Web 2.0 Internet Apps: Spyware, Malware, and Trojans Galore
November 10, 2008 Timothy Prickett Morgan
While IT departments are understandably excited about the possibilities of so-called Web 2.0-style online applications and how they might be used within their organizations, these same IT shops are equally perplexed about how they are going to control and secure the use of these online applications among their end users.
In a way, this is an echo of how the commercialized Internet first entered corporations in the mid-1990s. And it did not enter from the data center, but from the end user desktops. And ditto for the wide use of PCs in the mid-1980s and then graphical user environments in the mid-1990s as Windows 3.X took off, now that I think about it. Sometimes, end users get way out in front of the IT department. But guess who gets to clean up the mess and support the technologies that have not been properly vetted yet?
FaceTime Communications, which sells a Web gateway security appliance that aims to add a layer of security to Web and collaboration software, commissioned a survey of over 500 IT managers and the employees at their companies (in North America and Europe) to assess the usage of collaboration, social networking, and other Web 2.0 applications such as those hosted by Google, Microsoft, IBM, and a host of others (pun intended) and the security risks these applications present. This is the fourth annual such survey that FaceTime has done, and the security situation is getting worse, not better, even as deployment of these applications within the enterprise (either officially or unofficially) is on the rise.
The data gathered from the survey is presented in a report entitled The Collaborative Internet: Usage Trends, Employee Attitudes and IT Impact, which you can read an executive summary of at this link.
The use of Web 2.0 applications is nearly universal now in some form or another at the companies surveyed, with 97 percent reporting they are using such software in their day-to-day business. That’s up from an 85 percent penetration in the 2007 survey. Web conferencing, streaming audio, and Web-based email are the top such applications. Some 72 percent of employees say they are using Web conferencing now, up from 72 percent in the survey last year. IT managers reported that the number of Web 2.0 applications in use has quadrupled since the 2005 survey, and now a company, on average, has 9.3 different Web 2.0 apps being used in day-to-day business. Two-thirds of those surveyed said they had eight or more, so clearly there are some companies in the poll that have lots and lots of Web 2.0 applications to pull up the class average like that. A little more than half of the employees access social media sites at work each day, and 79 percent of employees use sites including Facebook, LinkedIn, YouTube, and such at work for business reasons. (Yes, I am laughing, and you probably are, too.) Some 74 percent of end users actually fessed up and said they use their PC at work for personal reasons, usually to look at personal email, to do personal banking, or to surf the Web.
Now, given what FaceTime does, you’d expect they were interested in how the use of these applications affects the security situation on corporate networks. As it turns out, some 73 percent of IT managers in the poll said they had at least one security incident relating to the use of Web 2.0-style apps. Among the larger companies polled–wait for the hook–IT managers project that it costs them, on average, $125,000 a month to cope with security remediation for Web 2.0 applications because of malware (viruses, Trojan horses, worms, and other nasties), spyware, data leakage, compliance, and other issues. The typical security issue takes 22 person-hours to remediate. The estimates above are based on a $70 per person-hour cost, and even midrange companies (presumably fairly large midrange shops) polled were reckoning a cost of $50,000 per month. IT managers polled reported an average of 34 security incidents relating to Web 2.0 applications per month. Companies with fewer than 100 employees had 10 incidents, on average, while those with 5,000 employees or more reported an average of 68 incidents. Clearly, being smaller doesn’t help all that much, and that is probably a function of the more rigid network security and compliance framework at the larger companies.
This year was the first time that FaceTime asked questions about intellectual property and regulatory compliance issues, and found that 37 percent of IT managers said that these apps gave them compliance issues and another 27 percent said that these apps resulted in the unintended release of corporate data.