
Cyber Monday Security Risks Are All Business

Why Cyber Monday for the online shopping surge? Because for many, Monday's the first working day after Thanksgiving. Which means they can do their online shopping on business time, on the business dime, using business machines over business connections. You may not be able -- or want -- to do anything about the productivity drop, but at least you can tell your people to shop safely.

According to IT governance organization ISACA, employees plan to spend two full working days shopping from work this year, with one in ten admitting to planning on 30 full hours of online shopping while on the job.

Meanwhile, the organizations behind Cyber Monday, the National Retail Federation (NRF) and its online arm, Shop.org, are actually making the case (or trying to) that employees doing their online shopping during work hours (and over work networks) is a good thing.

Based on findings in a retailer and consumer survey conducted by BIGResearch, the NRF proclaims that:

53.5 percent of workers with Internet access will shop online while at work.

That's 68.8 million employees, some of them no doubt yours.

But don't worry, this is a plus, as the NRF press release makes clear:

 'Although employers may cringe at the thought of their workers browsing or buying gifts online at work, there is a potential bright side,' said Phil Rist, Executive Vice President, Strategic Initiatives, BIGresearch. 'Employees who spend ten minutes at the office completing their holiday shopping online are likely to be much more efficient than those who use extended lunch breaks waiting in line at the store and fighting holiday traffic on the way back to work.' 

Now that's what I call spin.

I wonder sometimes -- pretty much always, actually -- if the issuers of statements such as this are as sanguine about employees in their workplace spending business time doing non-business business online as they are about everybody else's staffs.

But this is no place or time to be Ebenezer Scrooge, nor is that my intent or, frankly, my nature.

It's just that a) online shopping -- and other non-work online activities such as social networking -- is taking up a lot more than ten minutes here and there (see ISACA figures above), and b) every online activity, business or not, is inherently risky in today's threat environment, and if your employees are going to be shopping from work, they had better be armed with some basic knowledge and protections as well as credit cards and wish lists.

Shop.org knows this too, at least, and has partnered with security company AVG to put together a list of online shopping security tips, including the importance of shopping only at secure sites, and doing so with newly created strong passwords, a unique password for each log-in and account. Basic stuff, but better than nothing.

More to the business point, network monitoring company GFI is making the (not entirely sales-serving) point that small and midsized businesses just aren't monitoring what their employees are doing online.

According to GFI, only a third or so of SMBs monitor employee usage and browsing at all, leaving their employers vulnerable to threats as well as lost productivity.

GFI recommends 24/7 monitoring of course, but also advocates strongly for investing company IT energy and time in actually educating the employees in both security and company policy, and doing so frankly if not bluntly, as was made clear in a recent statement:

"SMBs need to approach security without allowing emotions and friendship to interfere. Every employee, including the CEO, is a security risk. Employees need to understand that controls are there for good reason and not because the company doesn't trust them. The IT manager is employed to ensure the network is as secure as possible; and if that means stepping on people's toes, so be it."

What I particularly like about GFI's approach is the company's recognition that shopping -- and a certain amount of surfing -- is not only likely but can be turned into a (fairly) cost-free benefit. GFI states:

"With proper measures in place, there is no harm in allowing employees to shop online during the lunch break -- So long as you know what's happening."

That's lunch break, not coffee break, not "just for a minute break", not anything else break.

Anybody out there tried this -- letting your employees shop and (safely) surf during specifically designated and policy-enforced times during the work day?

If not, the holiday shopping season might be a good time to start.
