Comment: Web 2.0 – Friend or foe?

Check Point's Lowe examines whether Web 2.0 in the workplace is friend or foe.
Nick Lowe, Check Point

The lines that separate online business and personal lives are becoming thinner and thinner. The social networking sites that people started using to connect with their friends – such as Facebook, LinkedIn and Twitter – are now embraced by employers for use in the corporate environment. These and other Web 2.0 applications such as corporate blogs, wikis, instant messaging (IM) and peer-to-peer sites are now seen as valuable business enablers and effective communication tools.

But what are the security implications of the widespread business use of Web 2.0 tools? Do employees take the same care when using them in the workplace as they would in private? For many organisations, this is a growing concern. According to a Ponemon survey of attitudes toward Web 2.0 usage in the workplace conducted earlier this year, around 74% of IT professionals regard Web 2.0 as a threat to the security posture and general business function of their company.

The main downsides cited in the survey are:

Security risks: The list of potential security risks linked to Web 2.0 applications is long – from malware and spyware that specifically exploit those apps, to data leakage, illegal activities and reputation damage. Web 2.0 tools have become popular instruments among cyber-criminals, which makes their use within the corporate network a genuine threat. There is also the risk of staff simply making a mistake and posting sensitive corporate information to a public social networking news feed.

Bandwidth matters: Applications such as YouTube or file-sharing can quickly consume enterprise bandwidth. According to several recent research findings, around 10% of all corporate bandwidth is consumed by employees watching YouTube videos, with Facebook taking a further 4.5%. This type of bandwidth drain often drives IT administrators to restrict or block access to such resource-hungry sites in order to prioritise business-critical applications.

The office social: While many Web 2.0 applications are useful for business, there are a large number of apps and sub-apps (widgets) that could be classified as diversions, impeding productivity in the workplace. Many organizations prefer to limit the use of certain apps to specific users, or to specified times. For instance, they may want to allow access to Facebook during lunch hours only, while blocking it during working hours. Or they may want to allow employees to use Facebook, but not unproductive sub-apps and games such as FarmVille or Bejeweled Blitz.

Allow, deny or manage?

These issues have led many organizations to restrict the use of Web 2.0 apps and simply ban social networking sites, using either firewalls or web filters to block access. But as businesses look to make more extensive use of these apps, banning access may no longer be an option.

Also, many employees (especially recent graduates) have grown accustomed to having social media apps at their disposal for both work and personal purposes, and even expect to be able to use them in the workplace: the term ‘employee 2.0’ has already been coined to describe these users.

The Ponemon survey mentioned earlier shows that IT professionals are concerned about employees’ activities on the internet, yet at the same time businesses want to take advantage of Web 2.0 for legitimate commercial activities. So the question becomes: how should you control the use of these apps effectively, to minimise the security risks and maximise employees’ productivity? In other words, how do you make your organisation an employer 2.0?

Becoming an employer 2.0

To harness the benefits offered by Web 2.0 without the security risks, organizations need better visibility and better tools to monitor and manage application and platform usage.

The first step is deploying security controls that can differentiate between the thousands of applications running on the internet. Just a few years ago, it was enough to filter on URLs or domain names and to write firewall policies in terms of IP addresses and ports. Today, however, these traditional tools have reached their limits in the Web 2.0 environment: Facebook, its games, YouTube and a corporate wiki all travel over HTTP or HTTPS on ports 80 and 443, often to shared hosting or CDN addresses, so a port- or IP-based rule sees only "web traffic" and must allow or deny all of it together. What organizations need is more granular application awareness that can distinguish different applications, and the sub-apps within them, sharing the same protocol and ports across the firewall.

Second, organizations need to be able to grant different privileges to users according to their role, group or function. The marketing or human resources departments, for instance, may need to access Facebook as part of their business activities, but you may want to restrict access from other departments.

User involvement

Because employees have rising expectations of being able to use Web 2.0 tools in the workplace, it is reasonable to expect that they should also take part of the responsibility for safe and secure use. This was highlighted by the Ponemon survey findings, which showed that a majority of IT professionals think end-users should participate in mitigating the security risks associated with emerging internet applications.

Yet, the IT professionals surveyed also believed that employees rarely, or never, consider corporate security threats in their everyday business communications. In order to close this gap, organizations need to improve overall user awareness of security issues.

Staff should be educated about the dangers surrounding their online behaviour and use of Web 2.0 applications, and should share responsibility for avoiding them. Ideally, they should also be more aware of the corporate policies governing the use of Web 2.0 tools. At the same time, the IT department should understand which applications are being used and for what purpose, so that its decisions to regulate personal or risky usage are accurate and do not interrupt day-to-day business.

Advance warning

An effective method for achieving such Web 2.0 management is to give businesses the option of warning users about the risks of the Web 2.0 app they are about to use. For instance, when an employee accesses Facebook, a pop-up alert could be displayed, informing the user in real time about the Web 2.0 risks associated with Facebook and its sub-apps and restating the organization's policies on Web 2.0 usage.

This mechanism creates a decision point for the user, encouraging them to review what they plan to do with the Web 2.0 app. It reinforces their awareness of, and responsibility for, their actions, and helps to correct potential departures from the company's security policy before they happen. It also gives users a self-remediation path, relieving some of the management burden from IT staff.
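The following is an added illustration, not code from the article or from Check Point's products, of the two points made above: an application-aware policy (the "Becoming an employer 2.0" section) that identifies Facebook, its games and YouTube although they all arrive on TCP/443, grants access by user group and time of day, and supports the "ask" action described in this section, where the user is warned and must acknowledge before proceeding. The application signatures, user groups, rule set and sample flows are all constructed for the example; a real gateway would derive the host and path from TLS SNI or inspected HTTP, and the user's groups from a directory lookup.

```python
from dataclasses import dataclass
from datetime import time
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """What an application-aware gateway knows about one connection after inspection.
    user/groups come from an identity source; host is the TLS SNI or HTTP Host header;
    path is the request URI. All fields here are constructed for the example."""
    user: str
    groups: FrozenSet[str]
    dst_port: int
    host: str
    path: str
    when: time


# Hypothetical application signatures: (app id, host suffix, path prefix).
# Most specific first, so a sub-app (game) matches before its parent application.
APP_SIGNATURES = [
    ("facebook:farmville", "apps.facebook.com", "/farmville"),
    ("facebook:bejeweled", "apps.facebook.com", "/bejeweledblitz"),
    ("facebook",           "facebook.com",      "/"),
    ("youtube",            "youtube.com",       "/"),
    ("linkedin",           "linkedin.com",      "/"),
]


def classify(flow: Flow) -> str:
    """Map a flow to an application id using host + path, not the destination port."""
    for app, host_suffix, path_prefix in APP_SIGNATURES:
        host_ok = flow.host == host_suffix or flow.host.endswith("." + host_suffix)
        if host_ok and flow.path.startswith(path_prefix):
            return app
    return "unknown"


@dataclass(frozen=True)
class Rule:
    app: str                                    # app id, or "*" for any application
    action: str                                 # "allow" | "deny" | "ask" (warn + acknowledge)
    groups: Optional[FrozenSet[str]] = None     # None = applies to every user
    window: Optional[Tuple[time, time]] = None  # None = applies all day
    note: str = ""

    def matches(self, app: str, flow: Flow) -> bool:
        # "facebook" also covers its sub-apps "facebook:<game>" unless an earlier rule caught them.
        app_ok = self.app == "*" or app == self.app or app.startswith(self.app + ":")
        group_ok = self.groups is None or bool(self.groups & flow.groups)
        time_ok = self.window is None or (self.window[0] <= flow.when < self.window[1])
        return app_ok and group_ok and time_ok


# Hypothetical first-match policy: games blocked for everyone, Facebook allowed for the
# teams that need it, warned-and-acknowledged at lunchtime for others, denied otherwise.
POLICY: List[Rule] = [
    Rule("facebook:farmville", "deny",  note="games blocked for everyone"),
    Rule("facebook:bejeweled", "deny",  note="games blocked for everyone"),
    Rule("facebook", "allow", groups=frozenset({"marketing", "hr"}), note="business use"),
    Rule("facebook", "ask",   window=(time(12, 0), time(14, 0)), note="lunch: warn, user acknowledges"),
    Rule("facebook", "deny",  note="working hours"),
    Rule("youtube",  "ask",   note="bandwidth: warn before playing"),
    Rule("*",        "allow"),
]


def port_policy(flow: Flow) -> str:
    """The legacy control: permit web ports. Every sample flow below gets the same answer."""
    return "allow" if flow.dst_port in (80, 443) else "deny"


def app_policy(flow: Flow, policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """First-match evaluation over the application-aware policy; returns (action, reason)."""
    app = classify(flow)
    for rule in policy:
        if rule.matches(app, flow):
            return rule.action, f"{app}: {rule.note or rule.action}"
    return "deny", f"{app}: no matching rule"


if __name__ == "__main__":
    # Constructed flows: all to TCP/443, so indistinguishable to port_policy().
    samples = [
        Flow("alice", frozenset({"marketing"}),   443, "www.facebook.com",  "/company/page",   time(10, 30)),
        Flow("bob",   frozenset({"engineering"}), 443, "www.facebook.com",  "/feed",           time(10, 30)),
        Flow("bob",   frozenset({"engineering"}), 443, "www.facebook.com",  "/feed",           time(12, 45)),
        Flow("alice", frozenset({"marketing"}),   443, "apps.facebook.com", "/farmville/play", time(12, 45)),
        Flow("bob",   frozenset({"engineering"}), 443, "www.youtube.com",   "/watch",          time(15, 0)),
    ]
    for f in samples:
        print(f"{f.user:6} {f.host:18} {f.path:16} port-rule={port_policy(f):6} app-rule={app_policy(f)}")
```

Run as a script, the five sample flows all receive "allow" from the port-based rule, while the application-aware policy returns allow for marketing's Facebook page work, deny for engineering during working hours, ask at lunchtime, deny for FarmVille even for marketing, and ask for YouTube. The "ask" result is where the gateway would display the warning page; the order of the rule list is what lets a sub-app be treated differently from its parent application.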

Web 2.0 apps are powerful business enablers that companies cannot afford to simply ban and ignore. The challenge is to 'tame' Web 2.0 rather than to restrain it. To achieve this, organizations need better visibility of employees' Web 2.0 usage as well as stronger monitoring capabilities to minimize the security threats. Giving employees themselves some responsibility for appropriate usage can further curb unproductive use and bandwidth consumption. With this measured approach to security, organisations can make Web 2.0 a friend, not a foe.

Nick Lowe is head of Western Europe sales for Check Point. He is an expert across IT security, from technology development and evolving threats to compliance and security reporting. Lowe oversees all activities with Check Point's customers and partners in the region.
