Web 2.0: A Complex Balancing Act – The First Global Study on Web 2.0 Usage, Risks and Best...


Transcript of Web 2.0: A Complex Balancing Act – The First Global Study on Web 2.0 Usage, Risks and Best...

  • 8/8/2019 Web 2.0: A Complex Balancing Act The First Global Study on Web 2.0 Usage, Risks and Best Practices


    Web 2.0

    A Complex Balancing Act

    The First Global Study on Web 2.0 Usage, Risks and Best Practices


    In collaboration with experts in the fields of security and social media, McAfee took a close look at these questions. Commissioned by McAfee, Professors Mihaela Vorvoreanu and Lorraine Kisselburgh from Purdue University and the Center for Education and Research in Information Assurance and Security (CERIAS) undertook extensive research with experts from around the globe.

    International research firm Vanson Bourne surveyed more than 1,000 organizational decision-makers in 17 countries worldwide, and combined with expert interviews, we developed an in-depth study of emerging policies and practices into how organizations balance the risks and benefits of using Web 2.0 technologies.

    Our findings show high Web 2.0 adoption. Three out of four organizations worldwide use Web 2.0 for a variety of business functions such as IT (51 percent), marketing and sales (34 percent), customer relations (29 percent), advertising and public relations (28 percent) and human resources (22 percent). The main driver for Web 2.0 adoption is new revenue potential, according to two thirds of our respondents. Only 42 percent of those surveyed felt strongly about the importance of present Web 2.0 tools. While organizations acknowledge revenue potential and business value in Web 2.0 technologies, leaders and decision makers debate employee use of Web 2.0 in the workplace, either in the office or on the road.

    Security is the leading issue. Half of the organizations say it is their primary concern for Web 2.0 technologies. For another third, security is the main reason they don't use Web 2.0 more widely. Six out of 10 organizations suffered large losses averaging $2 million each because of security incidents during the past year. Together, more than $1.1 billion was lost by these organizations due to security incidents.

    One of the main sources of security threats is
    employee use of social media. Thirty-three percent
    of organizations worldwide restrict employee use
    of it; 25 percent monitor use; and 13 per
    block all social media access. Social netw
    are regarded as the main security threat of
    social media tools. As a result, nearly half
    organizations we surveyed block Faceboo

    Organizations need to employ a variety of
    to ensure safe use of Web 2.0. Social me
    and technological protection are the two
    measures used today. Two thirds of organ
    worldwide have social media policies for
    employees, and 71 percent of those use t
    to enforce them. However, that leaves on
    organizations without a social media polic
    almost half of the organizations lack a po
    Web 2.0 use on mobile devices.

    To address these challenges, many organ
    have increased security protection since in
    Web 2.0 applications. Seventy-nine perce
    increased firewall protection, 58 percent
    greater levels of web filtering, and 53 pe
    implemented greater web gateway prote
    out of five organizations are budgeting fo
    2.0-specific security solutions.

    Security experts strongly recommend a m
    layer security approach that's customized
    2.0-specific challenges to mitigate adopt
    Eugene Spafford, founder and Executive
    of CERIAS at Purdue University, notes tha
    best protections are those that don't get
    of getting work finished, because users a
    tempted to circumvent those controls. As
    information needs to be protected in the
    and not all users are going to interact wit
    technologies in the same manner, defens
    be tailored to fit the circumstances of use

    Executives and industry experts agree tha
    successful organizational use of Web 2.0
    complex balancing act. It requires analyzi
    challenges and opportunities while mitiga
    risks, and combining policy, employee tra
    technology solutions to ensure security.


    CONTENTS

    Executive Summary
    Introduction
    Web 2.0 Adoption in Organizations
    Employee Use of Web 2.0
    Balancing Act
    Conclusion
    Appendices

    Executive Summary

    What are Web 2.0's leading trends in business? Defined broadly as consumer social media applications such as Facebook, Twitter and YouTube, and specialized Enterprise 2.0 solutions, Web 2.0 has become a term surrounded by many debates: To adopt or not? How can organizations use Web 2.0 technologies? What are the business benefits? Will Web 2.0 use increase or decrease employee productivity? Is the security risk worth the benefits?


    [Figure: Web 2.0 Adoption Rates by Country. Organizations who use Web 2.0 for business (%), by country.]

    Survey data confirmed market research group Gartner's anticipated trend: By 2014, social networking services will replace e-mail as the primary vehicle for interpersonal communications for 20 percent of business users. [Gartner (2010). Predicts 2010: Social Software Is an Enterprise Reality.]

    Web 2.0 solutions are used for a variety of business purposes. About half of the organizations surveyed employ Web 2.0 solutions for IT functions, and roughly a third of organizations use them for marketing, sales or customer service. One in five organizations reported using Web 2.0 for public relations or human resources, especially recruitment. India leads in adoption of Web 2.0 for IT solutions, with about three out of four Indian organizations reporting such use.

    Introduction

    Web 2.0, defined here broadly as consumer social media applications such as Facebook, Twitter and YouTube, and specialized Enterprise 2.0 solutions, has become a term surrounded by many debates: To adopt or not? How can organizations use Web 2.0 technologies? What are the business benefits? Will Web 2.0 use increase or decrease employee productivity? Is the security risk worth the benefits?

    McAfee, in collaboration with communication media and IT security experts, and with the help of international research firm Vanson Bourne, investigated these questions. A survey of more than 1,000 organizational decision makers from 17 countries, and in-depth interviews with experts, paint a complex picture with two main Web 2.0 issues: the opportunities provided to organizations that have adopted Web 2.0, and the challenges of embracing emerging technologies at infrastructure and employee levels. In balancing these challenges and opportunities, the report discusses measures organizations take to ensure safe use of Web 2.0. The survey data and expert opinions corroborate that while Web 2.0 has considerable value, using Web 2.0 applications successfully is a balancing act that requires a combination of technology, policy and education.

    Web 2.0 Adoption in Organizations

    Our survey shows high adoption of Web 2.0 in the enterprise. More than 75 percent of organizations reported using Web 2.0 solutions for many business functions. While adoption rates vary across countries, they were high overall, and reached 90 percent or higher in Brazil, Spain and India. Web 2.0 adoption was lowest in the United States and the Commonwealth countries of the United Kingdom, Australia, and Canada.


    New revenue streams emerged as the highest driver of Web 2.0 adoption. Three out of four organizations that use Web 2.0 reported that expanded use of Web 2.0 technologies could create new revenue streams for their organizations. This is especially true in Brazil, India, the United Arab Emirates and Mexico, where nine out of 10 organizations share this belief. Even 65 percent of organizations in the public sector that already use Web 2.0 see revenue potential from using it. However, perceived importance of Web 2.0 solutions was tempered. Forty-two percent of respondents who reported using Web 2.0 solutions agreed they were important to business, but about the same percentage was neutral.

    Frank Gruber, co-founder of TECH cocktail, discusses some of the ways that companies are leveraging Web 2.0 technologies, and particularly the people participating in these platforms, to facilitate production, marketing, and customer service:

    "For example, crowdsourcing has been used for design work, solving difficult problems and even to make product decisions. There are a number of companies leveraging Web 2.0 technologies for social media marketing campaigns and for customer service. Ford has been leveraging social media and outreach to connect with a newly invigorated Ford Fiesta. Zappos leverages Web 2.0 for customer service, because every employee has a Twitter account for customer support and feedback. Intel works with bloggers to spread the word about their innovations."

    Market pressure was not, overall, a big driver of Web 2.0 adoption. The exception is India and Brazil where 78 and 58 percent, respectively, reported that customers and partners are requesting organizations to engage in Web 2.0. Perceived market pressure was higher in the public sector, where almost half of organizations feel it, as opposed to only a third in the private sector. In the largest organizations, the pressure to engage in Web 2.0 offerings was highest. Almost half of large organizations reported partner or customer demand, compared to only a third of small organizations.

    The survey data suggests that in 2010 Web 2.0 solutions are not perceived as crucial to organizations. This is not surprising, given that some of the technologies have not reached maturation, and uses are still being explored. However, respondents see great potential for Web 2.0 in the future, and the data suggests that this belief drives adoption. Stowe Boyd, analyst and business strategist, claims the real benefits of Web 2.0 become apparent when adoption rates reach 90 percent. "The more people use social tools, the more efficient the tools become," states Boyd.

    In addition to supporting communication and collaboration among employees, organizations recognize the value Web 2.0 technologies bring to clients and customer relations. About 40 to 45 percent of organizations feel that Web 2.0 improves customer service, and 40 percent feel it enhances effective marketing.


    Crowd-sourcing is one of the ways that companies are leveraging Web 2.0 to create new revenue streams. InnoCentive is an online crowd-sourcing company where organizations as large as Eli Lilly, DuPont, Boeing, Procter & Gamble and NASA post research problems in need of solutions. Scientists from all over the world, whether amateur, professional, or retired, choose problems to work on and post their solutions. Companies select a winning solution and pay the scientist a cash prize ranging from $5,000 to $1 million, depending on the problem's complexity. InnoCentive enables companies to solve difficult research problems at a much lower cost than their own R&D departments, and to have access to a diversity of solutions, ideas and expertise that is unlikely to occur within just one organization. http://www2.innocentive.com


    Although Web 2.0 was not
    considered extremely critical
    for many organizations in this
    study, for one organization it i
    vital. charity: water is a nonpro
    organization that provides clean a
    safe drinking water in the develop
    world. It directs 100 percent of pu
    donations to funding water proje
    charity: water does nearly all of its
    fundraising online and has no bud
    for marketing or advertising. char
    water has raised more than $7.5 m
    in its first two years of operation
    using mainly an online community
    platform and social media. With th
    power of social media alone, in 20
    more than $250,000 was raised in
    single day when charity: water wa
    the beneficiary of Twestival Globa
    This resulted in more than 55 wate
    wells in Uganda, Ethiopia and Indi
    and touched the lives of an estima
    17,000 people. Web 2.0 is the hea
    our operation and our primary sou
    of revenue. We're a Web 2.0 charit
    says charity: water director of digit
    engagement, Paull Young. charity:
    is a convincing example of the imp
    social media can have on ROI.


    If Web 2.0 is useful for business functions, what is preventing organizations from using it more? Security is the leading concern for Web 2.0 technologies. Half of the respondents name security risks as their primary concern with Web 2.0, while a third identify fear of security issues as the main reason Web 2.0 applications are not used more widely in their business. Trepidation about security is higher than average in India and Brazil, two countries with the highest Web 2.0 adoption rates.

    Large organizations are twice as likely as small organizations to avoid using Web 2.0 because of security fears. With more employees and more complex infrastructures to protect, it is no surprise that large organizations perceive higher risks. At the same time, large organizations report the highest benefit from using Web 2.0 tools such as collaborative platforms.

    Fears and concerns about security are well founded. Six out of 10 organizations experienced some sort of security incident the previous year because of Web 2.0 technologies; virus and malware infections were the most common. The financial loss associated with these security incidents was high. On average, organizations lost almost $2 million the previous year because of security incidents.

    [Figure: Primary concern about Web 2.0. Chart labels in page order: Security, Productivity, Legal risks, Reputation; values in page order: 49%, 27%, 15%, 9%.]

    Large organizations paid even steeper costs for security breaches because of Web 2.0 usage. The average loss for a large organization was $4.5 million, with an average reported loss around $10 million in Japan and Singapore, and more than $8.5 million in Canada. Large organizations in the United States have managed their security risks better, and reported a relatively lower average loss of $1.7 million.

    Organizations in countries with high Web 2.0 adoption such as Brazil, India and Mexico were most likely to have experienced security incidents and to report large losses. The average amount lost by Brazilian organizations was $2.5 million. Japan reported the highest average loss per organization at $3 million. Organizations in the United States lost, on average, more than $1.5 million due to security breaches.

    More than $1.1 billion was lost by organizations surveyed due to security incidents caused by Web 2.0 technologies.

    Virus and malware infections are the most common types of security incidents. A third of organizations experienced virus infections and almost a quarter experienced malware infections the previous year. In spite of concerns about data exfiltration, very few organizations (less than one in 10) reported experiencing data leaks or information overexposure. Security experts found this percentage to be lower than expected, and explain that respondents might be aware of or report only the more serious incidents. Pamela Warren, McAfee cybercrime strategist, stated, "more data leaks might have happened, but they are outside organizations' awareness."

    Beyond security, other factors that account for limited use of Web 2.0 in organizations include lack of demand and lack of applicability, reported by 18 percent of respondents. Lack of productivity and legal risks also emerged as Web 2.0 concerns. However, these reasons lag far behind security fears.

    Despite high adoption rates and strong business benefits, concern over security remains the leading factor holding organizations back from exploring the full potential of Web 2.0 applications. The cost and risk of security incidents are very high. A large proportion of security fears are related to employee use of social media, both for work and personal purposes.


    McAfee CTO and vice president, Raj Samani, believes that more companies should be concerned about security. He explains that the security landscape has changed. Whereas 10 to 15 years ago data infiltration was the biggest concern, these days data exfiltration, good data going out, is the primary challenge. In an economy where information is the lifeblood of an organization, preserving the confidentiality, integrity and availability of information is vital. Virus and malware protection is still important, but data loss prevention is fast becoming an indispensable component of an organization's technology protection.

    What accounts for Brazil's high Web 2.0 adoption rate? Brazilian IT consultant and ICANN member, Vanda Scartezini, explains that Brazilians tend to love novelty and are quick to adopt new technologies. At the same time, Brazil is seeing huge infection problems originating from social media. Scartezini recommends that organizations use more than one security software applications to protect assets.


    Employee Use of Web 2.0

    While organizations see revenue potential and business value in Web 2.0 technologies, decision makers continue to debate whether or not to allow employee usage of Web 2.0 in the workplace, either in the office or on the road.

    Some organizations emphasize education, guidelines and usage policies that provide parameters for appropriate and allowable use of Web 2.0 technologies for work. In other cases, organizations are responding to rising employee and customer demand for making Web 2.0 technologies available, and are less concerned about employee productivity or security threats. But many organizational leaders are highly concerned with potential threats from Web 2.0 technologies. They worry about security, data integrity, employee productivity, along with the reputational, financial, legal and technological consequences that can occur as a result of Web 2.0 usage.

    In spite of these concerns, 29 percent of organizations do not have policies regarding employee usage of Web 2.0 in the office, and fewer still have policies in private sector and small organizations. Seventy-five percent of organizations without policies indicate they trust their employees to use tools appropriately, or do not consider social media a threat.

    Perceptions of Web 2.0 Utility for Employee Use

    WEB 2.0 TOOL                    RATED USEFUL BY ORGANIZATIONS   PROVIDED BY ORGANIZATIONS
    WEBMAIL                         48%                             90%
    COLLABORATIVE PLATFORMS         42%                             82%
    CONTENT SHARING APPLICATIONS    40%                             86%
    STREAMING MEDIA SITES           28%                             82%
    SOCIAL NETWORK SITES            25%                             77%

    Many organizations that do not restrict employee usage report positive results from social media tools including enhanced communication and increased employee productivity. Most organizations rated webmail and collaborative platforms as the most useful applications. Only a quarter of organizations rated social network sites and streaming media sites such as YouTube as useful.

    While Web 2.0 tools were most likely to be considered useful for improving communication, survey respondents also reported other benefits: enhanced customer service, increased productivity, as well as marketing and branding. For example, half of respondents reported that use of collaborative platforms improves productivity. Forty-two percent of respondents said social network sites enhance customer service.

    Organizational leaders differed, however, on whether they felt Web 2.0 increased employee productivity. Only 40 percent of organizations agreed that Web 2.0 tools enhance productivity. However, organizations are more likely to indicate that collaborative platform and content sharing applications are more useful for productivity than streaming media and social networking tools. The social nature of these tools may factor into the reluctance of organizational leaders to embrace adoption, as well as their relative novelty in the organization.

    Analyst and business strategist, Stowe Boyd, discusses the historical resistance to emerging technologies in organizations. "When American businesses after WWII started to think about rolling out telephones on everyone's desks, the biggest objection that was raised by the senior managers, who already had telephones, was that everyone was going to use these phones for personal use. They were going to call mom; they were going to gossip. They weren't going to use them primarily to do business. But [most of the] time, business people use telephones to conduct business because it's an efficient, and direct and obvious way to do it. The exact same thing happened with e-mail, the exact same thing happened with instant messaging, and now with social media, especially the stuff that has social networks in it, they are saying exactly the same stuff. We've got to manage this because they're going to be sitting there talking about fantasy football."

    GE has used internal Web 2.0 collaboration tools for many years now. As a large multinational corporation with a workforce scattered all around the world, GE needed online collaboration and social tools. "By now, people have gotten so used to them that they've come to depend on them," says GE systems engineer Anthony Maiello. GE is going beyond your out-of-the box internal social networking solution: "Those are great for communication, but they do not meet our specialized design needs," explains Maiello. GE is building sophisticated collaboration tools that enable engineers to collaborate remotely and create complex technical designs. Because new products are being created on this platform, security is a paramount concern. "We do not want external parties attacking our network and getting to this information," says Maiello.


    Mobile social media access can be life saving during larg
    scale natural disaster emergencies, and played a major r
    relief and recovery efforts during the 2010 Haiti earthqu
    Twitter and Facebook were critical to communicating
    information about relief efforts. Shortly following the
    earthquake, the U.S. State Department began posting assistan
    information on its Facebook page.

    Agencies, such as the American Red Cross, and citizens used Tw
    to provide minute-by-minute status changes on the ground, a
    to mediate communication with those outside the disaster zo
    to assist in relief efforts. Volunteers used mobile GPS and cam
    enabled phones to gather photographic and geographic data
    about roads, buildings and people. The information was post
    collective Google Maps mashup that allowed emergency pers
    to locate open roads for relief transportation, and identify la
    seen locations of individuals seeking family. Building a social
    following during quiet times ensures your message gets acros
    quickly and credibly during a crisis, even if conventional lines of
    communication are down.

    http://cw.com/articles/2010/01/14/social-media-haiti-earthqua

    relie.aspx

    http://www.readwriteweb.com/archives/social_media_red_cro

    foods.php


    Top Perceived Security Threat from Employee Web 2.0 Usage

    MALWARE INTRODUCTION        35%
    VIRUS INTRODUCTION          15%
    INFORMATION OVEREXPOSURE    11%
    SPYWARE INCREASE            10%
    SPAM VOLUME INCREASE        6%
    EXPOSED ENTRY POINTS        6%
    DATA LEAKS                  7%
    BOTNET INTRODUCTION         5%
    SPAM USE INCREASE           4%

    The primary concern that organizations have about employee usage of Web 2.0 technologies is security. This concern is a specific obstacle to adoption and integration of social media in organizations. The top four perceived threats from employee use of Web 2.0 are malicious software (35 percent), viruses (15 percent), overexposure of information (11 percent) and spyware (10 percent).

    Some security concerns are specific to Web 2.0 tools used by employees. For example, technologies that are perceived to facilitate work productivity, such as webmail, collaborative platforms and content sharing applications, are less likely to raise concern than the mainstream social media tools such as Facebook, LinkedIn, YouTube and Twitter, which are not allowed by 40 to 50 percent of organizations. There are regional differences, as well, in which tools are considered useful for employees. Organizations in Brazil and Singapore, where overall adoption is high, are much more likely to rate webmail useful than organizations in the United Kingdom. However, the United Kingdom reports higher adoption of collaborative platforms and content sharing tools. Adoption of streaming media and social network sites is fairly consistent across all countries.

    Industry analyst Charlene Li notes that differences in social media usage by country are less about cultural differences than about differences in access and social media penetration rates. Li says that because of high penetration rates, South Korea and Brazil are more likely to be producing content, while other countries like the U.S. lean more towards content sharing.

    [Figure: Web 2.0 Applications Adoption by Country. Series: Webmail, Content sharing, Collaborative platforms, Streaming media, Social network sites.]

    Social network sites are perceived as the riskiest of all Web 2.0 tools from a security standpoint.


    Social network sites are more likely to be linked to security issues than other technologies. Among respondents who have experienced security incidents in their organizations, half suspected social network sites as the cause, and 44 percent suspected webmail. In contrast, only 20 to 25 percent of organizations suggested content sharing and collaborative platform tools as the cause of security incidents.

    These statistics suggest that many organizations perceive employee usage of Web 2.0 to be non-productive and potentially detrimental to business goals. Facebook is banned by nearly half of the organizations, especially mid to large-sized ones. In certain European countries like Benelux, Italy and Spain, more than 60 percent of organizations restrict usage. In contrast, only a third of organizations in Japan, Germany and Brazil restrict Facebook.

    Security experts explain that negative media coverage of Facebook over unilateral privacy changes might account for some of this concern. Also, the more users a tool has, the more likely it is to be a target. "If it's popular, it's going to be popular with the bad guys, not just the good guys," said an IT security professional from a major global nonprofit.


    In some cases, organizations are concerned about situations that might give rise to employees inappropriately using social media. Close to half of the leaders surveyed felt that employees are most prone to using social media inappropriately by accident, perhaps due to lack of awareness, or when they are dissatisfied with compensation or management. Concerns about inappropriate usage caused by managerial disputes are higher in Spain, Brazil, Mexico and India, while pay disputes cause more concern to organizations in the United Kingdom and Australia. Concerns about accidental misuse are highest in the United Kingdom and Canada.

    In contrast, one in four respondents did not have concerns about employees using social media inappropriately. Respondents from small organizations and from Sweden, Germany, Japan and the United Arab Emirates were the least likely to be concerned that employees would use social media inappropriately, where approximately 40 percent of leaders were unconcerned.

    There are both real and perceived consequences of inappropriate Web 2.0 and social media use:

    The financial consequence for security incidents (including downtime, information and revenue loss) is an estimated average of $2 million for all Web 2.0 technologies.

    Sixty percent of companies report that the most significant potential consequences from inappropriate social media usage are loss of reputation, brand, or client confidence.

    One in three organizations reported unplanned investments related to "work-arounds" necessary for implementing social media in their organization.

    Fourteen percent of organizations report litigation or legal threats caused by employees disclosing confidential or sensitive information, with more than 61 percent of those threats caused by social media disclosures.

    Organizational leaders are facing real consequences when adopting Web 2.0 technologies, but they recognize a growing demand for employee usage. They continue to seek the right balance to ensure technological security while embracing and integrating the opportunities presented by Web 2.0 technologies.

    Legal risks are a major concern of

    highly regulated industries such as

    healthcare or financial services. One

    hospital system, however, found a w

    use social media successfully while sta

    within the limits of the Health Insurance

    Portability and Accountability Act (HIPAA

    Scott & White Healthcare is one of the la

    healthcare systems in the United States,

    operating 10 hospitals in the Texas area

    & White uses Facebook, YouTube, Twitte

    blogs to communicate with the public. O

    Nov. 5, 2009, a soldier opened fire at the

    Hood military base in Texas, killing 13 pe

    and wounding dozens of others (CNN, 2

    Scott & White Memorial Hospital in Tem

    Texas, was the closest Level 1 trauma cen

    and received the highest number of For

    Hood casualties. Steve Widmann, directo

    web services at Scott & White, used Twitt

    blog and YouTube to issue continuous u

    throughout the day about access to the

    hospital's emergency room, hospital ope

    status and to keep the media and public

    informed. Both the local media and the

    showed support and gratitude for being

    up-to-date on developments.

    http://www.cnn.com/2009/CRIME/11/12

    hood.investigation/index.html

    http://www.forimmediaterelease.biz/in

    php?/weblog/comments/the_hobson_h

    report_-_podcast_503_november_23_20

    [Figure: Organizations without social media policies, by country. Vertical axis: 0% to 60%. Countries shown: UK, Brazil, India, Mexico, Spain, Poland, Benelux, Australia, Japan, USA, Singapore, Canada, Italy, France, UAE, Sweden, Germany.]

    Balancing Act

    Globally, leaders of organizations agree that security concerns and issues with employee use of social media are the two major barriers for successful implementation of Web 2.0 in their organizations. In order to maximize the benefits from Web 2.0, organizations need to take measures to mitigate these risks.

    Shel Holtz, consultant and writer, summarizes the balance for which organizations should strive: "Between shutting everybody off altogether and opening everything up to every risk possible, there's a lot of room in between those two extremes to find a balance. The balance is a combination of technical solutions and training and education. Ultimately, if you arm your employees with the knowledge they need to protect the organization's assets and engage effectively when they're talking about work and connecting from work, you're likely to experience very few of these issues. Organizations do risk benefit analyses every single day in other dimensions of business and decide that the benefit of doing something is worth the risk. I don't see why Web 2.0 should be any different. If we can, for example, reduce our customer service costs by 10 million dollars a year, by having our employees engaging through these social channels, and we calculate the risk at being one million dollars, that's a nine million dollar addition to your bottom line. And I don't know an organization that wouldn't be willing to risk a million dollars to make nine."

    A third of organizations have no social media policies in place, and close to half do not have policies for social media use on mobile devices.

    We vehemently encourage ev

    one of our clients to have a so

    media policy before anybody

    engages in social media.

    Matthew Gain, Head of Digital Communications, Edelman Australia

    Our research indicates that risk mitigation

    measures most commonly include social

    policy combined with protection through

    technology. Seventy-one percent of orga

    have a workplace social media policy in p

    Both security experts and industry analyst

    agree that social media policies are very

    important, although some argue that exi

    policies can extend to emerging contexts

    channels of communication. However, a

    of organizations have no social media po

    in place, and close to half do not have po

    for social media use on mobile devices. B

    Holtz and Pamela Warren, McAfee cyberc

    strategist, argue that social media policies

    are not sufficient and must be supplemen

    employee education and training.

    Implemented Security Measures Post-Web 2.0

    USAGE

    INCREASED FIREWALL PROTECTION 79%

    INTRODUCED GREATER LEVELS OF WEB FILTERING 58%

    GREATER WEB GATEWAY PROTECTION 53%

    APPLIED SITE VERIFICATION/AUTHENTICATION 31%

    INTRODUCED ELECTRONIC POLICIES 27%

    Many organizations choose to restrict social media use for some employees, and give unlimited access to their marketing or public relations departments. For half of the organizations surveyed, social media policies varied by department, but an equal number applied the same policy to all employees. Private sector organizations, which have greater marketing needs, are more likely to vary social media policies across departments. Respondents seem to be sensitive to the fast-changing Web 2.0 landscape, and almost half of them anticipate modifying their social media policies within a year.

    Industry experts agree that in addition to policy, organizations need one or more levels of technology to protect the organization and its assets. The organizations we surveyed reported using several types of technology solutions to enforce social media policies. Of the nearly three quarters that reported using technology solutions, four out of five use web filtering and firewall technology. Two thirds reported using endpoint security such as antivirus software, and 41 percent said they protect against data leakage.

    Seventy-one percent of organizations have a workplace social media policy in place.

    Policy Enforcement Technology

    USAGE

    WEB FILTERING TECHNOLOGY 83%

    APPLICATIONS FIREWALL TECHNOLOGY 78%

    ENDPOINT SECURITY (E.G. ANTIVIRUS) 63%

    DATA LEAKAGE PROTECTION 41%

    Industry experts caution that social media policies should be enabling, not restrictive or punitive. "Most social media policies I see are bad to begin with," says Dion Hinchcliffe. "They are pages upon pages of 'thou shalt not,' and by the time you're done reading, you don't know what you CAN talk about." A good policy is short and to the point; Stowe Boyd's favorite is Microsoft's "Blog smart." Hinchcliffe recommends including examples in social media policies, so that employees are exposed to a range of possible situations.

    We asked organizations that do not have a social media policy in place the reasons why. Trust in employees and an unperceived threat were equally important reasons, each mentioned by more than a third of respondents. Several countries have high trust in employees. About 50 percent of respondents from Singapore, Poland and India reported trusting employees to know what is in the company's best interest. Threat perception related to social media also varies significantly across countries. Seventy percent of respondents in the United Arab Emirates, and about half of respondents from Mexico, Brazil and Sweden do not perceive any threats. However, the reported costs of recent security incidents in Mexico and Brazil suggest that social media is more of a threat than perceived by this group of respondents. Only 7 percent of organizations without social media policies reported intending to introduce them in the near future.

    For the more than two thirds of surveyed organizations with social media policies in place, coverage typically includes employee liability in the case of inappropriate use, along with guidelines for approved social media sites.

    Social Media Policy Coverage

    TERMS OF POLICY COVERAGE

    EMPLOYEE LIABILITIES IF INAPPROPRIATE USE OCCURS 54%

    GUIDELINES ON COMPANY-APPROVED SOCIAL MEDIA SITES 45%

    GUIDELINES ON SECURITY ISSUES OF SOCIAL MEDIA 39%

    GUIDELINES ON COMMERCIAL DANGERS OF SOCIAL MEDIA 38%

    COMPANY LIABILITIES IF INAPPROPRIATE USE OCCURS 37%

    GUIDELINES ON REPRESENTING THE COMPANY USING SOCIAL MEDIA 30%

    ONLY CIO-AUTHORIZED STAFF USAGE ALLOWED 26%

    More than half of surveyed organizations have increased security measures since allowing access to Web 2.0 applications. These results suggest emerging trends in security measures that provide enhanced protection for Web 2.0 challenges. Increased firewall protection was the most commonly reported measure, but organizations use a combination of technologies.

    Web 2.0 applications are deployed in the cloud and accessed with desktop, laptop, and mobile devices over both wired and wireless infrastructures. This represents a challenge for security practices that have focused on endpoint and network-level infrastructure controls. Trends indicate a growing interest and implementation of web filtering and web gateway solutions in the organizations we surveyed, and roughly 55 percent of the organizations have adopted one or both of these measures since allowing access for employees.

    Eugene Spafford, Executive Director of CERIAS, cautions that because the Web 2.0 technology in use is evolving quickly, it is often deployed without sufficient thought as to how it may be abused, alone or in combination with other deployed technologies. There is great incentive for the bad guys to develop attacks, and they do, often with great creativity and speed.

    Because Web 2.0 applications are particularly vulnerable to exploitation, industry and security experts recommend proactive countermeasures and multi-layered security solutions that include:

    Application control: Granular application control, based upon the business and regulatory requirements of the organization, gives organizations the ability to create access policies specific to user identities, and to reduce risks for some employees without restricting participation for others.

    Next-generation firewalls: Many firewalls today don't provide effective protection for Web 2.0 technologies. Organizations should consider next-generation firewalls that provide more sophisticated discovery, control, and visualization of applications, along with predictive threat protection for network infrastructures.

    Endpoint protection: The shared and highly participatory nature of Web 2.0 requires that businesses protect their endpoints against multiple threats, including spam, viruses, malicious software, spyware, rootkits, and hacker attacks. Endpoint protection remains a critical piece of information assurance and security in organizations.

    Data loss protection: Data exfiltration is a continuing challenge of organizations participating in the Web 2.0 environment. Protecting the integrity and confidentiality of organizational information from theft and inadvertent loss is a key issue today. Data loss protection guards private, sensitive, and confidential information and data from accidental or malicious loss.

    Encryption: Important data at rest should be encrypted, as should communication channels, with keying material kept separate from the encrypted material. Compromise or loss of endpoints should not automatically give access to sensitive information.

    Authentication: Strong, non-password based authentication should be deployed and used for access to sensitive information and resources. Web 2.0 applications usually employ weak authentication, and are targets for a chain of penetration and social engineering attacks that can compromise valuable resources. Requiring appropriate token-based or biometric authentication at key points can help to prevent incidents.

    Integrity Monitoring and Whitelisting: Many current attacks against Web 2.0-enabled hosts involve the installation or modification of code to enable access, or to install malware. Traditional anti-malware technologies are not sufficient to prevent these threats, so additional methods that use configuration integrity monitoring or application whitelisting should be considered. Solutions that monitor and control patching and upgrades should also be considered.

    Gateway Anti-malware: Proactive scanning of code in web pages for malicious intent. By analyzing the code at the web gateway (a gateway located physically in the enterprise or in the cloud as a hosted service), malware can be detected and blocked before it reaches the endpoint or other network assets.
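
The integrity-monitoring and allowlisting recommendation above, as an added Python example (not part of the report or of any product it mentions). It records a keyed HMAC-SHA256 baseline of a directory, reports files added, removed or modified since, and approves a file only when its digest still matches; the function names, key and sample files are constructed for illustration, and the key is assumed to be stored away from the monitored host, as the Encryption item advises for keying material.

```python
import hashlib
import hmac
import os
import tempfile


def file_mac(path, key):
    """Keyed HMAC-SHA256 digest of a file's contents, read in chunks."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()


def snapshot(root, key):
    """Map every file under root (path relative to root) to its keyed digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = file_mac(full, key)
    return digests


def compare(baseline, current):
    """Integrity monitoring: paths added, removed or modified since the baseline."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            p for p in common if not hmac.compare_digest(baseline[p], current[p])
        ),
    }


def is_allowlisted(rel_path, root, key, allowlist):
    """Allowlisting: approve a file only if its digest matches the approved one."""
    approved = allowlist.get(rel_path)
    if approved is None:
        return False  # never approved, e.g. newly installed code
    full = os.path.join(root, *rel_path.split("/"))
    return os.path.isfile(full) and hmac.compare_digest(approved, file_mac(full, key))


def write(root, rel_path, data):
    """Helper for the demo: create or overwrite a file under root."""
    full = os.path.join(root, *rel_path.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed sample: a small web root that changes after the baseline is taken."""
    # Assumption: in real use the key lives off the monitored host, so someone who
    # alters files cannot also forge matching baseline entries.
    key = b"constructed-demo-key"
    with tempfile.TemporaryDirectory() as root:
        write(root, "index.html", b"<h1>intranet</h1>")
        write(root, "js/app.js", b"render();")
        write(root, "css/old.css", b"body{}")
        baseline = snapshot(root, key)

        # Constructed changes: one file altered, one dropped in, one deleted.
        write(root, "js/app.js", b"render(); loadRemote();")
        write(root, "js/widget.js", b"init();")
        os.remove(os.path.join(root, "css", "old.css"))

        report = compare(baseline, snapshot(root, key))
        verdicts = {
            p: is_allowlisted(p, root, key, baseline)
            for p in ("index.html", "js/app.js", "js/widget.js", "css/old.css")
        }
    return report, verdicts


if __name__ == "__main__":
    report, verdicts = demo()
    print(report)
    print(verdicts)
```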

    Eugene Spafford notes the importance of understanding the continuing evolution of the technology, alongside the new norm of heterogeneity and specificity in organizational contexts:

    "The key to effective use of new technologies is to apply them in the correct contexts. For instance, applying social media to marketing and sales may result in increased connectivity with clients and business partners. However, applying those same applications in sensitive financial services and proprietary R&D has the potential to lead to significant losses. Organizations that are still in 'single network everywhere, same software everywhere' mode will have the most difficulty adjusting to this new paradigm, and to those that follow. Many decision-makers believe that having a homogeneous and uniform environment is less expensive to procure, maintain, and provide employee education. However, there is a longer-term cost in exposure and vulnerability that is now coming into clearer focus; heterogeneity and specificity allow more tailored protections and uses. Understanding differences in application, technology, policy and users is perhaps the most important factor in success and safety in Web 2.0 environments and beyond."

    The power of Web 2.0 technologies as methods of communication, connection, sharing and participation is seductive, causing some people (and organizations) to adopt tools without considering the potential consequences. This report shows both the widespread interest and some of the widespread concern about Web 2.0 technologies. Both are warranted, as increased sharing not only has the potential to augment business and personal relationships, but also to enable new methods of fraud and attack.

    While industry experts recommend both policy and technology solutions, as many as 60 percent of organizations do not budget for Web 2.0-specific security solutions, and some have incurred high, unanticipated losses. Organizations in India and Brazil, which have seen high losses from security incidents, are most likely to budget for Web 2.0-specific security solutions. Three quarters of Indian organizations and more than half of Brazilian organizations do so.

    Experts agree that the benefits of using Web 2.0 exceed the risks. "The benefits are there and they're real. There is a strong desire by those who are worried about security to avoid risk. There might be areas where that is a rational way to do it, but you cannot NOT communicate from these platforms today. If you don't, you are at a serious disadvantage no matter what kind of organization you are. You have to strike that balance for your organization," explains Commander Scott McIlnay, Director of Emerging Media Integration for the U.S. Navy.

    Even in organizations for which security is a topmost concern (the U.S. Department of Defense, the U.S. Navy and national intelligence agencies), the benefits outweigh the risks, and these organizations have embraced social media at several levels.

    "You can allow employee use of Web 2.0 and absolutely embrace Web 2.0 for your corporate and government goals. But contemplate user behavior and control what goes in and out of your network, and that can be done through both administrative and technical controls," advises McAfee cybercrime strategist, Pamela Warren.

    Both IT security experts and industry analysts emphasize the importance of weaving complex security solutions that include policy, technology and education to help employees make good decisions. Echoing cybercrime strategist Warren's comments, industry analyst Dion Hinchcliffe believes writing a social media policy is not enough. Just as employees went through digital literacy training when they first learned how to use email and computerized productivity tools, they now need education about Web 2.0. "Throwing things out to workers and not explaining the implications, not explaining how to use them properly, is, of course, a risk. Education is half of the challenge of ensuring that things we don't want to have happen won't happen."

    As we enter the second decade of the 21st century, the landscape of communication, information and organizational technologies continues to reflect emerging technological capabilities as well as changing user demands and needs. Web 2.0 is a convenient term used to describe the social technologies of the 21st century that influence the way we interact. But technological development moves along a continuum, and human creativity and advancements in technology will continue to push the boundaries of how we communicate, share, and interact, as implied by the word "Web" itself. Cloud computing, immersive reality, geotagging and location-aware computing, ad hoc networking, agent/avatar-based computing, multicore chips, quantum computing, and more are all in research labs or being deployed by early adopters.

    These advancements will continue to bring new opportunities and threats, thus requiring agility and continued evolution of resources. Successful organizations will be those that determine where and how to embrace these emergent tools to add new value and agility to their organizations. Success will require careful, on-going efforts to safeguard assets, including infrastructure, data, and employees, along with measured and educated adoption of new cyber technologies.

    Conclusion

    Overall, research suggests that successful organizational use of Web 2.0 is a complex balancing act that requires analyzing challenges and opportunities, mitigating risks, and combining policy, employee education and technology solutions to ensure security.

    While the next generation security solutions will be specific to the organization's mission, industry, size, and locale, there are general best practices that we recommend for all organizations that adopt Web 2.0 solutions:

    Policy: Web 2.0 environments have created new organizational contexts that challenge traditional norms of professional behavior. Clear social media policies enable employees to make good decisions about their behaviors in these new contexts, and provide examples and guidelines regarding potential threats.

    Technology: Web 2.0 applications and technologies require multi-layered security solutions that provide protection against data loss, endpoint security, application control, and infrastructure firewalls.

    Education: As new threats and problems emerge it is vital that all users in the organization are made aware of how to protect resources. Social media require a new level of digital literacy, and organizations need to educate employees about the risks and benefits of accessing and participating in these contexts.

    Practices: Organizations must acknowledge the 21st century work practices of employees that are global, mobile, and constantly connected. Policies and technology solutions must be device-independent, whether access comes from the desktop, laptop, handheld, or even wearable or embedded devices, and must be location-independent as well. Organizational practices must protect employees and institutional data no matter what they use, and where they are.

    Adaptability: Web 2.0 and social media technologies are notable for their rapid change and evolution. Organizations must be alert to new risks, but also adaptable to changes, and open to seeing opportunities for new value that can be embraced for organizational success.

    Recruitment and Sampling

    Participants were recruited from multiple sources, including a panel of senior IT decision makers for the UK, an online global B2B sample partner, Global Market Insite and Survey Sampling International. The recruitment sample was pre-screened using criteria established to represent decision-makers, and screened at a second level with initial questions in the survey, to ensure respondents met the criteria for appropriate levels of authority in their organization. Sampling was balanced across organizational size, sector and country. Sixty respondents were sampled from each of 17 countries. Respondents were also sampled from three organizational sizes to achieve a balanced response from small (< 100 PC users), medium (100-1000 PC users) and large (> 1000 PC users) organizations. There was a 19 percent total response rate for the survey, varying from 8 to 42 percent by country.

    Interviews

    All interviews were conducted in accordance with Purdue University's Institutional Review Board rules for the protection of human subjects. Interviews were conducted with the consent and knowledge of the participants, who gave permission to be identified and quoted in this report. For quotes and case studies available in the public domain, see citation notes for original source.

    Respondent Profile

    A total of 1055 organizational leaders and decision makers from 17 countries around the globe responded to our survey about current practices and attitudes about Web 2.0 technologies in their organizations. Predominantly CIOs (79 percent) and CEOs (21 percent), the respondents were decision-makers at executive (38 percent), global (15 percent) and national (13 percent) levels in their organizations. Providing a global view, leaders from organizations in 17 countries were surveyed, including respondents from North America (United States, Canada, Mexico), Europe (United Kingdom, Sweden, France, Germany, Benelux, Italy, Spain, Poland), South America (Brazil), Asia (Japan, India, Singapore), Australia and the Middle East (United Arab Emirates). Respondents represented both private sector (63 percent) and public sector (37 percent) organizations, and were drawn equally from small (

    The information in this document is provided only for educational purposes and for the convenience of McAfee customers. The information contained herein is subject to change without notice, and is provided "AS IS" without guarantee or warranty as to the accuracy or applicability of the information to any specific situation or circumstance. McAfee and the McAfee logo are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others. 2010 McAfee, Inc.

    About McAfee, Inc.

    McAfee, Inc., headquartered in Santa Clara, California, is the world's largest dedicated security technology company. McAfee delivers proactive and proven solutions and services that help secure systems, networks, and mobile devices around the world, allowing users to safely connect to the Internet, browse and shop the Web more securely. Backed by unrivaled Global Threat Intelligence, McAfee creates innovative products that empower home users, businesses, the public sector and service providers by enabling them to prove compliance with regulations, protect data, prevent disruptions, identify vulnerabilities, and continuously monitor and improve their security. McAfee secures your digital world.

    For more information, visit: http://www.mcafee.com

    McAfee, Inc.

    3965 Freedom Circle

    Santa Clara, CA 95054

    888 847 8766

    www.mcafee.com 12001rpt_web2.0-global_0910