Web 2.0 Security: Time to do More than Fight Technology with Technology

The problem is almost as old as the World Wide Web itself: security threats, in the form of viruses, malware and data loss, have worried IT security staff for many years now.

Typically, the response is to fight technology with technology: that is, to put up so many layers of firewalls, password protection and data encryption that the company becomes a virtual fortress, and perhaps even to throw in a “sandbox” that confines suspect code or content to an isolated environment where it can do no harm.

But, with more and more social networking and Web 2.0 services becoming part of enterprise operations, security gets even more complex. A new survey from the Ponemon Institute finds that 80% of 2,100 IT security administrators believe social networking, Internet applications and widgets “have significantly lowered the security posture of their organization.” (An executive summary of the survey findings is available.)

There's nothing new about the security threats Web 2.0 presents. The respondents’ fears are about the usual suspects: viruses, malware, botnets and workplace inefficiencies.

So is it time to buy and deploy the next generation of security products, some of which may not yet be mature enough to handle all the exposures Web 2.0 brings? Is it enough to keep fighting technology with technology?

Or, perhaps, it’s time to fight Web 2.0 with Web 2.0: that is, to take user-empowered networking and secure it with user empowerment. In the report, Ponemon recommends putting employees themselves in charge of security issues. More than half of U.S. respondents believe the party most responsible for minimizing Web 2.0 security risk should be the end user, followed by information security (the CISO) and corporate IT (the CIO).

Of course, you can't just hand security responsibilities to end users and tell them to deal with it. Training and education are needed to keep users aware of the threats and the consequences, and in the survey the security executives expressed reservations about the ability of end users to manage this.

But having end users take more responsibility for the security of their own activities makes perfect sense. We can't afford to have police watching every mile of highway for traffic violators; we rely on the common sense of every individual driver to stay in line and drive safely. (And this works most of the time.) Likewise, as end users become more self-directed, and either engage in online communities or build their own widgets, we need to rely on their better judgment to avoid security mistakes. That's where the training comes in.

Joe McKendrick is an author, consultant, blogger and frequent INN contributor specializing in information technology.

Joe can be reached at joe@mckendrickresearch.com.

This blog was exclusively written for Insurance Networking News. It may not be reposted or reused without permission from Insurance Networking News.

The opinions of bloggers on www.insurancenetworking.com do not necessarily reflect those of Insurance Networking News.
