Companies underestimate Web 2.0, social networking threat, says survey

By Ron Condon, U.K. Bureau Chief
10 Jun 2009 | SearchSecurity.co.uk

Many U.K. organisations are failing to take full account of the new security threats associated with Web 2.0 and social networking technologies, a survey revealed.

The research, sponsored by Web security and filtering company Websense Inc., found that companies still rely on traditional antivirus and URL filtering to block threats from the Internet, but fail to understand the threat of infected websites, and the loss of confidential information via social networking sites.

Although websites and Web applications have increasingly become a target for hackers to plant malware, the growing threat is still not reflected in the responses of the sample of U.K. managers. Recent research from Websense Security Labs found that 70% of the top 100 most popular websites have hosted or directed users to malicious code, phishing or fraud. In the survey, however, only 12% of respondents felt those sites posed any serious threat.

Views of U.K. IT managers, according to Websense Inc.

* 12% of respondents believe the top 100 most popular sites hold the most Web security threats  (Websense research shows that 70% of the top 10 most popular sites have hosted or directed users to malicious code or other criminal activity). 

* 37% admit employees at their organisation have tried to bypass IT security policies to access Web 2.0 sites.  

* 82% have confidence in their organisations' Web 2.0 security.  

* 43% have tools in place to prevent a company's confidential data from being uploaded onto the Web.  

* 36% have tools that provide real time analysis of website content.  

* 9% are unsure of their own IT security policies.  

* 57% believe that Web 2.0 technology is necessary to their business.  

* 70% allow access to email services such as Hotmail and Gmail, as well as wikis.  

* 43% allow access to hosted business software such as Salesforce.com.  

* 75% feel under pressure to allow more access to Web 2.0 sites.

The research, which was part of a global study of 1300 companies, found that most companies are already quite liberal in allowing the use of webmail, and allow access to business-oriented social networking sites such as LinkedIn. And three-quarters of respondents said they were being pressured by the rest of the business to open up to more Web 2.0 applications.

"IT and senior level managers think they are way more protected than they actually are," said Mark Murtagh, technical director at Websense. "There are clear gaps in their organisations' security postures. … IT is struggling to deliver a framework to the business to allow employees to communicate in a rich fashion, and to do it safely and securely."

He said company managements know that staff, especially younger employees, expect to be able to communicate via multiple channels, and that these applications can deliver real business benefits.

To avoid the new threats that may arise, he said, companies need to be able to analyse websites in real-time to detect infections, and they also need to analyse the content of any material uploaded to or downloaded via social networking sites. "As a business user on LinkedIn, you could easily upload company-confidential data to showcase [your activity] to other members, for instance," Murtagh added. "Once you're granted access, the systems need to kick into another gear, and you need to inspect the nature of the content stream. At the moment, that is not taking place."

Security professionals seem to be divided about the best way to proceed. At a recent London meeting of the CSO Interchange, an informal grouping of senior security managers, 31% said they still had no policy on the use of social network sites. Of those that did have a policy, 54% said they blocked them altogether. Another 32% allowed them under controlled conditions.

The group concluded that the technology would need to be embraced, but that user education, in particular, was crucial to alert users to the dangers.

The Web 2.0 and social networking analysis, sponsored by Websense, was carried out by independent research firm Dynamic Markets, and sought opinions from 1300 senior managers in 10 countries, including 100 managers in the U.K. According to Murtagh, findings showed few differences between countries.
