If in some strange parallel universe, Shakespeare was born an IT director, he would have good cause in musing, “to web 2.0 or not to web 2.0: that is the question”. But literary puns aside, while the latest internet technology trend may not be quite up to Hamlet’s dilemma, it certainly isn’t making life easy for CIOs. A survey of over 1,000 young UK workers commissioned by content security specialist, Clearswift, and conducted by market researcher YouGov, found more than a quarter of young British office workers are spending three or more hours at work a week on ‘web 2.0’ social networking sites, such as YouTube, MySpace and blogs. A further 42 per cent of staff, aged between 18 and 29, use these web 2.0 sites to discuss work-related issues.

Ian Bowles, COO of Clearswift says the shifting demographic relationship with technology means IT organisations have to deal with the effects of web 2.0 technology whether they want to or not. “Quite clearly, the younger working generation is far more tech-savvy,” he says. “They are used to using the internet and mobile technology for participating in social forums and don’t differentiate that from the network access they have at work. Employers need to recognise this and create a balanced environment for work and social benefits. Locking down access to sites that use web 2.0 technologies is not going to engender a productive work environment and will stifle the creativity of your workforce.”

Justifying the use of web 2.0 technologies, like blogs and wikis, as well as access to online open forums and knowledge bases like Wikipedia, is becomingly increasingly easy for CIOs. So working out a governance policy should be a key priority. Gartner web services analyst, Ray Valdes, advocates that blogging, “can be a key element in a company’s repertoire of communication channels”.

New security precautions

Costly public relations disaster stories, leaked by disgruntled workers, partners or customers in their blogs are not only forcing organisations to acknowledge the extent of the blogosphere’s influence on market forces, but to engage with it. Many organisations now monitor the blogosphere to track what is being said about them and some are realising the value of targeting bloggers as part of a marketing or PR strategy.
“The biggest risk with regard to corporate blogs is not having one, which can result in being blindsided by competitors and broader market forces,” says Valdes. A significant number of organisations who participated in the Clearswift research acknowledged the potential business benefits to be realised from web 2.0 technologies, where 40.8 per cent consider social media to be relevant to today’s corporate environment.
However, most companies are failing to exploit them to gain competitive advantage with only 11.1 per cent currently using social media from a business perspective. Around 15 per cent of organisations were not aware of social media and had no plans to use them to benefit their operations.

While the majority of IT and business decision-makers were generally aware that their employees were accessing web 2.0 social media sites from the office, the research found that this awareness was not always reflected in security precautions. Nearly 20 per cent of those surveyed admitted their organisations did not maintain a best practise policy for staff on internet use.

"Every CEO needs to think about web 2.0. CIOs are going to have to learn how to segment technologies for certain customer sets and will need to have multifaceted IT and security infrastructures in place"

Ian Cohen, CIO, Associated News

Bowles says the mix of XML and HTML used to deliver a richer user experience of a personalised iGoogle homepage, for example, allows hackers to introduce spyware and malware to organisations despite firewalls at their perimeters.

“When you are going to one of these web 2.0 sites you may have to download an applet locally on to the desktop and that’s when there is the potential to introduce inappropriate code,” he says. “The point that’s coming out of discussions with CIOs is that they haven’t been given the budget or resources they need to defend against these new threats.”

WEB 2.0 BEST PRACTISE SPOTLIGHT

BT recently applied itself to web 2.0 best practise and came up with a useful three-step guide to coping with web 2.0 technologies that neatly summarises much of what Bowles, Norton and Cohen observe, as well as what the analysts advise.

Step one is concerned with behaviour – organisations must educate their users about what does and does not constitute acceptable usage of web 2.0 technologies.

Step two is related to technology aimed at limiting the availability and lifespan of posts. For example, software that allows users to limit who has access to their blogs and personal web pages will become more effective and more widely available.

Step three is for organisations to be foresighted enough to understand that web 2.0 technologies are here to stay. Fighting them is futile, successful companies will be those that find ways to integrate and take advantage of them.

Cohen concludes: “It is about understanding your internal, IT-user population, as well as understanding your external customers. Web 2.0 is just part of a whole new IT landscape allowing CIOs to do this, that also includes service oriented architecture (SOA), web services and software-as-a-service (SaaS). But they will need to do this in an agile, structured and proactive way.”

