesses had better address enterprise instant-messaging issues now or run the risk of allowing IM to proliferate within the company without rules and safeguards, a Yankee Group report released Tuesday said.

In its "Vendors Race To Get A Piece Of The Enterprise IM Market" report, the advisory firm lays out the case for enterprise instant messaging, notes that unsupervised instant messaging can potentially prove catastrophic for businesses, and outlines several recommendations that companies can use to make intelligent enterprise IM decisions.

According to the Yankee Group, there are more than 25 million business users of instant messaging in the United States, the bulk of them "stealth IMers" using public networks such as MSN, Yahoo, and America Online without the knowledge of the IT department. What's the enterprise to do?

"Companies need to take action to manage any IM use. They have to recognize that it's happening and take steps to minimize risk," says Paul Ritter, program manager of the Yankee Group's Internet business strategies.

Among the problems Ritter cites with unwatched IM are the lack of audit trails, logging, and archiving; employee use of anonymous screen names; and file attachments delivered via IM (a feature found in all public IM services), which could let viruses and worms into a company's systems.

Ritter recommends that companies develop a written IM strategy and implementation plan to get ahead of the curve.

"Enterprises realize that employees will use instant messaging while at work," Ritter says. "The question is not whether to allow such use but how to manage and track it to the best advantage of the corporation." The two worst things a company can do are block IM entirely--eliminating both the potential problem but also the benefit--and do nothing.

Companies that face regulatory requirements to track and archive instant messages (and retrieve if necessary) are particularly at risk, Ritter says in the report, even if the fines for noncompliance aren't leveled for some time. "The communications occurring today could be the ones that create the problem," he says.

But even companies not forced to log every communiqué should realize the potential problems that unmonitored instant messaging can cause.

"Companies without IM supervision have no ability to know what communication takes place between employees and outsiders, and what files are coming into the enterprise as IM attachments and what files are leaving," Ritter says. He contrasts that with business E-mail, which provides these kinds of controls and audit trails.

The choice of an IM vendor may hinge on whether the company wants to give employees access only to people within the organization or also make it possible for them to IM customers, partners, and suppliers, Ritter says. If IM is to be used only within the firewall, server-based IM systems, such as those from Lotus (Sametime) and Microsoft (Exchange 2000 IM and the upcoming Greenwich) are smart picks, he says.

Tying the company to a public network such as Yahoo or AOL is not the right idea. Not only does that bring up the interoperability problem--even with progress in setting standards, true interoperability is not likely before year's end--but it limits choices down the road. "Companies that tie their IM future to one public IM vendor will likely regret that decision when they change their plans and opt for a multinetwork solution," Ritter says.

As an alternative, the Yankee Group report suggests that companies wanting to offer employees access to IM outside the firewall look into products that bridge several IM services and standards. Among the most visible products, Ritter says, are IMlogic Inc.'s IM Manager and FaceTime Communications Inc.'s IM Director, which partner with a variety of public services and server-based IM.