Holiday shopping exposes US BYOD users to online privacy, security risks

A survey by ISACA has found that workers who take advantage of the bring-your-own-device (BYOD) phenomenon are the most worrisome group: that segment expects to spend an average of 12 hours shopping for holiday gifts from those devices.

“Companies that embrace BYOD should implement security awareness training,” said Robert Stroud, ISACA Strategic Advisory Council member and vice president at CA Technologies. “ISACA recommends an embrace-and-educate approach as the best way of getting the benefits of BYOD while mitigating the associated risks.”

Those shopping online with work-issued devices estimate that they will use them for about nine hours in pursuit of e-commerce and m-commerce deals.

The problem, of course, is that while the report found that 90% of US consumers who use a computer, tablet PC or smartphone for work activities feel their online privacy is threatened, many persist with actions and attitudes that put their privacy and security at risk – like giving up personal information.

“The 2012 IT Risk/Reward Barometer shows a significant gap between what people believe and how they act,” said John Pironti, advisor with ISACA and president of IP Architects LLC. “Despite considerable concern about their online privacy and security, consumers are simply not willing to give up behaviors that IT departments find to be high-risk. Enterprises need to balance employee reward and IT risk when it comes to mobile connectivity.”

For instance, to get a 50% discount on a $100 item, 58% of respondents said that they would reveal their email address, 22% would reveal the name of the street they grew up on and 15% would reveal their mother’s maiden name. While each seems harmless, they are pieces of a personal puzzle that can be exploited by criminals in tailored (and therefore more effective) attacks.

"As people share more intimate details about themselves online, they are more likely to be victims of targeted fraud and social engineering attacks," added Pironti.

While more than half of respondents (53%) said that they feel that sharing information online has become riskier over the past year, that hasn’t stopped the risky behaviors. A full 65% do not verify the security settings of online shopping sites, for instance.

ISACA said that enterprises will lose $15,000 or more in productivity as a result of an employee shopping online during work hours, but for companies there are big cybersecurity risks too. The study found that 36% have clicked on a link on a social media site from their work device – a clear and known vector for malware infection. Worse, 19% have used their work email address for personal online shopping or other non-work activities, and 12% stored work passwords on their personal device. Linking work emails with personal credentials can give hackers another database to cross-reference when trying to get into corporate accounts.

Meanwhile, ironically, employees mistrust corporations more than they do fellow internet users. When asked to select the greatest threats to their online privacy, respondents chose a company’s misuse of personal information they supplied online to purchase or download an item (26%); inadequate privacy policies on social networking sites (13%); and a company’s use of cookies to track their web activities (10%).
