And yet this year--the first in which we asked respondents about social media--only 23 percent said their security efforts now include provisions to defend Web 2.0 technologies and control what can be posted on social networking sites. One positive sign: Every year, more companies dedicate staff to monitoring how employees use online assets--57 percent this year compared to 50 percent last year and 40 percent in 2006. Thirty-six percent of respondents monitor what employees are posting to external blogs and social networking sites.
To prevent sensitive information from escaping, 65 percent of companies use Web content filters to keep data behind the firewall, and 62 percent make sure they are using the most secure version of whichever browser they choose. Forty percent said that when they evaluate security products, support and compatibility for Web 2.0 is essential.
Unfortunately, social networking insecurity isn't something one can fix with just technology, says Mark Lobel, a partner in the security practice at PricewaterhouseCoopers.
"The problems are cultural, not technological. How do you educate people to use these sites intelligently?" he asks. "Historically, security people have come up from the tech path, not the sociologist path. So we have a long way to go in finding the right security balance."
Guy Pace, security administrator with the Washington State Board for Community and Technical Colleges, says his organization takes many of the precautions described above. But he agrees with Lobel that the true battleground is one of office culture, not technology. "The most effective mitigation here is user education and creative, effective security awareness programs," he says.
Jumping into the Cloud, Sans Parachute
Given the expense of maintaining a physical IT infrastructure, the thought of replacing server rooms and haphazardly configured appliances with cloud services is simply too hard for many companies to resist. But rushing into the cloud without a security strategy is a recipe for risk.
According to the survey, 43 percent of respondents are using cloud services such as software as a service or infrastructure as a service. Even more are investing in the virtualization technology that helps to enable cloud computing. Sixty-seven percent of respondents say they now use server, storage and other forms of IT asset virtualization. Among them, 48 percent actually believe their information security has improved, while 42 percent say their security is at about the same level. Only 10 percent say virtualization has created more security holes.
Fears about vendors dominate cloud security risks.