
Risk | Commentary
11/25/2009 11:15 AM
Keith Ferrell

Cyber Monday Security Risks Are All Business

Why Cyber Monday for the online shopping surge? Because for many, Monday's the first working day after Thanksgiving. Which means they can do their online shopping on business time, on the business dime, using business machines over business connections. You may not be able -- or want -- to do anything about the productivity drop, but at least you can tell your people to shop safely.

According to IT governance organization ISACA, employees plan to spend two full working days shopping from work this year, with one in ten admitting to planning on 30 full hours of online shopping while on the job.

Meanwhile, the organizations behind Cyber Monday, the National Retail Federation (NRF) and its online arm, Shop.org, are actually making the case (or trying to) that employees doing their online shopping during work hours (and over work networks) is a good thing.

Based on findings in a retailer and consumer survey conducted by BIGResearch, the NRF proclaims that:

53.5 percent of workers with Internet access will shop online while at work.

That's 68.8 million employees, some of them no doubt yours.

But don't worry, this is a plus, as the NRF press release makes clear:

'Although employers may cringe at the thought of their workers browsing or buying gifts online at work, there is a potential bright side,' said Phil Rist, Executive Vice President, Strategic Initiatives, BIGresearch. 'Employees who spend ten minutes at the office completing their holiday shopping online are likely to be much more efficient than those who use extended lunch breaks waiting in line at the store and fighting holiday traffic on the way back to work.'

Now that's what I call spin.

I wonder sometimes -- pretty much always, actually -- if the issuers of statements such as this are as sanguine about employees in their workplace spending business time doing non-business business online as they are about everybody else's staffs.

But this is no place or time to be Ebenezer Scrooge, nor is that my intent or, frankly, my nature.

It's just that a) online shopping -- and other non-work online activities such as social networking -- consumes a lot more than ten minutes here and there (see the ISACA figures above), and b) every online activity, business or not, is inherently risky in today's threat environment. If your employees are going to be shopping from work, they had better be armed with some basic knowledge and protections as well as credit cards and wish lists.

Shop.org knows this too, at least, and has partnered with security company AVG to put together a list of online shopping security tips, including the importance of shopping only at secure sites (HTTPS, with a valid certificate) and of doing so with newly created strong passwords -- a unique password for each log-in and account. Basic stuff, but better than nothing.

More to the business point, network monitoring company GFI is making the (not entirely sales-serving) point that small and midsized businesses just aren't monitoring what their employees are doing online.

According to GFI, only a third or so of SMBs monitor employee usage and browsing at all, leaving those businesses exposed to threats as well as lost productivity.

GFI recommends 24/7 monitoring, of course, but also advocates strongly for investing company IT energy and time in actually educating employees in both security and company policy, and doing so frankly if not bluntly, as a recent statement made clear:

"SMBs need to approach security without allowing emotions and friendship to interfere. Every employee, including the CEO, is a security risk. Employees need to understand that controls are there for good reason and not because the company doesn't trust them. The IT manager is employed to ensure the network is as secure as possible; and if that means stepping on people's toes, so be it."

What I particularly like about GFI's approach is the company's recognition that shopping -- and a certain amount of surfing -- is not only likely but can be turned into a (fairly) cost-free benefit. GFI states:

"With proper measures in place, there is no harm in allowing employees to shop online during the lunch break -- so long as you know what's happening."

That's lunch break, not coffee break, not "just for a minute break", not anything else break.
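"So long as you know what's happening" means someone has to actually look at the proxy logs. The following is an added example, not code from the article, from GFI or from Shop.org/AVG: it reads Squid-style native access-log lines, picks out hits to a (hypothetical) list of shopping domains, flags any that fall outside a designated lunch window, and separately flags shopping traffic sent over plain HTTP rather than HTTPS (the "shop only at secure sites" tip above). The domains, the log lines and the 12:00-13:00 UTC window are all constructed for the example.

```python
"""Audit proxy logs for shopping traffic outside the permitted lunch window
and for shopping traffic that is not going over HTTPS.

Assumptions (not from the article): Squid "native" access.log format,
hypothetical shopping domains, and a policy window expressed in UTC.
"""
import re
from datetime import datetime, time, timezone

# Squid native log: "ts elapsed client result/code bytes method url ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+(?P<result>\S+)\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)

# Hypothetical domains the policy treats as "shopping"; subdomains match too.
SHOPPING_DOMAINS = {"shop.example.com", "deals.example.net"}

# Policy: shopping is allowed only during lunch (office local time; UTC here).
LUNCH_WINDOW = (time(12, 0), time(13, 0))

# Constructed sample log lines (2009-11-25, UTC). Not real traffic.
SAMPLE_LOG = [
    "1259150700.123    245 10.0.0.12 TCP_TUNNEL/200 3000 CONNECT shop.example.com:443 - HIER_DIRECT/203.0.113.5 -",
    "1259152200.456    120 10.0.0.12 TCP_MISS/200 5120 GET http://shop.example.com/cart - HIER_DIRECT/203.0.113.5 text/html",
    "1259161800.789     90 10.0.0.45 TCP_TUNNEL/200 2800 CONNECT deals.example.net:443 - HIER_DIRECT/203.0.113.9 -",
    "1259140500.001     15 10.0.0.45 TCP_HIT/200 900 GET http://www.intranet.example/ - HIER_NONE/- text/html",
    "1259161860.321    200 10.0.0.45 TCP_MISS/200 7000 GET http://www.deals.example.net/sale - HIER_DIRECT/203.0.113.9 text/html",
]


def host_and_scheme(method, url):
    """Return (hostname, scheme). CONNECT requests carry 'host:port' and mean TLS."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower(), "https"
    m = re.match(r"(?P<scheme>https?)://(?P<host>[^/:]+)", url)
    if not m:
        return None, None
    return m.group("host").lower(), m.group("scheme")


def is_shopping(host):
    return any(host == d or host.endswith("." + d) for d in SHOPPING_DOMAINS)


def audit(lines, window=LUNCH_WINDOW, tz=timezone.utc):
    """Return (client, host, HH:MM, reason) tuples for policy violations."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a Squid native line; skip rather than guess
        host, scheme = host_and_scheme(m["method"], m["url"])
        if not host or not is_shopping(host):
            continue
        when = datetime.fromtimestamp(float(m["ts"]), tz)
        stamp = when.strftime("%H:%M")
        if not (window[0] <= when.time() < window[1]):
            findings.append((m["client"], host, stamp, "outside-window"))
        if scheme == "http":
            findings.append((m["client"], host, stamp, "cleartext"))
    return findings


def demo():
    """Run the audit over the constructed sample log."""
    return audit(SAMPLE_LOG)


if __name__ == "__main__":
    for client, host, stamp, reason in demo():
        print(f"{stamp} {client} -> {host}: {reason}")
```

Two things worth noting in the design: a CONNECT entry tells you the destination host but nothing about the pages fetched inside the tunnel, which is all a proxy can see of HTTPS traffic without interception, so "outside-window" is judged on the host alone; and a plain `GET http://` to a shopping domain is worth flagging on its own, because that is the session in which a credit card number would cross the wire unencrypted.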

Anybody out there tried this -- letting your employees shop and (safely) surf during specifically designated and policy-enforced times during the work day?

If not, the holiday shopping season might be a good time to start.
