Despite an economy expected to show flat or declining holiday retail sales, the second annual "Shopping on the Job: Online Holiday Shopping and Workplace Internet Safety" survey found that fully half of those surveyed plan to shop online for the holidays using a work computer. Less surprising is a growing uncertainty—the number of employees who are unsure about whether they will spend more or less time shopping online compared to a year ago has doubled.
The potential danger of shopping online is that it can open the door to viruses, spam and phishing attacks that invade the workplace and cost enterprises thousands per employee in lost productivity and potentially millions in destruction or compromise of corporate data.
Employees who shop online using a work computer are also likely to engage in other high-risk behaviors. Survey participants also bank online (51%), click on e-mail links redirecting them to shopping sites (40%) and click on links from social network sites (15%). Yet nearly one in five says they are not concerned that their online shopping habits may affect the safety of their organization's IT infrastructure.
"With the Internet now available to almost any employee in the workplace, it's unrealistic to think that companies can completely stop the use of work computers for online shopping," said Robert Stroud, international vice president of ISACA and vice president of IT service management and governance for the service management business unit at CA Inc. "What companies can and should do is educate employees about the risks of online shopping and remind them of their company's security policy. This is especially important this year, when the convenience of shopping online may be very appealing to employees whose workloads have doubled or tripled because of downsizing."
Upwardly Mobile Shopping This survey also found that more than one in 10 Americans who use a mobile work device such as a BlackBerry or iPhone plan to use it for holiday shopping. The increasing use of mobile work devices for personal business such as shopping can lead to additional security issues and exposure to data loss for a company.
"The lines between work and personal data are becoming more and more blurred as a growing number of people check work e-mail from their own phone or PDA, or use a work-supplied mobile device to shop or update their Facebook page. As our mobility increases, so does the risk to our corporate IT systems," said John Pironti, a member of ISACA's Certification Task Force and chief information risk strategist for Archer Technologies.
A significant percentage of those surveyed do not actively manage their work computer's security. Thirty percent report that they leave security up to their company's IT department. Of those who connect via a wireless connection, 30% don't or don't know how to check the security of wireless settings and just 21% personally check their work computer for the most recent security patches.
Reality Gap Between Employees and the IT Department A separate ISACA survey of more than 1,500 IT professionals, who are ISACA members in nine countries, conducted during the same time period shows a major gap between what the IT department believes and what the employees are planning when it comes to online holiday shopping. Close to half (48%) of those in IT believe employees will spend just over one work day, or nine hours, shopping online from a work computer—yet ISACA's consumer survey shows that employees will average closer to two work days, or 14.4 hours.
IT professionals are realistic about the potentially staggering costs of shopping online for the holidays from workplace computers. One in four estimates that their company will lose US $15,000 or more per employee in productivity during this year's holiday season.
"The reality gap between the IT department's perceptions and the online shopping behaviors of the rest of the company actually represents an important opportunity for IT," said Paul Williams, a member of ISACA's Governance Advisory Council and a past president of the association. "By educating employees and communicating common-sense online policies, IT can better protect one of the most critical assets a company has—its IT systems."