Employees plan to spend less time shopping online from a work-supplied computer this holiday season than they did a year ago, but more of them are engaging in risky behaviour. That is according to IT security body ISACA’s annual “Shopping on the Job: ISACA’s Online Holiday Shopping and Workplace Internet Safety Survey”, which includes responses from 365 workers in the UK and 638 workers in the US.
Employees are expecting to spend an average of six hours shopping from a work computer or mobile device, with a quarter planning to spend nine hours or more (20pc USA and 33pc UK). But there is an increase this year in the number of employees who take risky actions online, such as clicking on an e-mail link or providing their work e-mail address when shopping online, and 45pc report accessing social network sites from their work-supplied computer or mobile device (42pc USA and 49pc UK).
“Employees who shop online not only reduce productivity—especially in late November to mid December, when 71% in the US and 65pc in the UK make their purchases—but also open the door to social engineering and phishing attacks, malware, and information breaches that can cost companies thousands per employee to correct, millions in compromised corporate data, and severe damage to their reputation,” said John Pironti, CISA, CISM, CGEIT, CRISC, CISSP, advisor with ISACA and president of IP Architects, LLC.
Shopping on company-issued devices
This year’s survey also found that almost half (47pc in the US and 49pc in the UK) of those who will be shopping online with company devices will do so using an employer-issued portable device, such as a notebook computer, tablet or smart phone. This increases a company’s security risk because these devices are often used on wireless networks outside of a protected corporate network. They also are more easily lost or stolen, and contain corporate data that are typically not encrypted.
“The number of portable computers and mobile devices in the workplace is only going to increase, so companies need to create a realistic security policy that lets employees stay mobile without compromising the company’s intellectual property. The IT mantra should be ‘embrace and educate’ to balance productivity and security,” said Mark Lobel, CISA, CISM, CISSP, mobile security project leader with ISACA and a principal at PricewaterhouseCoopers.
Employees say the top three reasons for shopping at work are that it is a convenient use of lunch/break time (38pc in the US and 25pc in the UK), they are working long hours and don’t have time to shop from home (17pc in the US and 26pc in the UK) and they are bored at work (11pc in the US and 5pc in the UK). Security is not a major worry for survey participants, with only 3pc in both the US and UK citing “better security” on their work computer as a reason for shopping online using a work computer, and just under two-thirds reporting that they do not use secure browsing technology on work-supplied devices. Forty-one percent in the US and half in the UK assume that their IT department keeps them up to date on security patches.
This attitude is especially common among digital natives, the generation that has grown up with the Internet. Young adults (ages 18-34) in the survey are less likely to use secure browsing technology. They also are the most likely to shop online at work and have the highest laptop use among all age groups.
“Digital natives are comfortable with blurring the lines between work and play, which poses new and interesting management challenges for their employers,” noted Robert Stroud, CGEIT, international vice president of ISACA and service management and governance evangelist at CA Technologies. “This generation is happy to use their own tablet computer at work or a work-supplied smart phone for shopping or updating Facebook, so they need a new kind of IT security policy—one that balances access and control.”
Shopping on the job
A separate global survey of 834 business and information technology (IT) professionals who are members of ISACA, conducted during the same time period, shows that a third of European respondents believe their organisation loses £3,000 or more per employee as a result of an employee shopping online during work hours in November and December.
For mobile devices, an overwhelming majority (68pc) ranked the risk of using a mobile shopping application on a work-supplied device as high or moderate. Despite that, 51pc allow employees to use work-supplied mobile devices for personal use and 37pc let employees use their own mobile devices for work.
For more information on managing risky online behaviors in the workplace, download ISACA’s new free white paper, E-Commerce and Consumer Retailing: Risks and Benefits, at http://www.isaca.org/online-shopping-risks
For employees/online shoppers:
Do not click on an e-mail or web link that is from an unfamiliar sender or looks too good to be true.
Be very careful with the company information on your notebook, tablet or smart phone (for example, use a privacy screen shield on mobile devices).
Password-protect your mobile device and its memory card.
Make sure that the security tools and processes protecting your work-supplied mobile devices are kept up to date. If unsure, ask IT.
For the IT department:
Team up with human resources to adopt an “embrace and educate” approach. Promote awareness of the security policy.
Encrypt data on devices.
Use secure browsing technology.
Take advantage of industry-leading practices and governance frameworks such as the Business Model for Information Security (BMIS – http://www.isaca.org/bmis).
About the ISACA survey
The third annual “Shopping on the Job: ISACA’s Online Holiday Shopping and Workplace Internet Safety Survey” is based on online polling conducted between 27 September and 10 October 2010 of 2,853 US consumers by M/A/R/C Research, with a margin of error of 3.9 percent at the 95 percent confidence level. The UK edition was conducted by Eskenzi PR and based on a survey of 365 consumers. A separate, but related, online survey was conducted by ISACA between 27 September and 4 October 2010 among 3,307 ISACA members in North America, Central/South America, Europe, Asia and Oceania. European findings are based on responses from 834 ISACA members. The study is designed to capture insights about online holiday shopping using work-supplied computers and devices, and employee compliance with online shopping policies in the workplace.