Dark Reading is part of the Informa Tech Division of Informa PLC



11:15 AM
Keith Ferrell

Cyber Monday Security Risks Are All Business

Why Cyber Monday for the online shopping surge? Because for many, Monday's the first working day after Thanksgiving. Which means they can do their online shopping on business time, on the business dime, using business machines over business connections. You may not be able -- or want -- to do anything about the productivity drop, but at least you can tell your people to shop safely.

According to IT governance organization ISACA, employees plan to spend two full working days shopping from work this year, with one in ten admitting to planning on 30 full hours of online shopping while on the job.

Meanwhile, the organizations behind Cyber Monday, the National Retail Federation (NRF) and its online arm, Shop.org, are actually making the case (or trying to) that employees doing their online shopping during work hours (and over work networks) is a good thing.

Based on findings in a retailer and consumer survey conducted by BIGResearch, the NRF proclaims that:

53.5 percent of workers with Internet access will shop online while at work.

That's 68.8 million employees, some of them no doubt yours.

But don't worry, this is a plus, as the NRF press release makes clear:

'Although employers may cringe at the thought of their workers browsing or buying gifts online at work, there is a potential bright side,' said Phil Rist, Executive Vice President, Strategic Initiatives, BIGresearch. 'Employees who spend ten minutes at the office completing their holiday shopping online are likely to be much more efficient than those who use extended lunch breaks waiting in line at the store and fighting holiday traffic on the way back to work.'

Now that's what I call spin.

I wonder sometimes -- pretty much always, actually -- if the issuers of statements such as this are as sanguine about employees in their workplace spending business time doing non-business business online as they are about everybody else's staffs.

But this is no place or time to be Ebenezer Scrooge, nor is that my intent or, frankly, my nature.

It's just that a) online shopping -- and other non-work online activities such as social networking -- is taking up a lot more than ten minutes here and there (see the ISACA figures above), and b) every online activity, business or not, is inherently risky in today's threat environment, and if your employees are going to be shopping from work, they had better be armed with some basic knowledge and protections as well as credit cards and wish lists.

Shop.org knows this too, at least, and has partnered with security company AVG to put together a list of online shopping security tips, including the importance of shopping only at secure sites, and doing so with newly created strong passwords, a unique password for each log-in and account. Basic stuff, but better than nothing.

More to the business point, network monitoring company GFI is making the (not entirely sales-serving) point that small and midsized businesses just aren't monitoring what their employees are doing online.

According to GFI, only a third or so of SMBs monitor employee usage and browsing at all, leaving their employers vulnerable to threats as well as lost productivity.

GFI recommends 24/7 monitoring of course, but also advocates strongly for investing company IT energy and time in actually educating the employees in both security and company policy, and doing so frankly if not bluntly, as was made clear in a recent statement:

"SMBs need to approach security without allowing emotions and friendship to interfere. Every employee, including the CEO, is a security risk. Employees need to understand that controls are there for good reason and not because the company doesn't trust them. The IT manager is employed to ensure the network is as secure as possible; and if that means stepping on people's toes, so be it."

What I particularly like about GFI's approach is the company's recognition that shopping -- and a certain amount of surfing -- is not only likely but can be turned into a (fairly) cost-free benefit. GFI states:

"With proper measures in place, there is no harm in allowing employees to shop online during the lunch break -- so long as you know what's happening."

That's lunch break, not coffee break, not "just for a minute break", not anything else break.

Anybody out there tried this -- letting your employees shop and (safely) surf during specifically designated and policy-enforced times during the work day?

If not, the holiday shopping season might be a good time to start.
