While Internet and e-mail usage policies are the norm in today"s workplace companies are yet to respond to instant messaging (IM) technology.

In fact, access policies for IM and peer-to-peer applications are being ignored despite the threat potential it creates for IT managers.

In a survey undertaken by SurfControl"s Global Internet Threat Center, 90 percent of the respondents said they had an Internet access policy, but 49 percent had no policy concerning the use of IM.

SurfControl Australia managing director Charles Heunemann, said that IM, when left ungoverned, is an easy vehicle for accidental or malicious disclosure of sensitive corporate data.

"Clearly, companies must combine detailed, accepted-use policies with effective technology to manage IM in the workplace," he said.

IDC senior software analyst, Megan Dahlgren, said IM is still being used for personal reasons in most Australian organizations.

"I think as far as security is concerned, it"s limited in its seriousness at the present moment, but there is a vulnerability opportunity," Dahlgren said, adding that IT managers have more immediate issues to focus on.

"IT departments focus on what"s critical, and IM hasn"t been a critical vulnerability and it is only now becoming commonly used," Dahlgren said.

IT managers who spoke to Computerworld admitted IM was widely used in their organizations but they hadn"t implemented policies.

"The focus right now is on mobiles, e-mail and handheld devices. IM is one of those technologies that is moving faster than policy," one IT manager said.

"Both IM and PDAs were introduced by employees for personal use long before we had a chance to formulate a policy to deal with it."