IT professionals expect employees to shop more online at work
Shopping online for more than 3 hours this holiday season expected to pose security risks to companies.
More than half of IT professionals and managers in Hong Kong think employees in the territory will spend more time shopping online from a work-supplied computer this holiday season than they did a year ago, according to the Hong Kong edition of the third annual “Shopping on the Job: ISACA’s Online Holiday Shopping and Workplace Internet Safety Survey.”
The survey, conducted among IT professionals who are members of ISACA, shows a clear upward trend of employees using their work-supplied computers for online shopping in Hong Kong. About 53% of the respondents think employees will spend more time on online shopping during this holiday season than last year, while another 40% think employees will spend about the same amount of time compared to last year.
Hong Kong IT professionals anticipate that employees will spend more time shopping online at work than their counterparts in other areas of Asia.
More than 60% of respondents in Hong Kong think employees there will spend more than 3 hours shopping online via a work-issued device in November and December this year. Just over 30% say employees will spend 1 to 2 hours shopping online at work. This puts Hong Kong ahead of the curve in terms of the expected amount of online shopping time compared to the all-Asia results, where 41% of IT professionals surveyed across Asia think their employees will only spend 1 to 2 hours during the same period.
IT managers in Hong Kong will give employees more latitude to shop online on work computers this holiday season, while putting more sophisticated security measures in place this year. In 2010, only 13% of IT professionals plan to prohibit employees from shopping online on work computers, compared to 18% last year.
However, 29% of the IT professionals say they set limits to prevent employees from accessing certain sites to reduce the risk of security breaches. IT professionals are increasingly following an “embrace and educate” model and are implementing less restrictive approaches to improve the level of security for employees’ online shopping activities. About 64% of the respondents say they provide training on security policies to employees, compared to only 39% in 2009, while another 64% say they have technologies in place to protect against web-based attacks, an increase from 55% last year.
“Employees who shop online on work computers not only reduce productivity, but also open the door to social engineering and phishing attacks, malware and information breaches that can cost companies thousands per employee to correct, millions in compromised corporate data, and severe damage to their reputation,” said Michael Yung, president, ISACA China Hong Kong Chapter.
Among all IT managers surveyed in Hong Kong, only 33% say access to social networking sites (SNS) on work computers is prohibited, compared to Asia’s average of 37%. Nonetheless, IT managers in Hong Kong continue to get more stringent in controlling SNS access, as the number of IT managers saying they block SNS at work went up 6% since last year.
Shopping on the job costs companies
The survey also shows that almost half of the respondents believe their organization loses up to about HK$7,800 per employee as a result of an employee shopping online during work hours in November and December. Another 22% of the respondents say they will lose HK$7,800 to HK$39,000 per employee.
“The number of portable computers and mobile devices in the workplace is increasing, so companies need to create realistic security policies that let employees stay mobile without compromising the company’s intellectual property. To balance productivity and security, the IT mantra should be embrace and educate,” said Mark Lobel, CISA, CISM, CISSP, mobile security project leader with ISACA and a principal at PricewaterhouseCoopers.
ISACA Tips for Safe Shopping From Work Computers or Mobile Devices
For employees/online shoppers:
- Do not click on an e-mail or web link that is from an unfamiliar sender or looks too good to be true.
- Be very careful with the company information on your notebook, tablet or smart phone; for example, use a privacy screen shield on mobile devices.
- Password-protect your mobile device and its memory card.
- Ensure that the security tools and processes protecting your work-supplied mobile devices are kept up to date. If unsure, ask IT.
For the IT department:
- Team up with human resources to adopt an “embrace and educate” approach. Promote awareness of the security policy.
- Encrypt data on devices.
- Use secure browsing technology.
- Take advantage of industry-leading practices and governance frameworks such as BMIS.