Survey: Organisations fail to educate employees about risks from online shopping

Rolling Meadows, IL, USA: Organisations allow employees to shop online but do not educate users about risks, exposing employees and employers alike to spam, malware, phishing and loss of productivity in the workplace. ISACA, a nonprofit association that serves more than 86,000 IT security, assurance and governance professionals globally, has carried out three simultaneous surveys (two in the US and one in the UK) to look at the latest trends in online shopping and workplace Internet safety.

The UK survey of ISACA members found that a mere 21% of respondents said their organization's employees fully understood the risks associated with shopping online from their workplace computers. More than 82% said their organisation either does not have or they are not aware of a policy that prohibits employees from shopping online. There was also an expectation that there would be more online shopping from the work place than last year with over 51% predicting an increase. Only 32% of organisations that allow online shopping educate employees about the risks. Slightly over 31% of organisations prohibit using a work e-mail for online shopping or other online non-work related activities, even though allowing the use of work e-mails can expose the organisation to greater volumes of spam. Over 40% of organisations thought they were going to lose an average of £2,000 or more in productivity per employee from online holiday shopping at work during November and December. Slightly more than one in 10 organisations had security measures in place to prevent employees from shopping online at work. The age groups that respondents felt posed the greatest threat to their organisations infrastructure were Millennials (born 1977-94).

“Shopping from the workplace looks set to continue, especially with the increased pressures inevitable in a recessionary environment. It is clear that more needs to be done to improve employee awareness of the hidden dangers of shopping online, particularly regarding clicking on links from unsolicited e-mails or making sure that a web site is safe before shopping,” said Lynn Lawton, CISA, FCA, FIIA, FBCS CITP, international president of ISACA and the IT Governance Institute. “The challenge for organisations is not only to educate workers about information security, but also to change their behaviour. For example, it is one thing to make someone aware that it is wrong to click on a link from a spam e-mail, but quite another to change their behaviour so that they do not click on these suspicious links.”

In a separate survey of 973 US consumers, ISACA found that 63% of employees plan to shop online from their work computer during November and December, but 26% do not know how to or do not bother to check whether a web site is secure. They also found that nearly half of employees (49%) had clicked on an e-mail link to go to a retailer’s web site from their workplace computer, potentially exposing their employer to Trojans or malware from infected or unscrupulous web sites. Over a fifth of all employees, 22%, had compounded the problem by clicking on a link to order goods while also using their work e-mail address as a contact address for purchases, exposing themselves to a greater risk of attack by spammers.

“It is clear that we still have a long way to go in making sure that employees think before they click on a link. There are literally millions of web sites infected with malware. If someone just clicks on a link in an e-mail, they are compromising the security of their PC and potentially the security of the whole organisation, said Paul Williams, MBCS, FCA, CITP, past international president of ISACA. “Many of the new forms of malware are designed to bypass traditional security systems, so once someone has let one in from an infected page, it can damage a lot more than just that one person’s credit rating.”

One third of workers were more concerned about the security of their personal computer than their work computer, but for younger workers aged 18-25, this figure shot up to 49% paying less attention to the security of their employer’s computer. A quarter of employees either did not check or were not sure how to check if a web site was secure before they made a purchase.

The survey of ISACA members in the US revealed similar findings to the survey of ISACA members in the UK but with a few striking differences; 21% of respondents said their organization's employees fully understood the risks associated with shopping online from their workplace computers. A total of 71% either do not think that or are unsure whether their organisation has a policy in place that prohibits employees from shopping online. There was less expectation that there would be an increase in online shopping from the work place with only 34% predicting an increase compared to last year. Only 31% of organisations that allow online shopping educate employees about the risks. Slightly over 33% of organisations prohibit using a work e-mail for online shopping or other online non-work-related activities, even though allowing this type of use of work e-mails can expose the organisation to greater volumes of spam. Over 45% of organisations thought they were going to lose an average of US $3,000 or more in productivity per employee from online holiday shopping at work during November and December. Over 16% of organisations had security measures in place to prevent employees from shopping online at work. Again the age groups that respondents felt posed the greatest threat to their organisations infrastructure were Millennials (born 1977-94).

Tips for Safer Holiday Shopping from the Office Computer

ISACA recommends that employees and IT departments take the following steps to reduce the risk of spam, viruses and inadvertent downloading of backdoor “agents” that can highjack corporate data.

For online shoppers:

1) Make sure web sites you connect to are secured with SSL, display a padlock, and possibly a green address bar if secured by an EV SSL certificate before you enter personal information.
2) Do not allow sites to save your username or password. Avoid providing your work e-mail address as your contact information.
3) Delete cookies from your computer after you are finished shopping, Instructions on how to delete cookies for in many different browsers can be found at http://www.aboutcookies.org/Default.aspx?page=2.
4) Use separate browser sessions for your holiday shopping versus your work-related browsing.
5) If it looks too good to be true, it probably is. Do not download free games, ringtones, wallpapers or animations on to your work computer.

For the IT department:

1) Train employees on safe computing just prior to the holiday shopping season and follow up with periodic reminders.
2) Tailor education programs to match the various demographics, attitudes and technology know-how of groups within the workplace.
3) Conduct formal risk and threat assessments and update your Acceptable Use Policy and security measures appropriately.
4) Make sure that patches are deployed; security functions are enabled, and firewall rules, web security gateways, anti malware, intrusion detection systems (IDS), spam and URL filters are updated regularly.
5) Monitor networks for high-volume or suspicious traffic, and respond immediately to threats. Remind employees to sound the alarm if suspicious events occur.


The ISACA UK survey was of 251 IT professionals in October 2008, the ISACA US survey was of 3,191 IT professionals in October 2008 and the US consumer survey was of 937 employees in late September 2008.

With more than 86,000 constituents in more than 160 countries, ISACA (www.isaca.org) is a recognized worldwide leader in IT governance, control, security and assurance. Founded in 1969, ISACA sponsors international conferences, publishes the Information Systems Control Journal, and develops international information systems auditing and control standards. It also administers the globally respected Certified Information Systems Auditor (CISA) designation, earned by more than 60,000 professionals since 1978; the Certified Information Security Manager (CISM) designation, earned by more than 9,000 professionals since 2002; and the new Certified in the Governance of Enterprise IT (CGEIT) designation.

Source: EskenziPR
<>