With the holidays quickly approaching, many employees are sneaking in shopping time whenever and wherever they can. A recent ISACA survey revealed that a whopping 63 percent of respondents intend to do at least part of their holiday shopping on their work computers. Unfortunately, this automatically increases the risk of threats such as spam and viruses infiltrating workplace equipment.
“This is something we’ve seen steadily increasing over the past 10 years,” said Kent Anderson, managing director of Encurve LLC, an information security consulting company. “As people become more familiar with [the Web], [and] as traffic and gas prices go up, there’s the draw to shop online — and most people do that from work.”
However, employers must understand the dangers of employees’ online shopping activities.
“One that would concern me as a security professional is the use of e-mail to receive information to do credit transactions,” Anderson said. “It’s opening up the corporation to unwanted e-mail coming in, [as well as] malicious software coming in through phishing exercises.”
The risk might be mitigated if employees stick with trusted brand names, Anderson added. However, given the current economic climate, many employees undoubtedly will be hunting for bargains, which could lead them to unreliable Web sites.
Then there are the intangible costs associated with online shopping. A related survey of ISACA members found that, at almost half of the organizations surveyed, online holiday shopping cost about $3,000 in lost productivity per employee.
“Let’s say you have an organization of 1,000 employees,” Anderson said. “If 60 percent of them are shopping online and it’s costing you $3,000 a piece, that can have a fairly big impact. In larger organizations, it could be 100,000 employees.”
Organizations would benefit from performing threat and risk assessments, Anderson explained. “Companies need to understand what the risk is to their particular organization — not just common wisdom or urban legend,” he said.
Once they understand the specific threats and risks, employers can use the information to develop and justify their security investments. Subsequently, they can define acceptable user behaviors by creating formal policies and procedures for employees. After these are in place, they can identify the best technical tools to implement them.
“Unfortunately in the business, people usually do that backwards,” Anderson said.
Other surveys have revealed that it is not uncommon for employees at every level, including IT staff and even security professionals specifically, to be unaware of their companies’ security risks and policies.
The security awareness programs of most big companies typically consist of an occasional e-mail outlining procedures, or perhaps a brown-bag lunch with an expert, Anderson explained.
But these efforts are nothing without an explanation of the bigger picture, Anderson said.
“People don’t necessarily need to know what to do; they need to understand why they should be doing it,” he said. “You can give people lists of rules forever, but to motivate them is to [have them] understand why it’s important to the company.”
– Deanna Hartley