Businesses failing to understand Web 2.0 risks

Analysts say use of Web 2.0 tech may necessitate a shift in focus from securing the infrastructure through which data moves to securing the data itself

Web 2.0 presents a barely understood risk to companies embracing social-networking and instant-messaging technology as business tools, and could force a change in corporate IT security and greater use of encryption.

Almost two-thirds (65 percent) of US companies do nothing to block third-party collaboration tools, such as real-time communications and information sharing, according to research from Yankee Group.

Tom Raschke, senior analyst at Forrester Research, said 25 percent of US chief information officers in a recent survey admitted that adoption of Web 2.0 tools would be a priority in 2008, even though the strategy could potentially increase areas of attack and infrastructure complexity, and the return on investment is not clear.

Raschke warned that traditional security tools, such as firewalls, do not go deep enough into rich content to determine whether it is a security risk — either incoming, as malware, or outgoing, as data leakage.

Essentially, what is needed is a shift in focus from securing the infrastructure through which data moves to securing the data itself, said Raschke.

John Meakin, group head of information security at Standard Chartered Bank, explained that the banking industry is embracing Web 2.0 tools in two ways.

Externally, banks are responding to customer demands that interactions with their bank mirror the other interactions they are used to on the internet. Internally, banks are using Web 2.0 tools to communicate and collaborate across their large organisations and many business units spread around the globe.

Meakin said: "Banks are under pressure to operate more efficiently. Web 2.0 applications help people collaborate, which, as businesses, we would be foolish to look away from. At the same time, we have to be clear we are not introducing risk into the process; our businesses are based fundamentally on trust."

Meakin noted that embracing Web 2.0 tools may mean competitive data residing outside the organisation.

Meakin said: "Banks will have to make sure they haven't lost complete control over the integrity of their data if they use Web 2.0. One way to do this is to make sure the data is encrypted. This is a limited solution because it doesn't take into account the way the security status of data can change. Financial reports, for instance, are sensitive until the day they are announced, when they [enter the] public domain. A better approach is to make sure that, even if data is accessed through something like Facebook, the data still resides within your organisation."

Meakin and Raschke were speaking at a seminar attended by financial analysts and global banks, and organised by security specialist WorkLight.