Simply blocking applications means disgruntled staff and missed opportunities. Businesses need to change tack. By Barry Mansfield.

Young people entering the workplace see email as slow and have grown up with P2P applications and Web 2.0 technology - yet most businesses are still living in a Web 1.0 world, with security policies to match.

The web landscape has changed dramatically in the past five years. Users have evolved from passive consumers of information to active contributors of content. Blogs, podcasts and RSS (really simple syndication) are being used within the enterprise. Wikis, tagging and web-enabled social networking can improve collaboration among workers.

The arrival of the Web 2.0 era has coincided with an explosion of new business tools popularised by consumers at home, including the MSN Live instant messenger, Symbian smartphones and peer-to-peer (P2P) applications such as voice-over-IP (VoIP) favourite Skype. With employees simply adding their new toys to the corporate network, infosec managers need to be more vigilant than ever - in particular, allowing employees to share information through blogs or mashups with outside web services poses significant security challenges.

If a company makes use of Web 2.0 features on its website, its clients rather than the business itself may be at risk. "Any kid can write a Web 2.0 script that turns the victim's browser into spyware," warns researcher Paul Johnstone. "It can record every keystroke made within that browser window. There may be security precautions in place, but there are ways around them if you know how."

JavaScript Object Notation (JSON) makes it easier for criminals to hijack Web 2.0 sites and run whatever script they want on them. "You can steal credit-card details, change the user's homepage and tinker with favourites," says Johnstone. "New flaws are being discovered all the time. And, frustratingly, there is no answer. Every browser can be turned into a spyware tool. No firewall can stop this; it's just the way things are."
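The article does not spell out how a JSON endpoint gets abused, but one concrete hardening that practitioners of the period adopted is worth seeing in code. The example below is added here and is not from the article or from anyone quoted in it: it is a hypothetical server-side handler that refuses requests lacking a custom request header (something a plain cross-site `<script src>` include cannot add), prefixes the JSON body so that it is a syntax error if it is ever loaded as script, and sets headers discouraging the browser from sniffing it as script. The prefix value, the handler name and the request shapes are all assumptions; the matching client-side strip is shown in Python only so the whole round trip runs offline.

```python
"""Guarding a JSON endpoint so its body is useless when pulled in cross-site as a script.

Constructed example; the function names, header convention and prefix are assumptions,
not the API of any product mentioned in the article.
"""
import json

# Leading with a close-paren makes the body a JavaScript syntax error if a third-party
# page includes it via <script src="...">; the legitimate client strips it before parsing.
ANTI_HIJACK_PREFIX = ")]}',\n"

# Header that same-origin XMLHttpRequest code sets explicitly; a <script> tag or a
# cross-site form cannot attach custom headers, so its absence marks a suspect request.
REQUIRED_HEADER = "X-Requested-With"
REQUIRED_VALUE = "XMLHttpRequest"


def serve_json(payload, headers):
    """Return (status, response_headers, body) for a JSON API request.

    `payload` is the data to return; `headers` is a dict of the incoming request headers.
    """
    if headers.get(REQUIRED_HEADER) != REQUIRED_VALUE:
        # No custom header: treat as a cross-site include and return nothing useful.
        return 403, {"Content-Type": "text/plain"}, "forbidden"

    body = ANTI_HIJACK_PREFIX + json.dumps(payload)
    response_headers = {
        "Content-Type": "application/json",
        # Tell the browser not to second-guess the declared type as script/HTML.
        "X-Content-Type-Options": "nosniff",
    }
    return 200, response_headers, body


def parse_guarded_json(body):
    """What the legitimate client does: verify the framing, strip the prefix, parse."""
    if not body.startswith(ANTI_HIJACK_PREFIX):
        raise ValueError("unexpected response framing; refusing to parse")
    return json.loads(body[len(ANTI_HIJACK_PREFIX):])


if __name__ == "__main__":
    # Constructed requests: one from a <script> include (no custom header), one from the
    # site's own XMLHttpRequest code.
    print(serve_json({"account": "demo"}, {}))
    status, hdrs, body = serve_json({"account": "demo"},
                                    {REQUIRED_HEADER: REQUIRED_VALUE})
    print(status, hdrs, repr(body))
    print(parse_guarded_json(body))
```

The header check only helps when the application authenticates with ambient credentials such as cookies, which is exactly the case the prefix is designed for; an API used with explicit bearer tokens has a different threat model and would not need the prefix.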

It sounds like a grim assessment of the situation, but Johnstone is not alone. "You can disable JavaScript, but that also means that most of the net won't work for you," says Mathijs van Abbe, founder and CEO of Amsterdam-based Van Abbe IT. "A new method for Ajax (asynchronous JavaScript and XML) development called Hijax works even with JavaScript turned off, so it can provide a potential means of getting around security issues. But it's like that more for accessibility than for security reasons. Essentially what it boils down to is that progress and functionality are higher up people's list of priorities than security, and that's true for browser makers, developers and users alike."

As organisations look to customise a range of technologies for their own needs, Forrester predicts that the Enterprise 2.0 space could be worth up to $4.6 billion (£2.3 billion) by 2013. But who exactly is using Web 2.0 for business? Swedish car maker Volvo has used collaborative software from NetAge to improve internal networking and claims it can now quickly gather ideas on manufacturing processes from staff around the world, enabling it to save money by tapping into knowledge that already exists within the company. Online giant Amazon.com's example is publicly visible: on a single page, it provides up to 24 social components, from book reviewing, via those who bought similar books, to tagging, ratings and comments.

The NHS has also tapped into Enterprise 2.0. To stop email overload strangling its internal communications, NHS Orkney implemented Traction TeamPage, a hybrid blog platform built for enterprise groups. Under the new system, blogs offload traffic from email into a more easily accessible and time-ordered platform for communication and collaboration. Projects covered range from clinical services to HR and IT.

The integrity of the platform itself has not been a problem so far, and the new system has actually made it easier to set out security guidance and policies clearly for employees. For example, the IT news page features a content section with information on the new password reset policy, together with advice on how to fix a BlackBerry problem.

But whatever the possible advantages of Web 2.0, access to pornographic sites, downloading of freeware, and the sharing of pirated music, films or software leaves companies vulnerable to legal liability and exposes the network to malware.

Promoting ad hoc collaboration and multiple modes of communication can be good for business, but employees need policies and IT administrators must have tools to govern those policies. Content-filtering vendors such as Websense and Blue Coat believe they have found the answer: tools that block offending sites at the gateway but discriminate in accordance with company policy. Enterprises can choose from different categories; they might want to block sites categorised as adult content and malware, or put a time limit on certain sites, but allow their employees full access to instant-messaging applications, business networking and news sites.
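The category-based gateway policy described above is easy to model. The following is an added example, not code from the article or from Websense, Blue Coat or any other vendor: it uses a small, constructed category map in place of a vendor's URL database, applies a policy of the kind the paragraph describes (block adult content and malware, time-limit streaming to a lunchtime window, allow instant messaging, business networking and news), and runs it over a few constructed proxy log lines. All hostnames, the log format and the policy rules are assumptions.

```python
"""Category-based web access policy at the gateway (constructed example).

Hostnames, categories, log lines and the policy below are all invented for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Stand-in for a vendor's URL categorisation database: domain -> category.
CATEGORIES = {
    "adult.example": "adult",
    "malware.example": "malware",
    "video.example": "streaming",
    "news.example": "news",
    "chat.example": "instant-messaging",
    "network.example": "business-networking",
}


@dataclass
class Rule:
    category: str
    action: str                                  # "block", "allow" or "time-limit"
    window: Optional[Tuple[time, time]] = None   # local-time window in which a
                                                 # "time-limit" category is allowed


# Policy in the shape the article describes: block some categories, time-limit
# others, allow the ones the business depends on.
POLICY = [
    Rule("adult", "block"),
    Rule("malware", "block"),
    Rule("streaming", "time-limit", (time(12, 0), time(14, 0))),
    Rule("instant-messaging", "allow"),
    Rule("business-networking", "allow"),
    Rule("news", "allow"),
]

DEFAULT_ACTION = "allow"   # flip to "block" for a stricter, allow-list posture


def categorise(url: str) -> str:
    """Map a URL to a category, matching the host and each parent domain so that
    www.adult.example is caught by the adult.example entry."""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    for i in range(len(labels)):
        category = CATEGORIES.get(".".join(labels[i:]))
        if category:
            return category
    return "uncategorised"


def decide(url: str, when: datetime) -> Tuple[str, str]:
    """Return (action, category) for a request to `url` made at local time `when`."""
    category = categorise(url)
    for rule in POLICY:
        if rule.category != category:
            continue
        if rule.action == "time-limit":
            start, end = rule.window
            allowed = start <= when.time() < end
            return ("allow" if allowed else "block", category)
        return (rule.action, category)
    return (DEFAULT_ACTION, category)


# Constructed proxy log lines: "<ISO timestamp> <user> <url>".
SAMPLE_LOG = [
    "2008-03-14T09:15:02 alice http://news.example/markets",
    "2008-03-14T09:16:40 bob http://video.example/clip/42",
    "2008-03-14T12:30:11 bob http://video.example/clip/42",
    "2008-03-14T10:02:55 carol http://www.adult.example/",
    "2008-03-14T10:05:00 dave http://chat.example/session",
    "2008-03-14T11:45:19 erin http://intranet.corp.example/wiki",
]


def filter_log(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Apply the policy to each log line; returns (user, url, action, category)."""
    results = []
    for line in lines:
        stamp, user, url = line.split(" ", 2)
        action, category = decide(url, datetime.fromisoformat(stamp))
        results.append((user, url, action, category))
    return results


if __name__ == "__main__":
    for user, url, action, category in filter_log(SAMPLE_LOG):
        print(f"{action:5} {category:20} {user:6} {url}")
```

Parent-domain matching is the part most often got wrong in home-grown filters: matching only the exact hostname lets `www.` and other subdomains of a blocked site through. The default action is the other policy decision worth making deliberately; the example allows uncategorised sites because that is how most enterprises in the article's setting ran, but an allow-list posture is a one-line change.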

This appears to be just as well, since the hidden costs of internet abuse for companies of all sizes can really hit the bank balance; a Gallup poll last year suggested that the average employee spends more than 75 minutes a day on personal web use. That translates into an annual loss of around £3,150 per person. Another study by research company Tickbox claims British workers are adding up to 14 days' unofficial holiday a year emailing and browsing online.

However, in a fast-moving business world, the enthusiastic take-up of Web 2.0 technologies for problem-solving and information-sharing has thrown the productivity argument into doubt. For example, employees may find technical troubleshooting difficult if content they badly need, such as an online discussion forum or wiki, is blocked.

As for VoIP, worries over Skype's security are nothing new - a problem the eBay subsidiary has attempted to address with a business version that claims to be easier for IT administrators to manage and control. However, employees often download the consumer version to their desktop of their own accord, causing headaches for network managers, since the application uses a proprietary encryption method to cloak its traffic, which can include text messages and file transfers as well as voice calls. In addition to hiding itself, Skype has also established a cycle of continuous upgrades that makes effective detection and management notoriously tricky.

German company iPoque sells hardware-based systems for detecting and blocking a range of unauthorised software on corporate networks, including Skype and P2P systems such as BitTorrent. But there are other ways to block Skype, the simplest being to detect the presence of the client executable on the PC and stop it running in the first place. A tool offered by Sophos does this free of charge, although it requires a connection with the Sophos anti-virus client to function.

Many corporates, sensitive to data leakage, have an urgent need to stop Skype on security grounds. But P2P applications can also be a severe bandwidth drain. If employees are using the network pipe for surfing, P2P exchanges and streaming media, instead of processing e-commerce transactions, conducting sales webinars or advising customers, then they may be impacting business-critical functions and applications.

In the end, the simplest and most effective deployments of Enterprise 2.0 bring little security risk. For example, Janssen-Cilag, a pharmaceutical subsidiary of Johnson & Johnson, has replaced its company intranet, a static HTML site without a search capability, with a wiki.

Janssen-Cilag's employees don't even know it is a wiki - they just think of it as an easy-to-use intranet. Nathan Wallace, the firm's CIO, claims only five minutes of staff training was required. "Announcements ranging from major restructures to new babies for employees flow through the news page without clogging up email inboxes," he says. "Business information that was previously scattered in emails is now collected into a permanent, secure online space. We have a growing reference and history of information to build on and make available to newcomers. Knowledge management, previously a great concern to us, has moved off the agenda for the time being."

DAVID BENJAMIN, BT DIRECTORIES
As the CEO of BT Directories, David Benjamin might be expected to exploit mobile technology, but he has embraced it with an almost evangelical zeal.

"All my management team are home workers and a large proportion of non-management positions are remote as well," he says. Benjamin claims that the use of mobile technology within BT encourages remote working in general, and his department has taken up such tools as BT Meet Me and LiveLink, which make mobile collaboration easy across IP-based networks. Benjamin, who previously worked at Guardian Media Group, says: "This is the first time I've worked for an organisation that actively encourages remote working."

So much so that Benjamin has now organised the commercial and development activities of BT Directories around a 9am "all-hands call" every Friday. All his 1,500 employees join what must be one of the biggest conference calls in the UK and, as well as taking a health check on the business and his direct reports, it's an opportunity for all staff to get things off their chest. "There's a good half-hour's questioning as well each week," he says. "It's not a replacement for all meetings - strategic sessions are still face-to-face - but it makes you a more efficient and effective organisation."

To take part, his team need little more than a laptop and a broadband connection; everything else is down to the efficacy of BT's "functional and rich" intranet. Among other admin functions, it can be used to measure staff performance through BT's Scorecard appraisal system. "Every quarter, staff are measured on their delivery and output - not on how they did it," explains Benjamin. It's all logged and managed online. "I can't remember the last time I printed something off," he adds. As befits such an enthusiastic advocate of Web 2.0 tools, Benjamin is launching two multi-platform websites that will embrace these ideas. One, part of the rebranding of the BT Phone Book products, is a beta site called btexchanges.com, where search enquiries can be combined with messaging and mapping services.

The other, BT Tradespace, is a social network for small traders that will endeavour to match potential customers to traders via reputation and feedback tools.

- www.bttradespace.com / www.btexchanges.com.