ISACA warns workers will take more risks when e-shopping in the run-up to Christmas

The association, which has more than 80,000 members worldwide, says its research suggests that employees will spend six hours shopping online in the next six weeks.

The research – which centres on ISACA's annual 'Shopping on the Job: ISACA's Online Holiday Shopping and Workplace Internet Safety Survey' and draws on a poll of more than 360 workers in the UK and more than 630 employees in the US – claims that 33% of UK workers are planning to spend nine hours or more doing their online shopping.

UK staff say they may undertake risky actions online, such as clicking on an email link or providing their work email address when shopping online, and 49% report that they access social network sites from their work-supplied computer or mobile device.

Commenting on the results, John Pironti, a security advisor with ISACA and president of IP Architects, says that employees shopping online not only reduces productivity, especially in the period from late November to mid-December, when 65% in the UK make their purchases, but also opens the door to social engineering and phishing attacks, malware, and information breaches that can cost companies large sums of money.

These attacks, he adds, can cost "thousands per employee" to correct and millions in compromised corporate data, and can cause severe damage to a company's reputation.

Shopping online using company devices also increases the security risk, says ISACA, because these devices are often used on wireless networks outside of a protected corporate network.

They are also, adds the association, more easily lost or stolen, and contain corporate data that are typically not encrypted.

A separate global survey of 834 business and IT professionals who are members of ISACA has found that a third of European respondents believe their organisation loses £3000 or more per employee as a result of an employee shopping online during work hours in November and December.

To assist managers in tackling the security problem of holiday shopping using company devices, ISACA has published a free white paper, E-Commerce and Consumer Retailing: Risks and Benefits, which can be downloaded from its website.

Recommendations for IT departments include the option of teaming up with the HR department to adopt an 'embrace and educate' approach, and promoting an awareness of the firm's security policy.

IT departments, says ISACA, should also encrypt data on devices and use secure browsing technology. They should also, recommends the association, take advantage of industry-leading practices and governance frameworks such as the Business Model for Information Security (BMIS).

 

 
