Employees who use mobile devices to shop online risk infection "bridge"

According to a survey of 638 US workers conducted by ISACA, employees are planning to spend less time shopping online at work using work-supplied devices during the 2010 holiday season, but at the same time they are engaging in riskier behaviors, such as using less secure personal mobile devices to shop online at work.

When employees use their personal mobile devices to shop online and then link their devices into the corporate network, they create a “bridge” for infections to attack the network from the mobile device, explained Pironti. “When they sync their devices to the corporate network, there is the opportunity for infection from viruses, trojans, and other malware”, he warned.

To lessen the risks to companies, Pironti recommends that they develop security policies that include employees’ personal mobile devices. He acknowledges that it is difficult for companies to strictly enforce policies on personal devices.

“The best thing for corporations to do is to follow the ‘embrace but educate’ conversation. We are not going to stop employees from using these devices…but what is better is to educate the users about the security challenges online, the different types of websites where trojans and viruses tend to lurk, and the different ways that hackers and adversaries are doing things”, he said.

According to the ISACA survey, employees expect to spend less time shopping from a work computer or mobile device, 6 hours on average this year as opposed to 14 hours in 2009. However, around 29% of US employees plan to spend 9 hours or more shopping this year. Forty-two percent plan to access social networking sites from their work-supplied computer or mobile device, according to the survey.

The top three reasons for employees to shop at work are that it is a convenient use of lunch/break time (38% of US employees), they are working long hours and do not have time to shop from home (17%), and they are bored at work (11%).

Security is not a major concern of survey participants, with only 3% in the US citing “better security” at work as a reason for shopping online using a work computer, and just under two-thirds reporting that they do not use secure browsing technology on work-supplied devices. Forty-one percent in the US assume that their IT department keeps them up to date on security patches.

A separate global survey of 834 business and IT professionals who are members of ISACA showed that two-thirds of US respondents believe their organization loses $1000 or more per employee as a result of shopping online during work hours in November and December. Approximately one-third of respondents put the number at $15,000 or higher.

ISACA offered a number of steps employees can take to reduce the risks of shopping online: do not click on an e-mail or web link that is from an unfamiliar sender or looks too good to be true; be very careful with company information on a personal notebook, tablet, or smart phone; password-protect a personal mobile device and its memory card; and make sure that the security tools and processes protecting mobile devices are kept up to date.

For the IT department, ISACA recommends: teaming up with human resources to adopt an embrace but educate approach; promoting awareness of the security policy; encrypting data on devices; using secure browsing technology; and taking advantage of industry-leading practices and governance frameworks such as the Business Model for Information Security.
