Article for Financial Times, Personal View Online
September 2008
Web 2.0 – Opportunity 2.0 or Threat 2.0?
According to evangelists, Web 2.0, a catch-all term for online social networking and making websites as interactive as possible – things like Facebook, YouTube and their copycats – and is the next stepchange for the Internet. All manner of companies are starting to adopt Web 2.0 technologies, encouraging employee blogs, customer forums, greater use of multi-media content and images and self-created encyclopaedias (or ‘wikis’).
Fine – up to a point. As with all new technologies, there are issues. First and foremost, privacy – the rapid growth of social networking has meant the risk of harmful private information or compromising photographs or video being published to the world is far greater. There are also financial costs: impaired employee productivity and increased use of the company's network bandwidth for private networking, for example. Maybe it's time to talk about Threat 2.0.
If there is a threat, it's not just a problem or a few geeks – it's one for all of us. Part of the excitement about Web 2.0 technologies is that they have such widespread personal adoption. A survey carried out by IT Governance in May of this year showed that over 39% of people who responded are typically on a Web 2.0 site for more than an hour every day. This is especially true for the 16 to 25-year-old demographic, our Generation Y successors. These people, now entering the workforce in appreciable numbers, think e-mail is what Grandad used; they want their Messages Instant and they expect to talk to their friends about what they did last night online, sharing photos, music files, bits of video – whatever they can manipulate digitally, it seems.
What to do about this, if you're an employer? Social networking is a challenge. Your staff are spending work time doing all this. And the danger is, of course, that confidential corporate data and protected personal information could very easily find its way into the public domain via this sort of largely unsupervised electronic interaction, along with the embarrassing shot of an employee after one too many drinks.
The uncomfortable reality is that it's your business’s expensive corporate bandwidth and data storage that is supporting the sharing of holiday snaps, interactive gaming, viewing of video footage what have you between 9 to 5. The threats associated with Web 2.0 are not clearly understood, but range across the whole gamut from regulatory and compliance issues to electronic and cyber attack.
Connotations of 'friendship' mean that Web 2.0 users are lulled into a false sense of security – and because the web service is free, users assume that it is acceptable, safe and compliant with data protection and privacy regulations. That’s a dangerous and usually unfounded assumption.
Also, the security settings for personal and sensitive data on social networking sites are not transparent. This means that individuals are not immediately aware as to how much of their information is accessible to possibly unwanted third parties. Malware (worms, Trojans and spyware) can be spread, for example, via the (so far!) 25,000 different free third-party applications available for users of Facebook. There's a lot 'out there' to worry about.
And what goes 'out there' tends to stay there – Facebook accounts cannot be deleted, for example, merely ‘deactivated’. This sort of easy-to-acquire personal data, as well as professional information on the Web like CVs and previous employers is an open door to conmen to steal individual identities. And that rule also goes for corporate information, in terms of data leakage and also exposure of what businesses would really like to keep inside the firewall.
So any company looking at this way of opening up to the outside world needs to consider how Web 2.0 could lead to nightmare scenarios like the risk of litigation, significant brand damage or other privacy and data protection transgressions.
A very natural impulse is to just put controls in place to regulate Web 2.0 use. But this could be too crude a response. The negative aspect of this approach is that it may prevent staff from carrying out tasks that they need to do in order to do their jobs and work effectively. Any means of controlling access to Web 2.0 material needs to be appropriate, and will only success if it is based on an intelligent engagement with Web 2.0's real pluses and minuses.
After all, ‘Web 2.0’ is only really a shorthand for the second stage in the evolution of the World Wide Web. While Web 1.0 was essentially one-way (you went to a site and it told you things), Web 2.0 enables a multi-directional, sharing of information (you go to a web site,mark it with your presence and upload your own content, as do your peers). This offers enormous business benefit – by helping people share knowledge.
In any case, Web 2.0 is now embedded in the cultural DNA of tomorrow’s workforce. The best and brightest of tomorrow’s workers will gravitate toward organisations in which they feel comfortable – and, in the knowledge economy, that may be bad news for those that can only attract those for whom Web 1.0 was probably more than enough, anyway.
So how to get the mix of controls and access right? The first step is to produce a Web 2.0 roadmap that will clearly identify what Web 2.0 means to the organisation as a whole, and how it may affect the competitive environment in future. You need to identify those Web 2.0 technologies that could be usefully deployed, together with a realistic description of the benefits, current and future risks staff could open you up to. e.g. data 'leakage' and reputation damage – and set out an appropriate risk management strategy.
Doing this will enable your people to offer staff the more information-rich and agile way of working and operating they crave – and curb the risks you will miss out on what could be the biggest change in working and social practice we shall see in our lifetimes.
Alan Calder is chief executive of IT Governance Limited (www.itgovernance.co.uk), an organisation offering a range of information security resources. Alan has recently published a special report on the issues outlined in this article, ‘Web 2.0: Trends, Benefits & Risks,' which is available from http://www.itgovernance.co.uk/products/1800