Does Web 2.0 mean Threat 2.0?

By Alan Calder, Chief Executive of IT Governance Limited

All manner of companies are beginning to adopt Web 2.0 technologies, encouraging employee blogs, customer forums, greater use of multi-media content and images and self-created encyclopaedias (or ‘wikis’). As with all new technologies, there are issues, argues Alan Calder, Chief Executive of information security experts IT Governance Limited.

First and foremost, privacy – the rapid growth of social networking has meant the risk of harmful private information or compromising materials being published is far greater. There are also technical Web 2.0 security issues – like the recent Facebook and MySpace worm – which are only the start of what might be called Threat 2.0.

Part of the excitement about Web 2.0 technologies is that they have such widespread personal adoption. A survey carried out by IT Governance in May of this year showed that over 39% of people who responded are typically on a Web 2.0 site for more than an hour every day. This is especially true for the 16 to 25-year-old demographic. These people, now entering the workforce in appreciable numbers, think e-mail is outdated; they want instant messaging, they expect to talk to their friends about what they did last night online, sharing photos, music files, bits of video – whatever they can manipulate digitally, it seems.

What to do about this, if you're an employer? Social networking is a challenge. Your staff are spending work time doing all this. And the danger is, of course, that confidential corporate data and protected personal information could very easily find its way into the public domain via this sort of largely unsupervised electronic interaction, along with the embarrassing shot of a member of staff after one too many drinks.

The threats associated with Web 2.0 are not clearly understood, but range across the whole gamut from regulatory and compliance issues to electronic and cyber attack.

Connotations of 'friendship' mean that Web 2.0 users are lulled into a false sense of security – and because the web service is free, users assume that it is acceptable, safe and compliant with data protection and privacy regulations. That’s a dangerous and usually unfounded assumption.

Also, the security settings for personal and sensitive data on social networking sites are not transparent. This means that individuals are not immediately aware of how much of their information is accessible to possibly unwanted third parties. Malware (worms, Trojans and spyware) can be spread, for example, via the (so far!) 25,000 different free third-party applications available for users of Facebook.

And what goes 'out there' tends to stay there – Facebook accounts cannot be deleted, for example. This sort of easy-to-acquire personal data, as well as professional information on the Web like CVs and previous employers, is an open door for conmen to steal individual identities. And that rule applies to corporate information, in terms of data leakage and also exposure of what businesses want to keep inside the firewall.

So any company looking at this way of opening up to the outside world needs to consider how Web 2.0 could lead to the risk of litigation, significant brand damage or other privacy and data protection transgressions.

A very natural impulse is to just put controls in place to regulate Web 2.0 use. The negative aspect of this approach is that it may prevent staff from carrying out tasks that they need to do in order to do their jobs and work effectively. Web 2.0 enables a multi-directional sharing of information. This offers enormous business benefit – by helping people share knowledge. In any case, Web 2.0 is now embedded in the cultural DNA of tomorrow’s workforce. The best and brightest of tomorrow’s workers will gravitate toward organisations which embrace these new working and social practices.

So how to get the mix of controls and access right? Identify those Web 2.0 technologies that could be usefully deployed, together with a realistic description of the benefits and of the current and future risks staff could open you up to (e.g. data 'leakage' and reputation damage), and set out an appropriate risk management strategy.

Doing this will enable managers to offer staff the more information-rich and agile way of working and operating they crave – and curb the risks, so you will not miss out on one of the biggest changes in working and social practice in our lifetimes.

IT Governance Ltd is exhibiting at Infosecurity Europe 2009, the No. 1 industry event in Europe held on 28th – 30th April in its new venue Earl’s Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk

Alan Calder is chief executive of IT Governance Limited (www.itgovernance.co.uk), an organisation offering a range of information security resources. Alan has recently published a special report on the issues outlined in this article, ‘Web 2.0: Trends, Benefits & Risks,' which is available from http://www.itgovernance.co.uk/products/1800

Source: Infosecurity PR