Enterprise 2.0 fear factor: Overcoming risks, uncertainties and doubts
There are risks associated with adopting any new technology, and Enterprise 2.0 is no different. Enterprise 2.0 holds the promise of dramatically increasing business productivity, stimulating greater innovation, and creating tighter connections between employees, as well as with partners, suppliers and customers. While these technologies and other social networking softwares are facilitating knowledge sharing, accelerating team communications, fostering increased collaboration and online communities creation, many executives are recognising their value but worry about losing control of information, compromising sensitive data, opening their networks to security breaches or even exposing employees to time-killing “network noise".
Liability for potentially illegal activity involving workers, risk of malware infections, bandwidth constraints and other drop-offs in employee productivity are obvious reasons why the "open social Internet" just goes against the instincts of many Chief Information Officers.
It is also true that employees using these systems for group collaboration, usually operate outside the approved IT applications, meaning they aren't actually subject to enterprise policies governing compliance and information protection. It is obviously a challenge for any IT professional to give up control over the IT systems they depend on. As Enterprise 2.0 is decentralised and ad hoc, control is in the hands of users rather than the IT department.
Security risk - either incoming, as malware, or outgoing, as data leakage - is probably the biggest issue with Enterprise 2.0 technology since opening up your company to share information and allowing users to upload files to your system - while a laudable idea for improved collaboration- surely expose your infrastructure to related threats. An open social system makes it a challenge to maintain security.
Additionally, many managers may be concerned about the risks associated with bad publicity or confidential data disseminated due to employees potentially sharing information on blogs or other social networking sites. Lots of companies are spending large lump of money creating their message, maintaining its consistency and build a brand. Opening up the conversation means, for better or worse, that you will be losing control of that message, at least in ways it was previously defined. While there are benefits related to opening up the conversation, not all content or opinions are created equal and some may be more valuable than others. Community policing are therefore also required to provide the necessary checks and balances to potentially eliminate noise.
Some concerns could be addressed by providing tools and dashboards, giving control over these conversations as well as which employees can access and use which tools. While this could help allay IT fears, it may still be difficult for some to accept this cultural shift without some assurance that critical business systems will keep operating. The first rule of thumb for improving security protection and securing risks is considering people and process alongside with technologies including "next-generation" capabilities such as web filtering technologies, reputation services, blended threat protection and behaviour-based detection. IT professionals are highly required to think about security implications and ensure appropriate safeguards are taken as their companies adopt Enterprise 2.0 techniques. These technologies are indeed enabling information to move in new faster ways, with users being so much more involved, putting networks, employees, and customers at risk.
As businesses rush to get involved in Web 2.0, a Forrester research study recently revealed that the vast majority of organisations adopt Enterprise 2.0 technologies without even preparing to fend off the related threats and dealing with the security risks that come along with it. The report indeed found that 97 percent of companies surveyed considered themselves prepared, though 68 percent conceded there was room for improvement. Even scarier, a full 90% of surveyed IT professionals and security decision makers reported that they are at the least "very concerned" about related threats and may have made the leap into these technologies without thinking about the security consequences. The study further notes a lack of risk awareness, user training and consistent policies, making essential for organisations to re-examine the adequacy of security policies and protection mechanisms together with implementing systematic and comprehensive training to communicate the magnitude and extent of web threats to users.
Finally, as with any disruptive technology, a critical success factor resides in the fact that companies will need to assess the strategic value and implementation plans with an eye toward enterprise requirements including reliability, security, governance, compliance, and privacy. As companies dive into Enterprise 2.0, associated risks such as security, infrastructure stability, data loss or reliability, just to name a few, are increasingly important to secure. Nevertheless, in most cases, the benefits provided to enterprises considering the new social media technologies as a collaboration platform, may outweigh the risks, especially if some precautions are taken to mitigate these.
Most of what we do in an entreprise context is related to risk management. That's especially true in IT, even if IT decisions are not always (often?) handled that way. There are some risks associated with Entreprise 2.0 and web technologies, but these risks must be weighted by the benefits and the risks for not using them, otherwise a proper risk analysis is impossible. Besides that analysis should go way beyond the technology scope and must embrace each company objectives as is mentionned at the end of the article.
I'd like to emphasize the data security risk: it's often considered as a very technology-related risk (as opposed to reputation related risks for instance), to be tackled by IT. But imho that's an highly flawed point of view. Most of the data security issues are human related: forwarded email containing information that should be transfered, important spreadsheet not saved on a server and lost after a PC crash, the system engineer who can get access to the CEO emails because he's got that "magic" admin password, the sales who leaves the company with a listing of all customers, people who receive unknown emails with an attachment and open that attachment, etc, etc. I'd bet that's more than 90% of the security issues.
Two examples.
(1) You cited a Forrester study on security: well, Forrester knows a lot about security as 3 months ago their HR head had her laptop stolen, containing critical HR data all unsecured (http://www.01net.com/editorial/365749/forrester-se-fait-voler-ses-donnees/ , sorry for the article being French)
(2) A friend of mine works in an IT department in the health industry; they get all sort of security reviews and approval from various organisms as they manipulate and store sensitive medical data. They have very strict security policies, enforced by very serious security managers (or pretend to be). A couple of months ago they discovered that some IT technicians managed to install unauthorized Wifi routers in the ceiling of their highly secured 24x7datacenter, linked to an unsecured Internet access, and apparently used to play network games. And they are reluctant to Entreprise 2.0 tools: too "unsecured".
The key point is: don't be obsessed by security from a technology point of view; as far as security is concerned technology is the tree hiding the forest. Entreprise 2.0 doesn't bring new security holes; but it can highlight the holes you don't tackle. Security is all about what you don't know, by definition; so having a conservative security policy is meaningless and does not reduce risk; it hides the risks, which is worse.
Posted by: Matthieu Hug | February 27, 2008 at 11:40