Web 2.0 Is Security Soft Spot for Enterprises, Report Says

IT professionals also largely lack risk awareness, user training and consistent policies related to Web 2.0 threats, according to a security report by Forrester Research commissioned by enterprise gateway security firm Secure Computing.

"The report reveals a security blind spot. Some 90 percent of enterprise organizations are still deploying security measures designed for the last generation of attacks," Ken Rutsky, executive vice president of product marketing for Secure Computing, told TechNewsWorld.

To help enterprises close this security lapse, Secure Computing launched on Monday its Secure Web 2.0 Anti-Threat Initiative (SWAT). Secure Computing designed the new security service to raise awareness of Web 2.0 threats, provide essential guidance on threat protection and deliver protections that help organizations address the increased Web 2.0 risks, Rutsky said.

As part of SWAT, Secure Computing will offer organizations research findings, best practices, design criteria, white papers and product information.

Forrester's Findings

The study, which surveyed 153 IT professionals and security decision makers, found that organizations spend up to US$13 billion globally for direct malware remediation costs. Based in part on that spending, 97 percent of all enterprise IT staff consider themselves prepared to deal with Web 2.0 security issues.

However, 79 percent reported frequent attacks from malware. Some 57 percent of those surveyed said they were concerned about viruses. Fifty-one percent said they have concerns about trojans.

Forrester concluded that a gap exists between the level of concern over Web 2.0 security issues and the actual level of preparedness displayed by organizations now using Web 2.0 applications.

Misplaced Spending?

The Forrester report suggests that enterprise spending for network security involving Web 2.0 exposure may be misdirected. While nearly 97 percent of those surveyed consider themselves prepared for Web-borne threats, 68 percent conceded that there is room for improvement.

Despite their use of traditional security measures, enterprise organizations responding to the survey said they were experiencing more than infrequent occurrences of malware. Viruses and spyware were the leading issues they reported.

Some 46 percent of these organizations reported that they spent more than $25,000 in the last fiscal year for malware cleanup exclusively, Forrester disclosed.

"We are seeing daily new Web 2.0 threats to support ID theft or malware that opens back doors to corporate networks. We see key-logging programs load up on workers' computers upon visiting Web sites," Paul Henry, vice president for technology evangelism for Secure Computing, told TechNewsWorld.

Survey Says

Enterprise users of Web 2.0 applications recognize value from some of the new Internet features, according to 96 percent of those responding. However, less than 5 percent have implemented comprehensive gateway protection, Secure Computing's Rutsky said.

Another 57 percent said that taking away access to social networking and rich media sites will visibly increase employee productivity, according to the survey results.

Some 92 percent of the respondents indicated that outbound data leakage prevention is an important aspect of Web filtering. Fifty-eight percent consider data leakage an extremely important business concern, the report noted.

However, most existing enterprises are still depending on products designed for Web 1.0 threats, noted the study. Only 33 percent of the respondents have data leakage prevention capabilities in place today.

Not Yet Ready

Malware such as the Storm Worm exploits Web 2.0 weaknesses, according to Secure Computing's Henry. Losses to businesses hit with intrusions have doubled in the last year, he said.

At least 75 percent of enterprise Web 2.0 users say they are prepared, but 80 percent of their networks are still being hit, Rutsky added.

"This is costing enterprise organizations at least $30 per user per year just for the malware clean up," said Henry.

Report Recommendations

Given the complexity of the current threat and technology environments, Forrester Research and Secure Computing recommend that organizations look beyond a simple filtering solution and employ next-generation Web filtering technologies. The goal is to put in place enterprise-grade performance, scalability and support for management.

Next generation capabilities include reputation services, blended threat protection and behavior-based detection, explained Henry. Additionally, outbound content control such as data leakage and application control is essential.

Also, IT managers have to re-examine the adequacy of security policies and protection capabilities. Report data shows that most organizations are confident that their protection policies and mechanisms are adequate in the face of the latest trends of Web-borne threats, especially those connected with Web 2.0 applications.

To reach this goal, organizations have to improve user awareness and training on Web 2.0 and Web-borne threats.

"The infrastructure is now beginning a refresh cycle for Web filtering and Web proxy. Organizations need to replace several existing products with a single one. What they are using has reached the end of its life," Rutsky said.