A social networking survey conducted by the Ponemon Institute LLC polled the views of 2,100 IT and security professionals in the UK, US, Australia, Japan and France.
The poll, commissioned by Check Point Software Technologies Ltd., asked which group should take responsibility for ensuring that Internet applications and content sharing do not affect the security posture of their organisation: users, HR, the CIO, IT security or the legal department. Although there was no clear single answer, most UK respondents said the responsibility lay with users themselves, followed by the CIO, IT security, legal and HR.
Only 11% of UK respondents felt that Web 2.0 security issues had no effect on the overall security posture of their organisation, while 58% felt they had a significant or very significant impact.
However, when asked what the biggest threats introduced by Web 2.0 applications were, UK respondents nominated workplace inefficiencies; in other words, they felt people were wasting their time on social networking sites rather than working. New viruses, malware and data loss were all considered significant but lesser threats.
Compared with their counterparts in the US and Japan, the UK respondents seem more relaxed about Web 2.0 threats and generally do not view them as a priority.
Most respondents from the US (65%) and Japan (69%) viewed the risk as high priority, while only 43% of UK respondents agreed. The French were the least concerned, with 63% saying it was not a priority at all.
Franklyn Jones, director of European corporate and field marketing for California-based network security vendor Palo Alto Networks Inc., said many IT professionals disapproved of Web 2.0 applications because of a "fear of the unknown" and their lack of tools to manage them. "These applications are not going to go away, so the challenge is how to build policies and enforce them," Jones said. "All Web apps have a mix of risk and reward, and the goal should be to take the best of applications like Facebook and SharePoint and block off features that carry too much risk."
He said that Palo Alto's research has shown that younger users understood the risks of Web 2.0 applications, but didn't care about them.
According to Orla Cox, security operations manager for Symantec Corp.'s security response team, the best approach for enterprises is to issue detailed policies and procedures governing the use of social networking sites. "The scary thing for enterprises is the kinds of information that people divulge on social networking sites," Cox said. "We know that when targeted attacks take place, the attackers will try to get information about the company. They'll try to find a good employee to target who might have access to what they want."
She said attackers will target people who have a big footprint on the Internet, and will often be able to collect valuable information, especially when the individual leaves their profile open for others to view.
"If you are going to allow social networking, then you need a policy, and you probably need to get people to sign and agree to it," Cox said. "The policy should define information that they should not divulge, and should also ensure they have their profiles locked down and not openly available."