Web 2.0 presents a barely understood risk to companies embracing social networking and instant messaging technology as business tools and could force a change in corporate IT security.

Almost two-thirds (65 per cent) of US companies do nothing to block third-party collaboration tools, such as real-time communications and information sharing, according to research from Yankee Group.

Tom Rashke, senior analyst at Forrester, said 25 per cent of US CIOs in a recent survey admitted adoption of Web 2.0 tools would be a priority in 2008, even though the strategy would potentially increase potential areas of attack, increase the complexity of infrastructure and the return on investment (ROI) was not clear.

Rashke warned traditional security tools such as fire-walling did not go deep enough into rich content to determine whether it was a security risk -- either incoming as malware or outgoing as data leakage.

Essentially, what is needed is a shift in focus from securing the infrastructure, through which data moves, to the data itself, said Rashke.

Group head of information security at Standard Chartered Bank, John Meakin explained the banking industry is embracing web 2.0 tools in two ways.

Externally, banks are responding to customer demands that their interactions with their bank mirror the other interactions they are used to on the internet while internally banks are using Web 2.0 tools to communicate and collaborate across their large organisations and many business units spread around the globe.

He told ZDNet.com.au's UK sister site silicom.com: "Banks are under pressure to operate more efficiently. Web 2.0 applications help people collaborate, which as businesses, we would be foolish to look away from. At the same time, we have to be clear we are not introducing risk into the process -- our businesses are based fundamentally on trust."

Meakin noted that embracing Web 2.0 tools may mean competitive data residing outside the organisation.

He said: "Banks will have to make sure they haven't lost complete control over the integrity of their data if they use Web 2.0. One way to do this is to make sure the data is encrypted. This is a limited solution, because it doesn't take into account the way the security status of data can change. Financial reports, for instance are sensitive until the day they are announced, when they become public domain. A better approach is to make sure that even if data is accessed through something like Facebook, the data still resides within your organisation."

Meakin and Rashke were speaking at a seminar attended by financial analysts and global banks organised by security specialist Worklight.