Web 2.0 disruptive, but necessary to business

Once cool, hip tools for the young, social-networking sites and other Web 2.0 applications are fast becoming essential business tools that can help drive productivity and reduce communication costs. But what about the security risks?
Written by Eileen Yu, Senior Contributing Editor
Once cool, hip tools for the young, social-networking sites and other Web 2.0 applications are fast becoming essential business tools that can help drive productivity and reduce communication costs. However, they also carry inherent security risks that may be overlooked by enterprises.

Competitive advantage can be gained by businesses looking to improve work processes through new technology such as those provided by Web 2.0 tools. However, in order to realize these benefits, companies must be prepared to restructure, said Andrew Walls, Gartner's research director of security, risk and privacy.

"Web 2.0 is a disruptive technology that leads to alterations in the way business is conducted and managed," Walls said.

So disruptive that even the U.S. government was prompted to re-examine its policy.

In February, U.S. congressman and a ranking member of the country's House Intelligence Committee, Pete Hoekstra, drummed up much controversy for using microblogging site Twitter to post real-time updates detailing the location of a secret congressional envoy in Iraq. His posts included when the delegation arrived in Baghdad, and when it was at the U.S. embassy.

Hoekstra's oversight prompted the Pentagon to re-evaluate its current policy and identify different ways to communicate the non-disclosure policy that applies to traveling delegates.

As society grows more dependent on Web 2.0 tools for work and personal enrichment, there are more opportunities for unethical acts and security loopholes for malicious hackers to exploit, said Koh Hong Eng, global government industry director of public safety and criminal justice, Sun Microsystems.

"While it is important for politicians to keep in touch with their constituents, they must be mindful that they are also high-value targets in the eyes of terrorists and organized criminals," Koh said in an e-mail interview. "Efforts by security personnel to protect their [charges] will be compromised greatly if the latter broadcast their whereabouts and activities via non-traditional media."

"If politicians, indeed, see value in communicating such information, then I think they ought to do it after they've left the location or completed the activities," he said.

Steve Hodgkinson, Ovum's research director for public sector, noted that accidental disclosure of confidential information on social networks such as LinkedIn, Facebook and blogs is the security threat most often highlighted. These are usually platforms for more casual conversations, so the threat arises when individuals are imprudent with what they disclose in public, Hodgkinson said in an e-mail interview.

The ease and immediacy that Twitter provides can lead to mistakes, and that is where the danger lies, he said. The analyst added that politicians who leverage the microblogging site need to recognize the rules of what they should or should not say.

As with other security issues, human error is a critical component.

Twitter, by itself, does not present unique security issues, Walls told ZDNet Asia in an e-mail.

"Like all forms of communication, use of technology must be based on an assessment of the risks created by the use of that technology," Walls explained. "Users must be informed of appropriate applications of the technology, and their use must be monitored by appropriate security staff to ensure compliance and to identify risky practices."

Security, he added, is fundamentally a human issue. Walls explained that Web 2.0 allows users to rapidly disseminate information through various tools and to a wide variety of users, so much so that the level of speed and reach is often beyond a user's anticipation.

For example, he noted that most people are surprised when their postings on a social network receive comments and feedback from apparent strangers. This lack of anticipation indicates that users act before they fully understand the consequences of their actions, and this can generate unexpected security issues.

Arun Chandrasekaran, industry manager with Frost & Sullivan, said: "Users are definitely the weakest link from a risk perspective."

With Web 2.0 technologies infiltrating the workplace, it is increasingly pertinent to instill the right employee mentality and attitude regarding the usage of such tools, Chandrasekaran said in an e-mail.

Hodgkinson said: "A more insidious threat is where employees use Web 2.0 platforms for work-related tasks, for example, using Zoho Wiki as a group collaboration platform. There are risks related to sensitive data being outside the firewall and corporate policy control, and risk of downloaded browser plugins and widgets containing malware."

Eric Hoh, Symantec's vice president for Asia South, said malware can be introduced into corporate networks when employees access compromised Web 2.0 sites or fall victim to targeted social engineering attacks propagated through Web 2.0 mechanisms.

For example, people often divulge considerable amounts of personal information on blogs and social-networking sites, including details about their employment, Hoh told ZDNet Asia in an e-mail. Attackers can gather and leverage this information to carry out targeted social engineering attacks, tricking victims into downloading malware or divulging sensitive company information, he added.

Don't block a business necessity
Companies in Asia, it seems, are not taking any chances when securing their networks.

According to Gartner, 70 to 80 percent of businesses in the Asia-Pacific region block access to social networks at the workplace. However, it is "very unusual" for companies to block all Web 2.0 applications, Walls said.

"Web 2.0 techniques are used in a wide array of application environments, both internal and external, and provide strong functionality that supports key business processes," he said. "It is important to realize that blocking user access to innovative technology is only a temporary measure. Eventually, each organization must find a way to take advantage of new technology while maintaining appropriate levels of security. Blocking is not a long-term security solution."

Hodgkinson agreed, noting that a blanket ban is pointless and not feasible because offices with knowledge workers need to allow these employees to utilize Web 2.0 applications to drive innovation.

However, security measures must be in place to monitor such access.

Paul Wood, Symantec's senior analyst for MessageLabs Intelligence, said that while the use of social-networking, social bookmarking or microblogging sites is a personal choice, it must be governed by corporate guidelines and user policies.

Depending on each company's needs, it may be appropriate with the right level of training and policy to allow access to Web 2.0 applications, Wood said in an e-mail. "Some companies may deem it appropriate to block access to everyone, bar a few departments, typically R&D and HR, in order for them to monitor online profiles of prospective candidates.

"Provide guidelines about what can be shared and written, as well as how to conduct oneself online when representing a professional business," he said. "Technology is also key in order to manage and monitor the implementation of any policies."

Because Web 2.0 tools encourage and support high-speed development and deployment that can be applied by staff outside the organization, they can also lead to major security flaws. Walls said this Web 2.0 environment can facilitate much innovation, but the lack of development process controls and insufficient planning in such tools poses major security risks.

He noted that while a growing number of companies are expanding existing security policies to include social media and other Web 2.0 tools, most of these policy statements fail to address core human issues that encourage the development of such applications.

Policies must address the motivations for user participation and not simply prohibit such activities, he said, adding that even where Web 2.0 access has been outlawed, employees have found ways to circumvent security blocks and policies.

Calling on higher authority
To better address security risks from Web 2.0 adoption, Chandrasekaran believes governments have a broader role to play in ensuring the privacy of user data. He explained that cybersecurity is "a shared responsibility" between the government, businesses and citizens, where the government can help create an agenda encompassing aspects such as user awareness, training, legal framework and incident response systems.

Hoh concurred: "Governments have an active role to play in fostering cyber legislative frameworks and providing law enforcement officials with the tools they need to combat today's sophisticated cybercriminals."

However, it is not simply a question of implementing government regulations and law enforcement.

Walls believes, in general, that law enforcement "often suffers more from insufficient funding, technical resources and staffing" than from a lack of laws to enforce.

According to Wood, legislation can also hamper the market.

He explained that legislation is "a slow, blunt instrument" that could hamper ISPs that have to compete in a global economy, where one country adopts a different approach to another.

Moreover, some ISPs may choose to be proactive and responsible about adhering to the regulation, while others simply do the bare legal minimum, he noted. In addition, legislation often lags behind rapidly changing technology, Wood added.

Hoh said: "Effective security is a combination of technology, people and processes. Technology is just part of the equation and in many security breaches."

Just like in the physical world, caution and common sense should also prevail in the online world, he said.

This article was originally posted on ZDNet Asia.