Enterprises are not prepared for the security threats posed by Web 2.0 technologies, because they use insufficient web filtering and have failed to train users and make employees aware of potential risks, a Forrester Research survey found.
Bandwidth is also being sucked up by employees using Web 2.0 staples such MySpace, YouTube, RSS feeds, Google Maps, blogs and wikis, often for non-business purposes. This unofficial use of Web 2.0 applications along with their inherent security threats complicates the decision-making processes for corporations that want to safeguard data while embracing collaborative technologies in ways that enhance productivity.
"Organisations are struggling to maintain a balance between the need to regulate Internet usage and making effective use of what the Internet and Web 2.0 has to offer," Forrester states in a new report commissioned by the vendor Secure Computing.
Forrester surveyed 153 IT and security professionals at enterprises with at least 1,000 employees about their concerns and approaches to dealing with Web 2.0 risks. One-third of the organisations reported data leaks that caused significant problems, while more than half are extremely concerned about viruses and Trojans.
Almost every official surveyed thinks they are prepared for web-borne threats, but a look at their actual practices shows they are not, Forrester reports.
Most enterprises primarily use gateway URL filtering and antivirus scanning for web security, but zero-day attacks must be caught using behavioural and heuristics-based detection. Only one out of four enterprises use behavioural analysis to detect zero-day malware, and 37% use heuristics-based detection, Forrester's survey found.
"Despite the fear for malware and its disruptive consequences, organisations are not doing enough to protect themselves," the report states.
Substantial majorities of surveyed businesses have been hit by viruses and spyware in the past year, and 12% have found zombie computers within their networks.
Forrester also examined bandwidth consumption related to Web 2.0. More than half the organisations surveyed say at least 30% of their bandwidth is consumed by non-business use of rich media and social networking sites like YouTube, MySpace and Facebook. One out of seven enterprise executives say sites like these consume more than half of their Web bandwidth.
Businesses are also suffering decreases in employee productivity since employees log on to many of these sites for personal use.
The main challenges for businesses going forward are personal use of social networking, user-contributed content, mobile content services, enterprise integration of Web 2.0 services via mash-ups, and increased risk of data leaks, according to Forrester.
The research and consulting firm offers a few pieces of advice: examine the adequacy of security policies and protection capabilities; improve user awareness training on Web 2.0 and other web-borne threats; and use next-generation web filtering technologies, like reputation services, content filtering, blended threat protection, heuristics and behaviour-based detection.
"The proliferation of Web 2.0, which led to a prevalence of rich and interactive content on the internet, has exacerbated the problem [of companies responding slowly to new threats]," Forrester writes. "Malware writers are now using the web to propagate a plethora of new threats undeterred by traditional security means. The need for more effective web protection has never been greater."
In addition to commissioning the Forrester study, Secure Computing is launching a new initiative called SWAT – Secure Web 2.0 Anti-Threat. The initiative aims to provide customers with research, tools, software and best practices for web and messaging security, and is also driving ongoing development of the vendor's Webwasher web gateway security product.