Web 2.0 sites could encourage data leaks
Employees may be revealing sensitive corporate information on social media sites
Nearly three quarters of enterprise workers under 30 now access Web 2.0 internet sites, such as social networking sites and blogs, in the office, according to new research released today. However, questions have been asked about the potential data security problems and brand damage that could result.
A survey of over 2,500 office workers by content security specialist Clearswift found that under-30s use Web 2.0 sites most regularly – 39 percent access them several times a day – and nearly half of this group said they had discussed work-related issues on such sites.
But given that the medium encourages users to post comments in a more ad-hoc, spontaneous manner, there is a risk that sensitive corporate information could go up too, according to Clearswift's chief operating officer, Ian Bowles.
"It's very informal – these [sites] suck people in and they drop their guard," Bowles argued. "IT management has never had to think about this in the past and we don't think they've got to grips with this new threat."
Bowles added that a firm's brand could also be damaged by what is said by an employee on the web – whether intentionally or not.
A new web site due to go live in the next few weeks could realise these fears. Wikileaks aims to be "an uncensorable version of Wikipedia for untraceable mass document leaking and analysis".
Mark Murtagh of content security specialist Websense agreed that brand damage for online retailers could be a major concern, although he argued that criminals are more likely to obtain sensitive corporate information via keyloggers and screenscrapers than trawling social media sites.
Nigel Stanley of analyst Bloor Research admitted that some sensitive data could be inadvertently discussed on these sites, but argued that the major impact of corporate workers using such sites would be in lost productivity.
"The biggest problem is people wasting business time going on these sites during the day and I'd hope most businesses would prevent access to them anyway," Stanley argued.
Stanley added that, from the criminals' standpoint, Web 2.0 sites are too ineffective and random a way of harvesting sensitive information.
Meanwhile, last week, antivirus firewall vendor Fortinet again highlighted the more familiar security risks of Web 2.0 sites. The firm discovered hackers have embedded malicious scripts into Blogger.com blogs, which can then redirect users to phishing sites and download Trojans.
"Employees need to understand it's not OK to talk about their enterprise and exchange data on [social media sites] by any means," argued Fortinet's Guillaume Lovet. "To prevent cross site scripting attacks on users' browsers, firms need anti-virus software to track and block them, or unified threat management at the network edge."
In related news, datacentre security specialist Imperva has launched a new downloadable resource designed to advise firms how to mitigate the risks from Web 2.0 technologies used in the enterprise.
"The application owners should be responsible for the safety of users using their applications, even if it involves exchange of content between users," argued the firm's CTO Amichai Shulman.