Analyst warns that Web 2.0 threatens corporate security

With the Web becoming central to the way companies do business, cybercriminals are taking increasing advantage of Web 2.0 and social networking sites to launch attacks, according to Christian Christiansen, vice president for security products and services for IDC.

The Web isn't the benign resource for information that once people saw it as, said Christiansen, who spoke today at Kaspersky Lab's Surviving CyberCrime Event in Waltham, Mass. "One of the things that's happened that's disconcerting, and it's been growing over the last 10 years, is the blending of people's private lives with their corporate lives," he said.

Employees' personal lives -- their online shopping habits and interactions with friends and families -- get intermingled with the interactions they have at work with customers, fellow employees, partners, and suppliers, he said. "So that creates a perforated perimeter where there isn't a hard, fast separation between the corporate world and the personal world," he said.

The problem is that employees don't always follow their company's security policies -- probably because they don't know what those policies are, nor do they know what their company's acceptable use policy is. The result: Employees don't know what's allowed and what they're barred from doing. Sometimes, Christiansen said, the very people who set up the corporate policies don't even follow them.

Problems also occur when an IT department no longer controls the products being connected to the corporate network. That list could include everything from smart phones to new and untested laptops and desktops to different application environments, he said.

"We're seeing the realization that the internal security problem is growing -- the threats are coming from inside the network," he said.

The latest threats to network security now are coming from collaboration and Web 2.0 environments -- where employees casually click on links that could lead them to malware -- and they come from the wide variety of devices that may be accessing private as well as corporate networks, he said.

"We're seeing a change in the threat environment," he said. "Instead of the threats, the malicious code, being distributed as e-mail attachments, we're seeing more and more that they're being embedded in Web 2.0 links," he said. "In the past, what you saw was an immediate effect, now we're seeing much greater levels of subterfuge and much more sophisticated attacks."

To better avoid potential problems, IT departments need to control user behavior, the types of devices being used to access information, the applications being used, and content contributions.

"Risk reduction requires policy managements and layered protection -- at the gateway to the Internet as well as at the endpoint [desktops, laptops, and servers]," he said. "You need a whole series of checks and balances."

IDC is a part of IDG, which is also the parent company of Computerworld and InfoWorld.