'Tis the season to be shopping online, at work

Employees plan to spend 14.4 hours shopping online from work computers during the year-end festivities, highlighting the need to keep systems secure, study finds.
Written by Kevin Kwang, Contributor

With the year-end holiday season beckoning, employees are already planning to spend nearly two working days on their workstations Internet-trawling for gifts, according to a new survey released Wednesday.

Commissioned by the Information Systems Audit and Control Association (ISACA), the annual study revealed that half of the respondents polled planned to shop online at work during this holiday season, spending an average of 14.4 hours. In addition, one in 10 respondents indicated plans to spend at least 30 hours combing the Web for holiday gifts.

ISACA is a nonprofit global body focusing on IT governance and certification, and has a membership of some 86,000 IT professionals. This second instalment of the online survey, titled Shopping on the Job: Online Holiday Shopping and Workplace Internet Safety, was conducted in September and polled 1,210 U.S. consumers and 1,513 ISACA members across nine countries.

Some 34 percent of respondents said they planned to shop online during office hours out of convenience, while 23 percent said they would do so out of boredom. According to ISACA, the survey findings come amid predictions the industry will experience flat or declining holiday retail sales in the current economic climate.

Productivity-wise, however, respondents acknowledged businesses could potentially incur losses as a result of employees shopping online from their workstations. One in four estimated their company would lose US$15,000 or more per employee in productivity during this holiday season. Respondents in Hong Kong, though, were more upbeat in their predictions, with 6 percent expecting such losses while the majority (40 percent) said their company would lose only US$1,000 in productivity.

But there are other downsides to employees' use of work computers to shop online, such as the risk of viruses, spam and phishing attacks penetrating the company's IT infrastructure. This could potentially cost businesses thousands of dollars per employee in lost productivity, due to system downtime, and millions of dollars more in the loss or compromise of vital corporate information, the survey noted.

And while employees are generally aware of these risks, ISACA said there was a significant "reality gap" between the time IT professionals believe their colleagues will spend and the actual time employees plan to spend on online shopping. Citing findings from another survey, also conducted in September, which polled over 1,500 IT professionals in nine countries including Hong Kong, the association said 48 percent believed employees spent just over one work day, or nine hours, shopping online from a workstation. This perception is below the indicated average of 14.4 hours.

In Hong Kong, 52 percent believed their colleagues would spend between one and nine hours shopping. In contrast, only 19 percent accurately expected fellow workers to spend 10 to 19 hours shopping on the Internet, according to the report.

In addition, only 44 percent of Hong Kong IT professionals polled said their organization had in place a security policy that addresses online shopping at work, while 39 percent replied positively when asked whether their company provides any training in this area.

Educating workforce on IT security
Vincent Chang, ISACA's president of China Hong Kong chapter, said in the report: "This survey…highlights significant trends and risks that are ever-present in this region. As the economic downturn has affected companies' IT budget and their ability to cope with loss as a result of these IT risks, businesses need to be even more vigilant than ever in seeking better IT control and protection."

Paul Williams, a member of ISACA's Governance Advisory Council, added that the findings underscored an "important opportunity for IT [to address] the reality gap between the IT department's perceptions and the online shopping behaviors of the rest of the company".

"By educating employees and communicating common-sense online policies, IT can better protect one of the most critical assets a company has--its IT systems," said Williams.

To reduce these IT risks, ISACA suggested five tips for both employees and IT administrators to maintain system security even when people shop online using their work computers.

For employees:

  • Use your desktop PC, not your mobile device, to shop because your desktop browser is likely to be more secure.
  • Protect sensitive information, such as credit card numbers, by password-protecting both your mobile device and its memory card.
  • Update your antivirus and antimalware programs regularly.
  • Treat social networking sites with the same caution as other Web sites. Be mindful that social networking sites are a growing target for fraudsters and virus writers.
  • Be cautious of special offers. If it looks too good to be true, it probably is. Fake online offers and coupons may lead to harmful sites.

For IT departments:

  • Educate employees. Blocking sites can do more harm than good, causing employees to seek out less secure ways to circumvent the filters. Education works better.
  • Get employees on board by teaching them how to protect both their work computers and home computers.
  • Reinforce what you teach by having employees sign an acceptable-use policy every year.
  • Offer a "safe zone" for holiday shopping, for example, by creating an online sandbox that can be taken down after the holidays.
  • Don't wait until Cyber Monday to step up security. Think of "Cyber Season" as the time from September to January and be extra-diligent throughout that time.

The ISACA report also noted a large proportion of organizations in the nine countries polled were limiting or prohibiting employees from accessing social networking sites, such as Facebook and Twitter. Mexico and India led the way, at 71 percent, while Hong Kong (at 48 percent) and France (at 42 percent) appeared more flexible with their policies on limiting or blocking social networks access.
