Online shopping at work can impact enterprise security, according to the Information Systems Audit and Control Association. Organizations have to educate employees to shop safely to protect their networks.
As the holiday shopping season
approaches, IT managers are concerned about employees shopping online using
their personal devices while at work, according to a new survey.
More than half the time spent shopping
will be done using either work computers or personal devices on corporate
networks, which would pose significant risks to the network and sensitive data,
Information Systems Audit and Control Association (ISACA) said in a report
released Nov. 1. The fourth annual "Shopping on the Job" survey examined
the kind of risks facing enterprises as a result of employees' online behavior.
The growing "bring your own
device" trend means organizations face a bigger risk with employees using
personal devices for both shopping and work, according to ISACA. The average
American will spend 32 hours shopping online this holiday season, a 15-point
increase from the previous year, ISACA found in a poll of 1,224 employees in
the United States.
About a third of that time, or 11
hours, will be spent on a personal smartphone or tablet that the employee also
uses to access corporate resources and data, such as email. Employees are also
likely to conduct their holiday shopping on work-supplied devices, according to
"For the fourth year in a row, ISACA's
online holiday shopping survey shows that employees are unwittingly risking the
introduction of viruses, malware and phishing scams into the workplace,"
said Ken Wander Wal, the international president for ISACA and the IT
About 13 percent of users admitted to
clicking on links in emails from people they do not know, and 34 percent have
clicked on links on social media sites. Use of mobile applications has nearly
tripled since last year's survey, and 29 percent of users said they click on
daily deal sites such as Groupon. The survey also found that 7 percent of the
responders regularly scan quick response (QR) codes.
"Personally owned PCs or mobile
devices that are also used for work purposes are usually more difficult to
secure than work-issued devices and are often used for higher-risk online
activities," Vander Wal wrote on the ISACA Now blog.
Approximately 16 percent of survey respondents
said their organization does not have a policy prohibiting or limiting personal
activities while at work, and 20 percent don't know if there is such a policy.
ISACA said IT networks may be most
vulnerable the three weeks after Thanksgiving. The majority of shoppers, about
38 percent, said the first few weeks of December are their primary shopping
times, followed by 28 percent who shop between September and November.
A parallel poll of 4,700 ISACA members
found that enterprises in Europe, North America and Oceania tend to allow
employees to use corporate-issued computers for personal purposes, while
enterprises in Asia, Latin America and Africa generally restrict the practice.
"The solution is not as obvious as
banning personal devices at work or forbidding the use of work IT assets
outside of the office," Vander Wal wrote.
Employees are increasingly aware that their
online shopping behavior may affect their organization's IT network, as only 11
percent thought there is no risk, a sharp decline from 2010. However, users
appear to be more concerned about potential threats to their personal devices,
ISACA found. Nearly a third, or 30 percent, of the respondents are more
concerned with protecting their personal smartphone or computer than their
work-supplied devices, and 28 percent assume the IT department is handling
security for the work devices.