Companies underestimate Web 2.0, social networking threat, says survey

The research, sponsored by Web security and filtering company Websense Inc., found that companies still rely on traditional antivirus and URL filtering to block threats from the Internet, but fail to understand the threat of infected websites, and the loss of confidential information via social networking sites.

Although websites and Web applications have increasingly become a target for hackers to plant malware, the growing threat is still not reflected in the responses of the sample of U.K. managers. Recent research from Websense Security Labs found that 70% of the top 100 most popular websites have hosted or directed users to malicious code, phishing or fraud. In the survey, however, only 12% of respondents felt those sites posed any serious threat.

Views of U.K. IT managers, according to Websense Inc. * 12% of respondents believe the top 100 most popular sites hold the most Web security threats  (Websense research shows that 70% of the top 10 most popular sites have hosted or directed users to malicious code or other criminal activity).  * 37% admit employees at their organisation have tried to bypass IT security policies to access Web 2.0 sites.   * 82% have confidence in their organisations' Web 2.0 security.   * 43% have tools in place to prevent a company's confidential data from being uploaded onto the Web.   * 36% have tools that provide real time analysis of website content.   * 9% are unsure of their own IT security policies.   * 57% believe that Web 2.0 technology is necessary to their business.   * 70% allow access to email services such as Hotmail and Gmail, as well as wikis.   * 43% allow access to hosted business software such as Salesforce.com.   * 75% feel under pressure to allow more access to Web 2.0 sites.

"IT and senior level managers think they are way more protected than they actually are," said Mark Murtagh, technical director at Websense. "There are clear gaps in their organisations' security postures. … IT is struggling to deliver a framework to the business to allow employees to communicate in a rich fashion, and to do it safely and securely."

He said company managements know that staff, especially younger employees, expect to be able to communicate via multiple channels, and that these applications can deliver real business benefits.

To avoid the new threats that may arise, he said, companies need to be able to analyse websites in real-time to detect infections, and they also need to analyse the content of any material uploaded to or downloaded via social networking sites. "As a business user on LinkedIn, you could easily upload company-confidential data to showcase [your activity] to other members, for instance," Murtagh added. "Once you're granted access, the systems need to kick into another gear, and you need to inspect the nature of the content stream. At the moment, that is not taking place."

Security professionals seem to be divided about the best way to proceed. At a recent London meeting of the CSO Interchange, an informal grouping of senior security managers, 31% said they still had no policy on the use of social network sites. Of those that did have a policy, 54% said they blocked them altogether. Another 32% allowed them under controlled conditions.

The group concluded that the technology would need to be embraced, but that user education, in particular, was crucial to alert them to the dangers.

The Web 2.0 and social networking analysis, sponsored by Websense, was carried out by independent research firm Dynamic Markets, and sought opinions from 1300 senior managers in 10 countries, including 100 managers in the U.K. According to Murtagh, findings showed few differences between countries.