ISACA Survey: Employees Will Spend Six Hours Shopping Online at Work and Take Bigger Risks This Holiday Season

  • Survey features US and UK employees' online holiday shopping plans
  • Additional results available at  

London, UK  (9th November 2010)—Employees plan to spend less time shopping online from a work-supplied computer this holiday season than they did a year ago, but more of them are engaging in risky behavior, according to ISACA’s annual “Shopping on the Job: ISACA’s Online Holiday Shopping and Workplace Internet Safety Survey”, which includes responses from 365 workers in the UK and 638 workers in the US.

Employees are expecting to spend an average of 6 hours shopping from a work computer or mobile device, with a quarter planning to spend 9 hours or more (20% USA and 33% UK). But, there is an increase this year in the number of employees who take risky actions online, such as clicking on an e-mail link or providing their work e-mail address when shopping online, and 45% report accessing social network sites from their work-supplied computer or mobile device (42% USA and 49% UK).

“Employees who shop online not only reduce productivity—especially in late November to mid December, when 71% in the US and 65% in the UK make their purchases—but also open the door to social engineering and phishing attacks, malware, and information breaches that can cost companies thousands per employee to correct, millions in compromised corporate data, and severe damage to their reputation,” said John Pironti, CISA, CISM, CGEIT, CRISC, CISSP, advisor with ISACA and president of IP Architects, LLC.

Shopping on Company-issued Mobile Devices

This year’s survey also found that almost half (47% in the US and 49% in the UK) of those who will be shopping online with company devices will do so using an employer-issued portable device, such as a notebook computer, tablet or smart phone. This increases a company’s security risk because these devices are often used on wireless networks outside of a protected corporate network. They also are more easily lost or stolen, and contain corporate data that are typically not encrypted.

“The number of portable computers and mobile devices in the workplace is only going to increase, so companies need to create a realistic security policy that lets employees stay mobile without compromising the company’s intellectual property. The IT mantra should be ‘embrace and educate’ to balance productivity and security,” said Mark Lobel, CISA, CISM, CISSP, mobile security project leader with ISACA and a principal at PricewaterhouseCoopers.

Security Not a Major Concern, Especially Among Digital Natives

Employees say the top three reasons for shopping at work are that it is a convenient use of lunch/break time (38% in the US and 25% in the UK), they are working long hours and don’t have time to shop from home (17% in the US and 26% in the UK) and they are bored at work (11% in the US and 5% in the UK). Security is not a major worry for survey participants, with only 3% in both the US and UK citing “better security” on their work computer as a reason for shopping online using a work computer, and just under two-thirds reporting that they do not use secure browsing technology on work-supplied devices. Forty-one percent in the US and 50% in the UK assume that their IT department keeps them up to date on security patches.

This attitude is especially common among digital natives, the generation that has grown up with the Internet. Young adults (ages 18-34) in the survey are less likely to use secure browsing technology. They also are the most likely to shop online at work and have the highest laptop use among all age groups.

“Digital natives are comfortable with blurring the lines between work and play, which poses new and interesting management challenges for their employers,” noted Robert Stroud, CGEIT, international vice president of ISACA and service management and governance evangelist at CA Technologies. “This generation is happy to use their own tablet computer at work or a work-supplied smart phone for shopping or updating Facebook, so they need a new kind of IT security policy—one that balances access and control.”

Shopping on the Job Costs UK Companies UK £3,000 or More per Employee

A separate global survey of 834 business and information technology (IT) professionals who are members of ISACA, conducted during the same time period, shows that that a third of European correspondents believe their organization loses £3,000 or more per employee as a result of an employee shopping online during work hours in November and December.

For mobile devices, an overwhelming majority (68%) ranked the risk of using a mobile shopping application on a work-supplied device as high or moderate. Despite that, 51% allow employees to use work-supplied mobile devices for personal use and 37% let employees use their own mobile devices for work.

For more information on managing risky online behaviors in the workplace, download ISACA’s new free white paper, E-Commerce and Consumer Retailing: Risks and Benefits, at

ISACA’s Tips for Safe Shopping From Work Computers or Mobile Devices

For employees/online shoppers:

  • Do not click on an e-mail or web link that is from an unfamiliar sender or looks too good to be true.
  • Be very careful with the company information on your notebook, tablet or smart phone (for example, use a privacy screen shield on mobile devices).
  • Password-protect your mobile device and its memory card.
  • Make sure that the security tools and processes protecting your work-supplied mobile devices are kept up to date. If unsure, ask IT.

For the IT department:

  • Team up with human resources to adopt an “embrace and educate” approach. Promote awareness of the security policy.
  • Encrypt data on devices.
  • Use secure browsing technology.
  • Take advantage of industry-leading practices and governance frameworks such as the Business Model for Information Security (BMIS).

About the ISACA Shopping on the Job Survey

The third annual “Shopping on the Job: ISACA’s Online Holiday Shopping and Workplace Internet Safety survey is based on online polling conducted between 27 September and 10 October 2010 of 2,853 US consumers by M/A/R/C Research, with a margin of error of 3.9 percent at the 95 percent confidence level. The UK edition was conducted by Eskenzi PR and based on a survey of 365 consumers. A separate, but related, online survey was conducted by ISACA between 27 September and 4 October 2010  among 3,307 ISACA members in North America, Central/South America, Europe, Asia and Oceania. European findings are based on responses from 834 ISACA members. The study is designed to capture insights about online holiday shopping using work-supplied computers and devices, and employee compliance with online shopping policies in the workplace.

With 95,000 constituents in 160 countries, ISACA® ( is a leading global provider of knowledge, certifications, community, advocacy and education on information systems (IS) assurance and security, enterprise governance and management of IT, and IT-related risk and compliance. Founded in 1969, the nonprofit, independent ISACA hosts international conferences, publishes the ISACA® Journal, and develops international IS auditing and control standards, which help its constituents ensure trust in, and value from, information systems. It also advances and attests IT skills and knowledge through the globally respected Certified Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) designations.

ISACA continually updates COBIT®, which helps IT professionals and enterprise leaders fulfill their IT governance and management responsibilities, particularly in the areas of assurance, security, risk and control, and deliver value to the business.

Follow ISACA on Twitter:

Source: Eskenzi PR