Online Christmas Shoppers Are An Enterprise Risk

Employees doing their gift shopping at work are set to create security issues for companies this Christmas

As the holiday shopping season approaches, IT managers are concerned about employees shopping online using their personal devices while at work, according to a new survey.

More than half the time spent shopping will be done using either work computers or personal devices on corporate networks, which would pose significant risks to the network and sensitive data, Information Systems Audit and Control Association (ISACA) said in a report released on 1 November. The fourth annual “Shopping on the Job” survey examined the kind of risks facing enterprises as a result of employees’ online behaviour.

Online shopping increase

The growing “bring your own device” trend means organisations face a bigger risk with employees using personal devices for both shopping and work, according to ISACA. The average American will spend 32 hours shopping online this holiday season, a 15-point increase from the previous year, ISACA found in a poll of 1,224 employees in the United States.

About a third of that time, or 11 hours, will be spent on a personal smartphone or tablet that the employee also uses to access corporate resources and data, such as email. Employees are also likely to conduct their holiday shopping on work-supplied devices, according to the poll.

“For the fourth year in a row, ISACA’s online holiday shopping survey shows that employees are unwittingly risking the introduction of viruses, malware and phishing scams into the workplace,” said Ken Wander Wal, the international president for ISACA and the IT Governance Institute.

About 13 percent of users admitted to clicking on links in emails from people they do not know, and 34 percent have clicked on links on social media sites. Use of mobile applications has nearly tripled since last year’s survey, and 29 percent of users said they click on daily deal sites such as Groupon. The survey also found that 7 percent of the responders regularly scan quick response (QR) codes.

“Personally owned PCs or mobile devices that are also used for work purposes are usually more difficult to secure than work-issued devices and are often used for higher-risk online activities,” Vander Wal wrote on the ISACA Now blog.

Approximately 16 percent of survey respondents said their organisation does not have a policy prohibiting or limiting personal activities while at work, and 20 percent don’t know if there is such a policy.

Vulnerability window

ISACA said IT networks may be most vulnerable during the three weeks after Thanksgiving, on 24 November. The majority of shoppers, about 38 percent, said the first few weeks of December are their primary shopping times, followed by 28 percent who shop between September and November.

A parallel poll of 4,700 ISACA members found that enterprises in Europe, North America and Oceania tend to allow employees to use corporate-issued computers for personal purposes, while enterprises in Asia, Latin America and Africa generally restrict the practice.

“The solution is not as obvious as banning personal devices at work or forbidding the use of work IT assets outside of the office,” Vander Wal wrote.

Employees are increasingly aware that their online shopping behavior may affect their organisation’s IT network, as only 11 percent thought there is no risk, a sharp decline from 2010.

However, users appear to be more concerned about potential threats to their personal devices, ISACA found. Nearly one-third, or 30 percent, of the respondents are more concerned with protecting their personal smartphone or computer than their work-supplied devices, and 28 percent assume the IT department is handling security for the work devices.