Risk Management in Web 2.0

We Are Atomic Fund
Atomic Fund
6 min read · Jan 19, 2018

Interaction, openness, knowledge-sharing and malleability are the new online currency. The World Wide Web has always represented a security challenge, but with the emergence of Web 2.0, the next generation of internet-based services that emphasizes social interaction and user-driven content, and its dependence on open-ended, user-generated content, things just got even more complex.

The migration of consumer-oriented Web 2.0 tools into the corporate enterprise, such as the use of social networking sites like Facebook, YouTube, Craigslist, Flickr and Wikipedia, in addition to the proliferation of blogs, RSS feeds and other emerging technologies, introduces an entirely new level of risk.

Web 1.0 vs Web 2.0

Ultimately, it’s the social and interactive nature of Web 2.0 technologies that makes them inherently difficult to secure. Couple that with the rate at which new widgets and applications are being created and launched, and you have a potential catastrophe in the making for the unprepared.

Ready or Not

In addition to using them for personal reasons, workers and companies are increasingly embracing Web 2.0 tools as legitimate and useful business tools. The term Enterprise 2.0 has already been coined, and terms such as “enterprise social computing” are being used to label the adoption of Web 2.0 by companies.

According to Nemertes Research, 18% of organizations currently use sites, 32% use wikis (collections of web pages that everyone can change or contribute to) and 23% use RSS feeds. These figures are expected to grow quickly, with major analyst firms like Gartner, the Radicati Group and Forrester Research predicting that business spending on Web 2.0 enterprise social software could reach around $4.6 billion by 2013. The famously secretive CIA even recently launched an internal wiki named Intellipedia to capture intelligence gathered from its international network of field agents and internal researchers.

Web 2.0 holds the key to breaking down the barriers between siloed business groups and to making valuable company information and organizational intelligence more accessible, searchable and more readily shared. It’s a primary reason why wikis are currently among the most popular social networking tools for enterprises.

Web 2.0, with its built-in collaboration, promises to help capture and derive value from institutional knowledge and know-how. The fact that information is no longer centrally controlled and that the misuse of publishing tools is extremely simple, however, is a justifiable reason for concern.

Regardless of what particular technologies are utilized, it’s how Web 2.0 is implemented and how the related risks are handled that will be most significant. Even those organizations that aren’t using Web 2.0 themselves will want to take action to secure users and their internal systems.

In some cases Web 2.0 tools and practices are being introduced on an ad hoc basis, without complete knowledge or supervision by IT or management. Employees are just taking the tools and running with them. Wikis, blogs, Flickr, social tagging, bookmarking and the like are all resources that could have a valuable role to play in business, that is, if the risks are known and the necessary precautions and training have been undertaken throughout the organization to decrease those risks.

The Risks Involved

As Web 2.0 solutions become more popular and more pervasive, security in the corporate enterprise will continue to be a significant factor. As already outlined, the interactive nature of those applications creates new avenues for data leakage, and makes them inherently difficult to secure.

New technologies, like RSS, instant messaging, and Ajax, a web development technique that’s used to create interactive web applications, all introduce new vulnerabilities. “The heavy use of Ajax and the move of processing from the almost exclusive domain of servers to client devices and handheld technologies heightens risks,” says security blogger Carl Weinschenk.

“There are also social dangers to take into account. The heart of Web 2.0 is increased interactivity. The more people participate, the more likely it is that they might disclose proprietary information about themselves or their companies.”

With the ability to post photos, video and audio recordings to sites, employees can inadvertently “leak” confidential company information and post inappropriate personal information that puts both the employee and the business at risk of reputational black eyes and litigation.

In January 2008, a social networking attack called “Secret Crush” duped Facebook users into inviting friends to join them in downloading the “crush calculator.” It was being used by more than one million unsuspecting Facebook users, who “publicly” chose to install the widget at the cost of disclosing their personal information.

While the comments made by “Janet in ExxonMobilCorp” were largely positive, they were nonetheless unauthorized by the company.

We have all read of instances where an overzealous employee posted a derogatory comment about a competitor on a blog, forcing senior executives to apologize and backtrack. Thus, most companies that are blogging today moderate all corporate posts prior to publication. They also append language to their blog’s comment area, dictating the tone of the blog and warning that inappropriate comments will be removed.

Publicly traded companies have another level of concern and must consider applicable regulations, especially given the recent SEC announcement that companies can now use corporate blogs for public disclosures. Under certain circumstances, companies will now be able to rely on their websites and blogs to meet the public disclosure requirements under Regulation FD (Fair Disclosure). Notably, the SEC outlines boundaries for sharing information as well as holding companies and their employees liable for the information they post on blogs and discussion forums.

Balancing Risk with Flexibility

The challenge for businesses in a Web 2.0 world is how to make use of these technologies while ensuring that they do not open themselves up to any new threats. Despite the fact that we are in an era in which more and more applications are moving to the web, a large number of websites still have vulnerabilities, so visitors’ data, despite privacy preferences, remains vulnerable to security exploits. Applying content-control mechanisms to safeguard networks from malicious activity and preserve maximum organizational productivity is very important.

A site security audit should be a first step to determine vulnerabilities. Security applications and internet security appliances that scan the actual content of web traffic coming in and out of the network for malware, spyware, viruses, worms and Trojan horses should also be considered.

DNS-based web filtering software provides another security tool to help mitigate web dangers and keep employees away from potentially harmful websites altogether, and may be especially beneficial for small and medium businesses that may not have significant internal IT support. DNS is an abbreviation for “domain name service,” the system that translates domain names to numbered IP addresses for routing via the World Wide Web. DNS filters can be deployed and managed entirely offsite and supply near-real-time protection against current web threats. New domains are detected and classified at centralized locations and then pushed out to the DNS filters in near real time. The websites users request are then compared against a list of allowed or known malicious sites, and users are prevented from reaching the damaging websites by the return of a blocked server address instead of the actual host address. This procedure is fast, transparent to the user, and requires no third-party software installation on the client machine.

Figure: Example of DNS-Based Blocking Flow
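The lookup-and-block decision described in the DNS filtering paragraph above, sketched in Python as an added example that is not part of the original article or any product's code. The block-server address, the sample domains and the `fake_upstream` resolver are constructed for illustration, and failing closed on malformed names is an assumed policy choice.

```python
# Added illustration of a DNS-filter policy decision; names and addresses are assumptions.
from dataclasses import dataclass, field

BLOCK_PAGE_IP = "192.0.2.1"  # assumed block-server address (documentation range)

def normalize(name: str) -> str:
    """Lower-case, drop the root dot, and convert Unicode labels to ASCII (IDNA)."""
    name = name.strip().rstrip(".").lower()
    return name.encode("idna").decode("ascii")

@dataclass
class DnsFilter:
    blocked: set = field(default_factory=set)  # domains classified as malicious
    allowed: set = field(default_factory=set)  # explicit local overrides

    def apply_feed(self, added=(), removed=()):
        """Apply an update pushed from the central classification service."""
        self.blocked |= {normalize(d) for d in added}
        self.blocked -= {normalize(d) for d in removed}

    def _match(self, name, domains):
        # Compare whole labels from the right, so "evil.example" covers
        # "cdn.evil.example" but not "notevil.example".
        labels = name.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in domains:
                return candidate
        return None

    def resolve(self, qname, upstream):
        """Return (address, verdict); `upstream` is a callable doing the real lookup."""
        try:
            name = normalize(qname)
        except UnicodeError:
            return BLOCK_PAGE_IP, "blocked:malformed-name"  # fail closed
        if self._match(name, self.allowed):
            return upstream(name), "allowed"
        hit = self._match(name, self.blocked)
        if hit:
            return BLOCK_PAGE_IP, f"blocked:{hit}"
        return upstream(name), "passed"

# Constructed sample data: a fake upstream resolver and a fake feed update.
def fake_upstream(name):
    return {"intranet.example": "198.51.100.10"}.get(name, "203.0.113.7")

flt = DnsFilter(allowed={"safe.evil.example"})
flt.apply_feed(added=["Evil.Example.", "tracker.test"])
```

Matching on whole labels rather than substrings is what keeps a listed domain from blocking unrelated names that merely end in the same characters.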

Like any emerging technology, Web 2.0 software can provide a broad selection of advantages to modern companies, but increased interconnectivity may also expose a business to unforeseen dangers. Companies must stay vigilant in order to meet these challenges and avoid becoming casualties of the electronic age.
