Survey: Web 2.0 security issues cause concern

According to a recent survey, UK information security pros are concerned about the threats that Web 2.0 applications pose to their enterprises.

Unsafe use of social networking sites is causing concern among British IT security professionals who believe users should take more care, and that Web 2.0 applications leave organisations open to significant threats.

A social networking survey conducted by the Ponemon Institute LLC polled the views of 2,100 IT and security professionals in the UK, US, Australia, Japan and France.

Of the 400 UK-based professionals questioned, 49% said their users lacked security awareness when using Web 2.0 applications and rarely, if ever, took security into consideration when downloading content, browsing, uploading files, opening links or engaging in social networking at work.

The poll, commissioned by Check Point Software Technologies Ltd., asked which group should take responsibility for ensuring that Internet applications and content sharing do not affect the security posture of their organisation: users, HR, the CIO, IT security or the legal department. Although there was no clear single answer, most UK respondents said the responsibility lay with users themselves, followed by the CIO, IT security, legal and HR.

Only 11% of UK respondents felt that Web 2.0 security issues had no effect on the overall security posture of their organisation, while 58% felt they had a significant or very significant impact.

However, when asked what the biggest threats introduced by Web 2.0 applications were, UK respondents nominated workplace inefficiencies; in other words, they felt people were wasting their time on social networking sites rather than working. New viruses, malware and data loss were all considered significant, but lesser threats.

Compared with their counterparts in the US and Japan, the UK respondents seem more relaxed about Web 2.0 threats and generally do not view them as a priority.

Most respondents from the US (65%) and Japan (69%) viewed the risk as high priority, while only 43% of UK respondents agreed. The French were the least concerned, with 63% saying it was not a priority at all.

Franklyn Jones, director of European corporate and field marketing for California-based network security vendor Palo Alto Networks Inc., said many IT professionals disapproved of Web 2.0 applications because of a "fear of the unknown" and their lack of tools to manage them. "These applications are not going to go away, so the challenge is how to build policies and enforce them," Jones said. "All Web apps have a mix of risk and reward, and the goal should be to take the best of applications like Facebook and SharePoint and block off features that carry too much risk."

He said that Palo Alto's research has shown that younger users understood the risks of Web 2.0 applications, but didn't care about them.

According to Orla Cox, security operations manager for Symantec Corp.'s security response team, the best approach for enterprises is to issue detailed policies and procedures governing the use of social networking sites. "The scary thing for enterprises is the kinds of information that people divulge on social networking sites," Cox said. "We know that when targeted attacks take place, the attackers will try to get information about the company. They'll try to find a good employee to target who might have access to what they want."

She said attackers will target people who have a big footprint on the Internet, and will often be able to collect valuable information, especially when the individual leaves their profile open for others to view.

"If you are going to allow social networking, then you need a policy, and you probably need to get people to sign and agree to it," Cox said. "The policy should define information that they should not divulge, and should also ensure they have their profiles locked down and not openly available."