Keeping tabs on staff

More than one third of UK and US IT and business decision makers polled by Clearswift say their organisations did not monitor employees’ use of the internet despite 23.3 per cent having the capabilities to do so. While almost half of businesses did not know whether they had lost confidential information via social media outlets.

When asked to rate the importance of various IT security issues to their organisations, survey respondents said loss of confidential data was the second-most important – behind preventing virus/worm infections – and damage to company reputation was third.

However, the possible avenues for these threats – security breaches via blogs, forums or instant messenger – were placed 17th (last), 16th and 15th in the survey respectively, in terms of priority.

Some would see this situation as putting CIOs between a rock and a hard place, but Steve Norton, head of IT, M&C Saatchi, the advertising firm, prefers to stay positive: “The only things we block are webmail and adult material,” he says.

“The nature of our business means most things we do day-to-day involve the web. Some of our biggest clients like BA and Sainsbury’s have massive presences on the web, not to mention those of their competitors. We currently have quite strict internet policies and procedures but, as it stands, it only really applies to email, in terms of it being legally binding. We’ve not got anything about blogging in there but after hearing about the Clearswift research we will be updating that.”

Challenges ahead

But Norton is confident his current antivirus software and firewall protection will be sufficient complement to more robust acceptable use policy and procedures.

“I’m very confident of the network protection my existing investments offer,” he says. “If we need to do other things, like researching unsecured sites, we use a separate and secure wireless network as a test area.”
Ian Cohen, CIO of Associated News, agrees that it is impossible to ignore the impact of web 2.0 within enterprise IT.

“For me personally, I see web 2.0 as central to the shift in the way people interact with the web,” he says. “It’s all about collaboration and using next-generation web technologies to bring customers and suppliers together. It changes the dynamic from searching and static presentation to interaction with richer and more personalised environments.”

The company recently launched the first tabloid version of an internet-based eReader for its Daily Mail newspaper, using Really Simple Syndication (RSS) web 2.0 technology features.

“With the eReader we can become better at engaging with the reader how, when and where they want. Now web 2.0 is giving us the ready made opportunity to achieve this.”
Despite being at the forefront of such technology, Cohen admits: “It can be a huge challenge to police web 2.0 use. But you want to work with the best and brightest people and they aren’t going to want to work for you if they have a lowered powered, less specified PC than the one they have at home.

“Every CIO needs to think about web 2.0. CIOs are going to have to learn how to segment technologies for certain [internal and external] customer sets and will need to have multifaceted IT and security infrastructure in place. It will need to be open to enable and empower your workforce but it must also run hand-in-hand with a secured system.”

WEB 2.0 SURVIVAL TACTICS

There is no guaranteed way of protecting your organisation’s sensitive data. But Gartner recommends a diligent approach that involves defence, detection and deterrence.

Take a look at what you have. Evaluate whether your antivirus software can adequately protect your network from malware coming from identified and authorised devices. Re-evaluate whether you need to update your antivirus and malicious-code protection for web traffic. Use a combination of antivirus software, URL filtering, application controls, website reputation services and safe search technologies.

Consider deploying content monitoring and filtering technology.

Establish a blog oversight committee – a group of employee bloggers who can be proactive in making sure the company’s interests are served.

Update ethics, trade secret and other employee policies to deal with blogs and community sites. Establish a policy that specifies who can use which mobile and networked devices, and under what circumstances.

Allow only corporate-owned devices on to your network. Consider using applications that block non-authorised access to USB ports. Implement sound data-protection policies that include the encryption of sensitive data, so if a mini device is lost, the data is not compromised.

Before banning. Before imposing an instant messaging (IM) or public website ban, examine business uses for the technology.

Adopting IM. In the early stages of IM adoption, consider incorporating IM into the established rules for email usage and follow email best practises.

Know your audience and consider the most effective media for getting a particular message across to different crowds.

Be interactive. Interactive communication techniques, such as video games and comical multiple-choice quizzes, can be engaging while providing managers with a means of assessing their effectiveness.

Adopt a common communication approach to acceptable use policies. A ‘top-down’ approach can alienate younger workers.

Think outside work. If you offer workers information security recommendations that can be applied outside the workplace – on the technical risks of sharing music files, for example – employees are more likely to pay attention to policies that apply at work.

Look at employing a communications specialist to give your security strategy a less IT-led look and feel.