IT strategy: Anti social - data loss prevention must take centre stage

Are the wheels are coming off the Web 2.0 bandwagon? The
‘social-networking’ phenomenon springing from it took a hammering, with reports
suggesting that Twitter, Facebook, MySpace and LinkedIn are the cause of
increasing security and productivity issues in the workplace. The first six
months of 2009 saw cyber-criminals dramatically increasing their focus of
attacks on social networking sites, according to the latest Security Threat
Report from IT security company Sophos. The report warns that criminals are
exploiting social networks to identify vulnerable companies and individuals and
to identify when to attack them.

Outside the workplace, Web 2.0 sites are blamed for stifling the development
of children and generally turning their users into tongue-tied sociopaths who
cannot interact with real people in the real world. If Archbishop Vincent
Nichols, head of the Catholic church in England and Wales, is to be believed,
rather than helping to enhance social relationships, these sites can even be a
factor in pushing vulnerable individuals to commit suicide.

Finance directors may dismiss this catalogue of woes, but such complacency is
dangerously misplaced. You may think your first concern should be loss of
productivity: according to Nucleus Research, allowing staff access to Facebook
costs an average of 1.5% in productivity ­ though admittedly that works out at
barely a fag break a day.

More importantly, though, evidence is emerging that employees share too much
personal information through social networking sites. In fact, the Sophos
research estimates that two-thirds of businesses fear social networking is
creating a real and present danger to their corporate security: unmanaged use of
Web 2.0 sites by staff can give malicious third parties sensitive data and so
open backdoors into corporate IT infrastructures.

A more direct threat comes from the fact that social networking sites are
increasingly exploited by malicious cyber-criminals as a vector for d
istributing unsolicited spam email, viruses and other malware. Estimates vary,
but unsolicited spam accounts for around 90% of messages clogging up the world’s
corporate IT email systems. Web 2.0 sites are also being used as a platform for
launching ‘phishing’ attacks, when criminals try to trick unwitting surfers into
entering passwords and other sensitive data on bogus webpages designed to look
like legitimate sites.

Sophos estimates that a quarter of UK organisations have been exposed to such
attacks as a direct result of employee use of social networking sites. However,
despite these fears, the Security Executive Council, a risk mitigation research
organisation, recently conducted a poll of US enterprises which shows that 86%
of companies allow staff to use Facebook and other Web 2.0 applications.

A Gartner research report warns that a recent series of malware attacks
against the Twitter social networking service highlights the potentially serious
dangers inherent in allowing consumer technologies to be used by staff in the
workplace. It notes that “cool” services are typically designed with ease of
use, rather than high security as a priority. In the wake of a successful
attack, security measures that were not built in are retrospectively “sprinkled
on” as an afterthought.

However, Gartner advises companies to be pragmatic, noting that such Web 2.0
services are not going away anytime soon, so they need to take their own
security precautions. It counsels that prohibition of social networking services
is unlikely to be in the best interests of a business. Instead, it believes that
“real business benefits” can be enjoyed from properly-controlled use of
consumer-orientated technologies.

Such benefits ­ most obviously improved communication both within the
business and with third parties ­ can, apparently, outweigh the risk of allowing
consumer services into the workplace before they are mature enough to offer e
nterprise-class security. The question that companies need to ask is, how much
will it cost to integrate such services with corporate systems, or to bolt on
additional security so that any threat they pose may be contained?

On a practical level, education should be a prerequisite. Companies need to
make sure all workers accessing corporate systems have no illusions about the
risks of using consumer-focused services in the workplace. Gartner advises that
malware-blocking and data-loss-prevention capabilities should be a central
component of any business that plans using Twitter or other consumer-grade
technologies.

There is a good argument that the main Web 2.0 companies should wake up to
their responsibilities and take urgent steps to stamp on the virus writers and
identity the thieves, spammers and scammers who are using their services for
nefarious purposes.

There is some evidence that this is beginning to happen, but doing nothing
and hoping the problem will go away by itself is not a viable option. The onus
of responsibility falls squarely on the shoulders of the companies that must
take urgent action to protect their own infrastructures.