Criminals are taking increasing advantage of “Web 2.0” and social networking to attack companies, according to analyst Christian Christiansen, vice president for security products and services at IDC.
The web isn't the benign information resource that once people saw it as, said Christiansen, speaking at Kaspersky Lab's Surviving CyberCrime Event in Massachusetts yesterday. "One of the things that's happened that's disconcerting, and it's been growing over the last 10 years, is the blending of people's private lives with their corporate lives," he said.
Employees' personal lives get intermingled with the interactions they have at work with customers, fellow employees, partners and suppliers, he said. "So that creates a perforated perimeter where there isn't a hard, fast separation between the corporate world and the personal world," he said.
The problem is that employees don't always follow their company's security policies - probably because they don't know what those policies are, nor do they know what their company's acceptable use policies are. Sometimes, Christiansen said, the very people who set up the corporate policies don't even follow them.
Problems also occur when an IT department no longer controls the products being connected to the corporate network. That list could include everything from smart phones to new and untested laptops and desktops to different application environments, he said.
"We're seeing the realisation that the internal security problem is growing - the threats are coming from inside the network," he said.
The latest threats to network security now are coming from collaboration and Web 2.0 sofware - where employees casually click on links that could lead them to malware - and they come from the wide variety of devices that may be accessing private as well as corporate networks, he said.
"We're seeing a change in the threat environment," he said. "Instead of the threats, the malicious code, being distributed as email attachments, we're seeing more and more that they're being embedded in Web 2.0 links," he said. "In the past, what you saw was an immediate effect, now we're seeing much greater levels of subterfuge and much more sophisticated attacks."
To better avoid potential problems, IT departments need to control user behaviour, the types of devices being used to access information, the applications being used and content contributions.
"Risk reduction requires policy managements and layered protection - at the gateway to the Internet as well as at the endpoint [desktops, laptops and servers]," he said. "You need a whole series of checks and balances."