- Published: 09 November 2010
- Written by NStinchcombe
Full results available at www.isaca.org/online-shopping-risks
According to a pan-European survey conducted among members of global association ISACA, nearly 40% of business and IT leaders believe that employees at their organisations will spend more time shopping online during the upcoming holiday season using work computers and mobile devices than they did a year ago, negatively impacting productivity and creating increased security risks. Sixty-three percent of respondents predict that employees will spend 3 hours or more shopping online during company time over the next two months and a quarter of respondents believe employees will shop for a total of more than a full work day—9 hours or more.
According to the European edition of Shopping on the Job: ISACA’s Online Holiday Shopping and Workplace Internet Safety Survey, the impact on a company’s bottom line can be substantial, as 48% of business and IT leaders predict their organisations will lose over 700 Euros (US $1,000) per employee as a result of employees shopping online during work hours (this could cost 7 million Euros for an enterprise with 10,000 employees who shop online at work). Sixteen percent predict that the cost could be as high as 10,000 Euros (US $15,000) per employee.
Business and IT leaders from 30 European countries, including the UK, France, Germany, Italy and Spain, identified the following activities related to online shopping as high risk:
- Clicking on links in e-mail messages from unknown senders to access online shopping sites (42%)
- Accessing social networking sites for personal use from work-supplied computers or smart phones (32%)
- Using mobile shopping applications on work-supplied devices (30%)
- Downloading personal files, including music (56%)
- Losing a work-supplied computer or smart phone—ranked the biggest risk of all (68%)
“When workers use equipment provided by their employers for personal purposes, such as shopping online for holiday items, not only is productivity reduced, but computers are also exposed to malware, phishing and other attacks that potentially compromise data. It is surprising that 57% of organisations do not even try to restrict the use of work e-mail addresses for personal online shopping or other online non-work-related activities,” said Paul Williams, chair of ISACA’s Strategic Advisory Council and IT governance adviser to Protiviti.
But it is not all bad news. As the use of mobile devices such as smart phones, laptops, tablets and netbooks increases, many organisations are improving security, with 73% of European organisations now having a security policy that covers mobile devices and 48% regularly educating employees about securing their work-related and/or personal mobile devices for enterprise use.
European organisations are choosing to restrict online shopping using work-issued computers, rather than prohibiting it. The emphasis is on safe usage rather than an outright ban. According to respondents, 14% of their organisations limit personal use to non-working hours, such as before or after work or during lunch, and 31% prevent access to certain sites. Only 9% do not allow online shopping at all. However, nearly a quarter of organisations (24%) prohibit their employees from accessing social networking sites for personal use. Nine percent limit social networking sites to non-working hours, and 28% prevent access to certain sites.
The most frequently cited measures taken to limit or minimise the risks associated with personal use of a work computer were putting technology in place to protect against web-based attacks (79%), conducting training on the security policy (56%) and monitoring employee usage of the web (50%).
“The number of portable computers and mobile devices in the workplace is increasing, so companies need to create realistic security policies that let employees stay mobile without compromising the company’s intellectual property. To balance productivity and security, the IT mantra should be embrace and educate,” said Mark Lobel, CISA, CISM, CISSP, mobile security project leader with ISACA and a principal at PricewaterhouseCoopers.
ISACA’s Tips for Safe Shopping From Work Computers or Mobile Devices
For employees/online shoppers:
- Do not click on an e-mail or web link that is from an unfamiliar sender or looks too good to be true.
- Be very careful with the company information on your notebook, tablet or smart phone (for example, use a privacy screen shield on mobile devices).
- Password-protect your mobile device and its memory card.
- Make sure that the security tools and processes protecting your work-supplied mobile devices are kept up to date. If unsure, ask IT.
For the IT department:
- Team up with human resources to adopt an “embrace and educate” approach. Promote awareness of the security policy.
- Encrypt data on devices.
- Use secure browsing technology.
- Take advantage of industry-leading practices and governance frameworks such as the Business Model for Information Security (BMIS).
Full results of the survey are available at www.isaca.org/online-shopping-risks.
About the ISACA Shopping on the Job Survey
The third annual “Shopping on the Job: ISACA’s Online Holiday Shopping and Workplace Internet Safety” survey is based on online polling conducted between 27 September and 10 October 2010 of 2,853 US consumers by M/A/R/C Research, with a margin of error of 3.9 percent at the 95 percent confidence level. A separate, but related, online survey was conducted by ISACA between 27 September and 4 October 2010 among 3,307 ISACA members in North America, Central/South America, Europe, Asia and Oceania. European findings are based on responses from 834 ISACA members from 30 countries. The study is designed to capture insights about online holiday shopping using work-supplied computers and devices, and employee compliance with online shopping policies in the workplace. Full survey results are available at www.isaca.org/online-shopping-risks.
About ISACA
With 95,000 constituents in 160 countries, ISACA® (www.isaca.org) is a leading global provider of knowledge, certifications, community, advocacy and education on information systems (IS) assurance and security, enterprise governance and management of IT, and IT-related risk and compliance. Founded in 1969, the nonprofit, independent ISACA hosts international conferences, publishes the ISACA® Journal, and develops international IS auditing and control standards, which help its constituents ensure trust in, and value from, information systems. It also advances and attests IT skills and knowledge through the globally respected Certified Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) designations.
ISACA continually updates COBIT®, which helps IT professionals and enterprise leaders fulfill their IT governance and management responsibilities, particularly in the areas of assurance, security, risk and control, and deliver value to the business.
Follow ISACA on Twitter: http://twitter.com/ISACANews